
🐝 Hive Five 166 - Mastery: Languages, Burp Suite, and APIs

Node.js documentary, hunting down bullsh*t, IDORs and more...

Hi friends,

Greetings from the hive!

Last week, I created my first extension for Raycast, my go-to desktop launcher. This extension allows you to quickly search and query public bug bounty programs and Vulnerability Disclosure Programs (VDPs), streamlining the process of identifying potential targets.

Developing this extension was a blast, and I can't wait to share it with the community. In the coming days, I'll be publishing the extension on the Raycast store, making it easily accessible to all users. Additionally, I'll be writing a blog post detailing the development process, the features, and how to leverage it.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Learn By Building: Language Server Protocol. In this video, TJ builds an entire Language Server from an empty Go project with literally no dependencies. YOUTUBE

  2. Unsaflok is a series of serious security vulnerabilities in dormakaba’s Saflok electronic RFID locks, commonly used in hotels and multi-family housing environments. Over three million hotel locks in 131 countries are affected. UNSAFLOK

  3. Node.js: The Documentary. Back in 2008, most people thought of JavaScript as just a client-side language. But when Google's V8 appeared, young developer Ryan Dahl made the connection between non-blocking servers, V8, and JavaScript. It was by combining these key elements that he was able to create the now hugely popular Node.js. YOUTUBE

  4. NahamSec's 2024 API Hacking Guide, including leveraging application access, analyzing JavaScript files, brute-forcing, and exploiting documentation. YOUTUBE | 5 Week Program

  5. Nicholas (Agarri) gave a follow-up to his original 2013 talk: Burp Suite Pro tips and tricks, the sequel. Based on his in-depth knowledge of both Burp Suite and its extensions, this talk aims to provide bug hunters and pentesters with a set of useful strategies. The underlying goal is to increase the efficiency of the testing workflow (in terms of both capabilities and speed). YOUTUBE

💪 Sponsor

Hive Five is the go-to resource for industry professionals, decision-makers, and builders/creators in the security and technology space, providing them with the tools they need to 10x their job to be done.

🍯 Last week on the Hive

🔥 Buzzworthy

✅ Changelog

  1. Caido v0.34.0 introduced "Findings": Flag interesting requests and make your own passive scanner rules. TWITTER

  2. Hacker Hideout updated their website. TWITTER

  3. Obsidian 1.5.11 release with lots of overdue fixes and performance improvements for mobile and more. TWITTER

  4. LazyGit v0.41.0 release is a big one, including a whopping 595 commits from a period of over 7 months, from 40 different contributors. GITHUB

  5. DOMPurify v3.0.11 release fixes a conditional bypass caused by Processing Instructions and the regex for HTML Custom Element detection. GITHUB

📅 News

  1. AI builders and researchers say that Anthropic surpassed OpenAI in performance. TWITTER

  2. Valve announces Steam Families. When you join a Steam Family, you automatically gain access to the shareable games that your family members own and they will also be able to access the shareable titles in your library. STEAM

  3. New HackerOne platform standards coming April 2nd: IDORs with unpredictable IDs, System Issues, Leaked Credentials, and Bypassing resolved reports. TWITTER

🎉 Celebrate

  1. Nagli turned 26 years old. Happy birthday! TWITTER

  2. Alex received some amazing feedback from the Bugcrowd team this month. Well deserved! TWITTER

  3. Chompie nailed her first Pwn2Own event and walked away with $15,000 and 3 Master of Pwn points. LFG! TWITTER

  4. Renniepak was awarded a $7,500 bounty on HackerOne (for an HTML injection?). Congrats! TWITTER

  5. Trash Puppy is starting as a Threat & Attack Simulation intern in May. Yay! TWITTER

💰 Career

  1. ChatGPT for Job Seekers: Best (and Worst) Use Cases. Jeff shows you how to streamline your job search. YOUTUBE

  2. Aaron got laid off a few weeks ago and created an epic video on what he's doing next. TWITTER

  3. Questions Pentesters should ask their prospective employers. TWITTER

  4. A recruiter response template by Jay. TWITTER

  5. Tib3rius is looking for a remote, US-based, webapp-focused pentesting position. He has over 12 years experience in the industry, plus the ability to effectively communicate with customers in different roles, develop testing tools on the fly, and spread brand awareness on social media / at conferences. TWITTER

⚡️ Community

  1. How close will your hotel be to DEF CON? Deviant lists out which hotels are in walking distance to at least one of the entrances to the Las Vegas Convention Center's West Hall. YOUTUBE

  2. Godfather Orwa started an AMA of sorts to share knowledge with the community. TWITTER

  3. Meet the hacker: HG_Real. He focuses on game hacking, which he considers his dream job: playing games, searching for security vulnerabilities, and getting paid for it. INTIGRITI

  4. Corben switched email clients from Superhuman to Shortwave. He says it has a cleaner UI, more AI functionality, and is cheaper. TWITTER

  5. If you DM Jason a good recon technique he wasn't already aware of, he'll give you a free seat to his class and cite you in his course. TWITTER

📰 Read

  1. Two different IDOR bugs at VvAA[.]nl - What if a ransomware group could exactly see which healthcare provider is insured against ransomware attacks; insurance policies that include a guaranteed payout of paid ransoms? MEDIUM

  2. JSON Smuggling: A far-fetched intrusion detection evasion technique. Insignificant whitespaces in the JSON standard can be used to encode data without breaking the format. This could aid malicious actors in covert lateral movement or data exfiltration. MEDIUM

  3. Misconfigured API endpoint on portal.skge.nl leaks PII data of registered healthcare providers. MEDIUM

  4. Javascript deobfuscation the easy way. The de-obfuscation process can be long and arduous, so the XSSDoctor set out to make it a little easier by writing a script. MEDIUM

  5. CVE-2024-25153: Remote Code Execution in Fortra FileCatalyst - CVE-2024-25153, a critical Unsafe File Upload and Directory Traversal vulnerability in Fortra FileCatalyst, allows a remote unauthenticated attacker to gain Remote Code Execution (RCE) on the web server. This affects Fortra FileCatalyst Workflow 5.x, before 5.1.6 Build 114. NETTITUDE

💡 Tips

  1. Paul shares his favorite IDOR tip when running into UUIDs. TWITTER

  2. Mason on being no different from most beginners 3 years ago. He says that consistency is key. TWITTER

  3. Ippsec's favorite book of the year so far: 100 Go Mistakes and How to Avoid Them. "Knowing what didn't work is more valuable as that's where the time is spent fixing things," he says. TWITTER

  4. Nathaniel on keeping it simple, especially for web testing: "[...] you need to get down the basics..." TWITTER

  5. How m4ll0k turned 2 out-of-scope XSS into a big XSS win, earning a $70k bounty. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @alxbrsn | Alex Birsan.

  2. @0xdabbad00 | Scott Piper | Cloud security historian. Developer, CloudMapper, and Parliament. Founding team for fwdcloudsec.

  3. @PascalSec | PΛSCΛLSΞC | Hybrid Pentest Manager Intigriti Hacking Content Creator at Hacksplained.

  4. @hakluke | hakluke | Bug hunter, pentester. My mission is to improve the marketing of the cybersecurity industry. Founder of: haksecio, hacker_content.

  5. @NahamSec | Ben Sadeghipour | Attack surface management & bug bounty. NahamCon organizer, hacker, speaker & content creator. Ex HackerOne

🚀 Productivity

  1. Get laser focused for 2024 (in 18 minutes). 5 steps to crush your goals. YOUTUBE

  2. How Danny Writes in Obsidian. He covers Settings and Community plugins, such as Dataview queries, Quick Add, and Metadata Menu. YOUTUBE

  3. What is your favorite keybinding you've discovered so far this year? Mine's SHIFT + j for Vim - J joins the line the cursor is on with the line below. TWITTER

  4. DuckDB as the New jq. PGRS

  5. Mastering Cyber Threat Intelligence with Obsidian. It enables analysts to use private datasets for live correlations, statistics, graph visualizations, and tailored workflows leveraging templates, tags, and community plugins. MEDIUM

🐝 Shaan's storytelling and frameworks are next-level. This time it's no different:

  1. Define your Yes Threshold

  2. Manager schedule vs. Maker schedule

  3. The Pyramid of Clarity

  4. Floor goals and Fuck Yeah Goals

  5. Write it out. Be specific

  6. Input vs. Output

  7. Putting it all together

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. The 1st Cyber-security Domain-Specific Language: Efficient, Function-level Invocation, Auto-completion, and Advanced Tools. YAKLANG

  2. Neuralink recently demonstrated the results of a brain chip installed in their first human patient. Learn how the Neuralink N1 is installed and how it reads brainwaves to perform actions entirely from thoughts. YOUTUBE

  3. Psychiatrist and author Peter Kramer discusses his background in psychiatry and psychotherapy. He also talks about how technology, such as ChatGPT, is changing the way we perceive and treat mental health issues, leading to new understandings and categorizations of mental health disorders. YOUTUBE

  4. AI Prompt Engineering Is Dead. Long live AI prompt engineering. New research suggests that prompt engineering is best done by the model itself, and not by a human engineer. IEEE

  5. SigNoz helps you monitor your applications and troubleshoot problems in your deployed applications; it is an open-source alternative to DataDog, New Relic, etc. GITHUB

🧠 Wisdom

  1. The importance of picking a fight you'll never win. Anything Casey Neistat releases I watch. This time he talks about cinema movies being released straight to Amazon Prime. YOUTUBE

  2. Cold Wisdom 75: How the Power Down Ritual Saved Sahil's Work-Life Balance. YOUTUBE

  3. Alex on feeling like you never get enough work done. They say it's common with so many high achieving people in security. TWITTER

  4. Shaan on the two types of mistakes in a company: error of action and error of inaction. The latter are the dangerous ones. TWITTER

  5. Nathaniel on lessons in humility from bug bounty hunters. He brings up instances where people show him critical vulnerabilities in apps he's already tested. TWITTER

🐝 Another brilliant format by Sahil. Every morning, he takes a cold plunge and shares wisdom. I don't know how he does it AND stays coherent, but it's something to strive for, for sure.

💛 Cross-pollination

  1. Scott Kelby on using your iPhone as your second camera for travel. He will change how you, as a photographer, think of your iPhone's camera. YOUTUBE

  2. "Why Does My ADHD Kid Always Forget?". Dr. K covers Understanding the kid’s experience, Dysregulated limbic system, Habit circuitry, and more. YOUTUBE

  3. End the phone-based childhood now. The environment in which kids grow up today is hostile to human development. THEATLANTIC

  4. In this most cinematic film ever made about screws, you'll learn how to choose which screws to use. YOUTUBE

  5. Things that don't work (or: Things where there's a case worth considering that they don't work all that well for most people.) SUBSTACK

💭 Quote

❝ When you write a story, you’re telling yourself the story. When you rewrite, your main job is taking out all the things that are not the story. ❞

Stephen King

📖 Continue reading

That wraps up the website version of the Hive Five. Subscribe now and access the following must-see sections (tools, resources, watch, listen) in the upcoming newsletter straight in your inbox.

Don’t want to miss out? Get access today. Elevate your experience with a premium membership, granting exclusive entry to the Hive Archive, and unlocking additional benefits.


A subscription gets you:

  • Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
  • Access to the COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
  • EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
  • MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
  • Deep DISCOUNTS on paid content.
  • Experience continuously added NEW BENEFITS.