- Hive Five
- Posts
- π Hive Five 176 - Experts vs. Imitators
π Hive Five 176 - Experts vs. Imitators
Career growth framework, .js Files Are Your Friends, Whatβs Going on With CVE-2024-4577, Roger Federer Commencement address, Exploiting ML models with pickle file attacks, and more...
Bee
June 17, 2024
Hi friends,
Greetings from the hive!
I had another super busy week but was able to recoup over the weekend. To this day, I'm still surprised by the healing powers of family, sun, and water.
Let's take this week by swarm!
π The Bee's Knees
Career growth framework: Avoid performance review surprises by tracking accomplishments year-round. Get in the habit of consistently writing things down, your career depends on it. MORE
NahamCon2024 talk by Zseano: .js Files Are Your Friends. Learn the importance of hunting through .js files to find more endpoints and interesting code that can lead to vulnerabilities. MORE
Legendary tennis player Roger Federer delivered the Commencement address at Dartmouth, sharing insights on achieving success in life. MORE
Whatβs Going on With CVE-2024-4577 (Critical RCE in PHP)? This CVE is a critical argument-injection vulnerability in PHP that affects Windows deployments and leads to remote code execution. MORE
Exploiting ML models with pickle file attacks. An attack that uses malicious pickle files to stealthily compromise ML models and carry out sophisticated attacks against end users. MORE | PART 2
With a modest contribution of just $8.25 per month, youβre not only helping keep Hive Five going, but you're also getting access to a private Discord community, the complete Hive Archive, exclusive & bonus content, and a range of other benefits.
Hive Five is a weekly newsletter with the best of technology and security, thoughtfully curated, read by thousands of hackers. Do you have a product or service to promote? Find out more about advertising in Hive Five.
Hive Five is brought to you by:
 | tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal. Give it a try. |
Table of Contents
π° Updates
π― My work
β Changelog
xnLinkFinder is a Python tool that discovers endpoints, potential parameters, and a target-specific wordlist for a given target. Release v6.3 is the latest version available. MORE
SecLists v2024.3 release is a comprehensive collection of various lists used during security assessments. MORE
WappalyzerGo v0.1.5 is a high performance go implementation of Wappalyzer Technology Detection Library. MORE
RetireJS 5.0.1 is a scanner that detects the use of JavaScript libraries with known vulnerabilities. MORE
v1.2 release of the 'xnldorker' tool allows gathering results from various search engines using dorks. MORE
π News
Gear up for the 2024 Google CTF (June 21-23), a captivating cybersecurity competition that offers a chance to showcase your skills and explore the world of ethical hacking. MORE
Apple is introducing transcripts on Apple Podcasts, making it easier for anyone to access podcasts. MORE
Apple's new "Private Cloud Compute" allows offloading complex tasks like AI to secure cloud devices, raising privacy and security questions. MORE
πΌ Work
π° Career
Asking the right 6 questions during an AppSec interview can showcase your preparation and interest. MORE
Deck gallery is a curated collection of well-designed decks, showcasing innovative and visually appealing outdoor living spaces. MORE
Every conversation with your ideal customer is a chance to improve your product or service, especially when starting out. MORE
Find out how freelancers find work, such as through a service company, networking, or becoming experts in a niche. MORE
T'Vedt went from having no experience to becoming a Systems Engineer by completing a free web dev boot camp with the city of Atlanta, which led to her first tech role. MORE
π Productivity
Find out how hackers use Obsidian and other tools to take notes. MORE
shpool can be thought of as a lighter weight alternative to tmux or GNU screen. Note, shpool only provides persistent sessions. MORE
UnsubBot automates unsubscribing from marketing emails in GSuite by authenticating with Google Cloud credentials, finding and tagging relevant emails. MORE
PDF to Podcast allows you to transform PDF documents into listenable podcasts, offering a unique and effective way to consume content. MORE
Discover what macOS apps people recommend for daily use. MORE
π Community
π Celebrate
β‘οΈ Community
"We need to support our local content dealers. Content creators, newsletters and curators are essential for discovering 'the good stuff'." MORE
Zseano has been injured while speed skating, resulting in damage to his wrist and knee. Get well soon! MORE
As a full-time bug hunter, renniepak still asks "beginner questions" daily, such as how to stay focused, what to learn, and what tools to use. MORE
π Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@djnemec | Nemec | Software dev, interested in programming and OSINT.
@acut3hack | Nicolas Christin | Bug bounty hunter | Former C dev & expert in irrelevant technologies.
@erbbysam | erbbysam | software, cryptography, etc. DEFCON black badge.
@drunkrhin0 | Rami (drunkrhin0) | Hacker Success Manager Bugcrowd | Photographer.
@shailesh4594 | Shailesh Suthar | An independent security researcher.
The Hive Five is for the curious ones. The rebels. The hackers. The ones who see life not as it is, but as it could be.
Share the newsletter with others like us who want to hack a life they love.
β¬οΈ Level up
π° Read
The Wikimedia/svgtranslate 2.0.1 application is vulnerable to remote code execution due to improper input validation in the ApiController.php and Renderer.php files, allowing attackers to execute arbitrary code. MORE
GitHub Copilot Chat: From Prompt Injection to Data Exfiltration. MORE
Valentina Palmiotti, aka chompie, made history by becoming the first female to score a full win at Pwn2Own 2024. MORE
GHSL-2024-001_GHSL-2024-003: Remote DoS and potential authentication bypasses in RubyGems.org - CVE-2024-35221. MORE
Exfiltrating Data from Sandboxed Documents. MORE
π‘ Tips
Unlock your potential by watching this transformative 3-day company offsite by Sahil. Dive deep into a life and business audit, uncover secrets to maximizing the next 365 days for massive growth. MORE
TESS on the importance of note taking. MORE
Four tips for aspiring code reviewers: 1) Focus on understanding, not just searching. 2) Regularly review for CVE updates. 3) Start with simpler codebases. 4) Prioritize thorough review over quick fixes. MORE
When using ffuf, change the user agent string from the default "Fuzz Faster U Fool" as it is commonly blocked. MORE
To become a successful bug bounty hunter, you should have deep domain expertise, develop a unique methodology, be persistent in your approach, and more. MORE
π§ Wisdom
You're fit but you're weak. You're strong but you're unfit. What's the answer? 100 squats. MORE
True experts provide high-quality information, but many impostors claim expertise they lack: "The person with real expertise is often not the person who made the subject popular." MORE
By consuming and supporting certain media, you signal the demand for more of that content and less of other alternatives. Your choices as a subscriber or member have a direct impact on the creation of future media. MORE
Ursula Burns, the first African American woman to lead a Fortune 500 company, shares her story of success and the secrets that helped her achieve this milestone. MORE
7 thought-provoking questions to gain self-understanding and challenge one's worldview. MORE
π Resources
Memorable site for testing clients against bad SSL configs. MORE
Exploring the impact of manipulating the Google search URL's &udm= parameter, which can potentially yield unexpected and curious search results. MORE
Teach your kids how to code with Minecraft Hour of Code tutorials. MORE
GoRedOps is a collection of Golang projects for red teamers and offensive security operations. MORE
This course on security for Rails developers is currently in development. You can pre-purchase it to show support and get a discount, with a full refund available if you're unsatisfied. MORE
π Quote
"Be more concerned with your character than with your reputation, because your character is what you really are, while your reputation is merely what others think you are."
π Explore
π§° Tools
CreepJS is a project that aims to expose weaknesses and privacy leaks in modern anti-fingerprinting extensions and browsers. MORE
sw33tLie/uff is a custom fork of the ffuf tool that uses modified net/http and net/url libraries to bypass strict header and URL parsing, allowing for more flexible input. MORE
Agentic is an open-source LLM vulnerability scanner. MORE
SlackEnum is a tool for enumerating Slack workspaces and extracting valuable information. MORE
Reset Tolkien is an unsecure time-based secret exploitation and sandwich attack implementation. MORE
WAF blocked your Netflix? Get $200 to try DigitalOcean β the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
π₯ Watch
Bugs on a Plane: Implementing a Bug Bounty in an Airline IT/OT Environment. MORE
SchmooCon Firetalk: Metabolism Hacking for Fun and Longevity. MORE
After nearly 40 years as an Adobe customer, Mike has finally decided to discontinue their subscription. MORE
A walkthrough of the NahamCon2024 mission, a realistic bug bounty / web CTF challenge. MORE
NahamCon2024 talk: Practical AI for Bounty Hunters by Jason Haddix. Learn how to use AI to streamline your bounty hunting, from reconnaissance to JavaScript analysis. MORE
π΅ Listen
Anand Sanwal joins Sam Parr and Shaan Puri to reveal his playbook for building an insanely profitable data business. MORE
Centre For Information Resilience's Sofia Santos talked about how to get into the industry, providing invaluable tips and resources for beginners. MORE
Cal Newport discusses his planning system for note-taking and time management system. MORE
Dan Abramov discusses his move from Meta to Bluesky, the decentralized social web, and the challenges of product vs framework work. MORE
π Technology
Alternatives to Adobe software. MORE
Decap CMS, previously NetlifyCMS, is an open source content management system that integrates with your Git workflow, providing a static site with a convenient editing interface. MORE
Search engine to find vetted software that Solopreneurs use. MORE
The Microsoft FOSS Fund enables Microsoft engineers to nominate and select open-source projects they care about, providing direct support. MORE
Refer is a Ruby on Rails gem that adds models to track referrals and referral codes, enabling referral system integration in your application. MORE
π Visit
Sofa is an app that allows you to be more intentional with your downtime. Create lists of things to watch, read, play, listen to, and more. MORE
A great conversation requires active listening, finding common ground, and avoiding common pitfalls like dominating the talk. MORE
Solopreneurs share one essential tool they cannot live without. MORE
Enjoy the newsletter? Please forward to a pal. It only takes 16 seconds. Making this one took 16 hours.
New round here? Join the newsletter (it's free).
Until next week, take care of yourself and each other,
β Bee π
This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.