
๐Ÿ Hive Five 190 - Whatever You Think Your Limits Are, Youโ€™re Wrong

Beyond XSS, Console Cowboys, How to be More Productive on your iPhone, and more...

Hi friends,

Greetings from the hive.

I want to hear from you! I want to know how Hive Five has empowered you to hack a life you love.

So, if you've ever benefitted from the newsletter, let me know 🙏

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. Beyond XSS: Explore the Web Front-end Security Universe. Apart from the well-known XSS, web front-end security encompasses lesser-known vulnerabilities like prototype pollution, CSS injection, and side-channel attacks, all worth learning about. MORE

  2. Using YouTube to Steal your Files, an impressive cross-product chain targeting Google, is a great example of keeping track of seemingly useless quirks and behaviors. Perhaps one day they’ll be just the missing piece you need. MORE

  3. Refine your recon methods or learn totally new ones as OrwaGodfather shares his approach. He starts off with GitHub and Bing advanced search queries. MORE

  4. Learn how to set up an iPhone to be minimalist and productive. I'm a big believer in customizing your (digital) workspaces to your liking. The phone is a big part of that. MORE

  5. Console Cowboys: Navigating the Modern Terminal Frontier. Check out these CLI tools that'll change the way you approach work, making everything faster, smoother, and more efficient. MORE

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Do you have a product or service to promote? Find out more about advertising in Hive Five.

📰 Updates

🍯 My work

✅ Changelog

  1. Lazygit v0.44.1 comes with numerous changes, including an improved performance with large numbers of untracked or modified files. MORE

  2. RetireJS 1.6.4, offers improvements and bug fixes, such as "Add dependencies to CycloneDX". MORE

  3. Caido release v0.41.0 introduces a new community plugin store, allowing users to install plugins with a single click, and expands the SDK APIs while fixing important bugs. MORE

💼 Work

💰 Career

  1. Adam Gilbert founded MyBodyTutor, a 7-figure fitness business, by providing personalized, consistent support that is often missing from diet and workout plans. MORE

  2. The Four Steps to the Epiphany: Successful Strategies for Products that Win. MORE

  3. The tech industry offers lucrative opportunities, but many professionals are unaware of how to maximize their earnings. Learn how to avoid being underpaid in your tech job. MORE

  4. Redditors discuss productivity hacks for corporate jobs, with tips on optimizing workflow, managing time, and avoiding distractions. MORE

🚀 Productivity

  1. The Power of Wasting Time. In today's productivity-obsessed world, even a moment's idleness is seen as a grave sin. We are so driven to stay busy and make constant progress that there is no room left for the simple act of wasting time. MORE

  2. Feeling overwhelmed by the present moment? Find a connection to the longer view and a wiser perspective on what matters. MORE

  3. Amanda's daily two-do list is a game changer for making progress on big projects, allowing people to complete 10 projects in a week—more than most accomplish in a month. MORE

  4. The video shares a 3-step process used to transform one's life in their 20s, including setting non-negotiables and maximizing productivity. The aim is to structure one's day in a way that makes it impossible to fail. MORE

🌎 Community

🎉 Celebrate

  1. Valeriy, once doubtful, feels motivated and driven to keep pushing forward after reaching heights he didn't think possible. Let's go! MORE

  2. Jensec, a security researcher, received their highest bounty yet ($42,500). Woot! MORE

  3. Zseano had a great time in Edinburgh this weekend: he got to hang out with his hacking partner Jonathan and see NahamSec again after many years. MORE

  4. Endingwithali and Shenetworks launched a podcast! The first episode delves into the current tech job landscape, examining the rise in layoffs across major companies. MORE

โšก๏ธ Timeline

  1. A controversial repo containing self-hosted bug bounty programs that are considered "scammy" or unethical by the creator. MORE | ITS COUNTERPART

  2. There seems to be some beef in the WordPress community: "It has to be said and repeated: WP Engine is not WordPress. My own mother was confused and thought WP Engine was an official thing." MORE

  3. DAY[0] is back, testing out a new episode format focusing more on discussion rather than summaries. MORE

  4. OpenAI is seemingly banning several security adjacent GPTs from the GPT Store. MORE

  5. Neovimconf 2024 speaker applications are now open! MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @tjholowaychuk | TJ Holowaychuk | Mostly film photography.

  2. @0xacb | André Baptista | Ethical hacker on a cosmic journey. Co-founder @ethiack.

  3. @0xkitty | Christina Camilleri | Trust & Safety lead for @Netflix Games. Prev infosec @RiotGames, @BishopFox. Part cyborg. Enjoys motorcycles, video games, whisky and cats.

  4. @ryHanson | Ryan Hanson | Security Researcher. Breaking things at @Atredis.

  5. @akita_zen | Akita | Bug Bounty hunter | Zen Monk | alchemist | its time to awake.

Share Hive Five →

Share this newsletter with your friends, colleagues, and BFFs.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

๐Ÿ„ Level up

๐Ÿ“ฐ Read

  1. How to leverage nuclei headless mode to detect XSS payloads more easily and accurately, using the waitdialog action. This approach significantly reduces the complexity of matching specific server responses, while maintaining high accuracy. MORE

  2. Third-party security scanners often provide non-actionable findings. Google shares tips that will help you distinguish false positives from the real thing when using external scanners, and in turn improve the quality. MORE

  3. The Feeld dating app exposed users' sensitive data and nude photos due to poor security controls, highlighting the critical importance of robust backend security for mobile applications. MORE

  4. GitHub Actions automates software development workflows, allowing developers to customize and execute them directly in their GitHub repositories. This PoC exploit explores how typosquatting can be leveraged within the GitHub Actions ecosystem. MORE

  5. The "real" Ivanti Endpoint Manager (EPM) Pre-Auth RCE CVE-2024-29847 write-up. MORE

💡 Tips

  1. Use AI to augment yourself. STÖK likes XXEs, but testing XML parsers using docx files can be quite a tedious task. So he asked ChatGPT o1 to help him create a Python script that automates the process. MORE

  2. Setting up a blog on GitHub Pages doesn’t have to be a daunting task. With the right tools, templates, and a bit of guidance, you can have your blog up and running with minimal effort. MORE

  3. Review: iFixit’s FixHub May Be The Last Soldering Iron You Ever Buy. MORE

🧠 Wisdom

  1. Framing: "Read the paper, things have never been worse. Read history, things have never been better." MORE

  2. Learn the basics of Tmux in 100 seconds. Tmux is an open-source terminal multiplexer that can juggle multiple terminal sessions from a single window. MORE

  3. Radical Belonging in an Age of Othering. This essay invites us to consider whether we are sick from loneliness or from not belonging — to each other and ourselves — and how gratefulness offers a remedy. MORE

  4. Whatever You Think Your Limits Are, You’re Wrong. MORE

  5. How to Be Less Self-Critical. If you struggle with being too self-critical, here are 5 ways to start turning things around. MORE

📚 Resources

  1. Cursor Rules offers a framework to customize AI behavior, streamline development, and tailor code generation, suggestions, and queries. MORE

  2. Spyware Injection Into Your ChatGPT's Long-Term Memory (SpAIware). MORE

  3. GitHub's collection of .gitignore file templates populate the template choosers on GitHub.com when creating new repositories and files. MORE

  4. Combined exploit for two critical vulnerabilities discovered in VICIdial by KoreLogic: CVE-2024-8503: Unauthenticated SQL Injection (SQLi) and CVE-2024-8504: Authenticated Remote Code Execution (RCE). MORE

  5. TJNull has released his pentest template for Obsidian, which includes a better structure, tags, and techniques used in engagements, Hack the Box, and PEN-200. MORE

💭 Quote

❝

"The only person you are destined to become is the person you decide to be."

Ralph Waldo Emerson

🛠 Explore

🧰 Tools

  1. 403Bypasser is a simple Caido plugin that lets you bypass 403 status codes by transforming HTTP requests with custom templates. MORE

  2. Subdominator is a new CLI tool designed to rapidly and accurately detect subdomain takeovers. It aims to be a significant improvement over existing tools, focused on precision and speed. MORE

  3. Grimoire is a "REPL for detection engineering" that allows users to generate datasets of cloud audit logs for common attack techniques, currently supporting AWS. MORE

  4. This script checks DNS A and CNAME records for a list of domains against AWS IP ranges, helping identify potentially risky or unowned resources in your or your client's cloud infrastructure. MORE

  5. Subwiz is a reconnaissance tool that employs AI to forecast subdomains and then returns those that resolve. MORE

🎥 Watch

  1. Supercharging Developer Productivity with ChatGPT and Claude with Simon Willison. He shares his favorite prompting and debugging techniques, his strategies for sidestepping the limitations of contemporary models, and more. MORE

  2. Why is Vite Everywhere? Evan discusses Vite, a JavaScript build tool that simplifies the process of transforming and bundling code for web applications. MORE

  3. 8 exercises to address the negative effects of working behind a desk all day. MORE

  4. NahamSec demonstrates two methods for hacking GitLab instances for a $5,000 bounty. MORE

  5. The Web Dev Challenge tasks a team to create an app that excites people about their local food scene, with only 45 minutes to plan and 4 hours to build. The goal is to see what they can accomplish under tight constraints. MORE

🎵 Listen

  1. Robert Greene transitioned from a struggling screenwriter to a bestselling author by mastering the art of storytelling, inspiring entrepreneurs, politicians, and artists alike. How does he do it? MORE

  2. The untold story of Casey Neistat: "I was a homeless dad at 15 & had $200k debt!" MORE

  3. Robert went from being “a drunk, failed screenwriter” to writing seven bestsellers with millions of copies sold. Entrepreneurs, politicians, and hip-hop artists like 50 Cent all love his work. His secret ingredient? Storytelling. MORE

๐ŸŒ Technology

Get $200 to try DigitalOcean โ€” the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

  1. Sidekick makes hosting side projects as straightforward, affordable, and production-ready as possible. You'll be surprised how much traffic an $8/month instance on DigitalOcean can handle. MORE

  2. Cloudflare's Internet speed test allows you to measure your network performance without annoying ads. MORE

  3. The new Stripe Dev website is a fascinating piece of front-end dev work, containing some cutting-edge design and dev work. MORE

  4. Uptime Kuma is an easy-to-use, self-hosted monitoring tool that lets you keep track of your website's uptime. MORE

  5. The relentless march of AI advancements is a defining characteristic of the technology industry, yet vi, a text editor, endures. Though much changes, some things stay the same. MORE

"The other reason it feels special is that vi turns manipulating text into a key-based form of Street Fighter. Sure, you can have fun just learning the basic buttons for punching and kicking, but the game unlocks an entirely new dimension the moment you pull off your first hadoken [...]"

👀 Interesting

  1. The Lighthouse Map website provides an interactive map showcasing the locations of lighthouses around the world, allowing users to explore these important maritime landmarks. MORE

  2. Windows Solitaire, a beloved office distraction, was not created by a seasoned employee but by a bored Microsoft intern — a surprising origin for a staple of digital entertainment. MORE

  3. Who made the man in the desert? Digital investigator Ben takes a look at the mysterious Marree Man, a giant geoglyph etched into the remote Australian outback. MORE

  4. Bonzo, a videographer, shares his journey of starting over from zero, a beautiful and meaningful experience. MORE

  5. YouTube Thumbnail Viewer allows one to view the thumbnail of any YouTube video by entering the URL or video ID. MORE

📈 Learned something? Dive deeper.


Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.