🐝 Hive Five 195 - A Better Web Is Possible
Leaking Text Nodes with CSS, ZwinK is Back, How Do Browsers Work, Forward-Deployed Engineers, and more...
Hi friends,
Greetings from the hive!
The newsletter's format can sometimes be too chaotic, so I thought I’d try a different approach.
Everything is now divided into three overarching categories: Human, Security, and Tech & AI. The Bees Knees remain unaffected.
Do you love it, or do you hate it? Reply to this email and let me know your thoughts.
Let's take this week by swarm!
🐝 THE BEE'S KNEES
Best known for puncturing blockchain/crypto hype with her Web3 Is Going Just Great project, writer/researcher Molly White believes a better web is possible. MORE
Bench Press: Leaking Text Nodes with CSS. With the rise of XSS mitigations, both on the app and browser/spec side, CSS becomes a more and more helpful tool for client-side web exploits. MORE
ZwinK is back with a new video, exploring manual subdomain reconnaissance techniques, including identifying active subdomains, potential WAF bypasses, and leveraging search engine dorks to uncover more targets. MORE
Web browsers are ubiquitous, but how do they work? This book explains, building a basic but complete web browser, from networking to JavaScript, in a couple thousand lines of Python. MORE
How To Start Working in Tech Jobs Guide, covering mindset, picking a job type, learning skills, networking, and finding work. MORE
Want to sponsor an upcoming issue? Let’s partner up!
Upgrade Yourself →
You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.
🧠 HUMAN
Community
Naffy would enjoy hearing NahamSec discuss life philosophy and worldviews with hackers, as this could provide insightful perspectives from a unique vantage point. MORE
The Twitter-verse shares their movies with the best soundtracks of all time, such as Tron and Guardians of the Galaxy. MORE
rez0 won a prompt injection prize at the Google VRP's escal8 live hacking event in Malaga. Congrats! MORE
Mikey enjoyed 6 months of full-time bug bounty work and is now thrilled to join the watchTowr team as a Principal Security Researcher. Sweet! MORE
Career
The Most Important Sentence for anyone struggling career-wise or purpose-wise. Everything builds off of how you are useful to the world. MORE
A serial entrepreneur, John Rush, shares strategies and frameworks on building and scaling cash-flowing online directories using AI and SEO as a great side hustle or first online business. MORE
What hiring managers look for: connecting on LinkedIn after the intro, sending thank you after an interview, asking questions during interviews, and more. MORE
TracketPacer discusses the different types of pressure in high-pressure jobs, and that skills don't necessarily transfer between them. MORE
Job searching hack: customized Looms and referrals allow you to bypass the typical recruitment process. MORE
Productivity
What is stopping you from: 1. Screen recording your processes, 2. AI-generating an SOP with Loom, 3. Asking GPT-o1 what can be automated, and 4. Using Cursor to automate those pieces. MORE
Mastering skills through deliberate practice: experts in diverse fields, from chess to swimming, methodically refine techniques, build strength, and increase endurance. Here are alternatives that hackers practice. MORE
How to Stay Productive Anywhere (4 Golden Rules): 1) Define what a win looks like, MORE
Ali discusses how to control one's attention and avoid wasting time, drawing insights from a conversation with author and investor Nir Eyal. MORE
The pain of regret > The pain of discipline. MORE
Health
A physical therapist reviews the Knees Over Toes Guy's workout, evaluating each exercise for safety and effectiveness. MORE
7-Step ATG Mobility Routine (Plus 4-Step Shoulder Routine). MORE
Hesitation is a self-fulfilling prophecy: caution and inaction erode self-esteem, leading to watching others succeed in the opportunities one missed. The solution is to bend towards action. MORE
Interesting
How to build a human infographic: 44 animations that are 9 frames each, 396 sketches total. MORE
The Thule Subterra 2 Powershuttle provides a thoughtful storage solution for small electronics, chargers, cords, and other items. MORE
Family Guy re-uploaders are able to post entire episodes using a technique that shows separate images for scrubbing, evading YouTube copyright. MORE
Building a Minimum Viable Laptop Sticker Business. MORE
People share their "I can’t believe other people don’t do this" hacks. MORE
🔒 SECURITY
Read
Attacking APIs using JSON Injection. Despite warnings about interoperability, most users of JSON parsers are unaware of these caveats. MORE
This post details the analysis and exploitation of a vulnerability in the ChakraCore JavaScript engine, CVE-2018-3048, in order to achieve arbitrary code execution. MORE
Anthropic recently released Claude Computer Use, a model that allows Claude to control a computer, take screenshots, and run commands - a capability that is both impressive and inherently dangerous due to prompt injection vulnerabilities. MORE
$20,300 Bounties from a 200-Hour Hacking Challenge. MORE
The Diminishing Value of Secure Coding Training. The real challenge in today’s security landscape lies in uncovering the more subtle, complex vulnerabilities that these frameworks do not automatically mitigate. MORE
Tools & Techniques
Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
sn0int is a semi-automatic OSINT framework to gather intelligence about a given target or about oneself. MORE
MisconfigMate is a Python port and enhancement of Intigriti's misconfig-mapper, building upon their excellent research and service templates while adding additional features and improvements. MORE
Resources & Learning
This PoC demonstrates exploiting CVE-2024-9264 to perform a DuckDB SQL query and read an arbitrary file on the filesystem using an authenticated user. MORE
A deeper look into the ability to conceal payloads through credentials, manipulate the username and password properties within anchor elements, and potentially combine this with DOM clobbering. MORE
Private Cloud Compute (PCC) handles computationally intensive tasks for Apple Intelligence. Apple released tooling and documentation making it easier than ever for anyone to not only study but verify PCC’s critical security and privacy features. MORE
Curated list of must-watch movies for aspiring hackers and cyberpunks, drawing from open-source sources. MORE
SQL Injection Polyglots—payloads that allow you to detect variations of the same or different vulnerability with a single request. MORE
Watch & Listen
Nahamsec evaluates Ax, the successor of the Axioms framework, highlighting its potential as a powerful reconnaissance tool. MORE
At RomHack 2024, Alex Plaskett and McCaulay Hudson discuss their journey to hacking automotive devices at Pwn2Own Automotive in Tokyo to win $90,000. MORE
Katie reviews the "This Is How They Tell Me the World Ends" book. MORE
Executive Offense interview with Rodolfo (BruteLogic) Assis, a master of XSS. MORE
🤖 TECH & AI
Read
The Bee Agent Framework makes it easy to build scalable agent-based workflows with your model of choice. The framework has been designed to perform robustly with IBM Granite and Llama 3.x models. MORE
A teenager's tragic death after interacting with an AI chatbot has led to a lawsuit, raising concerns about the need for robust safeguards against suicidal ideation in such tools. MORE
Independent publishing is one important facet of the media ecosystem, and while Molly loves it, she knows it is not the path for everyone. MORE
Nabeel reflects on his time with Palantir as the company recently joined the S&P 500. MORE
What intrigued me was the forward-deployed engineers (FDEs), who were typically expected to ‘go onsite’ to the customer’s offices and work from there 3-4 days per week, which meant a ton of travel.
Tools & Techniques
Now I can finally stop Googling when my jq syntax is inevitably incorrect again.
Slidev aims to provide flexibility and interactivity for developers to make their presentations much more interesting, expressive, and attractive by using technologies they are familiar with. MORE
Resources & Learning
Watch & Listen
How NotebookLM Was Made: How to manage and engineer truly great AI products, why disagreement makes for great podcasts, iterating your way to a viral hit from a "Talk to Small Corpus" side project. MORE
Building AI That Builds Itself: Yohei Nakajima is a venture capitalist by day and a prolific AI tinkerer by night, creating projects like the popular BabyAGI. MORE
Taylor Otwell, the creator of Laravel, talks PHP, Lambos, and VC. MORE
💬 QUOTE
"Don’t worry about people stealing your design work. Worry about the day they stop."
🚀 Learned something?
Share Hive Five →
Share this newsletter with your friends and colleagues.
1 REFERRAL = 20% OFF EVERYTHING IN THE STORE
Until next week, take care of yourself and each other,
Bee 🐝
This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.