🐝 Hive Five 200 - A Career Ending Mistake

Mutation XSS Explained, How to Best Start Bug Bounty to Earn $100k in 1 year, Getting started with AI: Good enough prompting, and more...

Hi friends,

Greetings from the hive!

I hope you are doing awesome. Excuse my tardiness. After an eight-hour journey, with a pitstop in the middle, I'm now back on the East Coast.

We went from the Colorado Rocky Mountains via the Prairie State of Illinois to Pennsylvania.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Justin and Roni dissect an old thread of Justin's talking about how best to start bug bounty to make $100k in the first year. MORE

  2. Mutation XSS: Explained, CVE and Challenge. MORE

"Parsing HTML to remove unsafe elements sounds great, until you look at the HTML specification. Its absurd complexity makes this a daunting task, which is exploited in a field called Mutation XSS."

  3. Exploring the DOMPurify library: Bypasses and Fixes. This article will be part of a two-article series focusing on DOMPurify security. This first article focuses on several DOMPurify bypasses on versions 3.1.0, 3.1.1, and 3.1.2. MORE

  4. Reward Hacking in Reinforcement Learning. MORE

"Reward hacking occurs when a reinforcement learning (RL) agent exploits flaws or ambiguities in the reward function to achieve high rewards, without genuinely learning or completing the intended task."

  5. Getting started with AI: Good enough prompting. MORE

"Your goal is simple: spend 10 hours using AI on tasks that actually matter to you. After that, you'll have a natural sense of how AI fits into your work and life. You'll develop an intuition for effective prompting, and you'll better understand AI's potential. Don't aim for perfection - just start somewhere and learn as you go."

Brought to you by →

Hive Store: For Hackers Who Get It

Wear the gear the community is whispering about.

Our merch isn't just clothing - it's a statement piece to show the world that you hack a life you love.

Think witty AI jokes that'll make engineers buy you drinks. Privacy puns so sharp, the EFF would high-five you.

Join the cross-pollinators already flexing these conversation-starting pieces.

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

📰 Updates

🍯 My Work

🗞️ News

  1. Bitcoin millionaire hides $2M in treasures across US — then leaves mysterious clues on how to find them. MORE

  2. After Elon announced his AI game studio, others shared their thoughts on why this is a prime moment to create games. AAA titles are in a deep slump, and the excitement is around independent games. MORE

  3. George Hotz allegedly deleted all of his tweets after discussing the NSA and government influence in AI and other companies. Others mention Greg Brockman's sabbatical lining up with how long it takes to get secret clearance. MORE

✅ Changelog

  1. Simon released version 0.19 of LLM, his Python library and CLI utility for working with Large Language Models. MORE

  2. Spiral V2, a tool to automate repetitive creative work, has launched with a new interface, features, and over 200 public Spirals. MORE

💼 Work

💰 Career

  1. A career ending mistake. It's a mistake we're probably all making right now: not planning the end of our careers. MORE

  2. Big collection of useful questions to ask potential employers. MORE

  3. Find out How Founders Are Building Wealth in 2024 in this wealth report. MORE

  4. Ways to grow as an engineer without good seniors to learn from: Start contributing to open source, keep a tech journal, and more. MORE

  5. Companies often don't practice the values they preach, but they can fix this by making it easier for employees to do the right thing, with support from leaders. MORE

🚀 Productivity

  1. Learn 11 powerful Google Keep features to transform your digital note-taking and organization. From quick capture shortcuts and advanced search techniques to calendar integration and automated text extraction from images. MORE

  2. This video showcases pro tips to get the most out of the Obsidian note-taking app, including free and paid templates and vaults. The author covers various features such as column layouts and embedded callouts. MORE

  3. Explore these advanced Obsidian formatting techniques to enhance note aesthetics and functionality through CSS snippets. MORE

I'm a bit embarrassed to say this, but I've only just now implemented the above CSS to leverage multi-columns for projects and whatnot.

  4. Redditors share their valuable productivity tips, the most-upvoted one being the idea of 3 daily wins: one physical, one spiritual, and one mental. MORE

  5. How to Build a Business that Lets You Quit Your Job. Ali Abdaal, a doctor and one of the world's most-followed productivity experts, breaks it down. MORE

🌎 Community

🎉 Celebrate

  1. Congrats to @HusseiN98D and all the other winners of the Standoff Hacks event in Hanoi. MORE

  2. @GodfatherOrwa and @Th3G3nt3lman, two bug bounty legends, met up during Black Hat. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @r0hack | Ramazan | Researcher in Deteact.

  2. @DfirDiva | DFIR Diva | IR Analyst trying to learn all the things.

  3. @g0tmi1k | g0t mi1k.

  4. @DThompsonDev | Danny Thompson | Went from Frying Chicken to an amazing career as a Software Developer.

πŸ„ Level up

📰 Read

  1. Bypass Apache Superset restrictions to perform SQL injections. MORE

  2. Drilling the redirect_uri in OAuth. Test all OAuth providers exhaustively, across all platforms. Look extra carefully at custom authentication implementations for security gaps. MORE

  3. Introduction to Investigative Journalism: Digital Security by Runa Sandvik. MORE

  4. Cross-Site POST Requests Without a Content-Type Header. MORE

  5. DeepSeek AI: From Prompt Injection To Account Takeover. MORE

💡 Tips

  1. An interview with Jonathan Courtney, the co-founder and CEO of AJ&Smart, where he discusses strategies for leveraging Black Friday regardless of the type of business one runs, and how his company generates its entire year's revenue during Black Friday week. MORE

  2. In the Blueprint to Your First $1,000+ Bounty @NahamSec recommends a methodical approach: selecting bounty programs, thoroughly exploring targets, documenting findings, and fostering creativity in testing. By dedicating daily time to practice and skill development, you can transform bug hunting into a viable career path. MORE

  3. Jake Wasserman shared a clever trick where one can connect to a remote DuckDB database using the ATTACH statement and an HTTP or S3 URL. MORE

  4. A strategy by @dropn0w to avoid frustration in bug bounty: "focus on understanding the company’s threat model and target the areas that truly matter to them." MORE

🧠 Wisdom

  1. On sabbaticals: "it’s not about how much time you have but how you choose to use it. Align it with your priorities, honor it, and let it guide you toward what truly matters." MORE

  2. Andrew Wilkinson, a successful entrepreneur, shares his favorite books and services. MORE

  3. Double shipping: If you’ve built, written or created something new, talk about it publicly more than just once. MORE

📚 Resources

  1. Bluesky, a new social platform, has seen a rapid influx of users, including many journalists, researchers, and OSINT experts. Tools and tips for navigating and utilizing Bluesky are explored. MORE

  2. A collection of awesome Proxmox VE documentation, tools, APIs, blogs, and sites. MORE

  3. A list of all known tools available for the Bluesky platform. MORE

  4. Audiobook recommendations to transition from timely podcasts to more timeless audiobooks. MORE

  5. *The Hidden Cost of Technical Debt: A 10-Year Study. Analysis of 500+ engineering teams reveals surprising patterns in how technical debt impacts development velocity, team morale, and business outcomes. Real data, zero fluff. MORE

*A message from our sponsor

🛠 Explore

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧰 Tools

  1. Awseye is an open-source intelligence (OSINT) and reconnaissance service that tracks and analyzes publicly accessible AWS data. MORE

  2. ronin-vulns is a Ruby library for blind vulnerability testing, supporting testing for various web vulnerabilities including LFI, RFI, SQLi, XSS, SSTI, and Open Redirects. MORE

  3. PGDSAT is a security assessment tool that checks the PostgreSQL security controls of your clusters, including all recommendations from the CIS compliance benchmark and more. MORE

  4. A powerful bash script for massive XSS scanning leveraging Brute Logic's KNOXSS API. MORE

  5. ScrapeGraphAI is a Python web scraping library that uses LLMs and direct graph logic to create scraping pipelines for websites and local documents (XML, HTML, JSON, Markdown, etc.). MORE

🎥 Watch

  1. In this DEF CON 32 talk, Martin presented two powerful new techniques that exploit RFC ambiguities to bypass the limitations of web cache deception and poisoning attacks: Static Path Deception and Cache Key Confusion. MORE

  2. "An Honest Review of Apple Intelligence ... So Far" provides an in-depth analysis of various features and capabilities introduced by Apple's Intelligence service. MORE

  3. Marcus keynotes HuntersCON 2024, discussing Google's new defense against infostealers and how to bypass it, forcing a necessary change for Blue Teamers. MORE

  4. What could you build in 4 hours with Google Gemini? Zeu Capua, Brian Holt, Sarah Schulte, and Jason Lengstorf took on the Web Dev Challenge to find out. MORE

  5. How Marc Made $4000 with Just 1 Email (No Audience Needed). MORE

🎡 Listen

  1. An interview with John Carmack, a computer programmer, video game developer and engineer. He co-founded id Software and was the lead programmer of its video games Commander Keen, Wolfenstein 3D, Doom, Quake, Rage and their sequels. Currently he is the CTO at Oculus. MORE

  2. In this conversation, Simon Willison discusses the intersection of AI, open source, and journalism, emphasizing the importance of tools like Datasette in enhancing data journalism. MORE

  3. Scott Hanselman and Mark Russinovich explore the intriguing world of undocumented APIs, examining both the risks and potential benefits of reverse engineering these obscure interfaces. MORE

  4. This month's Between Two Vulns tackles topics like the plateau of large language models, Microsoft's intriguing memory prototypes, and VulnHuntr's breakthroughs—all against the backdrop of lucrative $3k bug bounties. MORE

  5. Bertcast #650 features hip-hop legends Juvenile & DJ Mannie Fresh discussing the Hot Boys, rappers' real names, favorite clubs, Mannie's cars, and more. MORE

As you know, I'm a hip-hop fan, and this is one cross-over I thought I'd never see. Not knowing what to expect, I enjoyed the listen.

🌐 Technology

  1. Shopify visualized the annual Black Friday and Cyber Monday events with an updated website. MORE

  2. ElevenLabs' answer to Google's NotebookLM provides a high-quality audio conversion tool accessible across devices, allowing users to have emails and other text read aloud with ease. MORE

  3. The Postiz app provides a platform to schedule and manage social media posts, offering collaboration features, analytics, and more. MORE

It was recommended to me and I've been using it to cross-post to major platforms for free.

  4. Pipes can get "stuck" due to buffering, a niche terminal problem where the command's output is held in a buffer before being displayed, leading to unexpected behavior. MORE

  5. GitHub OAuth for a static site using Cloudflare Workers. MORE

👀 Interesting

  1. The Green House on Main Street in Spring Hill is one of Corgi's favorite places and has served so many purposes over the years. MORE

  2. I randomly saw a video of Devon Larratt and just had to look into it further. Born in Victoria, British Columbia, he's the world's no. 1 arm wrestler. MORE

  3. Paper on why Cassava Sciences' simufilam will fail Phase 3 clinical trials, causing the stock to drop to $2. MORE

  4. Ted Turner took over his father's billboard company after his suicide, grew it by buying more companies, and is now considered a real-life American hero, with a new documentary on HBO highlighting his remarkable achievements. MORE

💭 Quote

"Those who know do not speak. Those who speak do not know."

Lao Tsu

📈 Learned something?

Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.