👩💻 $600k Bounty, Jetty Features, Response Queue Poisoning, Bypass SSRF Protections, XSS Payloads, and much more…
This simple business logic flaw in smart contracts resulted in a $600K bounty.
Welcome to the #IWWeekly26 - the Monday newsletter that brings the best in Infosec straight to your inbox.
Before we dive in, we’re curious to know if you checked out the speaker lineup of IWCON - the world's largest virtual cybersecurity conference and networking event 😍🙌
The dates are 17th-18th December, 2022, and it’s going to be even bigger than the last time🔥
Click here to check out the event details and book your seats before they’re gone! (You really don’t want to miss out)
Coming back to today's newsletter, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.
Excited? Let’s jump in👇
📝 7 Infosec Articles (5 + 2 beginner-friendly)
#1 Sam Curry has detailed some of his amazing findings from auditing the Next.js ecosystem.
#2 Learn how to abuse Jetty features to achieve RCE on web apps, by Mikhail Klyuchnikov.
#3 Read this in-depth article about the different techniques to pentest Cisco networks if they’re not set up perfectly, by Magama Bazarov.
#4 Francesco Mariani and his friend Jacopo Tediosi made an interesting discovery about an Akamai misconfiguration that made them more than $46,000.
#5 Find out how James Kettle turned an HTTP header injection into a critical finding via response queue poisoning.
#1 Luke Stephens outlines what SSRF vulnerabilities are, where they’re most commonly found, and how SSRF protections can be bypassed.
#2 Do you know about DNS takeover? Read this amazing article from ProjectDiscovery.io to find out.
🧵 6 Trending Threads (4 + 2 beginner-friendly)
#1 Check out these API security and hacking tips by @steiner254.
#2 @Mustafa Can İPEKÇİ shares his experience at the Bug Bash live hacking event by Bugcrowd, where he earned six-figure bounties in total.
#3 Damanpreet Singh shared interesting techniques and strategies on how to bypass admin panels.
#4 Read this highly informative SSRF story shared by zerc0de.
#1 sec_r0 shared a curated list of XSS payloads which don't contain parentheses.
#2 Check out this list of tools used for OSINT by Osint for all.
📽️ 5 Insightful Videos (3 + 2 beginner-friendly)
#1 Watch all the Black Hat Asia conference 2022 talks here.
#2 @stokfredrik talks about how @detectify’s crowdsource could help you turn your bugs into passive income.
#3 @Nahamsec collaborated with @HalbornSecurity where they discussed lending, borrowing and collateral in smart contracts and how a business logic flaw resulted in a $600K bounty.
#1 @Jhaddix gives a talk on the updated version of his long-running Bug Hunter’s Methodology.
#2 Watch this amazing talk on fuzzing XSS sanitizers for fun and profit by @TomAnthonySEO.
⚒️ 2 Github repositories & Tools
#1 Take a look at @C0d3Cr4zy’s GitHub repository, which collects various resources for attacking cloud environments.
#2 PE-bear is a multiplatform reversing tool for portable executable files by @hasherezade.
💰 1 Job Alert
#1 Koo has open positions for security roles.
Requires 1-3 years of experience.
💸Advertise with us💸
We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Ayush Singh, Bimal K. Sahoo, Vinay Kumar, Manikesh Singh, Nikhil Memane, Mohit Khemchandani, Bhavesh Harmalkar, and Pramod Kumar Pradhan.
Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth, and Ayush Singh.