👩💻$7000 Bounty, Web3 Bug Hunting, API Hacking, IDOR, Triggering XSS with emojis, XSS Flyer, and much more…
Welcome to the #IWWeekly21 - the Monday newsletter that brings the best in Infosec straight to your inbox.
Can’t believe it’s the 21st edition already😍
Our relationship is now 21 weeks old. We’re curious, are you loving our weekly Infosec compilation? Let us know on Twitter and tag us @InfoSecComm. It’ll boost the team’s morale and help us work harder to bring the best in Infosec to you every Monday 😊
For now, here are our top picks for this week: 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, and 1 job alert to help you get the most out of this newsletter and take a massive jump ahead in your career.
Excited? Let’s dive in👇
📝 5 Infosec Articles
#1 Did you know emojis can be used to trigger XSS? Read how @Patrik Fabian found an XSS vulnerability by using emojis.
#2 In his Browser-Powered Desync Attacks article, @James Kettle shows how to turn a victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites.
#3 There’s a long-running debate about whether IDOR reports are valid when the IDs are not predictable. Read @rez0’s article on why they are real vulnerabilities and should be fixed.
#4 Read how @KevTheHermit’s team discovered major vulnerabilities in Control Web Panel, including RCE, account hijacking and an injection vulnerability.
#5 @Andri shares his personal notes on a lesser-known RCE bug in the Jackson data-binding library (jackson-databind). Read how he earned a $7,000 bug bounty from Grab (RCE Unique Bugs).
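To make the point behind article #3 concrete: an unguessable ID is not an authorization check. The ID still leaks through shared links, logs, referrers and other users' responses, and once someone has it the server must still verify that the caller owns the object. The following is an added example written for this newsletter, not code from @rez0's article; the invoice service, its record layout and the leaked-ID scenario are all constructed for illustration.

```python
"""Added example: why an IDOR with an unguessable (UUID) ID is still an IDOR.

Hypothetical in-memory invoice service (not from the referenced article).
The vulnerable lookup trusts secrecy of the UUID; the fixed lookup ties
access to the caller's ownership of the record.
"""
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Invoice:
    id: str       # random UUID4, hard to enumerate but not secret
    owner: str    # username of the account that created it
    amount: int


class InvoiceStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, Invoice] = {}

    def create(self, owner: str, amount: int) -> Invoice:
        inv = Invoice(str(uuid.uuid4()), owner, amount)
        self._by_id[inv.id] = inv
        return inv

    def get_vulnerable(self, caller: str, invoice_id: str) -> Optional[Invoice]:
        # Vulnerable: looks up by ID only. "Nobody can guess the UUID" is the
        # whole defence, so anyone who obtains the UUID can read the record.
        return self._by_id.get(invoice_id)

    def get_fixed(self, caller: str, invoice_id: str) -> Optional[Invoice]:
        # Fixed: the record must belong to the caller. A foreign record is
        # reported exactly like a missing one, so the response does not
        # confirm that the ID exists.
        inv = self._by_id.get(invoice_id)
        if inv is None or inv.owner != caller:
            return None
        return inv


def demo() -> Dict[str, bool]:
    """Constructed scenario: Bob obtains Alice's invoice UUID (e.g. from a
    link she shared) and tries both endpoints. Returns whether each call
    exposed the record."""
    store = InvoiceStore()
    alice_invoice = store.create("alice", 120)
    leaked_id = alice_invoice.id  # the "unpredictable" ID, now known to Bob
    return {
        "vulnerable_leaks_to_bob": store.get_vulnerable("bob", leaked_id) is not None,
        "fixed_leaks_to_bob": store.get_fixed("bob", leaked_id) is not None,
        "fixed_still_works_for_alice": store.get_fixed("alice", leaked_id) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check belongs in the data-access layer (here, the store) rather than in each HTTP handler, so a new endpoint cannot forget it; returning "not found" for both missing and foreign records is the usual choice so that the API does not become an oracle for which IDs exist.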
🧵4 Trending Threads
#1 @Nithin R’s detailed thread on choosing the right bug bounty program. It can be of great help if you’re a beginner or struggling to pick one.
#2 Planning to jump into Web3 bug hunting? This Twitter thread by @Pavel Shabarkin can guide you through getting ready to hunt on Web3 platforms.
#3 Here’s a summary of @Devansh Bordia’s entire 30-day AWS vulnerability thread.
#4 @secr0 shares their XSS flyer, along with some out-of-the-box XSS filter bypasses.
📽️ 3 Insightful Videos
#1 David Bombal interviews Corey Ball, aka hAPI_hacker, and discusses everything about API hacking and his free API hacking course.
#2 Learn how to hack APIs by Corey Ball.
#3 @Gunnar Andrews shares his personal experience and what he learned talking to top hackers at DEFCON.
⚒️2 Github repositories & Tools
#1 nullt3r’s tool jfscan is a wrapper around the super-fast port scanner Masscan and Nmap. It’s designed to simplify scanning for open ports on targets supplied in a variety of formats.
#2 GraphQuail is a Burp Suite extension by @forcesunseen that offers a toolkit for testing GraphQL endpoints. Read about the currently implemented features on GitHub.
💰1 Job alert ⚠️
#1 Anzen Technologies Private Limited is hiring for an intern position.
No. of positions: 12
Stipend: Yes
💸Advertise with us💸
We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate it if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Bimal K. Sahoo, Nikhil Memane, Mohit Khemchandani, Siddharth, Vinay Kumar, Pramod Kumar Pradhan, and Bhavesh Harmalkar.
Newsletter formatting by: Vinay Kumar, Hardik Singh and Siddharth.
If you wish to join our Ambassadors channel and contribute to the newsletter, send us a DM on Twitter with your discord username.