👩‍💻Roadmap to Cybersecurity in 2022, Full-Read SSRF, IDOR in GraphQL, GCP Pentesting, and much more...

Watch this talk about $25 billion+ of value, locked in the practical attacks against bridges.

Hey 👋

Welcome to the #IWWeekly28 - the Monday newsletter that brings the best in Infosec straight to your inbox.

Before we dive in, have you got yourself a ticket to IWCON - the world's largest virtual cybersecurity conference and networking event?

If not, get them here. (You won't regret it 😉)

Coming back to today's NL, here are our top picks for this week: 7 articles, 6 Threads, 5 videos, 2 GitHub repos and tools, 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.

Excited? Let’s jump in👇

📝 7 Infosec Articles (5+ 2 beginner-friendly)

#1 @Sonar discovered and disclosed a critical vulnerability resulting in gaining control of Packagist, a central component of the PHP supply chain, to help secure developer tools.

#2 Find out how @Cloudsek reported Full-Read SSRF vulnerabilities on the exposed instances of Appsmith, an open-source low-code tool that helps developers build dashboards and admin panels very quickly.

#3 @Omar Hashem shares a great writeup where he exploited the emerge login panel, later gaining admin access and was able to control the whole building of the company including elevators.

#4 WordPress plugins are often overlooked but paying attention to these can provide critical bounties with Plugin 0/N-days. Checkout this great research by @Michael Ness.

#5 Informative writeup by @Ahmed Qaramany where he shares his methodology to bypass the WAF block to exploit error-based SQL injection.

Beginner-friendly -

#1 Segev Eliezer (@0xd4y) has shared his detailed notes for GCP penetration testing.

#2 A great writeup on how @Inderjeet Singh found IDOR in a GraphQL query leaking private photos of a million $ app.

🧵6 Trending Threads (4 + 2 beginner-friendly)

#1 @Begin n Bounty shares a useful thread regarding the top burp suite extensions you must give a try while testing.

#2 @Rushab Vyas has curated all the presentation slides presented by the speakers at Bsides Ahmedabad in a single thread.

#3 Learn how to test for XSS step by step on real bug bounty programs in this "Bug Testing Methodology Series" by @Shrekysec

#4 Summary Of "Bug Bounty on Steroids" presented at @bsidesahmedabad by @Hussein Daher

Beginner-friendly -

#1 @Shrekysec shares a detailed thread on the complete roadmap to get into cybersecurity in 2022 for beginners.

#2 @Nithin R has written a thread on cookies in their ongoing series of “Understanding the Internet”.

📽️ 5 Insightful Videos (3 + 2 beginner-friendly)

#1 New to web assembly? Check out @areyou1or0’s talk on reversing web assembly at NahamCon 2022.

#2 Bridges help transfer funds across blockchains and have more than $25 billion dollars of value locked in them. Watch @pwnfooo’s talk on practical attacks against bridges at NullCon 2022.

#3 @_JohnHammond explores the new Havoc framework built by @C5pider, a modern and malleable post-exploitation command and control framework.

Beginner-friendly -

#1 @davidbombal interviews @vickieli7, the author of Bug Bounty bootcamp, where they talk about the book and bug bounty in general.  

#2 @hakluke hints a better approach to bug bounty automation by reducing the amount of duplicates in his talk at NahamCon 2022.

⚒️ 2 Github repositories & Tools

#1  Ghauri is an advanced tool that automates the process of detecting and exploiting SQL injection by r0oth3x49.

#2 Asnmap is a Go based CLI and library for quickly mapping organization network ranges using ASN information by @pdiscoveryio.

💰1 Job Alert

#1 Payatu is hosting a hiring CTF. Apply now.

💸Advertise with us💸

We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.

—----------------------------------------------------------------------------------

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Ayush Singh, Bimal K. Sahoo, Manikesh Singh, Nikhil Memane, Mohit Khemchandani, and Tuhin Bose.

Newsletter formatting by: Nithin R, Hardik Singh, Vinay Kumar, Siddharth, and Ayush Singh.