3 min read

👩‍💻Hacking Smart Contracts, Android Vulnerability, RCE, Prototype Poisoning, Anti-Human Server Plugin, and much more…

👩‍💻Hacking Smart Contracts, Android Vulnerability, RCE, Prototype Poisoning, Anti-Human Server Plugin, and much more…

Learn about this anti-human server plugin that kicks human players out of a minecraft server with a new challenge at the end.

Hey 👋

Welcome to the #IWWeekly25 - the Monday newsletter that brings the best in Infosec straight to your inbox.

This week’s NL is brought to you by IWCON - the world's largest virtual cybersecurity conference and networking event.

Yes, we’re sponsoring our own newsletter :)

As you might already know, we’re hosting IWCON2.0 on 17th-18th December this year, and it’s going to be even bigger and better 🔥

We already received so much praise for the speaker line up and session topics. If you haven’t checked them yet, do it now and book your tickets.

Coming back to today's NL, here are our top picks for this week: 7 articles, 6 Threads, 5 videos, 2 GitHub repos and tools, 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.

Excited? Let’s dive in👇

📝 7 Infosec Articles (5+ 2 beginner-friendly)

#1 Read How Omar Hashem tested various techniques against file upload functionality to get high severity vulnerability.

#2 @tamir_zb found a pretty unique Android vulnerability, which allowed him to exploit the kernel by using the TrustZone. This helped him bypass all kernel security mitigations and create a super reliable exploit.

#3 Read this interesting analysis on RCE vulnerability affecting Elementor website builder plugin 3.6.0/3.6.2 on WordPress by @crac-learn.

#4 What is improper array deletion? Shashank explains how array deletion works in solidity and the best practices.

#5 In this post, Arbenn explains how he found a blind XXE injection on a PDF generator that was vulnerable to CVE-2019-12154.

Beginner-friendly -

#1 Do you know what prototype poisoning is? Read this detailed article with prototype bugs explained by Christoffer Jerkeby.

#2 Golang introduced support for vulnerability management. Marvin Wendt explained in his article about how to use it, and why it outperforms many other vulnerability checkers for golang projects!

#1 Read a mind-blowing thread on how to hunt on the main application by @tabaahi_.

#2 Have you heard terms like "Proxy" and "Reverse Proxy" in the Bug Bounty space but don't exactly know what they are? Don't worry, Nitin covered them in his thread.

#3 Burp Suite and firefox 🔥🦊 match is made in heaven. Read the shortcomings of in-built browsers and how to make firefox silent by @sec_r0.

#4 See this awesome thread from @sec_r0 about top 10 Burp Suite Extensions for bug hunting.

Beginner-friendly -

#1 New to recon? Nitin made an amazing thread with a curated list of video tutorials to pump up your recon game.

#2 Het Mehta curated a list of Cybersecurity University courses to help you get started in your infosec journey.

📽️ 5 Insightful Videos (3 + 2 beginner-friendly)

#1 @_JohnHammond demonstrates a cool trick shared by @Alh4zr3d to obfuscate the use of the Invoke-Expression command in powershell using DNS records.

#2 @LiveOverflow builds an anti-human server plugin to kick human players out of a minecraft server with a new challenge at the end.

#3 @JSON_SEC shares his experience while preparing for the Certified Red Team Operator course by Zero Point Security.

Beginner-friendly -

#1 @DappUniversity teaches how to hack smart contracts with the self-destruct function.

#2 Follow along with @Tyler_Ramsbey as he goes through the first challenge of the course Malware Analysis & Triage from TCM security and performs static and dynamic analysis on a malicious form of putty.exe.

⚒️ 2 GitHub repositories & Tools

#1 DalFox is a powerful open source XSS scanning tool and parameter analyzer by @hahwul.

#2 userf.py is a user-agent and referer SQL injection tester by @root_tanishq.

💰1 Job Alert

#1 ICE has a security job opening. Click here to know more details.

💸Advertise with us💸

We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.

—----------------------------------------------------------------------------------

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration wi th our amazing ambassadors.

Resource contribution by: Ayush Singh, Bimal K. Sahoo, Vinay Kumar, Manikesh Singh, Nikhil Memane, Mohit Khemchandani, Bhavesh Harmalkar, Tuhin Bose, and Mohit Khemchandani.
Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth, and Ayush Singh.