👩💻IW Weekly #100🎉Server-Side Prototype Pollution, Zero-Click ATO Exploit, SSRF Bugs, GRX Interface address using TCP, GraphQL API Schemas, XSS for ATO, IDOR, Unicode Normalization and many more…
This is the 100th issue of #IWWeekly - the Monday newsletter that brings the best in Infosec straight to your inbox.
Thank you for being with us on this journey and celebrating this major milestone with us. The past 100 weeks haven't been easy, for sure, but your support has made it all worthwhile!
If you're from India, we have a special surprise for you. An opportunity to win bounty money of upto 10 lakhs!
Read on until the end to discover what it is.
In this issue, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Explore the exploits of @0xLupin, @rez0__, and @Rhynorater as they hack Google A.I. at LLM bugSWAT event.
- Check out @Doyensec's article on Server-Side Prototype Pollution Gadgets Scanner, a Burp Suite plugin to detect server-side prototype pollution vulnerabilities.
- Learn about @samiparyal_'s latest discovery: A zero-click Account Takeover exploit on Facebook.
- Discover how a simple edit to Terraform state can lead to a potential takeover of your CI/CD pipeline in @dagrz's insightful article.
- Check Out @TheDIFRReport's Investigation on how downloading a file from a SEO-Poisoned search result led to gootloader infection
🧵4 Trending Tweets
- Discover key features within your target app to uncover vulnerabilities, potentially earning you over $1000 through SSRF bugs, curated by @thebinarybot.
- @haxrob reveals a potential method of exploiting an infected host's GRX interface address using TCP packets. Explore the thread for deeper insights.
- Advance your bug bounty skills with @thebinarybot's insights on leveraging XSS vulnerabilities for Account Takeover (ATO) and unlocking higher rewards
- Discover Clairvoyance and GraphQL Voyager, essential tools for exploring GraphQL API schemas, and many more in the latest episode of @ctbbpodcast.
📽️ 3 Insightful Videos
- @NahamSec hosts a live hacking event featuring top hacker @naglinagli, who demonstrates uncovering a $20,000 bounty bug through OAuth attack vectors and effectively exploits an open redirect vulnerability.
- Check out @Intigriti's latest video exploring the February challenge by @GoatSniff,which involves Unicode Normalisation, XSS and Cookie Manipulation.
- @NahamSec's latest video delves into IDOR (Insecure Direct Object References) vulnerabilities, demonstrating how manipulating IDs in APIs can result in unauthorized data access or modification.
💼 2 Job Alerts
- Flipkart is hiring for Security Engineers and Senior Security Engineers.
- ShieldByte Infosec is looking for a full-time Cyber Security Analyst - VAPT in Mumbai
🎁 1 Special Item
- @thebinarybot has launched "Thebinarybot's Guide to API Hacking" which is on a huge sale right now. Grab the comprehensive guide at a even lower cost using discount code "thebotswarm".
And now, let's talk about the surprise we promised at the start of this newsletter!
📢Attention Bug Bounty Hunters and CTF Players based in India📍
🔎Here's a chance for you to play a part in keeping critical infrastructure secure and also win bounty up to 10 Lakhs INR in return 💰
NCIIPC live hacking event happening this month.
All interested participants are requested to send an email with your name and Hackerone/BugCrowd/Blog link to [email protected], and we'll get back to you 🚀
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker. Until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Tuhin Bose
Newsletter formatting by: Hardik Singh, Nithin R, Eeshan V, AnuPallavi, Pawan Gambhir
Lots of love
Editorial team,
Infosec Writeups