👩‍💻IW Weekly #105: XZ Utils Backdoor, DOMPurify Bypass, Secondary Context Bugs, Hacking ISPs, Email Verification Bypass, Gesture Jacking and many more…


Welcome to the #IWWeekly93 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @a_greenberg and @mattburgess1 from @WIRED go into the details of the XZ Utils backdoor, which could have compromised a sizable number of machines worldwide.
  2. @ryotkak goes over inconsistencies between HTML and XML parsing and how they used them to bypass DOMPurify’s protections.
  3. @akrachliy shares a simple yet effective email verification bypass which bagged them $1200.
  4. @ericlaw writes about Gesture Jacking, an extension to a previous blog post by @PaulosYibelo.
  5. @jorge_ctf from @GHSecurityLab discusses how GitHub could be a one-stop shop for security research.

🧵 4 Infosec Threads

  1. @ctbbpodcast highlights the importance of knowing both browser and desktop application behaviour.
  2. @Securrtech shares a list of methods to test JWTs, as well as some tools and extensions for the same.
  3. Analysing JavaScript files can be tedious; @intigriti lists a few tools for parsing and analysing them.
  4. Check out some password reset testing techniques by @Securrtech.

📽️ 3 Insightful Videos

  1. @ctbbpodcast brings on @samwcyo for their latest podcast episode, where they discuss secondary context bugs, mind maps, note-taking, back-end traversals, hacking ISPs and much more.
  2. @NahamSec discusses different approaches to find critical vulnerabilities.
  3. @_JohnHammond goes over how an attacker can obfuscate PowerShell code using environment variables.

💼 2 Job Alerts

  1. Dezerv is seeking a Security Engineer specialising in DevSecOps.
  2. Greytip Software is seeking a Security Analyst.

🎁 1 Special Item

  1. Planning on switching to @CaidoIO? @monkehack has developed a tool to migrate Burp Suite HTTP history to Caido.

Send an e-mail to [email protected] to learn more about partnering with InfosecWriteups.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Hardik Singh, Ayush Singh, Manikesh Singh, Tuhin Bose, Manan
Newsletter formatting by: Hardik Singh, Ayush Singh, Manan, Shlok.

Lots of love
Editorial team,

Infosec Writeups

📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]
