👩‍💻IW Weekly #109: Hacking Telegram, Raining IDORs and BACs, Microsoft Graph Logging Bypass, HTMX Bugs, Wordlist for CI/CD Hacking and many more…


Welcome to the #IWWeekly109 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @D0loresH4ze and their friend hacked a voice communications company and found multiple vulnerabilities, including IDORs and broken access controls (BACs).
  2. @kresec hacked HackerOne and earned a fantastic bounty for an IDOR in the report summary feature.
  3. Read @TrustedSec’s well-explained post on the recent patch to Microsoft Graph, which was vulnerable to a logging bypass attack.
  4. @rebane2001 found a way to take over another person’s Telegram account in just 10 seconds, provided they have access to the victim’s device. Incredible!
  5. @j0nathanj shares an insight into how they found a huge vulnerability in VirtualBox that allowed a guest-to-host escape.

🧵 4 Infosec Threads

  1. @Bugcrowd shares 19 questions @JR0ch17 asks himself when looking through requests in order to identify and document potential vulnerabilities.
  2. Exploring HTMX bugs: @ctbbpodcast delves into the nuances of hx-disable functionality amid syntax shifts, courtesy of @avlidienbrunn’s discoveries.
  3. Unveiling the solution to a challenge on bypassing a CSP set via PHP’s header() that blocks XSS, with insights from @pilvar222.
  4. Learn Client-side Template Injection vulnerabilities beyond AngularJS with @intigriti, offering 5 essential resources for understanding and exploiting CSTI flaws!

📽️ 3 Insightful Videos

  1. Join @NahamSec as they demonstrate how to craft a potent wordlist for CI/CD hacking, leveraging the power of AI.
  2. @davidbombal dives into @Farah_Hawaa’s journey from mass media studies to cybersecurity at Meta, exploring bug bounty programs, industry insights, and valuable advice for aspiring hackers.
  3. @ctbbpodcast goes through @joaxcar's bug bounty journey, exploring his discoveries including a GitHub CSP bypass and a critical GitLab pipeline flaw. Discover his strategies for navigating CSP-rich environments, his transition to full-time bug hunting, and his focus on ReDoS and OAuth vulnerabilities.

💼 2 Job Alerts

  1. GitHub Security is hiring a remote Threat Intelligence Security Analyst in the UK.
  2. Honeywell is actively recruiting cybersecurity engineers with 2 to 6 years of experience in systems, network, cloud and application penetration testing.

🎁 1 Special Item

  1. Challenge time by @joaxcar: Hunt for the flag hidden within the URL fragment and trigger an alert – no spoilers in the thread.

A word from our sponsor!

Eliminate repetitive typing and mistakes with Text Blaze’s 100% free chrome extension.

You get easy-to-use templates with endless customization and powerful automation.

Now, you no longer need to type out repetitive stuff every time the need arises. With Text Blaze, you can do it with a single click!

Get Text Blaze today: https://blaze.today/?ref=UYH72QXL

That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Manikesh Singh, Shlok
Newsletter formatting by: Hardik Singh, Nithin R, Manan, Shlok, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
