👩💻IW Weekly #111: SSRF in NextJS, Blind SSRF on WordPress, ChatGPT Rate Limit Bypass, IDOR at Swiggy and many more...
Welcome to the #IWWeekly111 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- The team at @assetnote discusses their approach to finding an SSRF in NextJS (CVE-2024-34351).
- @bajajkrrish11 talks about an IDOR they found in the food delivery app - Swiggy.
- @dhakal_ananda at @patchstackapp dives into the still-unpatched WordPress Core Unauthenticated Blind SSRF, showing how some plugins escalate it to a full-read SSRF.
- Learn how @mchklt was able to find an RCE using reconnaissance.
- @DanHMcInerney at @huntr_ai talks about a rate-limit bypass they found in OpenAI ChatGPT using HTTP Request Tunneling.
🧵4 Trending Tweets
- @trufflesec shared a tweet stating that symmetric key JWTs are not secure, revealing that they were able to guess over 1.2% of production JWT keys.
- @ctbbpodcast shared a tweet by @joaxcar about finding CSP bypasses in highly restrictive environments, focusing on hijacking selectors, frameworks, script gadgets, and custom listeners.
- Here are the top 3 tools for automating the detection and prevention of CSRF vulnerabilities shared by @intigriti.
- @bugcrowd shares @insiderphd's 4 essential Burp Suite extensions.
📽️ 3 Insightful Videos
- John Hammond shared an insightful YouTube video on achieving automated cloud security with just one click.
- Discover hidden web hacking techniques in Philippe Dourassov's article, "Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks."
- Check out the latest episode from CriticalThinkingPodcast: "More VDP Chats & AI Bias Bounty Strategies with Keith Hoodlet (Ep. 71)."
💼 2 Job Alerts
- Payatu is hiring for multiple roles, including Security Engineer, IoT Hardware Security Researcher, and more.
- Groww is looking for someone to fill the role of Product Security Engineer.
🎁 1 Special Item
- Try your hand at the latest XSS challenge by @kevin_mizu.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Bhavesh Harmalkar
Newsletter formatting by: Hardik Singh, Nithin R, Shlok, Rachit Arora, Vivek Reddy, Siddhesh Prakash Patil
Lots of love
Editorial team,
Infosec Writeups
📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]