👩‍💻IW Weekly #113: Subdomain Takeovers to Credential Leaks, Stored XSS to RCE, VSCode SFTP File Exposure, $203K Bounties for Bugs in Azure Health Bot and many more…

👩‍💻IW Weekly #113: Subdomain Takeovers to Credential Leaks, Stored XSS to RCE, VSCode SFTP File Exposure, $203K Bounties for Bugs in Azure Health Bot and many more…
Photo by Clint Patterson / Unsplash

Welcome to the #IWWeekly113 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. Cache Me If You Can: An analysis of local privilege escalation vulnerability in Zscaler Client Connector (CVE-2023-41973) by @spaceraccoonsec.
  2. @retr0reg uncovers a critical stored XSS vulnerability in Electron's Math Note app, enabling remote code execution by bypassing node integration through the use of preload.js.
  3. @albinowax explores how to refine your HTTP perspective using bambdas in this insightful article.
  4. @JoeLeonJr teaches how subdomain takeovers can lead to credential leaks and the security measures to prevent them.
  5. Learn how to efficiently dump a database using an AI chatbot in this guide by @kuldeepdotexe.
  1. @vidocsecurity discusses the risks of exposed .env files, containing crucial service credentials, and offers strategies for detecting and finding them at scale.  
  2. Discover the hidden risks of VSCode SFTP file exposure through simple Google Dorking techniques in this mini thread by @vidocsecurity
  3. @ctbbpodcast dives into IPv6 parsing challenges with @slonser_'s eye-opening research, revealing the need for a nuanced approach to address specifications.
  4. Read about the buzz around @CaidoIO as @ramirezVII explores its potential to challenge the reigning king, @Burp_Suite, in the realm of interception proxies

📽️ 3 Insightful Videos

  1. @GodfatherOrwa unveils the art of Shodan & WAF evasion techniques in #NahamCon2024 by @NahamSec.
  2. The evolution of web applications, from traditional architectures to modern paradigms, exploring API-driven dynamics and essential insights on OWASP's API Security Top 10 risks, in this talk by @bsidesahmedabad.
  3. @gregxsunday explains how he earned $203,000 worth of bounties by uncovering 4 critical bugs in Azure Health Bot, including 2x RCE, path traversal, and a memory leak.

💼 2 Job Alerts

  1. Join Castellum Labs in Hyderabad, India, as an Application Security Intern/Trainee to dive into the dynamic realm of cybersecurity under expert guidance.
  2. Jio seeks an Information Security Analyst to safeguard digital assets and ensure data integrity in Navi Mumbai, Maharashtra, India.

🎁 1 Special Item

  1. Get ready to tackle the Windows 12 Dojo Challenge #33 by @yeswehack for a chance to snag exclusive swag with your top-notch reports!

Want a byte-sized version of Hacker News? Try TLDR’s free daily newsletter.

TLDR covers the most interesting tech, science, and coding news in just 5 minutes.

No sports, politics, or weather.

Subscribe for free!

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Bhavesh Harmalkar, Bimal Kumar Sahoo,Tuhin Bose, Manan, Siddhesh Prakash Patil
Newsletter formatting by: Hardik Singh, Nithin R, Manan, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]

Subscribe to The Infosec Newsletter

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]