👩‍💻IW Weekly #114: 4-Step Bug Hunting Methodology, CVE-2024-4358, Reflector, Bypass SSL Pinning, GraphQL API Vulnerabilities and many more…


Welcome to the #IWWeekly114 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @sawmcyo reveals a modem hack via a Cox Business API flaw, exposing remote access to countless devices.
  2. @sanjaith3hacker exploits an IDOR for vertical privilege escalation, demonstrating how unpredictable user IDs led to moderator access.
  3. @sinsinology's post uncovers an authentication bypass exploiting CVE-2024-4358, turning a deserialization vulnerability into unauthenticated RCE.
  4. Check out @0xLupin's article uncovering a cache poisoning attack on the npm registry.
  5. @abc_sup and @vxradius delve into Android's Binder IPC vulnerabilities, showcasing exploits like CVE-2019-2025 and CVE-2022-20421, leading to root access.

🧵 4 Threads

  1. @Bugcrowd shared the importance of having a structured approach to bug hunting. Check out @InsiderPhD's 4-step methodology for beginners.
  2. Reflector by @elk0kc is a user-friendly Burpsuite extension designed to help you identify reflections and test for XSS vulnerabilities!
  3. In a recent post, @swaroopsy provided a quick guide on bypassing SSL pinning for Android applications.
  4. @clintgibler announced a new Python DNS auditing tool that detects subdomain takeovers, performs zone transfers, and conducts NSEC walking.

📽️ 3 Insightful Videos

  1. @Brumens2 discusses bypassing WAFs at NahamCon2024, emphasising blind spots and techniques like filter collision and payload transformation.
  2. In the "Supply Chain Attack Primer" episode of Critical Thinking - Bug Bounty Podcast, @0xlupin discusses supply chain attacks, dependency confusion, and bug bounty complexities.
  3. @0xlupin discusses GraphQL API vulnerabilities at NahamCon2024, details a privilege escalation flaw, introduces "inpi" for vulnerability search, and explains a CSRF vulnerability with web sockets and cookie-based auth.

💼 2 Job Alerts

  1. Deutsche Bank is seeking an Information Security Specialist for the role of Regulatory & Client Response, based in Mumbai, India.
  2. NielsenIQ is hiring a Senior Engineer in Cybersecurity for the position of Cyber Security Engineer.

🎁 1 Special Item

  1. Get ready to tackle the Windows 12 Dojo Challenge #33 by @yeswehack for a chance to snag exclusive swag with your top-notch reports!

Send an e-mail to [email protected] to learn more about partnering with InfosecWriteups.

That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Bhavesh Harmalkar, Bimal Kumar Sahoo, Manan
Newsletter formatting by: Bhavesh Harmalkar, Manan, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
