👩‍💻IW Weekly #114: 4-Step Bug Hunting Methodology, CVE-2024-4358, Reflector, Bypass SSL Pinning, GraphQL API Vulnerabilities and many more…

👩‍💻IW Weekly #114: 4-Step Bug Hunting Methodology, CVE-2024-4358, Reflector, Bypass SSL Pinning, GraphQL API Vulnerabilities and many more…
Photo by Jefferson Santos / Unsplash

Welcome to the #IWWeekly114 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @sawmcyo reveals a modem hack via a Cox Business API flaw, exposing remote access to countless devices.
  2. @sanjaith3hacker exploits an IDOR for vertical privilege escalation, demonstrating how unpredictable user IDs led to moderator access.
  3. @sinsinology's post uncovers an authentication bypass exploiting CVE-2024-4358, transforming a deserialization vulnerability into unauthenticated RCE
  4. Check out @0xLupin's article uncovering a cache poisoning attack on the npm registry.
  5. @abc_sup and @vxradius delve into Android's Binder IPC vulnerabilities, showcasing exploits like CVE-2019-2025 and CVE-2022-20421, leading to root access.
  1. @Bugcrowd shared the importance of having a structured approach to bug hunting. Check out @InsiderPhD's 4-step methodology for beginners.
  2. Reflector by @elk0kc is a user-friendly Burpsuite extension designed to help you identify reflections and test for XSS vulnerabilities!
  3. In a recent post, @swaroopsy provided a quick guide on bypassing SSL pinning for Android applications. 
  4. @clintgibler announced a new Python DNS auditing tool that detects subdomain takeovers, performs zone transfers, and conducts NSEC walking.

📽️ 3 Insightful Videos

  1. @Brumens2 discusses bypassing WAFs at NahamCon2024 emphasising blind spots, techniques like filter collision and payload transformation
  2. In the "Supply Chain Attack Primer" episode of Critical Thinking - Bug Bounty Podcast, @0xlupin discusses supply chain attacks, dependency confusion, and bug bounty complexities.
  3. @0xlupin discusses GraphQL API vulnerabilities at NahamCon2024, details a privilege escalation flaw, introduces "inpi" for vulnerability search, and explains a CSRF vulnerability with web sockets and cookie-based auth.

💼 2 Job Alerts

  1. Deutsche Bank is seeking an Information Security Specialist for the role of Regulatory & Client Response, based in Mumbai, India.
  2. NielsenIQ is hiring a Senior Engineer in Cybersecurity for the position of Cyber Security Engineer.

🎁 1 Special Item

  1. Get ready to tackle the Windows 12 Dojo Challenge #33 by @yeswehack for a chance to snag exclusive swag with your top-notch reports!

Send an e-mail to [email protected] to know more about partnering with InfosecWriteups

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Bhavesh Harmalkar, Bimal Kumar Sahoo, Manan
Newsletter formatting by: Bhavesh Harmalkar, Manan, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]

Subscribe to The Infosec Newsletter

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]