👩‍💻IW Weekly #115: Abusing Auto-Mail Responders, $25,000 Github Takeover, AI in Bug Hunting, RCE on Tenda AC8 Router, GraphQL Hacking and many more…


Welcome to the #IWWeekly115 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @rikeshbaniya discusses a technique that abuses auto-mail responders to gain access to internal workspaces, inspired by research by @securinti.
  2. @retr0reg walks through how they found an RCE on a Tenda AC8 router using ROP (Return Oriented Programming).
  3. @grumpzsux writes about an XSS they found in a WYSIWYG editor that affects more than 10,000 applications.
  4. @pranshux0x explains why OAST (out-of-band) blind SQLi payloads are more reliable than time-based ones, an approach that has earned them $20,000 in bounties.
  5. Check out the weekly anecdotal findings by @OphionSecurity, where hardcoded JWTs and unauthenticated GraphQL endpoints led to mass PII leakage.
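The last item above is about hardcoded JWTs turning into PII leakage. As an added example (not code from the referenced write-up), here is a small Python scanner that pulls JWT-shaped strings out of a bundled front-end file, decodes header and claims without trusting the signature, and flags what a triager looks for first: alg "none", a missing or far-off expiry, and identity or role claims. The JavaScript sample, the tokens in it, and the list of claim names checked are all constructed for the demo.

```python
"""Find hard-coded JWTs in source text and triage their claims.

Added example for this newsletter item, not code from the write-up it
links to. The JavaScript sample and the tokens in it are constructed.
"""
import base64
import json
import re
import time
from typing import Optional

# Three base64url segments separated by dots. A JSON header always encodes
# to a segment starting with "eyJ", which keeps the regex from matching
# arbitrary dotted identifiers. The signature may be empty (alg "none").
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Claims whose presence in a client-side token deserves a second look.
# This list is an assumption for the demo, not from the referenced report.
IDENTITY_CLAIMS = ("sub", "email", "role", "roles", "scope")


def _b64url_decode(segment: str) -> bytes:
    # base64url drops padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(header: dict, payload: dict, signature: str = "sig") -> str:
    """Build a token for the constructed sample. The signature is a dummy."""
    def enc(obj: dict) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{signature}"


def decode_jwt(token: str) -> dict:
    """Decode header and payload without verifying the signature.

    Verification is skipped on purpose: this is triage of tokens found in
    code, not acceptance of them as valid.
    """
    header_b64, payload_b64, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
    }


def find_hardcoded_jwts(source: str, now: Optional[int] = None) -> list:
    """Return one finding per decodable JWT in `source`, with triage flags."""
    now = int(time.time()) if now is None else now
    findings = []
    for match in JWT_RE.finditer(source):
        token = match.group(0)
        try:
            parts = decode_jwt(token)
        except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
            continue
        header, payload = parts["header"], parts["payload"]
        flags = []
        if str(header.get("alg", "")).lower() == "none":
            flags.append("alg=none")
        exp = payload.get("exp")
        if not isinstance(exp, int):
            flags.append("no-expiry")
        elif exp > now + 30 * 86400:
            flags.append("long-lived")
        flags.extend(f"claim:{c}" for c in IDENTITY_CLAIMS if c in payload)
        findings.append({"token": token, "alg": header.get("alg"),
                         "payload": payload, "flags": flags})
    return findings


NOW = 1_700_000_000  # fixed clock so the demo is deterministic

# Constructed sample of a bundled front-end file (not a real application).
SAMPLE_JS = "\n".join([
    'const API = "https://api.example.test/graphql";',
    'const SERVICE_TOKEN = "%s";' % make_demo_jwt(
        {"alg": "HS256", "typ": "JWT"},
        {"sub": "svc-export", "role": "admin",
         "iat": NOW - 86400, "exp": NOW + 10 * 365 * 86400}),
    'const session = "%s";' % make_demo_jwt(
        {"alg": "none"}, {"sub": "42", "email": "alice@example.test"}, ""),
    'const lookalike = "eyJabc.def.ghi";  // JWT-shaped, not decodable',
])


if __name__ == "__main__":
    for finding in find_hardcoded_jwts(SAMPLE_JS, now=NOW):
        print(finding["alg"], finding["flags"], finding["payload"])
```

Point the scanner at real bundles (or grep output) by passing the file contents as `source`; the regex is deliberately tight so that dotted version strings and minified identifiers do not drown the results, and anything it catches but cannot decode is skipped rather than reported.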

🧵 4 Threads

  1. Want to find XSS vulnerabilities using Burp Suite? Try Reflector by @elk0kc, a user-friendly Burp Suite extension that helps you find XSS.
  2. Do you skip testing GraphQL targets? You might be missing out on bounties! If GraphQL targets challenge you, check out this article by @intigriti on easy ways to hack GraphQL APIs.
  3. Check out BadDNS by @paulmmueller, a Python DNS auditing tool for subdomain takeover detection, zone transfers, and NSEC walking.
  4. Have you tried xnLinkFinder by @xnl_h4ck3r? This Python tool discovers endpoints, finds parameters, and generates target-specific wordlists.

📽️ 3 Insightful Videos

  1. @zseano explores JavaScript files at NahamCon2024, revealing hidden endpoints and sensitive data, emphasizing manual exploration and tools like XKeys and Secret Finder.
  2. This video by @gregxsunday examines web app security vulnerabilities through examples such as a $25,000 GitHub takeover and a CTF challenge, covering CSRF, HEAD method misuse and HTML sanitization nuances.
  3. @Jhaddix explores AI applications in bug hunting at NahamCon2024, showcasing tools like Subdomain Ninja and Arcanum for recon and XSS detection, emphasizing AI's role in bypassing filters and automating vulnerability identification and fixes.

💼 2 Job Alerts

  1. Astra Security is looking to fill a remote Penetration Tester role.
  2. Accenture is seeking a Security Architect in the Mumbai region.

🎁 1 Special Item

  1. Take part in the latest edition of Google CTF and win rewards totaling up to $20,000.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Bimal Kumar Sahoo, Manan, Shlok, Siddhesh Prakash Patil
Newsletter formatting by: Hardik Singh, Nithin R, Shlok, Eeshan V, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,
Infosec Writeups

📧 If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
