👩‍💻IW Weekly #117: API Hacking, Hacking Large Corporations, CrushFTP Exploit, NextJS & Cache Poisoning, Prototype Pollution, Nested Deserialization and many more…


Welcome to the #IWWeekly93 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @zhero___ has found a very interesting Cache Poisoning vulnerability in the NextJS framework.
  2. This wonderfully written blog posted by @assetnote shows us why nested deserialization is harmful by presenting the case of an XXE in Magento.
  3. Here’s an ultimate guide to the prototype pollution vulnerability, published by @NetSPI.
  4. @aszx87410 has shared their insights on the many security issues in Polyfill and why we should stop using it.
  5. Check out the first part of the ORM leak vulnerabilities series published by @elttam and understand how to attack the Django ORM to leak sensitive data.
🧵 4 Threads

  1. @xchopath has written a fantastic thread on how they were able to get an RCE using the public CrushFTP CVE exploit.
  2. @sw33tLie has shared the recent updates on their “uff” tool. A must check out.
  3. @ctbbpodcast has posted on 8 things to match and replace in your next bug hunt.
  4. Uncover hidden gems on websites using Google Dorking, as written by @vidocsecurity.

📽️ 3 Insightful Videos

  1. Check out @NahamSec’s favourite API vulnerabilities. There’s a lot to learn from this.
  2. @NahamSec shows us how to hack large corporations using fantastic recon techniques.
  3. Watch “The Secret to Finding Numerous Criticals” by Alex Chapman, posted by @gregxsunday.

💼 2 Job Alerts

  1. Bugcrowd is hiring for multiple positions in India, Australia and the United States.
  2. Scrut Automation is hiring for a security engineer in India. Check out the roles and responsibilities before applying.

🎁 1 Special Item

  1. Try to find the vulnerability in this code, as shared by @bountywriteups.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Nithin R, Shlok, Rachit Arora
Newsletter formatting by: Nithin R, Rachit Arora, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]
