👩‍💻IW Weekly #119: Universal Code Execution, Evernote RCE, Multiple ServiceNow CVEs, Escalating XSS Using Password Managers, DOMPurify Bug, CSS Injections and many more…


Welcome to the #IWWeekly119 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. Learn about browser extension security from this article by @spaceraccoonsec, where they manage to achieve universal code execution.
  2. @Doyensec goes over some inherent database issues that lead to data races.
  3. Read how @retr0reg was able to achieve Remote Code Execution on Evernote.
  4. @realansgar dives deep into DOM Clobbering while also finding a bug in the DOMPurify library, all whilst solving an XSS challenge.
  5. @assetnote discovers multiple issues in ServiceNow that led to full compromise of the database credentials; read more about it here.

🧵 4 Insightful Threads

  1. Feeling stuck in your bug bounty journey? Get inspired with these 6 practical tips to stay motivated from @Bugcrowd.
  2. @Securrtech shows you how to secure your Solidity smart contracts with SafeMath.
  3. Learn how to escalate XSS vulnerabilities to high-severity issues using a browser-based password manager in this detailed guide by @ArmanSameer95.
  4. Discover why a career in smart contract development could be your next big move in this insightful thread by @Securrtech.

📽️ 3 Insightful Videos

  1. Explore @NahamSec’s recorded live stream, where he performs recon on Dell’s Bug Bounty Program, discusses recon data insights, and engages viewers in real-time bug bounty hunting strategies.
  2. Dive deep into the evolving world of CSS injection vulnerabilities and font ligature exploits in web security with insights from @ctbbpodcast.
  3. Dive into the world of Bug Bounty with insights on hacking Tinder's bug bounty program, custom reconnaissance tools, cookie injection exploits, and more in this dynamic session with @Rhynorater on @NahamSec’s new video.

💼 2 Job Alerts

  1. Adobe is looking for someone to fill in the role of Senior Red Team Engineer.
  2. Secureu is seeking a Security Engineering Intern.

🎁 1 Special Item

  1. @MtnBer talks about a Client-side Template Injection (CSTI) bug which allowed them to trick owners into selling NFTs for a low price.

A word from our sponsor!

Want a byte-sized version of Hacker News? Try TLDR’s free daily newsletter.

TLDR covers the most interesting tech, science, and coding news in just 5 minutes.

No sports, politics, or weather.

Subscribe for free here!


That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Bhavesh Harmalkar, Manan
Newsletter formatting by: Hardik Singh, Nithin R, Manan, Eeshan V, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]
