👩‍💻IW Weekly #128: Bug Bounty, Cloud Dorking, Asset Discovery, Reconnaissance,Vulnerabilities in the Kakadu JPEG 2000 and in Azure DevOps,VPN Cookies Hijacking, and many more…

Welcome to the #IWWeekly128 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

1. @JoeLeonJr uncovers a critical vulnerability in Azure DevOps involving Cross Fork Object References which allows access to Private Repo Data.
2. Read how @aszx87410’s blog dives deep into advanced  iframe mechanics to solve the ‘srcdoc-memos’ challenge in the idekCTF 2024 writeup.
3. Discover the techniques for hijacking and replaying VPN Cookies in @rotarydrone’s latest article.
4. Explore how Google’s CVR team, @amlweems, @scannell_simon, @epereiralopez and @thatjiaozi uncover the vulnerabilities in the Kakadu JPEG 2000 image library that lead to RCE.
5. Explore the amusing article by @AlizTheHax0r and @benwatchtowr detailing their accidental RCE exploit that granted them admin access to .MOBI.

🧵4 Trending Tweets

1. Check out the bug bounty tips  given by @Jayesh25_ which extracts api endpoints and constructs complex HTTP requests from JS files using AI. 
2. Discover how to find more access control issues in web applications by @snap_sec .
3. Can you spot the XSS vulnerability as posted by @intigriti?
4. @dropn0w shows how a simple DOM XSS vulnerability can evolve into a Stored XSS due to improper sanitization, and showcases the complexity and fun of exploiting intricate bugs in web applications.

📽️ 3 Insightful Videos

1. In the latest episode of Critical Thinking Bug Bounty Podcast, @rhynorater and @0xteknogeek delve into new research on URL validation bypass, the Sanic DNS resolver, xsstools, and Dockerized Orange Confusion Attacks.
2. @Nahamsec on how to use OSINT for reconnaissance and vulnerability assessment, with a focus on API hacking techniques.
3. Explore advanced asset discovery and reconnaissance as we break down the strategic elements of breadth, depth, context, amplification, and focus to enhance your security posture in the episode given by @assetnote2016.

💼 2 Job Alerts

1. Hadrian Security is looking for hackers in India and NL. Do apply.
2. Want to work as a Senior Application Security Engineer at Quince? Let’s go!

🎁 1 Special Item

1. Explore the beta launch of the new web Hackvertor by @garethheyes

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Manan, Shlok.

Newsletter formatting by: Hardik Singh, Nithin R, Samrithi V, Dhakhxayah Senthilkumar

Lots of love
Editorial team,
Infosec Writeups