👩💻IW Weekly #13: 1000s of user tokens exposed, pre-auth RCEs in Oracle, AWS Misconfigurations, IDOR, Open redirects, Nmap tutorial, and much more.
Welcome to the thirteenth edition of Infosec Weekly - the Monday newsletter that brings the best in Infosec straight to your inbox.
The Infosec world is continuously evolving, with new finds and features coming up every single day. Not able to keep up with the changes? Don't worry. In today's edition, we've curated all the Infosec material that needs your attention, in a format of 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, and 1 job alert, to help you get the most out of this newsletter and take a big jump ahead in your career.
Sounds interesting? Let’s dive in👇
📝 5 Infosec Articles
#1 Team Nautilus at Aquasec found tens of thousands of user tokens exposed through the Travis CI API, which lets anyone access historical clear-text build logs.
#2 An article by SlowMist describes how the white-hat group United Global Whitehat Security Team (UGWST) discovered a browser-extension-only vulnerability that let attackers trick users into sending crypto assets without realising it.
#3 Peterjson & Jang ended up with multiple pre-auth RCEs across many products in Oracle Middleware. Read more about this exploit story here.
#4 Dhiyaneshwaran shared a detailed blog on various scenarios for AWS Misconfigurations starting from basics.
#5 PortSwigger has improved its DOM Invader tool so that finding client-side prototype pollution (C-SPP) takes only a couple of clicks.
🧵4 Trending Threads
#1 @LazySaad explained how to find IDORs and how to use a known user_id to verify whether an IDOR actually exists.
#2 @tabaahi_ explains how beginners can look for open redirects: which tools to use, how to go about finding them, and where open redirects should be reported. Check it out here. It's a great starting point for newcomers to Infosec.
#3 A great thread from Hossein NafisiAsl where he explains how an HTTP request smuggling vulnerability was turned into mass account takeover, and shares a GitHub repository where he collects write-ups and tips.
#4 @hakluke's "Become an Nmap pro in 30 seconds" thread is a full Nmap tutorial covering the features you don't want to miss.
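The user_id-based verification from thread #1, as an added example that is not code from the newsletter or from @LazySaad's thread: an offline model with a constructed vulnerable handler (trusts the user_id in the URL) beside a fixed one (enforces ownership), and a check that requests a victim's record with an attacker's session. The sessions, records and handler names are all assumptions made for the demo.

```python
"""
Added example, not code from the newsletter or from @LazySaad's thread: an
offline model of the user_id-based IDOR check described in thread #1.
Two users each own one profile record. We request user B's record with
user A's session against (a) a constructed vulnerable handler that trusts the
user_id in the URL and (b) a fixed handler that enforces ownership.
All sessions, records and handlers below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: session token -> user id, user id -> private record.
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}
PROFILES = {
    1001: {"user_id": 1001, "email": "alice@example.com", "phone": "555-0101"},
    1002: {"user_id": 1002, "email": "bob@example.com", "phone": "555-0102"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_profile(session_token: str, user_id: int) -> Response:
    """GET /api/users/<user_id>: authenticated, but any valid session can read any id."""
    if session_token not in SESSIONS:
        return Response(401)
    profile = PROFILES.get(user_id)
    return Response(200, profile) if profile else Response(404)


def fixed_get_profile(session_token: str, user_id: int) -> Response:
    """Same endpoint with an ownership check: the id in the path must match the session owner."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return Response(401)
    if caller != user_id:
        # 404 rather than 403 so the endpoint does not confirm that the id exists.
        return Response(404)
    return Response(200, PROFILES[user_id])


Handler = Callable[[str, int], Response]


def idor_exists(handler: Handler, attacker_session: str,
                victim_session: str, victim_id: int) -> bool:
    """
    The user_id verification from the thread: first fetch the victim's record
    as the victim, so we know what it should look like, then request the same
    user_id with the attacker's session. A 200 whose body matches the victim's
    own view means the endpoint is not checking ownership.
    """
    expected = handler(victim_session, victim_id)
    if expected.status != 200:
        raise ValueError("victim must be able to read their own record")
    got = handler(attacker_session, victim_id)
    return got.status == 200 and got.body == expected.body


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_profile), ("fixed", fixed_get_profile)):
        print(f"{name}: IDOR present = {idor_exists(handler, 'sess-alice', 'sess-bob', 1002)}")
```

Comparing the attacker's response body against the victim's own view, rather than just checking for a 200, avoids false positives on endpoints that return a generic or redacted record for any id.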
📽️ 3 Insightful Videos
#1 Rana Khalil's next video is out, covering the second lab of the Web Security Academy's command injection module; she solves it both manually and with an automated Python script.
#2 A great video from Patrick Collins about auditing smart contracts, where he explained the audit process, the basics of how to conduct one, and how to interact with auditors.
#3 Laluka has collected a large set of RCEs found in the wild and presents them in a conference talk as part of HitchHack, which he produces. Watch the video here.
⚒️2 Github repositories & Tools
#1 Xnl-h4ck3r has released xnLinkFinder, a Python tool similar to their Burp extension GAP. It discovers endpoints for a given target by regex-matching the target's content, much like LinkFinder but more advanced.
#2 A very detailed Ethereum smart contract auditor roadmap shared by Razzorsec on their github repo. Find it here.
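The regex-based endpoint discovery that tool #1 performs, as an added example that is not xnLinkFinder's or LinkFinder's own code: one pattern for quoted URL and path literals, run over a constructed JavaScript snippet instead of a live target, with optional resolution against a base URL. The pattern and the sample JS are assumptions made for the demo.

```python
"""
Added example, not xnLinkFinder's or LinkFinder's own code: a minimal version
of the regex-based endpoint discovery those tools perform, run over a
constructed JavaScript snippet instead of a live target. The pattern and the
sample JS are assumptions made for the demo.
"""
import re
from typing import List, Optional
from urllib.parse import urljoin

# Match a complete quoted string literal that looks like an endpoint:
# an absolute or protocol-relative URL, an absolute path, or a relative
# path with an API-like first segment. The quote is captured and back-
# referenced so only whole literals match (no stray '/' from a division).
ENDPOINT_RE = re.compile(
    r'(?P<q>["\'`])(?P<ep>'
    r'(?:https?://|//)[^\s"\'`<>]+'            # https://host/path or //host/path
    r'|/[A-Za-z0-9_./?=&%-]+'                   # /api/v1/users?x=y
    r'|(?:api|v[0-9]+)/[A-Za-z0-9_./?=&%-]+'    # api/users, v2/orders
    r')(?P=q)'
)

# Constructed sample: what a fetched front-end bundle might contain.
SAMPLE_JS = """
const API = "https://api.example.test/v2";
fetch(API + "/users/me", {headers: {"Authorization": "Bearer " + token}});
axios.get('/api/v1/orders?status=open');
const cdn = "//cdn.example.test/app.js";
window.location = `/account/settings`;
var legacy = 'api/internal/debug';
var notAnEndpoint = "Hello, world";
"""


def find_endpoints(js: str, base_url: Optional[str] = None) -> List[str]:
    """Return unique endpoint strings in order of first appearance.

    With base_url set, relative and protocol-relative results are resolved
    against it, the way a link finder would when given the page that served
    the script.
    """
    found: List[str] = []
    for m in ENDPOINT_RE.finditer(js):
        ep = m.group("ep")
        if base_url:
            ep = urljoin(base_url, ep)
        if ep not in found:
            found.append(ep)
    return found


if __name__ == "__main__":
    for ep in find_endpoints(SAMPLE_JS, base_url="https://app.example.test/"):
        print(ep)
```

Requiring the same quote character on both sides of the match is what keeps the pattern from firing on the `/` in arithmetic or in unquoted regex literals; a real tool adds many more shapes (file extensions, query-only fragments) and reports the source file and line for each hit.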
💰1 Job alert ⚠️
#1 A great internship opportunity from Cybertix for anyone who wants professional experience and wants to upskill.
Last date to apply for Internship: 15th July 2022
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Nithin R (thebotsite.me), Ayush Singh, Vinay Kumar, Hardik Singh, Bimal K. Sahoo, Mohit Khemchandani and Pramod Kumar Pradhan.
Newsletter formatting by: Nithin R, Bhavya Jain, Vinay Kumar and Siddharth.
If you wish to join our Ambassadors channel and contribute to the newsletter, reply to this email with your discord username.