👩‍💻IW Weekly #132: Account Takeover on Palo Alto Networks, SQLi Cheat Sheet, Pre-Auth SQL Injection in WhatsUp Gold, SSRF Automation, Bypassing Sanitizers using MXSS, and many more…


Welcome to the #IWWeekly132 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @hacks_zach explains how an n-day vulnerability in Palo Alto Networks' Expedition tool was exploited, leading to full system compromise.
  2. Dive into the blog by @Stefan Schiller, which shows how, even in hardened environments, unchecked code-level vulnerabilities can still compromise security, underlining the need for strong code security measures at every layer.
  3. Check out the SQL injection cheat sheet by @0xTib3rius, which covers SQL injection techniques, detection methods, exploitation strategies and more.
  4. Discover OpenBAS, an open-source platform for cyber adversary simulations that lets organisations execute realistic attack scenarios and improve their incident response through threat intelligence, covered by @Do Son.
  5. Check out the blog post by the @Summoning Team, which walks through the discovery and analysis of a pre-auth SQL injection vulnerability (CVE-2024-6670) in WhatsUp Gold, delving into the technical details and its potential exploitation.

🧵 4 Threads

  1. Ever wanted to include SSRF in your bug bounty automation? @intigriti shares a tool that could help you do exactly that.
  2. @0xTib3rius walks through a scenario and how one could escalate privileges in that situation.
  3. @stealthybugs talks about an RCE they found, highlighting the importance of enumerating and testing hidden headers and parameters.
  4. Ever wanted to bypass a WAF? @bountywriteups talks about a tool that could help you find the origin IP of a target.

📽️ 3 Insightful Videos

  1. MXSS in client-side sanitizers is an unsolved problem; @S1r1u5_ goes over the nuances with examples of past MXSS bypasses.
  2. In the latest episode of @ctbbpodcast, @Rhynorater and @0xteknogeek cover SAML XPath confusion, CSP bypass, helpful WAF bypasses, and more.
  3. @gregxsunday interviews @Jhaddix and @Blaklis_, who answer community questions and discuss topics like going full-time on bug bounty, whether bug bounty is getting progressively harder, and more.

💼 2 Job Alerts

  1. @Winston Howes announces that OpenAI is recruiting security engineers to address significant security challenges.
  2. @Amal Murali announces multiple job openings at Bugcrowd for security roles, including Security Engineer (US), Junior Security Engineer (Australia), and Application Security Engineer (Brazil).

🎁 1 Special Item

  1. This week’s highlight: join @Mikhail Shcherbakov's challenge to exploit a JavaScript code snippet taken from a thesis on attacks. The goal is to trigger the pipelineHandler by passing any string in req.body.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Tuhin Bose, Manan, Samrithi V
Newsletter formatting by: Hardik Singh, Manan, Dhakhxayah Senthilkumar, Eeshan V, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]
