👩‍💻IW Weekly #134: Javascript Vulnerabilities, Microsoft ServiceNow Hacked, Recon Framework, Powershell on Web, Zendesk Vulnerability, Filtering Hostnames and many more…


Welcome to the #IWWeekly134 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @0xMaz takes a deep dive into HookChain, a technique aimed at bypassing Endpoint Detection and Response (EDR) solutions.
  2. @moblig_ shares how they gained access to Microsoft’s ServiceNow instance, exposing employee email addresses, support-chat transcripts and attachments.
  3. Learn how to debug and test for JavaScript vulnerabilities by @yeswehack.
  4. URLs might not always be what they look like! @garethheyes at @PortSwiggerRes discusses XSS vectors built on the URL user-info (authentication credentials) component.
  5. @pspaul95 walks us through a CTF challenge they created to demonstrate how CSS Injection can be used to exfiltrate sensitive content from the DOM.

🧵 4 Threads

  1. @Bugcrowd goes over a useful hostname-filtering feature of the Subfinder subdomain-enumeration tool.
  2. @Jayesh25_ shares how they escalated an exposed logging endpoint into a $6,000 bounty.
  3. SAML can be overwhelming to test! @ngalongc shares an instance where they took over an admin account through a SAML misconfiguration, earning a $10,000 bounty.
  4. @ctbbpodcast discusses the details of @hyprdude’s write-up of CVE-2024-20017.

📽️ 3 Insightful Videos

  1. Want to level-up your recon game? @NahamSec walks us through useful features of Axiom, a recon framework.
  2. Denial of Service (DoS) attacks are usually out of scope on bug bounty engagements. Watch how @0xLupin earned close to $150,000 from DoS bugs over the years.
  3. Catch up on the weekly bug bounty news with the latest episode by @ctbbpodcast.

💼 2 Job Alerts

  1. Meesho is looking to hire a Security Engineer IV; check out the details here.
  2. Security Lit is hiring for a senior offensive-security (red teaming) role covering infrastructure, application and cloud.

🎁 1 Special Item

  1. Ever wanted to experience a live hacking event? @gregxsunday vlogs about his experience at the H1-702 event, hacking Epic Games and TikTok.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Hardik Singh, Nithin R, Shlok.
Newsletter formatting by: Hardik Singh, Nithin R.

Lots of love
Editorial team,

Infosec Writeups

📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]
