👩💻IW Weekly #14: $1M bounty, bug bounty tips, upcoming CTF events, API attacks, bypassing .NET, autofill credentials stolen, and much more.
Hey 👋
Welcome to the fourteenth edition of Infosec Weekly - the Monday newsletter that brings the best in Infosec straight to your inbox.
In today’s edition, we’ve curated all the amazing Infosec stuff that needs your attention this week in a format of 5 articles, 4 Threads, 3 videos, 2 Github repos and tools, and 1 job alert, to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.
New Section Added: Upcoming CTF Events 🔥
Excited? Let’s dive in👇
📝 5 Infosec Articles
#1 Dhakal_Bibek wrote about access control bug worth $2000 where he shared his methodologies towards the access control vulnerabilities.
#2 A lot of web application security testers don’t know about some simple yet helpful bug hunting features. Here’s a detailed blog post by 0xblackbird on how to look for bugs right from your web browsers.
#3 Bypassing .NET Serialization Binders: Case studies for DevExpress (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277) by @mwulftange.
#4 Read How @PwningEth protected Moonbeam network by disclosing a critical design flaw, safeguarding more than $100M assets at risk in various DeFi projects and was awarded $1M and a $50k bonus.
#5 Did you know your browser’s Autofill Credentials could be stolen via Cross-Site Scripting (XSS)?. The GoSecure Titan Labs team has demonstrated it in this blog.
🧵4 Trending Threads
#1 Bhagavan Bollina shares his tips about how he gets debug parameters.
#2 Have a look at SM9l’s Tweet about fully automatic one-liner to test for SSRF using @pdiscoveryio 's interactsh.
#3 Are you an API pentester or starting to become one? Abhay Bhargav shares a great Thread about underrated #API Attacks and defense that you don’t want to miss.
#4 Ever thought how bug hunters are able to write their own security checks and always a step ahead from others?
@Jason Haddix shares a deep informative thread about the secrets of automation-kings in bug bounty.
📽️ 3 Insightful Videos
#1 See how Ben Sadeghipour explains about one of the current hot topics in InfoSec i.e attack surface management (ASM) when it comes down to Data gathering.
#2 Checkout the practical phishing assessment course by Graham Helton Part - 1 made free.
#3 Jhaddix has uploaded a video on how to use the waymore tool effectively. Check it out.
⚒️2 Github repositories & Tools
#1 Discover hidden endpoints & parameters from historical content discovery using @xnl_h4ck3r 's WayMore tool. The best tool for this type of content discovery during web assessments.
#2 @AnubhavSingh_ made a curated list of Android Security materials and resources for pentesters and bug hunters. This repository will guide you on how to start with Android pentesting from scratch.
💰1 Job alert ⚠️
# Opening for Security engineer at Emirates NBD.
Location: Dubai
🎮 Upcoming CTF Events
#1 Hacky Holidays - Unlock the City Jeopardy
https://ctftime.org/event/1687
Fri, July 08, 2022 10:00 UTC+00:00
Weight: 0 points
Duration: 18 days
#2 Faust CTF 2022 - Attack-Defense
https://ctftime.org/event/1598
Sat, July 09, 2022 12:00 UTC+00:00
Weight: 99 points
Duration: 9 hours
#3 vsCTF 2022 - Jeopardy
https://ctftime.org/event/1658
Sat, July 09, 2022 16:00 UTC+00:00
Weight: 0 points
Duration: 1 day
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
Editorial team,
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Nithin R (thebotsite.me), Ayush Singh, Manikesh Singh, Vinay Kumar, Bimal K. Sahoo, Mohit Khemchandani and Pramod Kumar Pradhan.
Newsletter formatting by: Nithin R, Bhavya Jain, Vinay Kumar and Siddharth.
If you wish to join our Ambassadors channel and contribute to the newsletter, DM us on Twitter @InfoSecComm with your discord username.