👩‍💻 IW Weekly #15: Admin account takeover, IDOR / broken access control, CyberChef alternatives, dark web access, and more
Hey 👋
Welcome to the fifteenth edition of Infosec Weekly - the Monday newsletter that brings the best in Infosec straight to your inbox.
In today’s edition, we’ve curated the Infosec content that deserves your attention this week in the usual format: 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, 1 job alert, and upcoming CTF events, to help you get the most out of this newsletter and take a big step ahead in your career.
Excited? Let’s dive in👇
📝 5 Infosec Articles
#1 Check out this detailed article on how @Mahmoud Youssef achieved an admin account takeover through a quirky password reset functionality.
#2 A complete, detailed guide to IDOR (Insecure Direct Object Reference, a broken access control flaw) by @Shay Rand that walks you through “How to Think and Test” for it.
#3 @Frans Rosén published great research on the many ways that still exist to steal tokens leaked from sign-in OAuth flows. Read it here: Account hijacking using ”dirty dancing” in sign-in OAuth-flows
#4 Do you hunt on old programs? If not, read how @Zunaid Mehmud found an interesting privilege escalation vulnerability in an old private program.
#5 An interesting bug chain leading to PII disclosure of Apple users ($10k), and how @Ahmad Halabi bypassed the fix the program shipped.
🧵 4 Trending Threads
#1 Ever wondered about good alternatives to CyberChef? @Matt’s short thread of solid CyberChef alternatives and complementary tools has something for you.
#2 Planning to build your source code review skills from the ground up? @Ananda Dhakal’s Twitter thread, Resources for Source Code Review, will be a great help.
#3 What do you do when a program’s scope looks like site.* (es|com|cn...)? @Philip Delteil shares his take on that scenario in an informative Twitter thread.
#4 @InsiderPhD drops an awesome API mind map under the #bugbountytips hashtag to give you an overview if you are planning to learn about APIs.
What is an API? What makes APIs special? And what kinds of APIs are out there?
📽️ 3 Insightful Videos
#1 Ever thought about accessing the dark web and exploring its secrets and conspiracies? Heath Adams, aka @TheCyberMentor, uploaded a great video: How to Access the Dark Web Safely in 2022.
#2 Watch this great YouTube interview by @MastersinIT1 to learn more about the real world of cyber security: The Real World Of Cyber Security | Cyber Security talk with Sainath Volam.
#3 Want to learn JSON Web Tokens (JWT) and solve labs alongside @0xTib3rius? Check out his video, Web App Wednesday (6/22/22) - Portswigger JWT Labs.
⚒️ 2 GitHub repositories & Tools
#1 A well organized GitHub repository collecting bug bounty write-ups, sectioned by OWASP Top 10 vulnerability category.
#2 Koh is a C# and Beacon Object File (BOF) toolset that allows for the capture of user credential material via purposeful token/logon session leakage.
💰1 Job alert ⚠️
#1 QualySec is hiring penetration testing interns
Location: Bhubaneswar
🎮 Upcoming CTF Events
#1 wtfCTF 2022 v2.0 - Jeopardy
https://ctftime.org/event/1693
Fri, July 15, 2022 12:00 UTC+00:00
Weight: 19 points
Duration: 2 days
#2 HTB Business CTF 2022: Dirty Money - Jeopardy
https://www.hackthebox.com/events/htb-business-ctf-2022
https://ctftime.org/event/1685
Fri, July 15, 2022 13:00 UTC+00:00
Weight: 24 points
Duration: 2 days and 6 hours
#3 Crypto CTF 2022 - Jeopardy
https://ctftime.org/event/1573
Fri, July 15, 2022 14:00 UTC+00:00
Weight: 48 points
Duration: 1 day
#4 ImaginaryCTF 2022 - Jeopardy
https://2022.imaginaryctf.org/
https://ctftime.org/event/1670
Fri, July 15, 2022 20:00 UTC+00:00
Weight: 24 points
Duration: 3 days
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting and know other people who would too, we'd really appreciate it if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love,
The editorial team
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Ayush Singh, Manikesh Singh, Vinay Kumar, Bimal K. Sahoo, Mohit Khemchandani, Sai Krishna Kothapalli, and Bhavya Jain.
Newsletter formatting by: Siddharth, Bhavya Jain, and Vinay Kumar.
If you wish to join our Ambassadors channel and contribute to the newsletter, send us a DM on Twitter with your discord username.