👩‍💻IW Weekly #16: AWS Vulnerability, Threat Hunting, Reflected XSS, Pentesting Resource, Command Injection and much more…

Hey 👋

Welcome to the sixteenth edition of Infosec Weekly - the Monday newsletter that brings the best in Infosec straight to your inbox.

So many new things are happening in the cybersecurity world that it’s difficult to keep up! 🥲

We’ve done all the hard work for you by selecting the top-notch Infosec stuff that caught our attention this week. The format is: 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, 1 job alert and upcoming CTF events, to help you get the most out of this newsletter and take a massive jump ahead in your career.

Excited? Let’s dive in👇

📝 5 Infosec Articles

#1 @Gafnit Amiga explains three vulnerabilities found in the AWS IAM Authenticator, all of them caused by the same line of code.

#2 @OriginalSicksec’s new blog covers how to find and abuse URL shorteners for account takeover (ATO) or information disclosure.

#3 @dajon shares a detailed blog on going from Null to Bug Hunter for IDOR vulnerabilities.

#4 @GoSecure_Inc identified a vulnerability in Tableau Server that could allow malicious actors to extract sensitive data from the application through reflected XSS.

#5 @David French shares some threat hunting and security monitoring tips to help defensive practitioners protect their Okta environments from attack.

🧵 4 Threads

#1 @sec_r0 shares his latest security zine covering six types of network attack in one shot (botnet, MITM, DNS spoofing, etc.).

#2 @Brute Logic humorously shares an updated, fresh XSS polyglot in a tweet reply, along with his Building XSS Polyglots blog.

#3 Starting in pentesting? Here’s a detailed thread by @Brandon Rossi on getting started in the pentesting field.

#4 You will love this quick one-liner by @ReconOne for finding reflected XSS at scale.

📽️ 3 Insightful Videos

#1 @Z-winK has uploaded a new video in his Bug Bounty Bootcamp series, Working with a Real Target, in which he takes a look at Zseano's FastFoodHackings website and its 15 vulnerabilities.

#2 @PwnFunction’s new video, How to Predict Random Numbers, is up; in it he breaks JavaScript's Math.random method with z3.

#3 @rana__khalil’s new long-form video is up, covering Lab #5: command injection with out-of-band data exfiltration.

⚒️2 Github repositories & Tools

#1 DBNS (DataBase Nuclei Scanner) by FleexSecurity lets you keep track of your Nuclei scans in a simple way by saving the results in a database.

#2 Apkleaks by @dwisiswant0 scans APK files for URIs, endpoints and secrets.

💰1 Job alert ⚠️

#1 Check out the job roles posted by Aujas CyberSecurity.

Required experience: 2 to 4 years.

Apply here: Web app security | Mobile app security | Code review

🎮 Upcoming CTF Events

#1 BDSec CTF 2022 - Jeopardy

A jeopardy-style CTF for professional hackers, students and cyber security enthusiasts.

https://bdsec-ctf.com/

https://ctftime.org/event/1699

Wed, July 20, 2022 15:00 UTC+00:00

Weight: 0 points

Duration: 1 day

#2 Lexington Informatics Tournament CTF 2022 - Jeopardy

A beginner-friendly jeopardy-style CTF hosted by Lexington High School.

https://lit.lhsmathcs.org/

https://ctftime.org/event/1694

Fri, July 22, 2022 15:00 UTC+00:00

Weight: 23 points

Duration: 2 days and 12 hours

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting and know other people who would too, we'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Ayush Singh, Vinay Kumar, Bimal K. Sahoo, Mohit Khemchandani, Hardik Singh, and Pramod Kumar Pradhan.

Newsletter formatting by: Siddharth and Hardik Singh.

If you wish to join our Ambassadors channel and contribute to the newsletter, send us a DM on Twitter with your discord username.