👩💻IW Weekly #31: $5000 from Apple, AWS RCE, DOM Clobbering Attack, Chrome Exploit, SSRF Tips and much more...
Apple paid $5000 for stored XSS. Read about the findings here.
Hey 👋
Welcome to the #IWWeekly31 - the Monday newsletter that brings the best in Infosec straight to your inbox.
Before we dive in, did you know we're organizing IWCON2022 - the world's largest virtual cybersecurity conference and networking event?😍🙌
The dates are 17th-18th December, 2022, and it’s going to be even bigger than the last time🔥
Click here to check out the event details and book your seats before they’re gone! (You really don’t want to miss out)
Coming back to today's NL, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.
Excited? Let’s jump in👇
📝 7 Infosec Articles (5+ 2 beginner-friendly)
#1 Apple paid $5000 for stored XSS. Want to know how Hamzadzworm found it? Read it here.
#2 By abusing Apache Spark SQL, a Stratum Security researcher found remote code execution during a security evaluation.
#3 Do you know what a DOM clobbering attack is? Read its detailed explanation by 0xgodson.
#4 In one of India's major trading firms, Avinash escalated an AWS SSRF to remote code execution (RCE).
#5 Check out Jack Halon's excellent research work on exploiting the Chrome browser.
Beginner-friendly -
#1 Read about Raymond's discovery of a simple stored XSS in a bug bounty program.
#2 Do you know how to create high-quality bug bounty reports? Read Graham Zemel's article to amp up your report writing skills.
🧵6 Trending Threads (4 + 2 beginner-friendly)
#1 Have you ever considered making your own bug bounty automation tool to automate your tasks? Maik Ro included everything needed to build your automation tool in this thread.
#2 Intigriti created a fantastic thread on 12 must-know bug bounty tips.
#3 Need a checklist to keep in hand when performing web security testing? Rhynorater got you covered.
#4 Haxor31337 shared how Spring Boot Actuator misconfigurations can help you earn big rewards 🤑
Beginner-friendly -
#1 What does it take to be a mobile penetration tester in 2022? Abhishek Meena shared a thread with a list of resources for learning Android penetration testing.
#2 Check out ShreKy's thread on testing for SSRF in bug bounty programs.
📽️ 5 Insightful Videos (3 + 2 beginner-friendly)
#1 Watch this amazing DEFCON talk on iPhone Lightning and JTAG hacking by @ghidraninja.
#2 Threat hunting for malicious account usage using the Windows event log by @insaneforensics.
#3 Ever wondered what goes on behind the scenes of a bug bounty program? Watch @RazorpayEngg's talk on a blue team’s perspective on running a bug bounty program.
Beginner-friendly -
#1 @gregxsunday analyzed 124 public bug bounty reports and goes into detail on how hunters have been able to exploit SSRF.
#2 @NahamSec talks about different ways you can gather ASNs to widen the attack surface of a bug bounty program.
⚒️ 2 Github repositories & Tools
#1 Metlo is an open-source API security platform which helps you maintain an inventory of your APIs and proactively test them before they go into production.
#2 A simple dockerized application that shows how to exploit the CVE-2022-42889 vulnerability, by @AkshayIthape02.
💰1 Job Alert
#1 Job opening for the role of Lead Blockchain Security Engineer (fully remote) at Technology Group Inc. (US).
💸Advertise with us💸
We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.
-----------------------------------------------------------------------------------
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
Editorial team,
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Ayush Singh, Hardik Singh, Siddharth, Bimal Kumar Sahoo, Nikhil Memane, Pramod Kumar Pradhan, and Mohit Khemchandani.
Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth, Nithin, and Ayush Singh.