
👩‍💻IW Weekly #32: 2FA Bypass, OpenSSL Vulnerabilities, Automated Recon Script, Subdomain Takeovers, DNS Hijacking, and much more…


These multiple vulnerabilities led to remote code execution (RCE) on one of the payment service providers.

Hey 👋

Welcome to the #IWWeekly32 - the Monday newsletter that brings the best in Infosec straight to your inbox.

Before we dive in, we’re curious to know if you checked out the speaker lineup of IWCON - the world's largest virtual cybersecurity conference and networking event 😍🙌

The dates are 17th-18th December, 2022, and it’s going to be even bigger than the last time🔥

Click here to check out the event details and book your seats before they’re gone! (You really don’t want to miss out)

Coming back to today's newsletter, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.

Excited? Let’s jump in👇

📝 7 Infosec Articles (5 + 2 beginner-friendly)

#1 Akash Hamal shared interesting insights on 2FA bypass due to information disclosure and improper access control.

#2 Wiz published a blog detailing OpenSSL vulnerabilities that we should be aware of. Do give it a read.

#3 Check out ProjectDiscovery.io's wonderful blog post on building a fast one-shot automated recon script.

#4 Wish to learn more about JavaScript prototype pollution attacks? Appknox has got you covered.

#5 Find out how Rohit Soni exploited multiple vulnerabilities to get remote code execution (RCE) on one of the payment service providers.

Beginner-friendly -

#1 Read Nynan’s comprehensive analysis of Subdomain Takeovers (SDTO), DNS Hijacking, Dangling DNS, and CNAME misconfigurations.

#2 Find out what Aditya Singh has to say about using tools to make your recon process easier.

6 Threads (4 + 2 beginner-friendly)

#1 Emilien Socchi explains how he achieved an Azure AD tenant takeover in one of his web app evaluations.

#2 Md Ismail Sojal shared a list of XSS payloads. Keep them handy when hacking.

#3 If you want to hack smart contracts but aren't sure where to start, check out this tweet by Maik Ro.

#4 Explore this list of bug bounty tips to bypass 2FA by Abhishek.

Beginner-friendly -

#1 Maik Ro’s thread contains a curated list of web3 hacking resources for a deep dive into web3 security.

#2 Do you want to know how to be successful in bug bounty? How should we set our thinking and work on our objectives? Don’t worry as Maik Ro’s got you covered.

📽️ 5 Insightful Videos (3 + 2 beginner-friendly)

#1 Mental Outlaw talks about Heartbleed, a vulnerability in one of the most widely used cryptographic libraries, OpenSSL.

#2 Learn about server-side template injection as @_JohnHammond solves a lab based on the same.

#3 GraphQL tends to have a lot of implementation discrepancies and bugs. Watch @AseemShrey’s video on deep recursion attacks and GraphQL introspection.

Beginner-friendly -

#1 Watch how @G0LDEN_infosec automates his subdomain enumeration and reconnaissance.

#2 A resume is the first important step towards getting your dream job. @thecybermentor shares some tips on writing better resumes.

⚒️ 2 GitHub repositories & Tools

#1 ezXSS, by elyesa, is an easy way for penetration testers and bug bounty hunters to test for blind XSS.

#2 Leaky-paths, by @_ayoubfathi_, is a collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs, etc.

💰1 Job Alert

#1 Multiple job openings for the role of Information security consultant at A3S Tech & Co (0-2 years of experience).

💸Advertise with us💸

We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting, and know other people who would too, we'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Ayush Singh, Hardik Singh, Tuhin Bose, Pramod Kumar Pradhan, Vinay Kumar, Nikhil A Memane, Manikesh Singh and Mohit Khemchandani.


Newsletter formatting by: Hardik Singh, Vinay Kumar, Nithin, Siddharth and Ayush Singh.