👩‍💻IW Weekly #33: 15,000 Sites Hacked, $70,000 Bounty, API Injection Vulnerabilities, IDOR, Template Injection in 100 seconds, and much more…

This Google Pixel lock screen bypass made $70,000 bounty 😮

Hey 👋

Welcome to the #IWWeekly33 - the Monday newsletter that brings the best in Infosec straight to your inbox.

Barely a month is left for IWCON - the world's largest virtual cybersecurity conference and networking event 😍🙌

Have you booked your ticket?

If not, click here to book it now before we sell out.

It’s going to be even more fun and amazing than the last time, promise ;)

Coming back to today's NL, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you get the most out of this newsletter and take a massive jump ahead in your career.

Excited? Let’s jump in👇

📝 7 Infosec Articles (5 + 2 beginner-friendly)

#1 Read how David Schütz bypassed the Google Pixel lock screen and received a $70,000 bounty.

#2 Chaining path traversal with SSRF to disclose internal git repo data in a bank asset by nikhil (niks).

#3 Exploring ZIP mark-of-the-web bypass vulnerability (CVE-2022-41049) by @mrgretzky.

#4 15,000 sites hacked for massive Google SEO poisoning campaign.

#5 @rahulraz and his friends hacked into and took down a fraudster's webpage.

Beginner-friendly -

#1 Amin Nasiri wrote an excellent blog about identifying IDOR vulnerabilities, with tips for developers on how to fix them.

#2 Agent472458 published a blog post on his recon process and the tools he uses in Bug Bounty.

🧵 6 Threads (4 + 2 beginner-friendly)

#1 Rapid API shared a curated list of API injection vulnerabilities on Twitter.

#2 Rez0 posted a fantastic thread with bug bounty tips and mini-write-ups.

#3 Maik Ro shares how to set up Active Directory in your home lab.

#4 ReconOne posted a thread about using Project Discovery's Katana web crawler tool in detail.

Beginner-friendly -

#1 Maik Ro talks about building your own SIEM for your home lab.

#2 Steiner covers several vulnerabilities that might affect a web application's Registration/Sign-Up Page.

📽️ 5 Insightful Videos (3 + 2 beginner-friendly)

#1 @_JohnHammond converses with @LikelyMalware on cybercrime and the dark web.

#2 @ippsec walks you through the “Moderators” machine on Hack The Box, where you’ll learn about bypassing file upload filters and much more.

#3 @xdavidhu’s accidental Google Pixel lock screen bypass bagged him a $70K bounty.

Beginner-friendly -

#1 @gregxsunday shares some amazing tips on better report writing and maximizing your bounties.

#2 @intigriti covers server-side template injection in 100 seconds.

⚒️ 2 GitHub repositories & Tools

#1 Katana by @pdiscoveryio is a crawling and spidering framework written in Go.

#2 FirebaseExploiter by @thesecurebinary is a vulnerability discovery tool that finds Firebase databases that are open and exploitable.

💰1 Job Alert

#1 Payatu has job openings for the role of Security Consultant (Remote).

💸Advertise with us💸

We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.

----------------------------------------------------------------------------------


That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting and know other people who would too, we'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Ayush Singh, Hardik Singh, Pramod Kumar Pradhan, Nikhil A Memane, Manikesh Singh, Mohit Khemchandani, Bhavesh Harmalkar, and Bimal Kumar Sahoo.


Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth and Ayush Singh.