👩‍💻IW Weekly #34: Attacking SAML 2.0, Kubernetes Security, RCE, Hacking File Upload, Recon Tools and Methodology, and much more…

@Redhuntlabs conducted a mass scan on ~40000 Firebase subdomains to understand their state of security. Read their findings here.

Hey there👋

Welcome to the #IWWeekly34 - the Monday newsletter that brings the best in Infosec straight to your inbox.

This week’s NL is brought to you by Zero-Point Security.

Here's a word from our sponsor:

"We're making Red Teaming knowledge and skillsets more accessible and affordable by providing high-quality training materials and lab environments in a scalable, online format – therefore enabling businesses and industries to improve their cyber defense capabilities and adversarial resilience. Click here to know more about our training."

Coming back to today's NL, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.

Excited? Let’s dive in👇

📝 7 Infosec Articles (5 + 2 beginner-friendly)

#1 SAML is outdated. But we still find SAML vulnerabilities in large application products. Here's detailed research on how to attack SAML 2.0 security by @paper_seebug.

#2 After part 1, @jack_halon has come out with a 2nd part on Chrome browser exploitation, where topics such as V8’s bytecode, code compilation and code optimization are discussed.

#3 @Redhuntlabs recently conducted a mass scan on a sample of ~40000 Firebase subdomains to understand their state of security. Read about their findings from the scan regarding data breaches.

#4 A detailed article on how @Bipin Jitiya exploited Remote Command Execution (RCE) with the help of a vulnerability chain.

#5 Everybody on Infosec Twitter seemed to be jumping ship to the Infosec.exchange Mastodon server. Here’s how @garethheyes could steal credentials on Infosec Mastodon with an HTML injection, without needing to bypass CSP.


Beginner-friendly -

#1 @Edward Litchner shares how you can fuzz a signed JWT to obtain its encryption password.

#2 @Agent47_2458 shares his recon tools and methodology in this detailed article.

🧵 6 Threads (4 + 2 beginner-friendly)

#1 APIs are used everywhere for applications to communicate, but to see how you can HACK them, refer to this great thread by @Intigriti.

#2 Read this interesting thread by @AppSecEngineer to get you going with the basics of Kubernetes security: All about K8s Authorization (AuthZ).

#3 @Maik Ro shares another detailed thread in the SIEM series where he shows how to build custom Kibana widgets for your ELK SIEM.

#4 Do you want to hack file upload functionality? Read this thread by @Steiner245.

Beginner-friendly -

#1 @ReconOne shares the best practices about using the GF tool to avoid typing common, complex and long patterns.

#2 @Intigriti talks about the power of Google dorks through 9 crucial dorking tips that every hacker should know.

📽️ 5 Insightful Videos (3 + 2 beginner-friendly)

#1 Watch this video by @dafthack to learn what IPFS is and how attackers leverage it to deliver malware.

#2 @NahamSec walks you through one of the challenges from the Snyk CTF.

#3 Azure Backdoors: How to Hide Them, How to Find Them, a talk by @_wald0.


Beginner-friendly -

#1 @Farah_Hawaa shares some great resources to learn secure code review.

#2 Bounty posts circulating on infosec Twitter might get overwhelming for beginners as well as for some seasoned hunters. @gregxsunday shares his journey with ups and downs on pursuing full-time bug bounty hunting.

⚒️ 2 GitHub repositories & Tools

#1 A tool to detect MitM attacks by @Arijit_Dir.

#2 Csprecon is a tool to discover new domains for a target using Content Security Policy by @edoardottt2.

💰1 Job Alert

#1 Payatu is on a hiring marathon with more than 20 security positions open.

Apply here.

💸Advertise with us💸

We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world. If this sounds like you, click here to partner with us.

------------------------------------------------------------------------------------


That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting, and know other people who would too, we'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Ayush Singh, Hardik Singh, Pramod Kumar Pradhan, Nikhil A Memane, Manikesh Singh, Bhavesh Harmalkar, Sai Krishna Kothapalli, and Bimal Kumar Sahoo.


Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth and Ayush Singh.