👩‍💻IW Weekly #37: ChatGPT for Pentesting, Hacking Govt. Website, GraphQL Security Flaws, Bypassing WAF, SSO, MITRE ATT&CK, and much more…

Did you know ChatGPT can help you identify potential vulnerabilities and exploits for pentesting? Read about it here.

Welcome to the #IWWeekly37 - the Monday newsletter that brings the best in Infosec straight to your inbox.

IWCON2.0 is going live this weekend 😍

We have multiple perks in line for you -

  1. 50 attendees stand a chance to win 1 Month FREE access to PentesterLab 🔥
  2. 5 lucky attendees will win Annual Burp Bounty Pro licenses 🔥
  3. @zseano will grace the event with his special presence in a live talk/networking session.
  4. 20+ hours of learnings, live QnA, and networking sessions.

We have left no stone unturned for this IWCON to be your most memorable event of the year! 🧡

This is the last chance for you to book your seat. Don't miss it.

Get your ticket now.

Now, coming back to today's NL, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.

Excited? Let’s jump in👇

📝 7 Infosec Articles (5 + 2 beginner-friendly)

#1 @Anugrah SR shares how ChatGPT is an invaluable resource for identifying potential vulnerabilities and exploits for Penetration Testers.

#2 @Raavan shares how he hacked a state government website by chaining BAC+IDOR vulnerabilities to access millions of death certificates.

#3 In late October 2022, Google’s Threat Analysis Group (TAG) discovered malicious documents exploiting an Internet Explorer 0-day vulnerability in the JScript engine.

#4 @Claroty has developed a generic bypass of industry-leading web application firewalls (WAF) which involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.

#5 @Komal shares everything she has learnt from the widely-recognised and accepted defense framework in Cyber Security - MITRE ATT&CK.

Beginner-friendly -

#1 0xManan shares reconnaissance tools he uses for bug hunting and penetration testing.

#2 @sl4x0 wrote a detailed article on Single-Sign On (SSO) and its related vulnerabilities.

6 Threads (4 + 2 beginner-friendly)

#1 @Zwink shares a P1 bug bounty tip regarding the Broken Access Control vulnerability.

#2 @Cristi shows GraphQL security flaws and what you should be aware of as a cybersecurity professional.

#3 @GodfatherOrwa shares bug bounty tips for accessing an admin panel through response manipulation.

#4 @Itumeleng_Les wrote a great thread about their 1 year of experience in hunting security flaws/bugs.

Beginner-friendly -

#1 @Nithin R created a list of OSINT tools that can aid your investigation if you come across a suspicious URL or IP address.

#2 @Steiner254 revealed some of the best tips & references for learning Remote Code Execution (RCE).

📽️ 5 Insightful Videos (3 + 2 beginner-friendly)

#1 Learn and start kernel hacking with virtualKD by @JohnHammond.

#2 Watch this video to learn about Server Side Template Injection by @PhDSecurity.

#3 Learn how to bypass DEP in part 4 of @GuidedHacking’s binary exploit development series.

Beginner-friendly -

#1 In this video, you’ll learn how to upload a PHP reverse shell to an unsecured WebDAV service and catch the reverse shell in a Netcat listener by @Gary Rudell.

#2 @Cristi talks about multiple ways to bypass authentication mechanisms.

⚒️ 2 GitHub repositories & Tools

#1 @Raoshaab shares a script to automate the process of installing all necessary tools & tasks for Android Pentesting.

#2 A fast and lightweight Web Application Firewall fingerprinting tool by @Lu1sDV.


💰1 Job Alert

#1 CYFIRMA is hiring for the position of VAPT Researcher.

Location - Bangalore

Experience - 6-10 years.

Apply here.

💸Advertise with us💸

We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world.

If you'd like to advertise to our 27k+ community of cybersecurity enthusiasts, click here to partner with us.

-------------------------------------------------------------------------------


That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting, and know other people who would too, we'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Ayush Singh, Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Nithin R, Siddharth, Vinay Kumar, Manikesh Singh, Pramod Kumar Pradhan, and Tuhin Bose.


Newsletter formatting by: Siddharth.