👩💻IW Weekly #40: Open Redirection Vulnerability, Misconfigured Jira, Bugs in Red Bull, ChatGPT for Security, OSCP Guide for Beginners, Bypass Authentication, and much more…
Disclosing this vulnerability in Google Smart speakers bagged the author a bounty of $100k 😲
Welcome to the #IWWeekly40 - the Monday newsletter that brings the best in Infosec straight to your inbox.
We wish you a prosperous and productive new year 😊 May you find amazing bugs, earn bounties, and make cyberspace safe for everyone 🤗
To help you out, we have shared 7 articles, 6 Threads, 5 videos, 2 GitHub repos and tools, 1 job alert in today’s newsletter. We’re sure they’ll help you maximize the benefit and take a massive jump ahead in your career.
Excited? Let’s jump in 👇
📝 7 Infosec Articles (5+ 2 beginner-friendly)
#1 @cankat shows how he found an open redirection vulnerability at Apple’s subdomain using the dot character.
#2 @MRD7 shares how a misconfigured Jira instance allowed the access of all the security reports [Fixed / Non-Fixed] bugs submitted to a company.
#3 @Sudhanshu Rajbhar shares a greatly detailed article about his findings related to ESI (Edge Side Include) Injection on a private bug bounty program.
#4 Read how @Bergee was able to find multiple critical bugs in Red Bull including auth misconfiguration, LFI, SQLi, etc.
#5 @Matt explains how he responsibly disclosed a vulnerability in Google Smart speakers that could turn them into wiretaps which gets him a bounty of around $100k.
Beginner-friendly -
#1 @John Jackson shares a revamped OSCP guide for beginner hackers to get started in their learning journey.
#2 @Heli9 shares tips for Bug bounty reflected XSS(Cross–site scripting) exploitation for beginners.
🧵6 Trending Threads (4 + 2 beginner-friendly)
#1 ChatGPT can be used for offensive security, beautifully explained by @sec_r0.
#2 Preparing for a cyber security interview? Read this thread by @Maik Ro on how to rock your cyber interviews.
#3 @sec_r0 shares a list of all the Free training /courses /blogs /forums that may help boost your security skills or can get you started quickly.
#4 @Cristi shares 6 reasons to ditch your third-party password manager and avoid data breaches like LastPass.
Beginner-friendly -
#1 @Cristi enlists 5 methods to bypass authentication as explained in AnonYogi’s video.
#2 @Harsh Bothra shares an interview thread of his Security Stories series where he interviewed @Ahmet GÜREL.
📽️ 5 Insightful Videos (3 + 2 beginner-friendly)
#1 @LiveOverflow uses joern — a platform for analyzing source code, bytecode, and binary executables to find GraphQL authorization issues.
#2 Learn how a Local File Inclusion (LFI) can be turned into Remote Code Execution (RCE) using a weird PHP Filter by @0xTib3rius.
#3 @ProgrammerSmart walks us through on how to steal all the funds from a contract using a class of bug called re-entrancy.
Beginner-friendly -
#1 @_JohnHammond shows us a cool trick to bypass file upload restrictions through one of the NahamconEU CTF challenges.
#2 @Hackersploit explains the process of how to use ChatGPT for Cybersecurity.
⚒️ 2 GitHub repositories & Tools
#1 Coinspect Security has created a collection of Foundry tests that includes attacks, bug bounty claims, and potential vulnerabilities on EVM chains.
#2 Immunefi's collaborative repository aims to provide all of the material you need to begin or expand your understanding of online security.
💰1 Job Alert
#1 Acme Services is looking for someone with experience in Vulnerability Assessment and Penetration Testing (VAPT). Check out the details here.
💸Advertise with us💸
We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world.
If you'd like to advertise to our 27k+ community of cybersecurity enthusiasts, click here to partner with us.
—----------------------------------------------------------------------------------
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
Editorial team,
Infosec Writeups
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Vinay Kumar, Ayush Singh, Hardik Singh, and Siddharth.
Newsletter formatting by: Hardik Singh and Siddharth.