👩💻IW Weekly #41: VueJS XSS, Critical Car-Vulnerabilities, $1000 IAP Proxy Misconfiguration in Google Cloud, Prototype Pollution Attacks, GraphQL Pentesting and much more…
Read how @samwcyo and team were able to hack the giants in automotive industry
Hey 👋
Welcome to the #IWWeekly41 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- From being able to honk multiple scooters at the same time to finding critical vulnerabilities affecting the giants in automotive industry, check out how @samwcyo and team worked to achieve this magnificent task.
- @sid0krypt explains how he was able to get reflected XSS on a VueJS application.
- @LogicalHunter published an excellent article on his $1000 Identity-Aware Proxy misconfiguration vulnerability in Google Cloud.
- @RahulKankrale describes how he was able to turn off message requests for any user in Instagram.
- @harshbothra_ has yet again written a fabulous pentester guide, this time on prototype pollution attacks.
🧵4 Trending Threads
- @maikroservice has crafted a neat twitter thread on how to start purple teaming.
- @hacker_ talks about his story on performing social engineering legally to get AWS console access.
- SSRF bugs are always interesting. Find out what @CristiVlad25 learnt by reading Raymond Lind’s recent article on “SSRF Bug Leads To AWS Metadata Exposure”.
- Checkout how @DhiyaneshDK was able to exploit S3 buckets on Akamai using his Nuclei template.
📽️ 3 Insightful Videos
- Analyzing ClipboardEvent Listeners for XSS, a NahamCon2022EU talk by @spaceraccoonsec.
- @trufflesec shared an interesting attack vector to bypass firewalls using misconfigured CORS on internal applications and typo-squatting.
- @HackerSploit teaches us how to maintain persistence after the initial foothold using SSH Keys, Web Shells & Cron Jobs.
⚒️ 2 GitHub repositories & Tools
- Latest version of nuclei with some fixes and new features, by @pdiscoveryio.
- An info-rich repository by @immunefi that contains all the resources you need to start or expand your knowledge in web3 security.
💰1 Job Alert
- RedHunt Labs have a vacant full-time remote job opening for a Security Researcher.
📝 3 Infosec Articles
- @cyph3r_asr published the second part of GraphQL pentesting for dummies.
- @ADITYASHENDE17 talks about his approach to find time-based SQLi.
- Find out what @yaseenzubair has to say about his $200 Web-Cache Poisoning vulnerability.
🧵 2 Trending Threads
- @0xManan has shared a list of amazing one-liner recons.
- @thecybertix has tweeted a couple of web paths you can bruteforce to find sensitive information.
📽️ 1 Insightful Video
- @HackerSploit goes over the different ways ChatGPT can be utilized by beginners as well as working security professionals.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Tuhin Bose, Ayush Singh, Hardik Singh, and Siddharth.
Newsletter formatting by: Hardik Singh, Siddharth and Nithin R.
Lots of love
Editorial team,
Infosec Writeups