👩💻IW Weekly #41: VueJS XSS, Critical Car-Vulnerabilities, $1000 IAP Proxy Misconfiguration in Google Cloud, Prototype Pollution Attacks, GraphQL Pentesting and much more…
Read how @samwcyo and team were able to hack the giants in automotive industry
Hey 👋
Welcome to the #IWWeekly41 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, and 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- From being able to honk multiple scooters at the same time to finding critical vulnerabilities affecting the giants of the automotive industry, check out how @samwcyo and team worked to achieve this magnificent task.
- @sid0krypt explains how he was able to get reflected XSS on a VueJS application.
- @LogicalHunter published an excellent article on his $1000 Identity-Aware Proxy misconfiguration vulnerability in Google Cloud.
- @RahulKankrale describes how he was able to turn off message requests for any user on Instagram.
- @harshbothra_ has yet again written a fabulous pentester guide, this time on prototype pollution attacks.
🧵4 Trending Threads
- @maikroservice has crafted a neat Twitter thread on how to start purple teaming.
- @hacker_ tells the story of how he performed social engineering, legally, to get AWS console access.
- SSRF bugs are always interesting. Find out what @CristiVlad25 learnt by reading Raymond Lind’s recent article on “SSRF Bug Leads To AWS Metadata Exposure”.
- Check out how @DhiyaneshDK was able to exploit S3 buckets on Akamai using his Nuclei template.
📽️ 3 Insightful Videos
- Analyzing ClipboardEvent Listeners for XSS, a NahamCon2022EU talk by @spaceraccoonsec.
- @trufflesec shared an interesting attack vector to bypass firewalls using misconfigured CORS on internal applications and typo-squatting.
- @HackerSploit teaches us how to maintain persistence after the initial foothold using SSH Keys, Web Shells & Cron Jobs.
⚒️ 2 GitHub repositories & Tools
- The latest version of nuclei, with some fixes and new features, by @pdiscoveryio.
- An info-rich repository by @immunefi that contains all the resources you need to start or expand your knowledge in web3 security.
💰1 Job Alert
- RedHunt Labs has a full-time remote job opening for a Security Researcher.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- @cyph3r_asr published the second part of GraphQL pentesting for dummies.
- @ADITYASHENDE17 talks about his approach to finding time-based SQLi.
- Find out what @yaseenzubair has to say about his $200 Web-Cache Poisoning vulnerability.
🧵 2 Trending Threads
- @0xManan has shared a list of amazing one-liner recons.
- @thecybertix has tweeted a couple of web paths you can brute-force to find sensitive information.
📽️ 1 Insightful Video
- @HackerSploit goes over the different ways ChatGPT can be utilized by beginners as well as working security professionals.
That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Tuhin Bose, Ayush Singh, Hardik Singh, and Siddharth.
Newsletter formatting by: Hardik Singh, Siddharth and Nithin R.
Lots of love
Editorial team,
Infosec Writeups