👩‍💻IW Weekly #43: $27200 bounty from Facebook, API Misconfigurations, E2E encryption bypass, AzureAd tenant takeover, Billion dollar vulnerability and much more…

Bypass CloudTrail logging for undetected reconnaissance by @Frichette_n

Welcome to the #IWWeekly43 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

1. @Frichette_n and team discovered a way to bypass CloudTrail logging, allowing undetected reconnaissance activities in IAM service.
   
2. @IsrewyMohand methodology for finding Error Log File(P4) to Company Account Takeover(P1) and Unauthorized actions on API on his latest target.
   
3. @0xw2w discovers a devastating account takeover technique using brute force to bypass weak password recovery protections.
   
4. @JerryShah33 explains how he managed to access all the user information of any user via API Misconfiguration on Swagger-UI.
   
5. @Melotover demonstrates how to bypass E2E encryption by analyzing an obfuscated javascript file, uncovering multiple high vulnerabilities.

🧵4 Trending Threads

1. Learn the step-by-step process of hacking a web application from 0 to RCE with @thehackerish as your guide.
   
2. Expert mobile penetration testing tips by @KishorSec in this curated collection of high-quality blog posts, brought to you by thread author @cyph3r_asr
   
3. Discover the shocking consequences of a web-app assessment as @Emiliensocchi details a complete AzureAd tenant takeover in this thread.
   
4. @0xblackbird presents a comprehensive discussion on Insecure Direct Object References (IDORs) in this mega-thread.

📽️ 3 Insightful Videos

1. @NahamSec investigates the effectiveness of subdomain bruteforcing in this informative video.
   
2. @NahamSec dives into the billion dollar vulnerability causing a major fork in the Ethereum chain in this well analyzed video.
   
3. Learn how to identify IDORs with code reviews, presented by @Farah_Hawaa

⚒️ 2 GitHub repositories & Tools

1. Optimize your workflow with pdtm - an open-source tool manager for ProjectDiscovery projects by @pdiscoveryio.
   
2. Explore the latest version (v0.0.3) of Katana, a web scraping and automation tool developed by the @pdiscoveryio team.

💰1 Job Alert

1. @SecureLayer7 has a remote opening for a senior security consultant in India.

📝 3 Infosec Articles

1. The ever famous blind XSS tool xsshunter.com is being deprecated on February 1st 2023, learn how to setup your own instance for blind XSS testing by @AdamJSturge
   
2. Ever found exposed credentials on Github? @IsrewyMohand gives some tips on how to go about reporting leaked credentials.
   
3. An interesting two-factor authentication bypass on Meta (Facebook) which bagged @Gtm0x01 a bounty of $27200.

🧵 2 Trending Threads

1. @bytes032 shares a list of CTFs one could do to improve their smart contract hacking skills.
   
2. @0xManan writes a thread on a list of CTFs that would help improve one’s cybersecurity skills.

📽️ 1 Insightful Video

1. @NahamSec demonstrates on how to go about doing NS subdomain takeovers.

Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.

Check it out here: https://caido.io/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Manikesh singh, Ayush Singh, Hardik Singh, Bimal Kumar Sahoo and Manan.

Newsletter formatting by: Ayush Singh, Hardik Singh, Manan and Nithin R.

Lots of love
Editorial team,
Infosec Writeups