👩‍💻IW Weekly #43: $27200 bounty from Facebook, API Misconfigurations, E2E encryption bypass, AzureAd tenant takeover, Billion dollar vulnerability and much more…
Bypass CloudTrail logging for undetected reconnaissance by @Frichette_n
Welcome to the #IWWeekly43 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @Frichette_n and team discovered a way to bypass CloudTrail logging, allowing undetected reconnaissance activity in the IAM service.
- @IsrewyMohand's methodology for escalating from an exposed error log file (P4) to a company account takeover (P1) and unauthorized actions on an API on his latest target.
- @0xw2w discovers a devastating account takeover technique using brute force to bypass weak password recovery protections.
- @JerryShah33 explains how he managed to access all the user information of any user via API Misconfiguration on Swagger-UI.
- @Melotover demonstrates how to bypass E2E encryption by analyzing an obfuscated JavaScript file, uncovering multiple high-severity vulnerabilities.
🧵4 Trending Threads
- Learn the step-by-step process of hacking a web application from 0 to RCE with @thehackerish as your guide.
- Expert mobile penetration testing tips by @KishorSec in this curated collection of high-quality blog posts, brought to you by thread author @cyph3r_asr.
- Discover the shocking consequences of a web-app assessment as @Emiliensocchi details a complete AzureAd tenant takeover in this thread.
- @0xblackbird presents a comprehensive discussion on Insecure Direct Object References (IDORs) in this mega-thread.
📽️ 3 Insightful Videos
- @NahamSec investigates the effectiveness of subdomain brute-forcing in this informative video.
- @NahamSec dives into the billion-dollar vulnerability that caused a major fork in the Ethereum chain in this well-analyzed video.
- Learn how to identify IDORs through code review, presented by @Farah_Hawaa.
⚒️ 2 GitHub repositories & Tools
- Optimize your workflow with pdtm - an open-source tool manager for ProjectDiscovery projects by @pdiscoveryio.
- Explore the latest version (v0.0.3) of Katana, a web scraping and automation tool developed by the @pdiscoveryio team.
💰 1 Job Alert
- @SecureLayer7 has a remote opening for a senior security consultant in India.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- The ever-famous blind XSS tool xsshunter.com is being deprecated on February 1st 2023; learn how to set up your own instance for blind XSS testing with @AdamJSturge.
- Ever found exposed credentials on GitHub? @IsrewyMohand gives some tips on how to go about reporting leaked credentials.
- An interesting two-factor authentication bypass on Meta (Facebook) which bagged @Gtm0x01 a bounty of $27200.
🧵 2 Trending Threads
- @bytes032 shares a list of CTFs one could do to improve their smart contract hacking skills.
- @0xManan writes a thread on a list of CTFs that would help improve one’s cybersecurity skills.
📽️ 1 Insightful Video
- @NahamSec demonstrates how to perform NS subdomain takeovers.
![](https://weekly.infosecwriteups.com/content/images/2023/01/image.png)
Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
Check it out here: https://caido.io/
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Manikesh singh, Ayush Singh, Hardik Singh, Bimal Kumar Sahoo and Manan.
Newsletter formatting by: Ayush Singh, Hardik Singh, Manan and Nithin R.
Lots of love
Editorial team,
Infosec Writeups