👩‍💻IW Weekly #44: Google Cloud BI Hack, 0xbaDc0dE MEV Bot Hack, CSS Injection, Car Company Hack, Hacking Military System, DOM XSS in jQuery Selector Sink and much more…
Uncover the captivating tale of @GodfatherOrwa's Google Cloud BI hack and the critical bug discovery, in this must-read blog post.
Welcome to the #IWWeekly44 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community đź’ť
Excited? Let’s jump in 👇
đź“ť 5 Infosec Articles
- Discover the incredible story of how @GodfatherOrwa hacked Google Cloud BI and uncovered a critical bug, in this insightful blog post.
- Dive into the intricate details of the 0xbaDc0dE MEV Bot hack with expert analysis by @realgmhacker.
- Streamline your GitHub CI/CD pipelines with Nuclei, as demonstrated by @pdiscoveryio and @harshbothra_.
- Unlock the full potential of CSS injection as a key to accessing internal APIs with @SanderWind's in-depth blog post.
- Explore the technique of masking DLL loads from ETWTI Stack Tracing with @NinjaParanoid's.
🧵4 Trending Threads
- Get a glimpse into the hacking experience of @hacker_ as they reveal their successful infiltration into a car company, exposing all customers' personal information
- @Jhaddix shares their workflow for effective JavaScript analysis in security and appsec testing, revealing hidden endpoints and parameters.
- Follow along with @hacker_ as they share their legal hacking experience and method used to access a military information system in this thread.
- @Jhaddix shares lessons learned from legally hacking into several prisons in a Twitter thread for security testers and cyber security professionals.
📽️ 3 Insightful Videos
- Insights into pentesting, smart contract audits, and bug bounties by @NahamSec and @cyberboyindia in a YouTube video.
- Learn about the security risks of DOM XSS in jQuery Selector Sink using a Hashchange Event, presented by @intigriti in this educational video.
- Exploit Server-Side Request Forgery (SSRF) vulnerabilities with @TCMSecurity.
⚒️ 2 GitHub repositories & Tools
- Optimize your workflow with pdtm - an open-source tool manager for ProjectDiscovery projects by @pdiscoveryio.
- Explore the latest version (v0.0.3) of Katana, a web scraping and automation tool developed by the @pdiscoveryio team.
đź’°1 Job Alert
- @aroraabhi is looking for a smart and innovative engineer, ready to take on challenges and think outside the box at CloudDefense.ai.
đź“ť 3 Infosec Articles
- @Supakiad_Mee writes about the reflected XSS they found on Microsoft forms which bagged them a bounty of $3000.
- @sl4x0 shows the importance of fuzzing parameters which lead them to discovering a reflected XSS.
- @rootxharsh from the @pdiscoveryio team goes into deep analysis of how a remote source code disclosure was fixed in later releases of PHP.
🧵 2 Trending Threads
- @chrisdior777 lists down the resources to get started with Web3 security.
- Different ways of incorporating authentication on APIs by @Aktodotio.
📽️ 1 Insightful Video
- Watch @rana__khalil’s video on Broken Access Control.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Bimal Kumar Sahoo, Manan, Steiner and Nithin R.
Newsletter formatting by: Manan, Hardik Singh, Siddharth and Nithin R.
Lots of love
Editorial team,
Infosec Writeups