👩💻IW Weekly #45: RCE in Avaya Aura Device Services, Bypass Sign-Up Pages, JWT Hacking, Broken Access Control, CSRF Explained and much more…
Read how @iamnoooob and @rootxharsh discovered a remote source code disclosure in PHP Development Server <= 7.4.21
Welcome to the #IWWeekly41 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- PHP Development Server <= 7.4.21 Remote Source Disclosure. Learn how @iamnoooob and @rootxharsh discovered this vulnerability and the potential consequences of source code exposure.
- Read how @kn1ght_yagami uncovered a medium-impact bug where the personal account ID of a Facebook page admin can be leaked through Instant Games.
- Ensure the security of your crypto transactions. Follow this guide by @buketgencaydin and take the necessary steps to protect your transactions from potential threats.
- Learn from @khaledyasse1882 the different techniques to bypass employee sign-up pages and gain access to restricted sites.
- Explore the RCE Vulnerability in Avaya Aura Device Services with @assetnote, demonstrating potential vulnerabilities in WebDAV.
🧵4 Trending Threads
- @Jhaddix has written a detailed thread on quick recon with great coverage.
- @intigriti have shared wonderful resources to master hacking JWT tokens.
- SSRFs are always interesting. Check out what @CristiVlad25 has to say about exploiting SSRFs via PDF.
- @naglinagli shares an easy alternative to host a redirection machine for whitelisting bypass scenarios.
📽️ 3 Insightful Videos
- @rana__khalil has uploaded another detailed video tutorial. This time, she explains Broken Access Control.
- @intigriti have released a video on setting up and using Caido.
- @0xacb talks on “Fuzzing the Web for Mysterious Bugs” at NahamCon2022EU.
⚒️ 2 GitHub repositories & Tools
- Explore FFuf v2.0 by @joohoi and unleash the full potential of this tool.
- Echidna is a Haskell program designed for fuzzing/property-based testing of Ethereum smart contracts by @trailofbits.
💰1 Job Alert
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- Read how @Jhaddix hacked a whole country by accident!
- A step by step guide to getting started with web3 and smart contract hacking in 2023 by @BgxDoc.
- Web cache poisoning is an often overlooked bug class because it is complex to understand and exploit. @harshbothra_ goes into detail on how to identify and exploit it.
🧵 2 Trending Threads
- @NinadMishra5 talks about @zseano’s methodology, which helped him get started with bug bounty.
- Learn everything about CSRF condensed to a thread by @0xblackbird.
📽️ 1 Insightful Video
🎁 Latest from team InfoSecWriteups
House of Hackers (HoH) is the one-stop forum for InfoSec. Ask questions to each other on various topics, find resources, talks and other interesting information at houseofhackers.xyz.
Also on HoH:
- IWCON slides of our awesome speakers
- AMA with Harsh Bothra
- IWCON Video Recordings (Coming Soon)
![](https://weekly.infosecwriteups.com/content/images/2023/02/image.png)
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Tuhin Bose, Manan, Alvin and Nithin R.
Newsletter formatting by: Ayush Singh, Hardik Singh, Siddharth and Nithin R.
Lots of love
Editorial team,
Infosec Writeups