👩‍💻IW Weekly #45: RCE in Avaya Aura Device Services, Bypass Sign-Up Pages, JWT Hacking, Broken Access Control, CSRF Explained and much more…


Read how @iamnoooob and @rootxharsh discovered a remote source code disclosure in PHP Development Server <= 7.4.21

Welcome to the #IWWeekly41 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. PHP Development Server <= 7.4.21 Remote Source Disclosure. Learn how @iamnoooob and @rootxharsh discovered this vulnerability and the potential consequences of source code exposure.
  2. Read how @kn1ght_yagami uncovered a medium-impact bug where the personal account ID of a Facebook page admin can be leaked through Instant Games.
  3. Ensure the security of your crypto transactions. Follow this guide by @buketgencaydin and take the necessary steps to protect your transactions from potential threats.
  4. Learn from @khaledyasse1882 the different techniques to bypass employee sign-up pages and gain access to restricted sites.
  5. Explore the RCE Vulnerability in Avaya Aura Device Services with @assetnote, demonstrating potential vulnerabilities in WebDAV.

🧵 4 Infosec Threads

  1. @Jhaddix has written a detailed thread on quick recon with great coverage.
  2. @intigriti have shared wonderful resources to master hacking JWT tokens.
  3. SSRFs are always interesting. Check out what @CristiVlad25 has to say about exploiting SSRFs via PDF.
  4. @naglinagli shares an easy alternative to host a redirection machine for whitelisting bypass scenarios.

📽️ 3 Insightful Videos

  1. @rana__khalil has uploaded another detailed video tutorial. This time, she explains Broken Access Control.
  2. @intigriti have released a video on setting up and using Caido.
  3. @0xacb talks on “Fuzzing the Web for Mysterious Bugs” at NahamCon2022EU.

⚒️ 2 GitHub repositories & Tools

  1. Explore FFuf v2.0 by @joohoi and unleash the full potential of this tool.
  2. Echidna is a Haskell program designed for fuzzing/property-based testing of Ethereum smart contracts by @trailofbits.

💰1 Job Alert

  1. @Securityb0at is hiring people with 1+ YOE for multiple positions.

🔰 Beginner’s Corner

📝 3 Infosec Articles

  1. Read how @Jhaddix hacked a whole country by accident!
  2. A step-by-step guide to getting started with web3 and smart contract hacking in 2023 by @BgxDoc.
  3. Web cache poisoning is an often overlooked bug class because it is complex to understand and exploit; @harshbothra_ goes into detail on how to identify and exploit it.

🧵 2 Infosec Threads

  1. @NinadMishra5 talks about @zseano’s methodology, which helped him get started with bug bounty.
  2. Learn everything about CSRF condensed to a thread by @0xblackbird.

📽️ 1 Insightful Video

  1. Learn how to find and exploit NoSQL injections by @TCMSecurity.

🎁 Latest from team InfoSecWriteups

House of Hackers (HoH) is the one-stop forum for InfoSec. Ask each other questions on various topics, and find resources, talks and other interesting information at houseofhackers.xyz.

Also on HoH:

  • IWCON slides of our awesome speakers
  • AMA with Harsh Bothra
  • IWCON Video Recordings (Coming Soon)

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Tuhin Bose, Manan, Alvin and Nithin R.

Newsletter formatting by: Ayush Singh, Hardik Singh, Siddharth and Nithin R.

Lots of love
Editorial team,
Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
