👩‍💻IW Weekly #47: SSRF to Infrastructure Access, HubSpot Full Account Takeover, RCE to S3 Leak, SQL Injections, Stored XSS, Broken Access Control and many more…
Breaking Boundaries: @basu_banakar uncovers an SSRF vulnerability providing access to the complete infrastructure and web services.
Welcome to the #IWWeekly47 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @basu_banakar discovers an SSRF vulnerability that enables access to the entire infrastructure and web services.
- @OmarHashem666 exposes the risks of a HubSpot Full Account Takeover in his latest article.
- Beanstalk Logic Error Bugfix Review: Keeping Crypto Vulnerabilities at Bay! - @immunefi
- @win3zz takes us through the alarming journey of how a Facebook bug led to code execution and eventually resulted in a data leak on S3.
- @mateocesa2 explains an attack vector discovered during an audit that could be exploited in a message-passing cross-chain scenario.
🧵4 Trending Threads
- @imranparray101 shares a story about executing custom database scripts from an unauthorized role, offering a $10,000 bounty for a privilege escalation exploit.
- This thread features a story-style Q&A session with Mrityunjoy Biswas (@mitunjoy11), written by @harshbothra_.
- @nav1n0x shares their methodology for finding SQL injections, encouraging others to create their own unique approach.
- @imranparray101 shares their experience of discovering a Stored XSS vulnerability that led to a full organizational takeover.
📽️ 3 Insightful Videos
- @DhiyaneshDK guides viewers through creating their first Nuclei template in this informative video.
- @_JohnHammond demonstrates how hackers can bypass security defenses, highlighting the importance of strong security measures to prevent cyber attacks.
- @LiveOverflow provides a comprehensive explanation of VPNs, proxies, and secure tunnels in this deep dive video.
⚒️ 2 GitHub repositories & Tools
- @Six2dez1 announces the release of reconFTW v2.5.2 "conference season", a powerful reconnaissance tool for bug bounty hunters and penetration testers.
- @pry0cc's Not-Axiom is a handy self-management tool for *nix systems, designed to facilitate easy administration via SSH.
💰 1 Job Alert
- @Qualysec is hiring enthusiastic candidates with an interest in penetration testing and cybersecurity, offering internships and full-time job opportunities for those with little knowledge or experience.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- Ever been intimidated by topics like prototype pollution? Get started with server side prototype pollution by reading this article by @yeswehack.
- Expanding your attack vectors while bug hunting or pentesting always gives you an upper hand. Learn about LDAP injection from this article written by @harshbothra_ and published by @cobalt_io.
- Learn more about katana, a web crawling tool, by @pdiscoveryio.
🧵 2 Trending Threads
- Different ways to find IDORs all condensed to one thread by @0day_exploit_.
- Broken access control stands at the number 1 position on the latest OWASP Top 10 list. Learn more about it from this thread by @PadhiyarRush.
📽️ 1 Insightful Video
- It’s a great time to get started with smart contract security given the increasing popularity of blockchain technology. Watch @cyberboyIndia’s talk on getting started with smart contract security.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Ayush Singh, Hardik Singh, and Manan.
Newsletter formatting by: Ayush Singh, Manan, Hardik Singh, Siddharth and Nithin R.
Lots of love
Editorial team,
Infosec Writeups