👩‍💻IW Weekly #47: SSRF to Infrastructure Access, HubSpot Full Account Takeover, RCE to S3 Leak, SQL Injections, Stored XSS, Broken Access Control and many more…

Breaking Boundaries: @basu_banakar uncovers an SSRF vulnerability that provided access to the complete infrastructure and web services.

Welcome to the #IWWeekly47 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @basu_banakar discovers an SSRF vulnerability that enables access to the entire infrastructure and web services.
  2. @OmarHashem666 exposes the risks of a HubSpot Full Account Takeover in his latest article.
  3. Beanstalk Logic Error Bugfix Review: Keeping Crypto Vulnerabilities at Bay! - @immunefi
  4. @win3zz takes us through the alarming journey of how a Facebook bug led to code execution and eventually to a data leak on S3.
  5. @mateocesa2 explains an attack vector discovered during an audit that could be exploited in a message-passing cross-chain scenario.

🧵 4 Infosec Threads

  1. @imranparray101 shares the story of executing custom database scripts from an unauthorized role, a privilege escalation that earned a $10,000 bounty.
  2. This thread features a story-style Q&A session with Mrityunjoy Biswas (@mitunjoy11), written by @harshbothra_.
  3. @nav1n0x shares their methodology for finding SQL injections and encourages readers to develop their own approach.
  4. @imranparray101 shares their experience of discovering a stored XSS vulnerability that led to a full organization takeover.

📽️ 3 Insightful Videos

  1. @DhiyaneshDK guides viewers through creating their first Nuclei template in this informative video.
  2. @_JohnHammond demonstrates how hackers can bypass security defenses, highlighting the importance of strong security measures to prevent cyber attacks.
  3. @LiveOverflow provides a comprehensive explanation of VPNs, proxies, and secure tunnels in this deep dive video.

⚒️ 2 GitHub repositories & Tools

  1. @Six2dez1 announces the release of reconFTW v2.5.2 "conference season", a powerful reconnaissance tool for bug bounty hunters and penetration testers.
  2. @pry0cc's Not-Axiom is a handy self-management tool for *nix systems, designed to facilitate easy administration via SSH.

💰 1 Job Alert

  1. @Qualysec is hiring enthusiastic candidates with an interest in penetration testing and cybersecurity, offering internships and full-time roles even to those with little prior knowledge or experience.

Beginner’s Corner

📝 3 Infosec Articles

  1. Ever been intimidated by topics like prototype pollution? Get started with server-side prototype pollution by reading this article by @yeswehack.
  2. Expanding your set of attack vectors while bug hunting or pentesting always gives you an upper hand. Learn about LDAP injection from this article written by @harshbothra_ and published by @cobalt_io.
  3. Learn more about katana, a web crawling tool by @pdiscoveryio.

🧵 2 Infosec Threads

  1. Different ways to find IDORs, all condensed into one thread by @0day_exploit_.
  2. Broken Access Control holds the number 1 spot on the latest OWASP Top 10 list. Learn more about it from this thread by @PadhiyarRush.

📽️ 1 Insightful Video

  1. It’s a great time to get started with smart contract security given the increasing popularity of blockchain technology. Watch @cyberboyIndia’s talk on getting started with smart contract security.


That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Ayush Singh, Hardik Singh, and Manan.

Newsletter formatting by: Ayush Singh, Manan, Hardik Singh, Siddharth and Nithin R.

Lots of love
Editorial team,
Infosec Writeups