👩‍💻IW Weekly #48: Slack Vulnerability, DOM-XSS on Microsoft, SQL+RCE on University Website, Hacking AWS Cloud, XSS on Google and many more…
@gregxsunday identified an XSS vulnerability in Google's golang/net/html library and was rewarded $3,133.70 as a bounty for his first submission to Google.
Welcome to the #IWWeekly48 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @siratsami71 reveals a Slack vulnerability worth $1500 that allows bypassing the invite accept process.
- @Supakiad_Mee shares their experience of discovering and reporting a DOM-Based XSS vulnerability on Microsoft MSRC and the subsequent fix.
- Ali Imani demonstrates the danger of SQL injection and remote code execution by obtaining a shell on his university website.
- @parkerzanta explains the unethical and illegal methods of taking over another user's subdomain name worth $$$$.
- Discover how @SirBagoza utilized JS file inspection and fuzzing techniques to perform administrative and support tasks with ease.
🧵4 Trending Threads
- @maikroservice shares a comprehensive guide on how to begin hacking AWS Cloud.
- @lorenzoromani shares insights on uncovering the actual IP address of a website hidden behind Cloudflare's proxy service.
- Unlock the secrets of XSS - Cross Site Scripting with @PadhiyarRushi's detailed guide for a comprehensive understanding.
- @silentgh00st shares their experience of using a leaked Jira authentication token to SSH into a server in this informative Twitter thread.
📽️ 3 Insightful Videos
- @gregxsunday uncovers a vulnerability in Google's golang/net/html library resulting in an XSS and receives a bounty of $3,133.70 for his first submission to Google.
- @ctbbpodcast reveals critical bugs and discusses CSS injection and PostMessage techniques in this informative episode of Critical Thinking - Bug Bounty Podcast.
- @rana__khalil covers Lab #5 in the Access Control Vulnerabilities module of the Web Security Academy in this informative video.
⚒️ 2 GitHub repositories & Tools
- @xnl_h4ck3r's URL de-cluttering tool based on Somdev Sangwan's uro comes with newly added features such as GUID handling and more customization options.
- @pdiscoveryio's Subfinder has new features, bug fixes, and improvements contributed by users, including a new source, updated dependencies, fixed failing cases, improved queries, statistics, and agent enumeration methods.
💰 1 Job Alert
- @CLOUDSUFI is hiring for a full-time Cloud Security Engineer position in Noida, Uttar Pradesh, India, with mid-senior level experience required.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- Get started with hacking using this step-by-step guide by @hackthebox_eu.
- With recent updates, ChatGPT has been limited in what tasks it can do. Read @rez0__’s blog on ideal tasks and use-cases for ChatGPT during hacking.
- GraphQL has inherent issues with authorization; read about hacking GraphQL using the suggestions feature, by @3nc0d3dGuY.
🧵 2 Trending Threads
- Different ChatGPT prompts useful for bug bounty by @TakSec.
- @harshbothra_ interviews @zombie007o, the research lead at CredShields, as a part of the SecurityStories series.
📽️ 1 Insightful Video
- @NahamSec talks about the only three fundamental tools required for bug bounty.
![](https://weekly.infosecwriteups.com/content/images/2023/02/image-2.png)
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Tuhin Bose, Ayush Singh and Manan.
Newsletter formatting by: Manan, Rushi Padhiyar, Hardik Singh and Nithin R.
Lots of love
Editorial team,
Infosec Writeups