👩💻IW Weekly #48: Slack Vulnerability, DOM-XSS on Microsoft, SQL+RCE on University Website, Hacking AWS Cloud, XSS on Google and many more…
@gregxsunday identified an XSS vulnerability in Google's golang/net/html library and was rewarded $3,133.70 as a bounty for his first submission to Google.
Welcome to the #IWWeekly48 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @siratsami71 reveals a slack vulnerability worth $1500 that allows bypassing the invite accept process.
- @Supakiad_Mee shares their experience of discovering and reporting a DOM-Based XSS vulnerability on Microsoft MSRC and the subsequent fix.
- Ali Imani demonstrates the danger of SQL injection and remote code execution by obtaining a shell on his university website.
- @parkerzanta explains the unethical and illegal methods of taking over another user's subdomain name worth $$$$.
- Discover how @SirBagoza utilized JS file inspection and fuzzing techniques to perform administrative and support tasks with ease.
🧵4 Trending Threads
- @maikroservice shares a comprehensive guide on how to begin hacking AWS Cloud.
- @lorenzoromani shares insights on uncovering the actual IP address of a website hidden behind Cloudflare's proxy service.
- Unlock the secrets of XSS - Cross Site Scripting with @PadhiyarRushi's detailed guide for a comprehensive understanding.
- @silentgh00st shares their experience of using a leaked Jira authentication token to SSH into a server in this informative Twitter thread.
📽️ 3 Insightful Videos
- @gregxsunday uncovers a vulnerability in Google's golang/net/html library resulting in an XSS and receives a bounty of $3,133.70 for his first submission to Google.
- @ctbbpodcast reveals critical bugs and discusses CSS injection and PostMessage techniques in this informative episode of Critical Thinking - Bug Bounty Podcast.
- @rana__khalil covers Lab #5 in the Access Control Vulnerabilities module of the Web Security Academy in this informative video.
⚒️ 2 GitHub repositories & Tools
- @xnl_h4ck3r's URL de-cluttering tool based on Somdev Sangwan's uro comes with newly added features such as GUID handling and more customization options.
- @pdiscoveryio's Subfinder has new features, bug fixes, and improvements contributed by users, including a new source, updated dependencies, fixed failing cases, improved queries, statistics, and agent enumeration methods.
💰1 Job Alert
- @CLOUDSUFI is hiring for a full-time Cloud Security Engineer position in Noida, Uttar Pradesh, India, with mid-senior level experience required.
📝 3 Infosec Articles
- Get started with hacking using this step-by-step guide by @hackthebox_eu.
- With recent updates ChatGPT has been limited to what tasks it can do. Read @rez0__’s blog on ideal tasks and use-cases for ChatGPT during hacking.
- GraphQL has inherent issues with authorization, read about hacking GraphQL using the suggestions feature, by @3nc0d3dGuY
🧵 2 Trending Threads
- Different ChatGPT prompts useful for bug bounty by @TakSec.
- @harshbothra_ interviews @zombie007o, the research lead at CredShields, as a part of the SecurityStories series.
📽️ 1 Insightful Video
- @NahamSec talks about the only three fundamental tools required for bug bounty.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Tuhin Bose, Ayush Singh and Manan.
Newsletter formatting by: Manan, Rushi Padhiyar, Hardik Singh and Nithin R.
Lots of love