👩‍💻IW Weekly #48: Slack Vulnerability, DOM-XSS on Microsoft, SQL+RCE on University Website, Hacking AWS Cloud, XSS on Google and many more…

@gregxsunday identified an XSS vulnerability in Google's golang/net/html library and was rewarded $3,133.70 as a bounty for his first submission to Google.

Welcome to the #IWWeekly48 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @siratsami71 reveals a Slack vulnerability worth $1500 that allows bypassing the invite accept process.
  2. @Supakiad_Mee shares their experience of discovering and reporting a DOM-Based XSS vulnerability on Microsoft MSRC and the subsequent fix.
  3. Ali Imani demonstrates the danger of SQL injection and remote code execution by obtaining a shell on his university website.
  4. @parkerzanta explains the unethical and illegal methods of taking over another user's subdomain name worth $$$$.
  5. Discover how @SirBagoza utilized JS file inspection and fuzzing techniques to perform administrative and support tasks with ease.

🧵 4 Threads

  1. @maikroservice shares a comprehensive guide on how to begin hacking AWS Cloud.
  2. @lorenzoromani shares insights on uncovering the actual IP address of a website hidden behind Cloudflare's proxy service.
  3. Unlock the secrets of XSS - Cross Site Scripting with @PadhiyarRushi's detailed guide for a comprehensive understanding.
  4. @silentgh00st shares their experience of using a leaked Jira authentication token to SSH into a server in this informative Twitter thread.

📽️ 3 Insightful Videos

  1. @gregxsunday uncovers a vulnerability in Google's golang/net/html library resulting in an XSS and receives a bounty of $3,133.70 for his first submission to Google.
  2. @ctbbpodcast reveals critical bugs and discusses CSS injection and PostMessage techniques in this informative episode of Critical Thinking - Bug Bounty Podcast.
  3. @rana__khalil covers Lab #5 in the Access Control Vulnerabilities module of the Web Security Academy in this informative video.

⚒️ 2 GitHub repositories & Tools

  1. @xnl_h4ck3r's URL de-cluttering tool based on Somdev Sangwan's uro comes with newly added features such as GUID handling and more customization options.
  2. @pdiscoveryio's Subfinder has new features, bug fixes, and improvements contributed by users, including a new source, updated dependencies, fixed failing cases, improved queries, statistics, and agent enumeration methods.

💰 1 Job Alert

  1. @CLOUDSUFI is hiring for a full-time Cloud Security Engineer position in Noida, Uttar Pradesh, India, with mid-senior level experience required.

📝 3 Infosec Articles

  1. Get started with hacking using this step-by-step guide by @hackthebox_eu.
  2. With recent updates, ChatGPT has been limited in what tasks it can do. Read @rez0__’s blog on ideal tasks and use-cases for ChatGPT during hacking.
  3. GraphQL has inherent issues with authorization. Read about hacking GraphQL using the suggestions feature, by @3nc0d3dGuY.
  1. Different ChatGPT prompts useful for bug bounty by @TakSec.
  2. @harshbothra_ interviews @zombie007o, the research lead at CredShields, as a part of the SecurityStories series.

📽️ 1 Insightful Video

  1. @NahamSec talks about the only three fundamental tools required for bug bounty.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Tuhin Bose, Ayush Singh and Manan.

Newsletter formatting by: Manan, Rushi Padhiyar, Hardik Singh and Nithin R.

Lots of love
Editorial team,
Infosec Writeups
