👩💻IW Weekly #49: $10000 RCE, Gitpod 0 Day, SQL Injection, Authentication Bypass, API Fuzzing, Payment Bypass, IDOR, Broken Access Control and much more…
@NahamSec shares valuable insights on how to navigate the complex world of bug bounty hunting, including tips on where and how to get started.
Welcome to the #IWWeekly49 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @Kullai12's article details how an account takeover can be carried out without any interaction, solely by having access to someone's email ID.
- @Lev Shmelev received a $10,000 bounty for discovering and exposing a .git vulnerability that allowed remote code execution (RCE).
- @snyksec writes about a 0-day vulnerability in Gitpod that allows for remote code execution via WebSockets.
- @Mayank Gandhi reveals a bug-bounty report where an attacker can take over any account due to misconfiguration of Invite Members.
- @wikidev discusses the dangers of authentication bypass and SQL injection attacks.
🧵4 Trending Threads
- @HackenProof discusses ways to bypass 403 and 401 vulnerabilities in this informative Twitter thread.
- Discover the top 10 free labs to sharpen your web security skills with @beginnbounty's insightful Twitter thread.
- @silentgh00st shares their successful experience discovering multiple Payment Bypass vulnerabilities on a single target.
- @Jhaddix: Code and security literacy are superpowers for hackers and developers in mitigating vulnerabilities. Check out his thread for tips.
📽️ 3 Insightful Videos
- @NahamSec shares valuable insights on how to navigate the complex world of bug bounty hunting, including tips on where and how to get started.
- In this video, @_JohnHammond shares his experience of attempting the HackTheBox Certified Pentester Exam.
- @thecybermentor provides an introductory guide to fuzzing APIs for hacking purposes, in this informative video.
⚒️ 2 GitHub repositories & Tools
- Check out @rs_loves_bugs' fork of XSSHunter - a working and easy to install version of the original repository that fixes deployment issues.
- “DigitalOcean Droplet Proxy for Burp Suite” by @honoki is a plugin that sets up a SOCKS5 proxy on DigitalOcean droplet whenever Burp starts and routes traffic through it.
💰1 Job Alert
- @cyberwarfarelab is looking for a Red/Blue Team Intern to join their team.
📝 3 Infosec Articles
- Checkout this blog by @pdiscoveryio for an an in-depth look at the key reconnaissance techniques used for penetration testing and bug bounty hunting
- Learn how to set up Frida and Objection on an iOS device for mobile pentesting by @mk2011sharma.
- Find out how a simple IDOR impacted the data of thousands of customers of an Indian automotive giant - as exploited by @kushjain0107
🧵 2 Trending Threads
- @harshbothra_ discusses with @Dinosn - an OG hacker from Switzerland on his learning process and continuous education in cybersecurity.
- A detailed guide to IDOR condensed to a thread by @PadhiyarRushi.
📽️ 1 Insightful Video
- @rana__khalil walks us through portswigger’s broken access control lab demonstrating that URL-based access control can be circumvented.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Ayush Singh, Manan.
Newsletter formatting by: Manan, Rushi Padhiyar, Hardik Singh and Nithin R.
Lots of love