👩‍💻IW Weekly #49: $10000 RCE, Gitpod 0 Day, SQL Injection, Authentication Bypass, API Fuzzing, Payment Bypass, IDOR, Broken Access Control and much more…
Welcome to the #IWWeekly49 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @Kullai12's article details how an account takeover can be carried out without any interaction, solely by having access to someone's email ID.
- @Lev Shmelev received a $10,000 bounty for discovering and exposing a .git vulnerability that allowed remote code execution (RCE).
- @snyksec writes about a 0-day vulnerability in Gitpod that allows for remote code execution via WebSockets.
- @Mayank Gandhi reveals a bug-bounty report where an attacker can take over any account due to misconfiguration of Invite Members.
- @wikidev discusses the dangers of authentication bypass and SQL injection attacks.
🧵4 Trending Threads
- @HackenProof discusses ways to bypass 403 and 401 access restrictions in this informative Twitter thread.
- Discover the top 10 free labs to sharpen your web security skills with @beginnbounty's insightful Twitter thread.
- @silentgh00st shares their successful experience discovering multiple Payment Bypass vulnerabilities on a single target.
- @Jhaddix: Code and security literacy are superpowers for hackers and developers in mitigating vulnerabilities. Check out his thread for tips.
📽️ 3 Insightful Videos
- @NahamSec shares valuable insights on how to navigate the complex world of bug bounty hunting, including tips on where and how to get started.
- In this video, @_JohnHammond shares his experience of attempting the HackTheBox Certified Pentester Exam.
- @thecybermentor provides an introductory guide to fuzzing APIs for hacking purposes in this informative video.
⚒️ 2 GitHub repositories & Tools
- Check out @rs_loves_bugs' fork of XSSHunter - a working and easy to install version of the original repository that fixes deployment issues.
- “DigitalOcean Droplet Proxy for Burp Suite” by @honoki is a plugin that sets up a SOCKS5 proxy on a DigitalOcean droplet whenever Burp starts and routes traffic through it.
💰 1 Job Alert
- @cyberwarfarelab is looking for a Red/Blue Team Intern to join their team.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- Check out this blog by @pdiscoveryio for an in-depth look at the key reconnaissance techniques used for penetration testing and bug bounty hunting.
- Learn how to set up Frida and Objection on an iOS device for mobile pentesting by @mk2011sharma.
- Find out how a simple IDOR impacted the data of thousands of customers of an Indian automotive giant, as exploited by @kushjain0107.
🧵 2 Trending Threads
- @harshbothra_ talks with @Dinosn, an OG hacker from Switzerland, about his learning process and continuous education in cybersecurity.
- A detailed guide to IDOR condensed to a thread by @PadhiyarRushi.
📽️ 1 Insightful Video
- @rana__khalil walks us through PortSwigger’s broken access control lab, demonstrating that URL-based access control can be circumvented.
![](https://weekly.infosecwriteups.com/content/images/2023/03/image.png)
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Ayush Singh, Manan.
Newsletter formatting by: Manan, Rushi Padhiyar, Hardik Singh and Nithin R.
Lots of love
Editorial team,
Infosec Writeups