👩‍💻IW Weekly #42: $1M bounty explained, GCP takeover, iOS pentesting, Smart Contract vulnerabilities, API security checklist and much more…
Take a look at how @kl_sree managed to takeover your GCP projects.
Welcome to the #IWWeekly42 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a separate beginner’s corner in this issue.
Read, upskill yourself and spread love to the community đź’ť
Excited? Let’s jump in 👇
đź“ť 5 Infosec Articles
- Checkout how @kl_sree uncovers a SSRF vulnerability in Google Cloud's Vertex AI - giving attackers the key to take over your GCP projects.
- In this article, @realgmhacker analyzes the exploited vulnerability in the Nomad bridge’s Replica contract that led to the $190m hack in 2022.
- Bypass WAFs with ease using @hakluke’s latest tool to discover origin host behind reverse proxy.
- @emil.lerner walks you over through an exploit that achieves code execution in the Redis server via a memory corruption issue.
- @sockpuppets has written an article on identifying coin scammers with wallet-tracker.
🧵4 Trending Threads
- Penetration testing just got real. Join @hetmehtaa on a journey to master the tools, methodologies and attack vectors for each OSI layer!
- Learn the art of iOS penetration testing with the help of @0ctac0der's in-depth and informative thread.
- This thread features a story type Q&A Session with Sumit Grover (@sumgr0) written by @harshbothra_.
- @maikroservice shares his debugging thought process to resolve an issue with a locally hosted and built Angular and TypeScript application, involving FTP directory listings.
📽️ 3 Insightful Videos
- @NahamSec records an adversaries approach to analyzing and potentially exploiting vulnerabilities in smart contracts with security expert @Hackermate_.
- @gregxsunday discusses on the $1 Million bounty in Aurora blockchain for no input sanitization bug with lead offensive security engineer Michal Bajor.
- @HusseiN98D’s shares his approach to wide scoped bug bounty programs at NahamCon2022EU.
⚒️ 2 GitHub repositories & Tools
- Shieldfy's API Security Checklist: A comprehensive guide to designing, testing and releasing secure APIs.
- Latest release of katana, a crawling and spidering framework by @pdiscoveryio, with new features and fixes.
đź’°1 Job Alert
- SecureLayer7 has a remote opening for a senior security consultant in India.
đź“ť 3 Infosec Articles
- A beginners guide to business logic bugs by @sl4x0.
- @andika shares how a business logic bug helped her bag a bounty of $1000.
- Parameters contain user controllable data which opens up a huge attack surface, read @grahamzemel’s article on how to use different injection techniques on parameters.
🧵 2 Trending Threads
- @0xManan writes a thread on common mistakes beginner bug bounty hunters can avoid.
- Approaching bug bounties could be tough for beginners due to various learning paths one could take, @0x_Havoc his two cents on how to go about doing bug bounties.
📽️ 1 Insightful Video
- @lsecqt teaches you how to enumerate and exploit unconstrained delegation in AD.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Nithin R, Mohit Khemchandani and Manan.
Newsletter formatting by: Ayush Singh, Hardik Singh, Manan and Nithin R.
Lots of love
Editorial team,
Infosec Writeups