👩‍💻IW Weekly #42: $1M bounty explained, GCP takeover, iOS pentesting, Smart Contract vulnerabilities, API security checklist and much more…
Take a look at how @kl_sree managed to takeover your GCP projects.
Welcome to the #IWWeekly42 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a separate beginner’s corner in this issue.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Check out how @kl_sree uncovered an SSRF vulnerability in Google Cloud's Vertex AI, giving attackers the key to take over your GCP projects.
- In this article, @realgmhacker analyzes the exploited vulnerability in the Nomad bridge’s Replica contract that led to the $190m hack in 2022.
- Bypass WAFs with ease using @hakluke’s latest tool to discover the origin host behind a reverse proxy.
- @emil.lerner walks you through an exploit that achieves code execution on the Redis server via a memory corruption issue.
- @sockpuppets has written an article on identifying coin scammers with wallet-tracker.
🧵4 Trending Threads
- Penetration testing just got real. Join @hetmehtaa on a journey to master the tools, methodologies and attack vectors for each OSI layer!
- Learn the art of iOS penetration testing with the help of @0ctac0der's in-depth and informative thread.
- This thread features a story-style Q&A session with Sumit Grover (@sumgr0), written by @harshbothra_.
- @maikroservice shares his debugging thought process for resolving an issue with a locally hosted and built Angular/TypeScript application involving FTP directory listings.
📽️ 3 Insightful Videos
- @NahamSec records an adversary's approach to analyzing and potentially exploiting vulnerabilities in smart contracts with security expert @Hackermate_.
- @gregxsunday discusses the $1 million bounty on the Aurora blockchain for a missing-input-sanitization bug with lead offensive security engineer Michal Bajor.
- @HusseiN98D shares his approach to wide-scoped bug bounty programs at NahamCon2022EU.
⚒️ 2 GitHub repositories & Tools
- Shieldfy's API Security Checklist: A comprehensive guide to designing, testing and releasing secure APIs.
- Latest release of katana, a crawling and spidering framework by @pdiscoveryio, with new features and fixes.
💰 1 Job Alert
- SecureLayer7 has a remote opening for a senior security consultant in India.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- A beginner's guide to business logic bugs by @sl4x0.
- @andika shares how a business logic bug helped her bag a bounty of $1000.
- Parameters carry user-controllable data, which opens up a huge attack surface; read @grahamzemel’s article on how to apply different injection techniques to parameters.
🧵 2 Trending Threads
- @0xManan writes a thread on common mistakes beginner bug bounty hunters can avoid.
- Approaching bug bounties can be tough for beginners because of the many learning paths one could take; @0x_Havoc gives his two cents on how to go about doing bug bounties.
📽️ 1 Insightful Video
- @lsecqt teaches you how to enumerate and exploit unconstrained delegation in AD.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Nithin R, Mohit Khemchandani and Manan.
Newsletter formatting by: Ayush Singh, Hardik Singh, Manan and Nithin R.
Lots of love
Editorial team,
Infosec Writeups