👩‍💻IW Weekly #50: Authentication and Authorization Vulnerabilities in Datahub, Leaky GraphQL, Account Takeover via Preset Passwords, Insecure Deserialization, $10000 Bounty and much more…

@GHSecurityLab discovered authentication and authorization vulnerabilities in DataHub, an open-source metadata platform, potentially allowing unauthorized access to sensitive data stored on the platform.

Welcome to the #IWWeekly50 - the Monday newsletter that brings the best in Infosec straight to your inbox. Thank you for making it so far with us!

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @pwntester shared how The GitHub Security Lab discovered several vulnerabilities in DataHub's authentication and authorization modules.
  2. @3nc0d3dGuY shows his recent discovery of exposing the users table through a leaky GraphQL query in this blog post.
  3. @omer_kepenek's article recounts the journey of becoming a super admin by exploiting a P1 vulnerability.
  4. @a1bi_n_ writes a tutorial on setting up a Discord notification system to alert you of any Server-Side Request Forgery (SSRF) attempts.
  5. @nav1n0x details how he exploited a multi-billion dollar retailer's MySQL databases via a straightforward SQL injection.
  1. @harshbothra_ discusses with @sameer_bhatt5 - our friendly triager from H1 in this amazing Q&A session discussing learning methods, burnouts and many more.
  2. @0xblackbird explores the issue of account takeover through the exploitation of preset passwords, which are sent in clear text via email.
  3. @Jhaddix provides insights and resources for leveraging the Axiom framework to stealthily and effectively supercharge offensive security testing.
  4. Stay vigilant against insecure deserialization - a technique used by attackers to manipulate HTTP requests, warns @AnukulHexx.

📽️ 3 Insightful Videos

  1. In this video, @0xTib3rius solves the medium rated “Under Construction” challenge from Hack The Box.
  2. @NahamSec reveals how giving up on recon resulted in a $10,000 bounty.
  3. @_JohnHammond takes us through the process of dissecting a python-based malware designed to steal Discord tokens.

⚒️ 2 GitHub repositories & Tools

  1. Recon-ninja by @ArmanSameer95 is a powerful tool for efficient gathering, storing and searching of recon data with a user-friendly UI.
  2. A curated list of resources for novice bug bounty hunters, compiled by @NahamSec in this awesome GitHub repository - Resources-for-Beginner-Bug-Bounty-Hunters.

💰1 Job Alert

  1. SentinelOne has a remote position open in India for the role of Application Security Engineer.

📝 3 Infosec Articles

  1. Ever found a site running WordPress? Refer to the following guide by @cuncis.
  2. A guide to Javascript enumeration by @ScreamZoro.
  3. Does your team perform threat modeling to identify potential threats? @TCMSecurity provides some good tips on how to go about doing so.
  1. A detailed guide on understanding race conditions vulnerability by @PadhiyarRushi.
  2. Learn all about SSRFs from this thread by @HackenProof.

📽️ 1 Insightful Video

  1. Nuclei is a very powerful tool and knowing how to optimize and work with the output is an essential skill, learn more about the same from this video by @pdiscoveryio

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Tuhin Bose, Manikesh Singh, Bimal Kumar Sahoo, Manan, Ayush Singh and  Nithin R.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Siddharth, Rushi Padhiyar, and Nithin R.
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]

Lots of love
Editorial team,
Infosec Writeups

Subscribe to The Infosec Newsletter

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]