👩‍💻IW Weekly #50: Authentication and Authorization Vulnerabilities in Datahub, Leaky GraphQL, Account Takeover via Preset Passwords, Insecure Deserialization, $10000 Bounty and much more…

@GHSecurityLab discovered authentication and authorization vulnerabilities in DataHub, an open-source metadata platform, potentially allowing unauthorized access to sensitive data stored on the platform.

Welcome to the #IWWeekly50 - the Monday newsletter that brings the best in Infosec straight to your inbox. Thank you for making it so far with us!

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @pwntester shared how The GitHub Security Lab discovered several vulnerabilities in DataHub's authentication and authorization modules.
  2. @3nc0d3dGuY describes how he exposed the users table through a leaky GraphQL query in this blog post.
  3. @omer_kepenek's article recounts the journey of becoming a super admin by exploiting a P1 vulnerability.
  4. @a1bi_n_ writes a tutorial on setting up a Discord notification system to alert you of any Server-Side Request Forgery (SSRF) attempts.
  5. @nav1n0x details how he exploited a multi-billion dollar retailer's MySQL databases via a straightforward SQL injection.

🧵 4 Threads

  1. @harshbothra_ sits down with @sameer_bhatt5, our friendly triager from H1, in this amazing Q&A session on learning methods, burnout and much more.
  2. @0xblackbird explores the issue of account takeover through the exploitation of preset passwords, which are sent in clear text via email.
  3. @Jhaddix provides insights and resources for leveraging the Axiom framework to stealthily and effectively supercharge offensive security testing.
  4. Stay vigilant against insecure deserialization - a technique used by attackers to manipulate HTTP requests, warns @AnukulHexx.

📽️ 3 Insightful Videos

  1. In this video, @0xTib3rius solves the medium-rated “Under Construction” challenge from Hack The Box.
  2. @NahamSec reveals how giving up on recon resulted in a $10,000 bounty.
  3. @_JohnHammond takes us through the process of dissecting a Python-based malware designed to steal Discord tokens.

⚒️ 2 GitHub repositories & Tools

  1. Recon-ninja by @ArmanSameer95 is a powerful tool for efficient gathering, storing and searching of recon data with a user-friendly UI.
  2. A curated list of resources for novice bug bounty hunters, compiled by @NahamSec in this awesome GitHub repository - Resources-for-Beginner-Bug-Bounty-Hunters.

💰1 Job Alert

  1. SentinelOne has a remote position open in India for the role of Application Security Engineer.

🔰 Beginner's Corner

📝 3 Infosec Articles

  1. Ever found a site running WordPress? Refer to the following guide by @cuncis.
  2. A guide to JavaScript enumeration by @ScreamZoro.
  3. Does your team perform threat modeling to identify potential threats? @TCMSecurity provides some good tips on how to go about doing so.

🧵 2 Threads

  1. A detailed guide to understanding race condition vulnerabilities by @PadhiyarRushi.
  2. Learn all about SSRFs from this thread by @HackenProof.

📽️ 1 Insightful Video

  1. Nuclei is a very powerful tool, and knowing how to optimize it and work with its output is an essential skill. Learn more in this video by @pdiscoveryio.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Tuhin Bose, Manikesh Singh, Bimal Kumar Sahoo, Manan, Ayush Singh and Nithin R.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Siddharth, Rushi Padhiyar, and Nithin R.
📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]

Lots of love
Editorial team,
Infosec Writeups
