👩‍💻IW Weekly #50: Authentication and Authorization Vulnerabilities in Datahub, Leaky GraphQL, Account Takeover via Preset Passwords, Insecure Deserialization, $10000 Bounty and much more…

@GHSecurityLab discovered authentication and authorization vulnerabilities in DataHub, an open-source metadata platform, potentially allowing unauthorized access to sensitive data stored on the platform.

Welcome to the #IWWeekly50 - the Monday newsletter that brings the best in Infosec straight to your inbox. Thank you for making it so far with us!

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @pwntester shares how the GitHub Security Lab discovered several vulnerabilities in DataHub's authentication and authorization modules.
  2. @3nc0d3dGuY shows how a leaky GraphQL query exposed an application's users table in this blog post.
  3. @omer_kepenek's article recounts the journey of becoming a super admin by exploiting a P1 vulnerability.
  4. @a1bi_n_ writes a tutorial on setting up a Discord notification system to alert you of any Server-Side Request Forgery (SSRF) attempts.
  5. @nav1n0x details how he exploited a multi-billion dollar retailer's MySQL databases via a straightforward SQL injection.
🧵 4 Threads

  1. @harshbothra_ sits down with @sameer_bhatt5, our friendly triager from H1, for a Q&A session on learning methods, burnout and much more.
  2. @0xblackbird explores account takeover through preset passwords, which the application sends in clear text via email.
  3. @Jhaddix provides insights and resources for leveraging the Axiom framework to stealthily and effectively supercharge offensive security testing.
  4. Stay vigilant against insecure deserialization: when an application deserializes attacker-controlled data (a cookie, a request body, a queued message), the attacker gets to decide which code runs, warns @AnukulHexx.
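To make the insecure-deserialization point concrete, here is an added example written for this issue (not code from @AnukulHexx's thread or from any of the projects above). It uses Python's pickle, where a class's __reduce__ hook lets a serialized blob name any callable for the loader to invoke. All class and function names are hypothetical, the payload is constructed inline, and it only sets an environment-variable marker rather than running a real command. The hardened loader is the standard pattern of overriding Unpickler.find_class with an allow-list.

```python
"""Insecure deserialization in Python: a pickle stream is a set of instructions for
the loader, so an untrusted stream lets the attacker pick what gets called."""
import builtins
import io
import os
import pickle

MARKER = "IW_PICKLE_DEMO"  # environment variable the constructed payload sets on load


class EvilSession:
    """Stand-in for a serialized session object the attacker controls (hypothetical)."""

    def __reduce__(self):
        # pickle.loads will call exec(<this string>); a real payload would call os.system.
        return (builtins.exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_payload() -> bytes:
    """Attacker side: the resulting bytes reference the global builtins.exec by name."""
    return pickle.dumps(EvilSession())


def vulnerable_loads(blob: bytes):
    """The bug: untrusted bytes (cookie, cache entry, queue message) straight into pickle."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuse every global reference not on an explicit allow-list."""

    ALLOWED = set()  # add (module, name) pairs your data really needs, nothing more

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_loads(blob: bytes):
    """Deserialize with the allow-listing unpickler; plain containers still round-trip."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_blocked(blob: bytes) -> bool:
    """True when the hardened loader rejects the stream instead of executing it."""
    try:
        safe_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_plain(obj):
    """Show that the hardened loader is not a denial of service for benign data."""
    return safe_loads(pickle.dumps(obj))


def was_exploited() -> bool:
    """True once the constructed payload has run inside this process."""
    return os.environ.get(MARKER) == "1"


if __name__ == "__main__":
    blob = build_payload()
    print("stream names builtins.exec:", b"builtins" in blob and b"exec" in blob)
    vulnerable_loads(blob)
    print("marker set by vulnerable loader:", was_exploited())
    print("hardened loader refused payload:", is_blocked(blob))
    print("hardened loader still reads plain data:", roundtrip_plain({"user": "alice"}))
```

The practical takeaway is that the fix is never "validate the request harder"; either stop accepting serialized objects from untrusted sources (use JSON with a schema) or, if you must keep pickle, allow-list the globals the stream may reference and sign the blob so that only your own code can produce it.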

📽️ 3 Insightful Videos

  1. In this video, @0xTib3rius solves the medium rated “Under Construction” challenge from Hack The Box.
  2. @NahamSec reveals how giving up on recon resulted in a $10,000 bounty.
  3. @_JohnHammond takes us through dissecting a Python-based malware sample designed to steal Discord tokens.

⚒️ 2 GitHub repositories & Tools

  1. Recon-ninja by @ArmanSameer95 is a powerful tool for efficient gathering, storing and searching of recon data with a user-friendly UI.
  2. A curated list of resources for novice bug bounty hunters, compiled by @NahamSec in this awesome GitHub repository - Resources-for-Beginner-Bug-Bounty-Hunters.

💰1 Job Alert

  1. SentinelOne has a remote position open in India for the role of Application Security Engineer.

Beginner's Corner

📝 3 Infosec Articles

  1. Found a site running WordPress? @cuncis's guide walks you through testing it.
  2. A guide to Javascript enumeration by @ScreamZoro.
  3. Does your team perform threat modeling to identify potential threats? @TCMSecurity provides some good tips on how to go about doing so.
🧵 2 Threads

  1. A detailed guide to understanding race condition vulnerabilities by @PadhiyarRushi.
  2. Learn all about SSRF from this thread by @HackenProof.

📽️ 1 Insightful Video

  1. Nuclei is a very powerful tool, and knowing how to optimize its scans and work with its output is an essential skill. Learn how in this video by @pdiscoveryio.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Tuhin Bose, Manikesh Singh, Bimal Kumar Sahoo, Manan, Ayush Singh and Nithin R.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Siddharth, Rushi Padhiyar, and Nithin R.
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email nithin@infosecwriteups.com

Lots of love
Editorial team,
Infosec Writeups
