👩💻IW Weekly #50: Authentication and Authorization Vulnerabilities in Datahub, Leaky GraphQL, Account Takeover via Preset Passwords, Insecure Deserialization, $10000 Bounty and much more…
@GHSecurityLab discovered authentication and authorization vulnerabilities in DataHub, an open-source metadata platform, potentially allowing unauthorized access to sensitive data stored on the platform.
Welcome to the #IWWeekly50 - the Monday newsletter that brings the best in Infosec straight to your inbox. Thank you for making it so far with us!
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @pwntester shared how The GitHub Security Lab discovered several vulnerabilities in DataHub's authentication and authorization modules.
- @3nc0d3dGuY shows his recent discovery of exposing the users table through a leaky GraphQL query in this blog post.
- @omer_kepenek's article recounts the journey of becoming a super admin by exploiting a P1 vulnerability.
- @a1bi_n_ writes a tutorial on setting up a Discord notification system to alert you of any Server-Side Request Forgery (SSRF) attempts.
- @nav1n0x details how he exploited a multi-billion dollar retailer's MySQL databases via a straightforward SQL injection.
🧵4 Trending Threads
- @harshbothra_ discusses with @sameer_bhatt5 - our friendly triager from H1 in this amazing Q&A session discussing learning methods, burnouts and many more.
- @0xblackbird explores the issue of account takeover through the exploitation of preset passwords, which are sent in clear text via email.
- @Jhaddix provides insights and resources for leveraging the Axiom framework to stealthily and effectively supercharge offensive security testing.
- Stay vigilant against insecure deserialization - a technique used by attackers to manipulate HTTP requests, warns @AnukulHexx.
📽️ 3 Insightful Videos
- In this video, @0xTib3rius solves the medium rated “Under Construction” challenge from Hack The Box.
- @NahamSec reveals how giving up on recon resulted in a $10,000 bounty.
- @_JohnHammond takes us through the process of dissecting a python-based malware designed to steal Discord tokens.
⚒️ 2 GitHub repositories & Tools
- Recon-ninja by @ArmanSameer95 is a powerful tool for efficient gathering, storing and searching of recon data with a user-friendly UI.
- A curated list of resources for novice bug bounty hunters, compiled by @NahamSec in this awesome GitHub repository - Resources-for-Beginner-Bug-Bounty-Hunters.
💰1 Job Alert
- SentinelOne has a remote position open in India for the role of Application Security Engineer.
📝 3 Infosec Articles
- Ever found a site running WordPress? Refer to the following guide by @cuncis.
- Does your team perform threat modeling to identify potential threats? @TCMSecurity provides some good tips on how to go about doing so.
🧵 2 Trending Threads
- A detailed guide on understanding race conditions vulnerability by @PadhiyarRushi.
- Learn all about SSRFs from this thread by @HackenProof.
📽️ 1 Insightful Video
- Nuclei is a very powerful tool and knowing how to optimize and work with the output is an essential skill, learn more about the same from this video by @pdiscoveryio
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Tuhin Bose, Manikesh Singh, Bimal Kumar Sahoo, Manan, Ayush Singh and Nithin R.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Siddharth, Rushi Padhiyar, and Nithin R.
Lots of love