👩💻IW Weekly #51: Server-Side prototype pollution, Pentest mapper, SSRF in Meta, Hacking CI/CD pipelines, AWSScrape, Hacking Android, SQL Injections and much more…
Welcome to the #IWWeekly51 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @PortSwigger released a tool for finding server-side prototype pollution bugs and here’s all you need to know about it.
- @payatulabs published a detailed article on how to get the most out of Burp Suite’s Pentest Mapper plugin.
- @SMHTahsin33 wrote an interesting article on bypassing a character limit to obtain an XSS using a spanned payload.
- @SirBagoza wrote an article on how he earned an easy bounty by abusing API parameters, which ultimately led to bypassing the email verification block.
- Curious to know what changed in the OWASP API Top 10 2023 edition compared to 2019? Check out this well-written article by @aktodotio.
🧵 4 Trending Threads
- @MeAsHacker_HNA shares how reading the robots.txt file got him 4 XSS reports.
- Like ChatGPT, we have our own SecGPT. Find out what @CristiVlad25 has to say about it.
- @kannthu1 has revealed how he earned a $5.5K bounty for finding an SSRF in Meta a year ago.
- @CristiVlad25 has written a thread on how httpaccess rules can be bypassed.
📽️ 3 Insightful Videos
- Ever heard about CI/CD? Learn how to go about hacking CI/CD pipelines by @_JohnHammond.
- Nuclei has so many options that re-typing the flags on every run becomes tedious. Learn how to write a configuration file for Nuclei, by @pdiscoveryio.
- On the latest episode of the Critical Thinking podcast, @Rhynorater and @0xteknogeek discuss how CVSS can be flawed in some scenarios and how to make the most of it; they also cover bugs such as web cache deception and SSTI.
⚒️ 2 GitHub repositories & Tools
- AWSScrape, by @Jhaddix, is a tool that scrapes SSL certificates from all AWS IP ranges and searches the certificate fields, such as Common Name (CN) and Organization (O), for specific keywords.
- Filter URLs according to your scope using scopy, a Python tool by @manash036.
💰 1 Job Alert
- HackerOne has a remote position open for a Security Analyst in India.
Beginner's Corner
📝 3 Infosec Articles
- Learn how to pentest Android applications with @mk2011sharma.
- Learn how to effectively perform host and port discovery using the tools in @pdiscoveryio’s arsenal.
- iOS testing has higher barriers to entry than its web and Android counterparts, which makes it a less explored area. Learn about it from this article by @livelession.
🧵 2 Trending Threads
- A detailed thread on understanding SQL injections by @PadhiyarRushi.
- Learn different techniques to exhaustively test XSS on a file upload feature from this thread by @thebinarybot.
📽️ 1 Insightful Video
- The most commonly asked question, “Does cybersecurity require coding?”, answered by @nahamsec.
That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Siddharth, Ayush Singh, Bhavesh Harmalkar, Nithin R, Tuhin Bose, Manan.
Newsletter formatting by: Hardik Singh, Siddharth and Nithin R.
Lots of love