👩‍💻IW Weekly #52: Filter chains, Prototype Pollution in Node, Privilege Escalation, Vulnerabilities in ChatGPT, Copy&Paste XSS, Shodan Dorks and many more…

The possibilities allowed by filter chains will never stop amazing us. In this blog Rémi Matasse showcases how it’s used to read files from an error-based Oracle.

Welcome to the #IWWeekly52 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

1. Rémi Matasse's article explores how PHP filter chains can be used to read files from an error-based Oracle.
2. This article by @pdiscoveryio explains how to integrate Nuclei into your GitLab CI/CD pipeline to scan live web applications.
3. The concept of prototype pollution in Node can be exploited without using the filesystem, as demonstrated by security researcher @garethheyes.
4. @thejulfikar shares an interesting tale on privilege escalation through ID reflection.
5. @M7arm4n discusses the method of account takeover through host header poisoning in the ASDA website.
   

🧵4 Trending Threads

1. Dive deep and explore the tale of 4 ChatGPT vulnerabilities by @_ayoubfathi_.
2. @Jupiter3301 share’s his experience of discovering and exploiting an XSS vulnerability in this informative Twitter thread.
3. Heard about Copy&Paste XSS? Learn more about it in a Twitter thread by @0xblackbird.
4. Discover an interesting case of SQL injection found by @mcipekci and @osiryszzz in their recent black box engagement.
   

📽️ 3 Insightful Videos

1. In latest video, @_JohnHammond shares insights on the recent compromise of linus tech tips' YouTube channel.
2. @ctbbpodcast dropped another episode of critical thinking podcast featuring @Jhaddix where they discuss hacking techniques, reports and much more.
3. Join @NahamSec in his latest video as he delves into the fascinating insights of the veteran hacker, TJ_Null, in the ongoing Hacker Interviews series.

⚒️ 2 GitHub repositories & Tools

1. This GitHub repository by @pdiscoveryio contains updated nuclei templates v9.4.0 with 65 new templates for identifying exposures, CVEs, misconfigurations, and more.
2. The SecurityStories series by @harshbothra_ presents the experience of Vickie Li, a prominent security researcher from the USA.
   

💰1 Job Alert

1. @BugBase is seeking a Senior Security Engineer for an on-site position in Bengaluru, Karnataka, India.
   

📝 3 Infosec Articles

1. Don’t limit your reconnaissance to google dorking, here’s a list of shodan dorks by @_nynan.
2. Host header injection could lead to a plethora of vulnerabilities, read how @Jody ritonga was able to exploit host header injection in this instance.
3. Ever came across a wordpress site? In this article @frost1 walks us through on how to scan wordpress sites for vulnerabilities using WPScan.

🧵 2 Trending Threads

1. Ever wondered what kind of vulnerabilities could occur on a checkout page? Read @intigriti’s thread on most common price manipulation vulnerabilities found in the checkout process.
2. An important part of reconnaissance is finding linked content like javascript files, these could include sensitive endpoints, hardcoded secrets, etc. @HackenProof lists down different ways you could run GoSpider, a web crawling tool.
   

📽️ 1 Insightful Video

1. @rana__khalil walks us through a lab by web security academy on interesting instance of a broken access control bug.
   

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Ayush Singh, Tuhin Bose, Manan and Nithin R.

Newsletter formatting by: Nikhil A Memane, Manan, Hardik Singh, Rushi Padhiyar, and Nithin R.

Lots of love
Editorial team,
Infosec Writeups