👩‍💻IW Weekly #53: Privilege Escalation, Authentication Bypass Vulnerability, CRLF, JSON Based SQL, Local File Inclusion, Broken Authentication Vulnerability, and many more…

In this week’s newsletter, read about ASWIN K V's exploration of an authentication bypass vulnerability that led to a critical security issue.

Welcome to the #IWWeekly53 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. A curl quirk exposed Burp Suite and Google Chrome to a bug that allowed attackers to intercept and modify web traffic by @PortSwigger.
  2. A simple privilege escalation vulnerability allowed an attacker to gain root access on a server and earn a bug bounty by @Manthan_Mahale.
  3. @crypt0g30rgy discusses the journey to discovering and reporting a vulnerability in a popular software product.
  4. An authentication bypass vulnerability allowed an attacker to take over an admin account, leading to a critical security issue by @ASWIN K V.
  5. A broken authentication vulnerability led to a privilege escalation attack, demonstrating the importance of proper authentication and authorization mechanisms by @V3D.

🧵 4 Threads

  1. Find out the different areas to look at for CRLF in this Twitter thread by @AnukulHexx.
  2. During a recent security assessment, @xshebix found an interesting XSS in a URL parameter.
  3. @hillai shares his research on how he hacked Bing CMS that allowed him to alter search results and take over millions of Office365 accounts.
  4. Look at the most common mistakes developers make when setting up CORS policies in this informative Twitter thread by @intigriti.

📽️ 3 Insightful Videos

  1. Learn how you can detect server side prototype pollution and the pros and cons of each technique in this talk by @garethheyes.
  2. @_JohnHammond shares insights and analysis on the recent 3CX supply chain attack.
  3. Gain valuable insights into the world of SQL injections as Noam Moshe shares his research on exploiting JSON-based SQL queries in this informative video.

⚒️ 2 GitHub repositories & Tools

  1. @harshbothra_ discusses Michael Blake's journey from being an aspiring actor to becoming a renowned cybersecurity professional and CISO.
  2. @pdiscoveryio’s new tool for scanning and enumeration of AIX (IBM Unix) systems.

💰 1 Job Alert

  1. Critical Fault is hiring for US-based junior pentesters!

🔰 Beginner's Corner

📝 3 Infosec Articles

  1. Security researcher @hackXadi describes their discovery of a Local File Inclusion (LFI) vulnerability and the process they followed to exploit and report it.
  2. The fifth installment in @pdiscoveryio's Reconnaissance Series covers additional active reconnaissance techniques for discovering vulnerabilities and misconfigurations.
  3. An introduction to reverse engineering mobile applications, including common tools and techniques used by researchers by @Dhanesh_Dodia.

🧵 2 Threads

  1. Ever wondered what kind of vulnerabilities could occur on a checkout page? Read @intigriti’s thread on the most common price manipulation vulnerabilities found in the checkout process.
  2. An important part of reconnaissance is finding linked content such as JavaScript files; these can include sensitive endpoints, hardcoded secrets, etc. @HackenProof lists different ways you can run GoSpider, a web crawling tool.

📽️ 1 Insightful Video

  1. @Farah_Hawaa teaches how to avoid false positive reports in bug bounty.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Bimal Kumar Sahoo, Nithin R, Tuhin Bose, Manan, Alvin Mwambi.
Newsletter formatting by: Nikhil A Memane, Manan, Ayush Singh, Hardik Singh, Siddharth, Rushi Padhiyar, and Nithin R.

Lots of love 💝
Editorial team,
Infosec Writeups

📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]
