👩💻IW Weekly #55: CVE-2023-22620, XSSI Vulnerability, Bugs in Pretalx, ChatGPT Plugin Leak, Hacking with MFA, Cloud Hacking, BAC to Account Takeover and Many more…
First part of SecurePwn series by @MrTuxracer uncovers CVE-2023-22620 vulnerability and provides insights on bypassing SecurePoint UTM's authentication.
Welcome to the #IWWeekly55 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @kuldeepdotexe writes up a holiday bug hunting session with Aquatone, finding multiple vulnerabilities just by running the tool and going through its output.
- @AnkitCuriosity uncovers the dangers of XSSI (Cross Site Script Inclusion) in stealing AccessToken and other sensitive information.
- @MrTuxracer explores the vulnerability CVE-2023-22620 and details how to bypass SecurePoint UTM's authentication in the first part of their SecurePwn series.
- @m4cddr shares their experience of discovering Remote Code Execution (RCE) vulnerabilities in over 10 websites and the steps taken to responsibly disclose and patch them.
- @SonarSource outlines a file-handling vulnerability in pretalx, a conference planning tool, shows how it can be exploited, and uses the patch to illustrate how to prevent it.
🧵4 Trending Threads
- @rez0__ digs into the security assessment plugin used by @openai that surfaced in the ChatGPT plugin leak and unravels how it works.
- Check out @thebinarybot’s condensed summary of @GodfatherOrwa's super informative talk at IWCON 2.0, which you can read in just 2 minutes!
- @mcipekci explains how he made the most of an empty page associated with malware, which led to an interesting bug.
- @hacker_ explores how a 20-year-old hacker found a vulnerability that led to the largest leak of confidential military information in 10 years.
📽️ 3 Insightful Videos
- Different ways to hack multi-factor authentication by @TCMSecurity.
- Top bug hunters often write custom nuclei templates to find unique vulnerabilities; learn how in this video by @pdiscoveryio.
- With the increase in reliance on cloud and cloud providers, cloud security has become increasingly important. Learn about cloud hacking from this video by @NahamSec.
⚒️ 2 GitHub repositories & Tools
- A repository of weekly interviews with cyber security professionals by @harshbothra_.
- The latest release of puredns, a fast domain resolver and subdomain brute forcing tool that filters out wildcard subdomains and DNS poisoned entries, by @d3mondev.
💰1 Job Alert
- @eSecurify has multiple openings for Cyber Security Analyst interns in Ahmedabad.
Beginner's Corner
📝 3 Infosec Articles
- Different ways to perform reconnaissance effectively by @nimmughal799.
- Recon helps bug hunters expand the attack surface; read about one such case by @th3.d1p4k, where recon led to compromising the admin panel.
- Read about an interesting broken access control bug that allowed takeover of any account, by @ch3tanbug.
🧵 2 Trending Threads
- Thinking of brushing up on skills this week? @AnukulHexx condensed several videos on SSRF into a single thread.
- Learn all about CSRF through this Twitter thread by @intigriti.
📽️ 1 Insightful Video
- Watch the latest episode of the @ctbbpodcast, where @Rhynorater and @0xteknogeek interview the latest million-dollar hacker @naglinagli.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Ayush Singh, Bhavesh Harmalkar, Nithin R, Tuhin Bose, Manan.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, and Nithin R.
Lots of love
Editorial team,
Infosec Writeups