👩‍💻IW Weekly #55: CVE-2023-22620, XSSI Vulnerability, Bugs in Pretalx, ChatGPT Plugin Leak, Hacking with MFA, Cloud Hacking, BAC to Account Takeover and Many more…


The first part of the SecurePwn series by @MrTuxracer uncovers the CVE-2023-22620 vulnerability and provides insights into bypassing SecurePoint UTM's authentication.

Welcome to the #IWWeekly55 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, and 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @kuldeepdotexe takes readers on a thrilling adventure of holiday hunting with Aquatone, where he finds many vulnerabilities just by running Aquatone.
  2. @AnkitCuriosity uncovers the dangers of XSSI (Cross-Site Script Inclusion) in stealing access tokens and other sensitive information.
  3. @MrTuxracer explores the vulnerability CVE-2023-22620 and details how to bypass SecurePoint UTM's authentication in the first part of their SecurePwn series.
  4. @m4cddr shares their experience of discovering Remote Code Execution (RCE) vulnerabilities in over 10 websites and the steps taken to responsibly disclose and patch them.
  5. @SonarSource outlines a file vulnerability in pretalx, a conference planning tool, along with a technique to exploit it, and suggests ways to prevent it by reviewing the patches.

🧵 4 Threads

  1. @rez0__ examines the intriguing security assessment plugin used by @openai that surfaced in the ChatGPT plugin leak, and unravels how it works.
  2. Check out @thebinarybot’s condensed summary of @GodfatherOrwa's super informative talk at IWCON 2.0, which you can read in just 2 minutes!
  3. @mcipekci discusses how he made the most of an empty page associated with malware, which led to an interesting bug.
  4. @hacker_ explores how a 20-year-old hacker found a vulnerability that led to the largest leak of confidential military information in 10 years.

📽️ 3 Insightful Videos

  1. Different ways to hack multi-factor authentication by @TCMSecurity.
  2. Top bug hunters often write custom nuclei templates to find unique vulnerabilities; learn how to do the same from this video by @pdiscoveryio.
  3. With the increase in reliance on cloud and cloud providers, cloud security has become increasingly important. Learn about cloud hacking from this video by @NahamSec.

⚒️ 2 GitHub repositories & Tools

  1. A repository of weekly interviews with cyber security professionals by @harshbothra_.
  2. The latest release of puredns, a fast domain resolver and subdomain brute forcing tool that filters out wildcard subdomains and DNS poisoned entries, by @d3mondev.

💰1 Job Alert

  1. @eSecurify has multiple openings for Cyber Security Analyst interns in Ahmedabad.

🔰 Beginner's Corner

📝 3 Infosec Articles

  1. Different ways to perform reconnaissance effectively by @nimmughal799.
  2. Recon helps bug hunters expand the attack surface; read about one such case by @th3.d1p4k, where he was able to compromise an admin panel.
  3. Read about an interesting broken access control bug that allowed account takeover of any account, by @ch3tanbug.

🧵 2 Threads

  1. Thinking of brushing up on skills this week? Watch different videos on SSRF condensed into a thread by @AnukulHexx.
  2. Learn all about CSRF through this Twitter thread by @intigriti.

📽️ 1 Insightful Video

  1. Watch the latest episode of the @ctbbpodcast where @Rhynorater and @0xteknogeek interview the latest million dollar hacker @naglinagli.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Ayush Singh, Bhavesh Harmalkar, Nithin R, Tuhin Bose, Manan.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, and Nithin R.

Lots of love
Editorial team,
Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
