👩‍💻 IW Weekly #56: Admin Panel Takeover, $10,000 Bounty, Caches & Firewalls for XSS, Telegram Vulnerabilities, Kubernetes Hacking, RCE using Log Poisoning and many more…
@anandpraka_sh shares their experience of finding a vulnerability in LinkedIn that enabled the deletion of any post, resulting in a $10,000 bounty.
Welcome to the #IWWeekly56 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @nanwinata reports on a company admin panel being taken over, resulting in a $4500 bounty.
- @anandpraka_sh explores the story of how they discovered a vulnerability that allowed the deletion of any LinkedIn post and was rewarded with a $10,000 bounty.
- @snoopy shares their experience of hacking the hackers in the Voorivex Hunt Event.
- Learn about how to bypass caches and firewalls for XSS attacks with this article by @SynackRedTeam.
- @davtur19 explores various security vulnerabilities discovered in Telegram, including RCE, privacy issues, and IP leaks, and how they were discovered through bug bounties.
🧵 4 Trending Threads
- With all the AI buzz going around, learn more about Prompt Injection Attacks in this Twitter thread by @rez0__.
- Learn how @ronenshh and team gained unauthorized access to Alibaba Cloud.
- A story about a fresh new CVE in the packages advisory tool of @snyksec by @WeizmanGal.
- Here’s how @silentgh00st found SQL injection and possible RCE via recon and dorking.
📽️ 3 Insightful Videos
- @NahamSec provides useful techniques and advice for discovering your first valid bug in his latest video.
- @_JohnHammond delves into the world of Kubernetes hacking, providing insights in his latest video.
- @gregxsunday covers how you can set up your web3 testing environment with a few clicks.
⚒️ 2 GitHub repositories & Tools
- @diego95root's HackerOne Templates browser extension improves the reporting process on HackerOne by offering useful tools and templates.
- Check out @amalmurali47's GitHub repository "swagroutes", a command-line utility for extracting and listing API routes from Swagger files in YAML or JSON format.
💰 1 Job Alert
- @PayPal is seeking a Security Engineer (SailPoint) for their India Remote team to manage identity and access management solutions.
📝 3 Infosec Articles
- Found a Local File Inclusion (LFI)? Learn how to escalate it to Remote Code Execution (RCE) using log poisoning, by @josewice7.
- Different ways to bypass rate-limiting by @heydc7.
- Learn about SMTP injection from this article by @deep_marketer_.
🧵 2 Trending Threads
- A compilation of a few awesome Burp Suite extensions, by @intigriti.
- MobSF is a great tool to use while mobile pentesting; learn about its different features from @TakSec.
📽️ 1 Insightful Video
- Learn about access control bugs from @InsiderPhD’s bug bounty basics video series.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Nithin R, Vinay Kumar, Tuhin Bose, Manan.
Newsletter formatting by: Nikhil A Memane, Manan, Ayush Singh, Hardik Singh, Siddharth, Rushi Padhiyar, and Nithin R.
Lots of love