👩💻IW Weekly #57: Misconfiguration in Salesforce, CVE-2023-29007, CVE-2023-29489, CSP Bypass in Piwik PRO, Email Injection, Learning SSTI and Many more…
@0xacb sheds light on the Git Arbitrary Configuration Injection vulnerability (CVE-2023-29007) in a detailed discussion.
Welcome to the #IWWeekly57 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @SynackRedTeam explains how to exploit a permission misconfiguration in the JavaScript Remoting tokens Salesforce issues for Apex Controllers.
- @0xacb discusses the Git Arbitrary Configuration Injection vulnerability (CVE-2023-29007).
- @assetnote discovers a cross-site scripting (XSS) vulnerability in cPanel (CVE-2023-29489) affecting over a million websites.
- @BodhenduPanda's article describes how identifying and reporting a CL.0 request smuggling vulnerability earned a $150 bounty.
- @garethheyes uncovers a hidden Content Security Policy (CSP) bypass in Piwik PRO that abuses AngularJS.
🧵4 Trending Threads
- Getting into web3 security can be overwhelming. Read @0xTotem's interview with @akshaysrivastv, where he shares his journey and some tips.
- Find out which tools and methodology helped @silentgh00st take over a company's entire AWS infrastructure.
- Learn about email injection from this thread by @HackenProof.
- @intigriti lays out a methodology for finding Server-Side Template Injection (SSTI) bugs.
📽️ 3 Insightful Videos
- Watch how @gregxsunday crafted a CodeQL query to detect RCE via Zip Slip, which earned him a $5,500 bounty.
- @NahamSec shares valuable insights and tips on how to do bug bounty in his latest video.
- Dive deep into attacks against LLMs in this insightful video by @LiveOverflow.
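Zip Slip, the bug class behind the CodeQL item above, is an archive extraction that trusts member names containing `..` and so writes outside the target directory. The following is an added example written for this newsletter, not code from @gregxsunday's video or his CodeQL query: it builds a constructed archive with one benign and one path-traversal entry, shows the paths a naive extractor would write to, and shows a hardened extractor that resolves each target and rejects anything that escapes the destination.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one Zip Slip entry
    whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        # zipfile.writestr does not sanitize member names, so '..' survives
        zf.writestr("../../evil.txt", "written outside the target dir")
    return buf.getvalue()


def naive_extract_targets(archive: bytes, dest: Path) -> List[str]:
    """Vulnerable pattern: joins each member name straight onto dest
    (the hand-rolled loop seen in many extractors). Returns the paths it
    WOULD write to, without touching the filesystem."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [os.path.normpath(os.path.join(str(dest), name)) for name in zf.namelist()]


def resolve_member_path(dest: Path, member_name: str) -> Optional[Path]:
    """Return the absolute path a member would land on if it stays inside
    dest, else None. Resolving first defeats '..' segments, absolute
    names and symlinked destination directories."""
    dest = dest.resolve()
    candidate = (dest / member_name).resolve()
    if candidate != dest and dest not in candidate.parents:
        return None
    return candidate


def safe_extract(archive: bytes, dest: Path) -> Tuple[List[str], List[str]]:
    """Hardened extraction: every member is checked with resolve_member_path
    before anything is written. Returns (extracted, rejected) member names."""
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = resolve_member_path(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(target.relative_to(dest.resolve()).as_posix())
    return extracted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report
    what the naive and the hardened extractors would do."""
    dest = Path(tempfile.mkdtemp(prefix="zipslip-demo-"))
    naive_targets = naive_extract_targets(build_sample_archive(), dest)
    naive_escapes = any(not t.startswith(str(dest)) for t in naive_targets)
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    return {
        "naive_targets": naive_targets,
        "naive_escapes": naive_escapes,
        "extracted": extracted,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hardened version is the same check a CodeQL query for this bug class looks for the absence of: a path derived from an archive entry that reaches a file write without first being resolved and compared against the intended root. Note that recent Python versions strip `..` inside `ZipFile.extractall`, so the vulnerable shape in practice is the hand-rolled `os.path.join` loop shown in `naive_extract_targets`, not `extractall` itself.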
⚒️ 2 GitHub repositories & Tools
- @harshbothra_ interviews @GodfatherOrwa, a Bugcrowd all time top 50 researcher, as a part of the Security stories series.
- Dorky is a command-line GitHub and GitLab reconnaissance tool by @codingo_.
💰1 Job Alert
- @Bugcrowd is hiring a Senior Security Engineer for their India team; the role is remote and targets mid-senior level experience.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you next week, hacker; until then, keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Tuhin Bose and Manan.
Newsletter formatting by: Nikhil A Memane, Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, and Nithin R.
Lots of love
Editorial team,
Infosec Writeups
📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]