👩‍💻IW Weekly #57: Misconfiguration in Salesforce, CVE-2023-29007, CVE-2023-29489, CSP Bypass in Piwik PRO, Email Injection, Learning SSTI and Many more…

👩‍💻IW Weekly #57: Misconfiguration in Salesforce, CVE-2023-29007, CVE-2023-29489, CSP Bypass in Piwik PRO, Email Injection, Learning SSTI and Many more…
Photo by Markus Spiske / Unsplash

@0xacb sheds light on the Git Arbitrary Configuration Injection vulnerability (CVE-2023-29007) in a detailed discussion.

Welcome to the #IWWeekly57 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @SynackRedTeam explains the exploitation of permission misconfiguration in Salesforce's JavaScript Remoting tokens utilized for Apex Controllers.
  2. @0xacb discusses the Git Arbitrary Configuration Injection vulnerability, identified as CVE-2023-29007.
  3. @assetnote discovers a cross-site scripting (XSS) vulnerability (cPanel CVE-2023-29489) affecting over a million websites.
  4. @BodhenduPanda's article discusses a bounty of $150 for identifying and reporting CL.0 request smuggling vulnerability.
  5. @garethheyes uncovers a hidden CSP bypass in Piwik PRO through AngularJS, leading to potential security vulnerabilities.
  1. Getting into web3 security could be overwhelming, read @0xTotem’s interview with @akshaysrivastv, where he shares his journey and some tips.
  2. Find out what tools and methodology helped @silentgh00st in taking over the whole company's AWS infrastructure.
  3. Learn about email injection from this thread by @HackenProof.
  4. @intigriti lists down the methodology to finding Server-side template injection (SSTI) bugs.

📽️ 3 Insightful Videos

  1. Watch how @gregxsunday was able to craft a CodeQL query to detect RCE via ZipSlip which bagged him a bounty of $5500.
  2. @NahamSec shares valuable insights and tips on How to Bug Bounty in his latest video.  
  3. Dive deep into attacks against LLM in this insightful video by @LiveOverflow.

⚒️ 2 GitHub repositories & Tools

  1. @harshbothra_ interviews @GodfatherOrwa, a Bugcrowd all time top 50 researcher, as a part of the Security stories series.
  2. Dorky is a command-line GitHub and GitLab reconnaissance tool by @codingo_.

💰1 Job Alert

  1. @Bugcrowd is hiring a Senior Security Engineer for their India team, with a focus on remote work and mid-senior level experience.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Tuhin Bose and Manan.
Newsletter formatting by: Nikhil A Memane, Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, and Nithin R.

Lots of love
Editorial team,
Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]

Subscribe to The Infosec Newsletter

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]