👩‍💻IW Weekly #59: Authentication Bypass and multiple RCEs in Sitecore, IDOR while attending school, Directory listing to RCE, Integration misconfiguration to privilege escalation and many more..


Welcome to the #IWWeekly59 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @assetnote returns with round 2 of their Sitecore 9.3 research, uncovering multiple critical vulnerabilities including an authentication bypass, several RCEs and more.
  2. An amazing IDOR that @atomiczsec found while attending classes at school earned him $1000.
  3. Learn how to integrate GitLab’s Web API Fuzz Testing and solve security challenges by @gitlab.
  4. Read how misconfigurations in the Amazon Cognito, Tableau and Okta integration allowed @stratumsecurity to escalate privileges from a normal user to admin.
  5. @AayushVishnoi10 shows how a simple directory listing can lead to PII disclosure and remote code execution.

🧵 4 Threads

  1. Check how an anonymous researcher converted a one-month subscription into lifetime access, described in a thread by @novasecio!
  2. Here's a detailed thread for blue teamers on getting started with Infrastructure as Code & Terraform by @maikroservice.
  3. An insightful thread by @silentgh00st on how he managed to compromise an internal web application using exposed web services endpoints in a private program at @Hacker0x01.
  4. @HollaWaldfee100 shares the story of his first valid finding on @immunefi through a detailed thread.

📽️ 3 Insightful Videos

  1. Discover the world of firmware analysis and IoT reverse engineering in this video by @_JohnHammond.
  2. Learn how to set up a proxy for Android apps and relay traffic through it, by @intigriti.
  3. @LiveOverflow shares his insights on how to prevent prompt injection in this insightful video.

⚒️ 2 GitHub repositories & Tools

  1. @harshbothra_ interviews Saad Nasir, Red Teamer and Cloud Security Expert, as part of the Security Stories series.
  2. @pdiscoveryio released cdncheck v1.0.2, a tool for identifying the technology associated with DNS/IP network addresses.

💰1 Job Alert

1. KPMG is looking for a Cloud Security Engineer with 4+ years of experience for its Mumbai, Bangalore, Gurugram, Ahmedabad and Noida locations, on an immediate basis. Don’t forget to drop your CV.

🔰 Beginner's Corner

📝 3 Infosec Articles

  1. 401 and 403 response codes are good signs that you have found something important. Use these techniques to bypass 401 and 403 pages, written by @KlaKlo_ at @vidocsecurity.
  2. Read how @amjadali110 was able to get a bounty for a hyperlink injection.
  3. Understanding the application in depth is a necessary step when looking for bugs. Read how @H4cktus escalated a subdomain takeover to an account takeover, which bagged him a $3000 bounty.

🧵 2 Threads

  1. @GodfatherOrwa recently shared his bug bounty toolkit during an interview with @NahamSec; check it out in this thread by @thebinarybot.
  2. If you want to master SSTI exploitation, read this thread by @intigriti.

📽️ 1 Insightful Video

  1. With all the recent hype, the media suggests that AI will take over all the jobs; @TCMSecurity thinks otherwise. Watch how you could leverage AI to make your work more efficient.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Tuhin Bose, Alvin Mwambi, Shlok
Newsletter formatting by: Nikhil A Memane, Ayush Singh, Hardik Singh, Siddharth, Shlok, Rushi Padhiyar, and Nithin R.

Lots of love
Editorial team,
Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
