👩‍💻 IW Weekly #59: Authentication Bypass and multiple RCEs in Sitecore, IDOR while attending school, Directory listing to RCE, Integration misconfiguration to privilege escalation and many more.
Welcome to the #IWWeekly59 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @assetnote returns with round 2 of discovering multiple critical vulnerabilities in Sitecore 9.3, including Authentication Bypass, RCEs and more.
- An amazing IDOR found by @atomiczsec while attending classes at school earned him $1000.
- Learn how to integrate GitLab’s Web API Fuzz Testing and solve security challenges by @gitlab.
- Read how Amazon Cognito, Tableau and Okta integration misconfigurations allowed @stratumsecurity to escalate privileges from a normal user to admin.
- @AayushVishnoi10 shows how a simple directory listing can help you gain PII disclosure and Remote code execution.
🧵 4 Trending Threads
- Check how an anonymous researcher converted a one-month subscription into lifetime access, as described in a thread by @novasecio!
- Here's a detailed thread for blue teamers on getting started with Infrastructure as Code & Terraform by @maikroservice.
- An insightful thread by @silentgh00st on how he managed to compromise an internal web application using exposed web services endpoints in a private program at @Hacker0x01.
- @HollaWaldfee100 shares the story of his first valid finding on @immunefi through a detailed thread.
📽️ 3 Insightful Videos
- Discover the world of firmware analysis and IoT reverse engineering in this video by @_JohnHammond.
- Learn how you can set up a proxy for Android apps and relay traffic through it, by @intigriti.
- @LiveOverflow shares his insights on how to prevent prompt injection in this insightful video.
⚒️ 2 GitHub repositories & Tools
- @harshbothra_ interviews Saad Nasir, Red Teamer and Cloud Security Expert, as a part of the Security stories series.
- @pdiscoveryio released version v1.0.2 of cdncheck, a tool for identifying the technology associated with DNS/IP network addresses.
💰 1 Job Alert
1. KPMG is looking for a Cloud Security Engineer with 4+ years of experience for the Mumbai, Bangalore, Gurugram, Ahmedabad and Noida locations on an immediate basis. Don’t forget to drop your CV.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- Response codes 401 and 403 are good signs that you have found something important. Use these techniques to bypass 401 and 403 pages, written by @KlaKlo_ at @vidocsecurity.
- Read how @amjadali110 was able to get a bounty for a hyperlink injection.
- Understanding the application in depth is a necessary step while looking for bugs; read how @H4cktus escalated a subdomain takeover to an account takeover, which bagged him a bounty of $3000.
🧵 2 Trending Threads
- @GodfatherOrwa recently shared his bug bounty toolkit during an interview with @NahamSec; check it out in this thread by @thebinarybot.
- If you want to master SSTI exploitation, read this thread by @intigriti.
📽️ 1 Insightful Video
- With all the recent hype, the media suggests that AI will take over all the jobs; @TCMSecurity thinks otherwise. Watch how one could leverage AI to make their work more efficient.
![](https://weekly.infosecwriteups.com/content/images/2023/03/image.png)
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Tuhin Bose, Alvin Mwambi, Shlok
Newsletter formatting by: Nikhil A Memane, Ayush Singh, Hardik Singh, Siddharth, Shlok, Rushi Padhiyar, and Nithin R.
Lots of love
Editorial team,
Infosec Writeups