👩💻IW Weekly #59: Authentication Bypass and multiple RCEs in Sitecore, IDOR while attending school, Directory listing to RCE, Integration misconfiguration to privilege escalation and many more..
Welcome to the #IWWeekly59 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @assetnote returns with round 2 of discovering multiple critical vulnerabilities in Sitecore 9.3, including authentication bypass, RCEs and many more.
- An amazing IDOR found by @atomiczsec while attending classes at school earned him $1000.
- Learn how to integrate GitLab’s Web API Fuzz Testing and solve security challenges by @gitlab.
- Read how Amazon Cognito, Tableau and Okta integration misconfigurations allowed @stratumsecurity to carry out privilege escalation from a normal user to admin.
- @AayushVishnoi10 shows how a simple directory listing can lead to PII disclosure and remote code execution.
🧵4 Trending Threads
- Check how an anonymous researcher converted a one-month subscription into lifetime access, described in a thread by @novasecio!
- Here's a detailed thread for blue teamers on getting started with Infrastructure as Code & Terraform by @maikroservice.
- An insightful thread by @silentgh00st on how he managed to compromise an internal web application using exposed web services endpoints in a private program at @Hacker0x01.
- @HollaWaldfee100 shares the story of his first valid finding on @immunefi through a detailed thread.
📽️ 3 Insightful Videos
- Discover the world of firmware analysis and IoT reverse engineering in this video by @_JohnHammond.
- Learn how you can set up a proxy for Android apps and relay traffic through it by @intigriti.
- @LiveOverflow shares his insights on how to prevent prompt injection in this insightful video.
⚒️ 2 GitHub repositories & Tools
- @harshbothra_ interviews Saad Nasir, Red Teamer and Cloud Security Expert, as a part of the Security stories series.
- @pdiscoveryio released version v1.0.2 of cdncheck, a tool for identifying the technology associated with DNS/IP network addresses.
💰1 Job Alert
1. KPMG is looking for a Cloud Security Engineer with 4+ years of experience for its Mumbai, Bangalore, Gurugram, Ahmedabad and Noida locations on an immediate basis. Don’t forget to drop your CV.
📝 3 Infosec Articles
- 401 and 403 response codes are good signs that you have found something important. Use these techniques to bypass 401 and 403 pages, written by @KlaKlo_ at @vidocsecurity.
- Read how @amjadali110 was able to get a bounty for a hyperlink injection.
- Understanding the application in depth is a necessary step while looking for bugs. Read how @H4cktus was able to escalate a subdomain takeover to an account takeover, which bagged him a bounty of $3000.
🧵 2 Trending Threads
- @GodfatherOrwa recently shared his bug bounty toolkit during an interview with @NahamSec. Check it out in this thread by @thebinarybot.
- If you want to master SSTI exploitation, read this thread by @intigriti.
📽️ 1 Insightful Video
- With all the hype lately, the media indicates that AI will take up all the jobs, but @TCMSecurity thinks otherwise. Watch how one could leverage AI to make their work more efficient.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker. Until then, keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Tuhin Bose, Alvin Mwambi, Shlok
Newsletter formatting by: Nikhil A Memane, Ayush Singh, Hardik Singh, Siddharth, Shlok, Rushi Padhiyar, and Nithin R.
Lots of love