👩‍💻 IW Weekly #60: RCE from Source Code, Prompt Injection, Information Disclosure, Cache Poisoning to DoS, XSS in WordPress, Source Code Review and many more...
Unveiling the Power of Prompt Injection: Witness the Game-Changing Proof of Concept by @rez0__, as Theory Becomes Reality in the World of Plugin-Hijacking!
Welcome to the #IWWeekly60 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Learn how the @Neodyme team found three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game.
- Leo Shmelev discovers a critical Remote Code Execution (RCE) flaw in leaked PHP source code, earning a substantial reward for his findings.
- @rez0__ explores prompt injection attacks and presents a proof of concept showcasing the severe consequences of indirect prompt injection leading to plugin-hijacking.
- @hacker_ shares his discovery of an information disclosure vulnerability in a highly rewarding crypto exchange in this blog post.
- @blank_cold reveals how he exploited a cache poisoning vulnerability to carry out a Denial-of-Service (DoS) attack on a prominent company's homepage.
🧵 4 Trending Threads
- Discover how @silentgh00st successfully signed up on Jira ServiceDesk and gained access to the victim’s internal dashboard.
- @thebinarybot has provided a concise and insightful thread summarizing @hakluke's video on the OSCP 2023 upgrades. Take a look!
- @hakluke shares his early bug bounty success, finding an XSS vulnerability in a WordPress host.
- In a mega thread, @mcipekci shares why he loves Synack: the chance to get an RCE on enterprise software used by Forbes 500 companies.
📽️ 3 Insightful Videos
- How to turn a write-based path traversal into a critical? A bug bounty case study by @gregxsunday.
- @InsiderPhD shares valuable insights on information disclosure vulnerabilities in this episode of Bug Bounty Basics presented by @Bugcrowd.
- Learn more about source code review in this episode of Critical Thinking - Bug Bounty Podcast by @ctbbpodcast.
⚒️ 2 GitHub Repositories & Tools
- Discover SubreconGTP, an AI-assisted subdomain discovery tool by @Jhaddix.
- YEAST: Yet Another (template-based) Subdomain Enumeration Tool by @WhoIsSecure.
💰 1 Job Alert
- Aficionado Technologies seeks a Cyber Security Analyst for a full-time position in Hyderabad, Telangana, India. Suitable for individuals with 0-2 years of experience.
![](https://weekly.infosecwriteups.com/content/images/2023/01/IWBeginnersCorner.png)
📝 3 Infosec Articles
- If you’re starting to learn source-code review, here is a fantastic beginner-friendly pentester’s guide by @cobalt_io.
- Get an insight into how @akr3ch found SQL injection on a hidden API endpoint.
- “The Developers Console's Power”: @jeyabalaji explains how he used the browser's inspect element to discover an account takeover.
🧵 3 Trending Threads
- A must-see for beginners: @hakluke provides 10 tips on how to win bug bounties in a thorough thread.
- @intigriti comes with an incredible thread that shows how an attacker can take advantage of an XSS case.
- @intigriti once again creates a fantastic thread on the basics of file upload vulnerabilities.
📽️ 1 Insightful Video
- In this video, @rana__khalil guides viewers through Lab #2 of the Directory Traversal Vulnerabilities module in the Web Security Academy.
![](https://weekly.infosecwriteups.com/content/images/2023/03/image.png)
That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Ayush Singh, Bhavesh Harmalkar, Tuhin Bose, Shlok and Nithin R.
Newsletter formatting by: Ayush Singh, Nikhil A Memane, Shlok, Abdelrhman Allam and Nithin R.
Lots of love
Editorial team,
Infosec Writeups