👩💻IW Weekly #60: RCE from Source Code, Prompt Injection, Information Disclosure, Cache Poisoning to DOS, XSS in WordPress, Source Code Review and many more..
Unveiling the Power of Prompt Injection: Witness the Game-Changing Proof of Concept by @rez0__, as Theory Becomes Reality in the World of Plugin-Hijacking!
Welcome to the #IWWeekly60 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Learn how the @Neodyme team found three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game.
- Leo Shmelev discovers a critical Remote Code Execution (RCE) flaw in leaked PHP source code, earning a substantial reward for his findings.
- @rez0__ explores prompt injection attacks and presents a proof of concept showcasing the severe consequences of indirect prompt injection leading to plugin-hijacking.
- @hacker_ shares his discovery of an information disclosure vulnerability in a highly rewarding crypto exchange in this blog post.
- @blank_cold reveals how he successfully exploited cache poisoning vulnerability to execute a Denial-of-Service (DOS) attack on a prominent company's homepage.
🧵4 Trending Threads
- Discover how @silentgh00st successfully signed up on Jira ServiceDesk and gained access to the victim’s internal dashboard.
- @thebinarybot has provided a concise and insightful thread summarizing @hakluke's video on the OSCP 2023 upgrades. Take a look!
- @hakluke shares his early bug bounty success, finding an XSS vulnerability in a WordPress host.
- @mcipekci shares why he loves Synack on a mega thread for the chance to get an RCE on an enterprise software used by Forbes 500 companies.
📽️ 3 Insightful Videos
- How to turn a write-based path traversal into a critical? - a bug bounty case study by @gregxsunday
- @InsiderPhD shares valuable insights on information disclosure vulnerabilities in this episode of Bug Bounty Basics presented by @Bugcrowd.
- Learn more about source code review in this episode of Critical Thinking - Bug Bounty Podcast by @ctbbpodcast
⚒️ 2 GitHub repositories & Tools
- Discover SubreconGTP, an AI-assisted subdomain discovery tool by @Jhaddix.
- YEAST Yet Another -template-based- Subdomain Enumeration Tool by @WhoIsSecure
💰1 Job Alert
- Aficionado Technologies seeks a Cyber Security Analyst for a full-time position in Hyderabad, Telangana, India. Suitable for individuals with 0-2 years of experience.
📝 3 Infosec Articles
- If you’re starting to learn source-code review, here is a fantastic beginner-friendly pentester’s guide by @cobalt_io.
- Have an insight on how @akr3ch found Sql injection on a hidden API endpoint.
- “The Developers Console's Power." @jeyabalaji explains how he used the inspect element to discover Account takeover.
🧵 2 Trending Threads
- For beginners, a must-see. @hakluke provides 10 tips on how to win bug bounties in a thorough thread.
- @intigriti comes with an incredible thread that shows how an attacker can take advantage of an XSS case.
- @intigriti once again creates a fantastic thread on the basics of file upload vulnerabilities.
📽️ 1 Insightful Video
- In this video by @rana__khalil, she guides viewers through Lab #2 of the Directory Traversal Vulnerabilities module in the Web Security Academy.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Ayush Singh, Bhavesh Harmalkar, Tuhin Bose, Shlok and Nithin R.
Newsletter formatting by: Ayush Singh, Nikhil A Memane, Shlok, Abdelrhman Allam and Nithin R.
Lots of love