👩‍💻IW Weekly #60: RCE from Source Code, Prompt Injection, Information Disclosure, Cache Poisoning to DOS, XSS in WordPress, Source Code Review and many more..


Unveiling the Power of Prompt Injection: Witness the Game-Changing Proof of Concept by @rez0__, as Theory Becomes Reality in the World of Plugin-Hijacking!

Welcome to the #IWWeekly60 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. Learn how the @Neodyme team found three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game.
  2. Leo Shmelev discovers a critical Remote Code Execution (RCE) flaw in leaked PHP source code, earning a substantial reward for his findings.
  3. @rez0__ explores prompt injection attacks and presents a proof of concept showcasing the severe consequences of indirect prompt injection leading to plugin-hijacking.
  4. @hacker_ shares his discovery of an information disclosure vulnerability in a highly rewarding crypto exchange in this blog post.
  5. @blank_cold reveals how he successfully exploited a cache poisoning vulnerability to execute a Denial-of-Service (DOS) attack on a prominent company's homepage.

🧵 4 Threads

  1. Discover how @silentgh00st successfully signed up on Jira ServiceDesk and gained access to the victim’s internal dashboard.
  2. @thebinarybot has provided a concise and insightful thread summarizing @hakluke's video on the OSCP 2023 upgrades. Take a look!
  3. @hakluke shares his early bug bounty success, finding an XSS vulnerability in a WordPress host.
  4. @mcipekci explains in a mega thread why he loves Synack, having got the chance to land an RCE on enterprise software used by Forbes 500 companies.

📽️ 3 Insightful Videos

  1. How to turn a write-based path traversal into a critical? - a bug bounty case study by @gregxsunday
  2. @InsiderPhD shares valuable insights on information disclosure vulnerabilities in this episode of Bug Bounty Basics presented by @Bugcrowd.
  3. Learn more about source code review in this episode of Critical Thinking - Bug Bounty Podcast by @ctbbpodcast

⚒️ 2 GitHub repositories & Tools

  1. Discover SubreconGTP, an AI-assisted subdomain discovery tool by @Jhaddix.
  2. YEAST (Yet Another template-based Subdomain Enumeration Tool) by @WhoIsSecure.

💰1 Job Alert

  1. Aficionado Technologies seeks a Cyber Security Analyst for a full-time position in Hyderabad, Telangana, India. Suitable for individuals with 0-2 years of experience.

🔰 Beginner's Corner

📝 3 Infosec Articles

  1. If you’re starting to learn source-code review, here is a fantastic beginner-friendly pentester’s guide by @cobalt_io.
  2. Gain insight into how @akr3ch found an SQL injection on a hidden API endpoint.
  3. “The Developer Console's Power”: @jeyabalaji explains how he used the browser's inspect element to discover an account takeover.

🧵 3 Threads

  1. A must-see for beginners: @hakluke provides 10 tips on how to win bug bounties in a thorough thread.
  2. @intigriti comes with an incredible thread that shows how an attacker can take advantage of an XSS case.
  3. @intigriti once again creates a fantastic thread on the basics of file upload vulnerabilities.

📽️ 1 Insightful Video

  1. In this video by @rana__khalil, she guides viewers through Lab #2 of the Directory Traversal Vulnerabilities module in the Web Security Academy.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Ayush Singh, Bhavesh Harmalkar, Tuhin Bose, Shlok and Nithin R.
Newsletter formatting by: Ayush Singh, Nikhil A Memane, Shlok, Abdelrhman Allam and Nithin R.

Lots of love
Editorial team,
Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
