👩‍💻IW Weekly #63: Account Takeover on Tiktok, MOVEiT Transfer RCE, Godaddy Hack, CSP bypass, Uncovering power of Nuclei and many more..


Unveiling TikTok's hack: How @mrhavit cracked the code and uncovered an account takeover vulnerability in a thrilling bug bounty adventure!

Welcome to #IWWeekly63, the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @mrhavit explains in detail how he found an amazing account takeover on TikTok, one of the most popular short video platforms.
  2. @PortSwigger comes with an awesome writeup by @garethheyes on how to bypass CSP via DOM clobbering.
  3. Now, uncover vulnerabilities in TCP, DNS, files and more. @hakluke provides an excellent writeup on how to use @pdiscoveryio’s Nuclei beyond HTTP requests.
  4. From an exposed git directory to securing the data of 100k users, @bishal0x01 shares his journey of ethically hacking GoDaddy.
  5. The team at @assetnote has come up with detailed steps of reproduction for the Progress MOVEit Transfer RCE (CVE-2023-34362).

🧵 4 Threads

  1. Learn how to escalate a no-rate-limit bug on an email endpoint from this thread by @shubham_srt.
  2. Learn about Content-Type and why XSS isn’t possible in some cases from this thread by @intigriti.
  3. Read how @silentgh00st was able to get an RCE on a well-vetted bug bounty program.
  4. Read @AseemShrey’s Twitter thread on finding more subdomains using subfinder.

📽️ 3 Insightful Videos

  1. @_JohnHammond discusses and uncovers the infamous LockBit ransomware in his amazing, detailed video.
  2. Bypassing Android root detection using Frida hooking and APK patching, by @intigriti.
  3. The latest video from @thecybermentor makes it simple for you to learn Blind SQL injection.

⚒️ 2 GitHub repositories & Tools

  1. Team @pdiscoveryio introduces Nuclei version 2.9.5. Updates include a max-requests counter, payload support in the DNS protocol, and more enhancements!
  2. Team @pdiscoveryio released Nuclei Templates version 6.9.5, which adds new CVE templates such as CVE-2023-32243, CVE-2023-29923, CVE-2023-2825 and many more.

💰1 Job Alert

  1. Hamlyn Williams is seeking a Penetration Tester to join their team in the United States (Remote), offering a salary range of $90,000-$120,000.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. We hope you enjoyed these incredible finds and learned something new from today’s newsletter. See you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Manikesh Singh, Bhavesh Harmalkar, Pramod Kumar Pradhan, Nithin R, Tuhin Bose, Shlok
Newsletter formatting by: Hardik Singh, Siddharth, Shlok and Nithin R.

Lots of love
Editorial team,
Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
