👩💻IW Weekly #64: EPP Servers, MOVEit Transfer RCE, Password Reset Link to Account Takeover, PII Data Leakage, Dependency Confusion Attack and many more
MOVEit Transfer RCE (CVE-2023-34362) exposes a critical flaw enabling remote code execution within the MOVEit Transfer platform, as discovered by @assetnote.
Welcome to the #IWWeekly64 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, and 1 Job Alert in today's newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @infosec_au, @samwcyo, @bbuerhaus, and @rhyselsmore delve into the world of hacking by targeting EPP servers and ccTLD zones in their recent research.
- MOVEIt Transfer RCE Part Two (CVE-2023-34362) reveals a critical vulnerability allowing remote code execution in the MOVEit Transfer platform - @assetnote.
- @ManavBankatwala explores the lucrative vulnerability of copy password reset links, exposing the alarming ease of account takeover.
- @ferferof_ delves into the risks of information disclosure in a private program, exploring PII data leakage and the corresponding US$1500 bounty.
- Exploring the intricacies of Flutter's reverse engineering and conducting a comprehensive security analysis - @Ostorlab.
🧵 4 Trending Threads
- @novasecio shares expert insights on mastering Server-Side Request Forgery (SSRF) with 15 valuable resources.
- @intigriti shares 4 essential tools for automating JWT attacks, enabling effective security testing and vulnerability identification.
- @AseemShrey breaks down the 'dependency confusion' attack targeting @Google, where a malicious package is hosted under the same name as a private Python package, exposing developers who unknowingly download it to compromise.
- @thebinarybot reveals the top 5 Burp Suite extensions essential for enhancing your hacking skills in 2023.
📽️ 3 Insightful Videos
- Unlock the secrets of account takeover with an in-depth analysis of 146 bug bounty reports in this eye-opening video by @gregxsunday.
- @LiveOverflow explores a failed security research attempt, unraveling a flawed idea in WordPress involving caching and MD5 collision while sharing valuable lessons learned.
- Unleash the power of ChatGPT as Mike Takahashi (@TakSec) demonstrates hacking techniques in this captivating video by @AseemShrey.
⚒️ 2 GitHub repositories & Tools
- Surf: A powerful tool to exploit SSRF vulnerabilities in contemporary cloud environments and elevate their impact by @assetnote.
- @Daffainfo's NahamCon CTF 2023 writeup: A comprehensive account of their participation with TCP1P team, securing the 6th place among 2518 teams in the CTF competition.
💰 1 Job Alert
- @panaceainfosec is hiring an experienced IT security testing/VAPT professional with 2 to 6 years of experience and an immediate to 15-day notice period, for a position based in Delhi.
📝 3 Infosec Articles
- Learn the essentials of setting up your iOS environment for mobile pentesting with this comprehensive guide by @imorosan.
- @inderjeet exposes the vulnerability of Disney's admin panel, allowing unauthorized access to alter movie ticket prices.
- @bughunt789 explores the dangerous implications of combining HTML injection with XSS to exploit vulnerabilities and steal cookies.
📽️ 2 Insightful Videos
- @rana__khalil presents a comprehensive guide in the Long Version of "Directory Traversal - Lab #5," covering file path traversal and start-of-path validation techniques.
- Unlock the secrets of web application hacking with @NahamSec as he guides you through step-by-step ethical hacking resources.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Bimal Kumar Sahoo, Vinay Kumar, Tuhin Bose, Manan, Alvin Mwambi and Shlok.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh and Rushi Padhiyar.
Lots of love
Editorial team,
Infosec Writeups