👩‍💻IW Weekly #64: EPP Servers, MOVEIt Transfer RCE, Password Reset Link to Account Takeover, PII Data Leakage, Dependency Confusion Attack and many more


MOVEIt Transfer RCE (CVE-2023-34362) exposes a critical flaw enabling remote code execution within the MOVEIt Transfer platform, as discovered by @assetnote.

Welcome to the #IWWeekly64 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @infosec_au, @samwcyo, @bbuerhaus, and @rhyselsmore delve into the world of hacking by targeting EPP servers and ccTLD zones in their recent research.
  2. MOVEIt Transfer RCE Part Two (CVE-2023-34362) reveals a critical vulnerability allowing remote code execution in the MOVEIt Transfer platform - @assetnote.
  3. @ManavBankatwala explores the lucrative vulnerability of copy password reset links, exposing the alarming ease of account takeover.
  4. @ferferof_ delves into the risks of information disclosure in a private program, exploring PII data leakage and the corresponding US$1500 bounty.
  5. Exploring the intricacies of Flutter's reverse engineering and conducting a comprehensive security analysis - @Ostorlab.

🧵 4 Threads

  1. @novasecio shares expert insights on mastering Server-Side Request Forgery (SSRF) with 15 valuable resources.
  2. @intigriti shares 4 essential tools for automating JWT attacks, enabling effective security testing and vulnerability identification.
  3. @AseemShrey breaks down the 'dependency confusion' attack targeting @Google: a malicious package is published under the same name as a private Python package, so developers who unknowingly install it pull in the attacker's code.
  4. @thebinarybot reveals the top 5 Burp Suite extensions essential for enhancing your hacking skills in 2023.

📽️ 3 Insightful Videos

  1. Unlock the secrets of account takeover with an in-depth analysis of 146 bug bounty reports in this eye-opening video by @gregxsunday.
  2. @LiveOverflow explores a failed security research attempt, unraveling a flawed idea in WordPress involving caching and MD5 collision while sharing valuable lessons learned.
  3. Unleash the power of ChatGPT as Mike Takahashi (@TakSec) demonstrates hacking techniques in this captivating video by @AseemShrey.

⚒️ 2 GitHub repositories & Tools

  1. Surf: A powerful tool to exploit SSRF vulnerabilities in contemporary cloud environments and elevate their impact by @assetnote.
  2. @Daffainfo's NahamCon CTF 2023 writeup: A comprehensive account of their participation with TCP1P team, securing the 6th place among 2518 teams in the CTF competition.

💰1 Job Alert

  1. @panaceainfosec is hiring for an experienced IT security testing/VAPT professional with 2 to 6 years of experience, immediate to 15 days notice period, for a position based in Delhi.

🔰 Beginner's Corner

📝 3 Infosec Articles

  1. Learn the essentials of setting up your iOS environment for mobile pentesting with this comprehensive guide by @imorosan.
  2. @inderjeet exposes the vulnerability of Disney's admin panel, allowing unauthorized access to alter movie ticket prices.
  3. @bughunt789 explores the dangerous implications of combining HTML injection with XSS to exploit vulnerabilities and steal cookies.

📽️ 2 Insightful Videos

  1. @rana__khalil presents a comprehensive guide in the Long Version of "Directory Traversal - Lab #5," covering file path traversal where the application validates only the start of the path.
  2. Unlock the secrets of web application hacking with @NahamSec as he guides you through step-by-step ethical hacking resources.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Bimal Kumar Sahoo, Vinay Kumar, Tuhin Bose, Manan, Alvin Mwambi and Shlok.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh and Rushi Padhiyar.

Lots of love
Editorial team,
Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
