👩‍💻IW Weekly #65: FortiNAC RCE, Supply Chain Attackers Hijack S3 Buckets, Exposed PII, Power of Shodan, WAF Bypass to XXE Injection, Git Directory Leak and Many More…

Discover the latest hijacking technique employed by supply chain attackers targeting S3 buckets in this insightful article by @Checkmarx.

Welcome to the #IWWeekly65 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. Unveiling the FortiNAC RCE vulnerability by @frycos.
  2. Learn how supply chain attackers unleash a new hijacking technique on S3 buckets in this article by @Checkmarx.
  3. @0xA1MN shares how he exposed PII data of all buyers.
  4. Explore the untapped potential and advantages of custom nuclei templates by @pdiscoveryio.
  5. @ADITYASHENDE17 shares his valuable insights on exploiting exposed tokens and API keys.

🧵 4 Infosec Threads

  1. Don't worry if you missed this year's Nahamcon; @thebinarybot has condensed The Power of Shodan, a 20-minute talk by @GodFatherOrwa, into an incredible 2-minute thread.
  2. In this week’s #hacktuesday thread, @AseemShrey discusses how an exposed git directory leaked multiple pieces of sensitive data.
  3. The nightmare of hardcoded credentials in Android applications and their possible exploitation, by @intigriti.
  4. Last month, @irsdl cracked the code on bypassing a Web Application Firewall (WAF) for XXE injection. Get ready for the captivating story in his thread!

📽️ 3 Insightful Videos

  1. In episode 24 of the Bug Bounty Podcast, @ctbbpodcast discusses the role of AI in hacking with @rez0__ & @DanielMiessler.
  2. How Google dorking can be used for efficient hacking, by @Nahamsec.
  3. Unveiling a major vulnerability: @FlashbackPwn infiltrates a financial institution's systems, revealing how the ManageEngine ADSelfService Plus GINA agent can be exploited to gain a pre-authentication SYSTEM shell.

⚒️ 2 GitHub repositories & Tools

  1. jsluice is a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code. Created by @bishopfox.
  2. Surf: A powerful tool to exploit SSRF vulnerabilities in contemporary cloud environments and elevate their impact by @assetnote.

💰1 Job Alert

@Securityb0at is hiring Security Consultants (2-4 yrs exp) and Cybersecurity Sales Pros (0-1 yrs exp) in Pune.

Beginner's Corner

📽️ 3 Insightful Videos

  1. In this latest video by @thecybermentor, get hands-on with how WordPress works and how you can attack a WordPress target.
  2. In this @Intigriti Android hacking series, learn how to hunt for weak authentication bugs in Android applications.
  3. Get to know the only path into ethical hacking, by @thecybermentor.

📝 2 Infosec Articles

  1. Gain insights from @atomiczsec as he reveals his eventful journey during the final 15 days of #30daysofbugbounty.
  2. Uncover how @YoKoAcc could alter a victim’s account data.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: @NikhilMemane09, @AyushSingh1098, @bhavesharmalkar, @srb1mal, @thebinarybot, @R007_BR34K3R, @tuhin1729_
Newsletter formatting by: @NikhilMemane09, @AyushSingh1098, @Kxddah, @0xManan, @PadhiyarRushi, @Huh0x01

Lots of love
Editorial team,
Infosec Writeups

📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
