👩‍💻IW Weekly #66: Citrix Gateway XSS, Web Cache Deception, DNS Analyzer, ATO to XSS in GraphQL API, AWS S3 Bucket Leaks, $250K Coinbase API Hack and many more…

Unveil the power of Account Takeover (ATO) via Stored XSS vulnerability in a GraphQL API, explored in this enlightening bug writeup by @pmnh_.

Welcome to the #IWWeekly66 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @assetnote dives deep into the world of security by reversing Citrix Gateway for XSS.
  2. @hbenja_m strikes gold with two successful Web Cache Deceptions, raking in $2250 in rewards.
  3. @sec_consult unveils their latest tool, DNS Analyzer, which harnesses the power of Burp Suite to efficiently identify and mitigate DNS vulnerabilities.
  4. @ollieatnowhere presents a breakthrough: BChecks, the long-awaited solution for Houston's challenges.
  5. Discover the potential for an Account Takeover (ATO) through a Stored XSS vulnerability in a GraphQL API, as discussed in this insightful bug writeup by @pmnh_.

🧵 4 Infosec Threads

  1. @intigriti takes you on a journey to discover the exploitability of an XSS through the User-Agent header.
  2. @rez0__ shares TOP 5 Tips for mastering bug bounty hunting in the latest @ctbbpodcast episode, featuring the brilliant @inhibitor181.
  3. BugBounty.zip! A potent toolkit designed specifically for bug bounty hunters by @Tur24Tur.
  4. @TakSec explores AWS S3 Bucket Leaks through basic tests, AWS CLI, Google Dorks, and essential tools.

📽️ 3 Insightful Videos

  1. Join @gregxsunday as he embarks on a thrilling journey with @Yassineaboukir, hacking his way to become the Most Valuable Hacker while exploring the world on the go!
  2. Unlocking the secrets of the $250K Coinbase API Hack with @apisecu, the mastermind behind the breach!
  3. Join @ctbbpodcast in Episode 25 as they delve into the fascinating world of 2x MVH and the intriguing multi-million dollar hacker, Inhibitor181.

⚒️ 2 GitHub repositories & Tools

  1. jsluice is a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code. Created by @bishopfox.
  2. Surf: A powerful tool to exploit SSRF vulnerabilities in contemporary cloud environments and elevate their impact by @assetnote.

💰 1 Job Alert

  1. Join @nii-consulting's dynamic cybersecurity team! Exciting openings in Assessment, Strategy Risk Assessment, SOC, and Training departments.

📝 3 Infosec Articles

  1. Confused as to whether your discovery is a CSTI or SSTI? Learn about the differences through this article by @infosec_vision.
  2. In his writeup, @PratikY9967 shares how he was able to chain an XSS to an IDOR, which led to account takeover at an NFT marketplace.
  3. In this article, @zingzangoo explains how he was able to take advantage of a pre-account takeover due to a flawed access control system.

📽️ 2 Insightful Videos

  1. “Find your first API related bug”, a talk by @insiderphd from Nahamcon 2023.
  2. Get to know about directory traversal attacks and how you can hunt for them through this video by @thecybermentor.

House of Hackers (HoH) is your one-stop forum to discuss all things Cybersecurity. Visit HoH here: https://houseofhackers.xyz/

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Vinay Kumar, Tuhin Bose, Manan and Shlok.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, Nithin R, Shlok.

Lots of love
Editorial team,
Infosec Writeups

📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
