Welcome to the #IWWeekly66 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @assetnote dives deep into the world of security by reversing Citrix Gateway for XSS.
- @hbenja_m strikes gold with two successful Web Cache Deceptions, raking in $2250 in rewards.
- @sec_consult unveils their latest tool, DNS Analyzer, which harnesses the power of Burp Suite to efficiently identify and mitigate DNS vulnerabilities.
- @ollieatnowhere presents a breakthrough: BChecks, the long-awaited solution for Houston's challenges.
- Discover the potential for an Account Takeover (ATO) through a Stored XSS vulnerability in a GraphQL API, as discussed in this insightful bug writeup by @pmnh_.
🧵4 Trending Threads
- @intigriti takes you on a journey to discover the exploitability of an XSS through the User-Agent header.
- @rez0__ shares TOP 5 Tips for mastering bug bounty hunting in the latest @ctbbpodcast episode, featuring the brilliant @inhibitor181.
- BugBounty.zip! A potent toolkit designed specifically for bug bounty hunters by @Tur24Tur.
- @TakSec explores AWS S3 Bucket Leaks through basic tests, AWS CLI, Google Dorks, and essential tools.
📽️ 3 Insightful Videos
- Join @gregxsunday as he embarks on a thrilling journey with @Yassineaboukir, hacking his way to become the Most Valuable Hacker while exploring the world on the go!
- Unlocking the secrets of the $250K Coinbase API Hack with @apisecu, the mastermind behind the breach!
- Join @ctbbpodcast in Episode 25 as they delve into the fascinating world of 2x MVH and the intriguing multi-million dollar hacker, Inhibitor181.
⚒️ 2 GitHub repositories & Tools
- Surf: A powerful tool to exploit SSRF vulnerabilities in contemporary cloud environments and elevate their impact by @assetnote.
💰1 Job Alert
- Join @nii-consulting's dynamic cybersecurity team! Exciting openings in Assessment, Strategy Risk Assessment, SOC, and Training departments.
📝 3 Infosec Articles
- Confused as to whether your discovery is a CSTI or SSTI? Learn about the differences through this article by @infosec_vision.
- In his writeup, @PratikY9967 shares how he was able to chain an XSS to an IDOR, which led to account takeover at an NFT marketplace.
- In this article, @zingzangoo explains how he was able to take advantage of a pre-account takeover due to a flawed access control system.
📽️ 2 Insightful Videos
- “Find your first API related bug”, a talk by @insiderphd from Nahamcon 2023.
- Get to know about directory traversal attacks and how you can hunt for them through this video by @thecybermentor.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Vinay Kumar, Tuhin Bose, Manan and Shlok.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, Nithin R, Shlok.
Lots of love