👩‍💻IW Weekly #68: Account Takeover using Custom OTP, CVE-2023-36934, Investigating EC2, XSS in hidden inputs, macOS user's real name brute-forced with mDNS and many more..


Read how @FingerprintJs shares their finding which reveals a user's first name without permissions using the mDNS protocol.

Welcome to the #IWWeekly68 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. In his writeup, @bhavukjain1 explains how he discovered an account takeover using a customized OTP ("1337").
  2. The Research team at @pdiscoveryio shares their analysis on CVE-2023-36934 - MOVEit transfer SQL injection.
  3. Get hands-on with forensically investigating a compromised Amazon EC2 instance in this writeup by @e11i0t_4lders0n.
  4. In this article, the team at @PortSwigger demonstrates how to take advantage of Chrome's new HTML popup feature to exploit XSS in meta tags and hidden inputs.
  5. In their series of articles on discovering vulnerabilities in Apple devices, @FingerprintJs shares their finding that reveals a user's first name without permissions using the mDNS protocol.

🧵 4 Threads

  1. The tale of finding 4 SQL injections on one of the oldest @SynackRedTeam targets by @mcipekci.
  2. This thread by @intigriti provides a top 4 cheat-sheet which will help you around bypassing WAF while exploiting SQL injection.
  3. Through his thread, @mattjay shares his top 13 infosec career hacks for those just starting out.
  4. The tale of finding a zero-click Account Takeover on one of the largest SaaS providers by @rez0__.

📽️ 3 Insightful Videos

  1. Exploiting a NoSQL injection and dumping data via regex and python by @ippsec.
  2. In his latest video with @_bagipro , @Liveoverflow shares key notes and tips for Android Application Bug bounty.
  3. Check out this talk by @insiderphd from @Nahamsec's NahamCon 23 on how to properly own APIs for your first valid submission.

⚒️ 2 GitHub repositories & Tools

  1. Shortscan, a Go-based tool for enumerating short filenames on IIS web servers, by @bitquark.
  2. Jsluice is a tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code, by the team at @bishopfox.

💰1 Job Alert

  1. Looking for an AppSec or VAPT job in India? @esecforte is hiring. Drop your CV at [email protected].

InfosecWriteups has partnered with BSides Ahmedabad. Use the following codes for a discount on passes:
  Conference Pass: infosecwriteupbsidesahm (10% off)
  2 Days Training Pass: iwtrainbsidesahm (20% off)

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Siddharth, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Nithin R, Tuhin Bose, Shlok.
Newsletter formatting by: Ayush Singh, Siddharth, Nithin R, Shlok.

Lots of love
Editorial team,
Infosec Writeups

📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
