👩💻IW Weekly #70: NFT Bridge Vulnerability, CVE-2023-3519 Deep Analysis, RCE in Huawei Theme Manager, Preauth RCE in Metabase, Chaining Bugs for Session Hijack and many more.
The team at @assetnote unveils a game-changer: Pre-Auth RCE in Metabase (CVE-2023-38646). Get the scoop on this critical vulnerability!
Welcome to the #IWWeekly70 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a Beginner's Corner featured in this edition.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Deep dive into CVE-2023-3519, exposing critical vulnerabilities in Citrix ADC and NetScaler Gateway - Part 2 by @assetnote.
- Exploring the Huawei Theme Manager: @Doyensec's Discovery of Arbitrary Code Execution
- @UnoHeuss explains a Critical NFT Bridge Vulnerability and how it allows an attacker to exploit the bridge’s withdrawal process.
- Discovering Critical Vulnerability: @assetnote unveils a Pre-Auth RCE in Metabase (CVE-2023-38646).
- @therceman shares the chaining of multiple issues for a Session Hijack exploit.
🧵4 Trending Threads
- Check out @Rhynorater's Twitter thread on PostMessage, where he discusses their purpose and potential vulnerabilities to hunt for.
- XSS to Account Takeover: Real Cases Unveiled in @expankita's Twitter Thread. Essential web security insights!
- Discover the world of XXE vulnerabilities and effective hunting techniques in @intigriti’s insightful Twitter thread. A must-read for web security enthusiasts!
- Explore 10 often overlooked web vulnerabilities and essential hunting tips in @hakluke's eye-opening Twitter thread.
📽️ 3 Insightful Videos
- @_JohnHammond shares his insights on the recent Zimbra ZCS 0-day in this insightful video.
- @NahamSec shares how one can create a basic Subdomain Monitoring system using Notify.
- Hacking Root EPP Servers To Take Control of Zones from NahamCon2023 is out!
⚒️ 2 GitHub repositories & Tools
- Check out xurlfinder, a CLI utility to find a domain's known URLs from curated passive online sources, by @RealHueristiq.
- Check out @mindedsecurity's GitHub repo: semgrep-rules-android-security, featuring Semgrep rules tailored for Android apps, derived from OWASP MASTG.
💰1 Job Alert
- UST is hiring full time Security Analysts for Kerala, India. Do drop your CV.
📝 3 Infosec Articles
- @7srambo writes about interesting ways they were able to bypass 2-factor-authentication (2FA).
- Read how @cyberchiranjit, out of curiosity, was able to find a critical vulnerability in Assam's electoral website.
- JavaScript files often contain sensitive data; read about how @mohammed0x04 was able to find a couple of vulnerable endpoints by analyzing JavaScript files.
🧵 2 Trending Threads
- @impratikdabhi shares some Google dorks to find potentially vulnerable or misconfigured devices.
- @expankita shares some tips to ace your job interview.
📽️ 1 Insightful Video
- @gregxsunday interviews @NahamSec where they discuss how bug hunting doesn’t need to be recon heavy, and more.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Nithin R, Vinay Kumar, Rushi Padhiyar, Shlok.
Newsletter formatting by: Nikhil A Memane, Hardik Singh, Rushi Padhiyar, Nithin R, Shlok.
Lots of love
Editorial team,
Infosec Writeups