IW Weekly #71: Introduction to AD pentesting, XSS via exported activity, using HOTW to leak CSRF tokens, full access to airline points, SSRFs and many more...
Welcome to the #IWWeekly71 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item.
Read, upskill yourself and spread love to the community.
Excited? Let's jump in.
5 Infosec Articles
- Read how @AbhishekKarle3 was able to get an XSS by leveraging exported activities in an Android app.
- HTML Over the Wire (HOTW) lets developers reduce the amount of custom JavaScript they ship; @healthyoutlet shows how certain HOTW features can be abused to leak CSRF tokens.
- Read how @samwcyo, @infosec_au and @iangcarroll hacked the largest airline and hotel rewards platform, gaining full access to transfer and issue airline points, manage rewards programs, oversee customer accounts, and more.
- @kuldeepdotexe writes about multiple instances of SSRF that he found while testing APIs.
- @AkashHamal0x01 shares some tips and tricks on how to go about hunting on smaller scoped bug bounty programs.
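To make the exported-activity item above concrete, here is an added illustration of the pattern behind that class of bug. It is not code from @AbhishekKarle3's writeup or from any real app: an exported Android activity that passes an Intent extra straight into a WebView, beside a hardened version that keeps the activity unexported and allowlists what it will load. The class names, the manifest entries and ALLOWED_HOST are assumptions for the example, and the two classes would live in two separate source files.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// File 1: VulnerableWebViewActivity.java
// Hypothetical manifest entry for the vulnerable case (illustration only):
//   <activity android:name=".VulnerableWebViewActivity" android:exported="true" />
// Because the activity is exported, any app on the device (or a tester via adb)
// can start it with a chosen extra:
//   adb shell am start -n com.example.app/.VulnerableWebViewActivity \
//       --es url "javascript:alert(document.cookie)"
public class VulnerableWebViewActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        setContentView(webView);

        // The "url" extra is attacker-controlled and flows straight into loadUrl():
        // a javascript: URL runs script inside the WebView, and an attacker-hosted
        // https: URL runs the attacker's page with whatever cookies and JavaScript
        // bridges this WebView has access to.
        String url = getIntent().getStringExtra("url");
        webView.loadUrl(url);
    }
}

// File 2: HardenedWebViewActivity.java
// Hypothetical manifest entry for the hardened case (illustration only):
//   <activity android:name=".HardenedWebViewActivity" android:exported="false" />
// Keeping the activity unexported removes the third-party entry point entirely;
// the allowlist below is defence in depth for the case where it must stay exported.
public class HardenedWebViewActivity extends Activity {
    // Assumed value for this example.
    private static final String ALLOWED_HOST = "app.example.com";

    // Accepts only https URLs on the allowlisted host. Rejects null/unparsable input
    // and every other scheme (javascript:, file:, content:, intent:, http:, ...).
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        // Re-check every navigation (this overload requires API 24+), so a page on the
        // allowed host cannot redirect the WebView to an arbitrary origin.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells the WebView not to load the request.
                return !isAllowedUrl(request.getUrl().toString());
            }
        });
        setContentView(webView);

        String url = getIntent().getStringExtra("url");
        if (!isAllowedUrl(url)) {
            finish(); // refuse to load anything that fails the allowlist
            return;
        }
        webView.loadUrl(url);
    }
}
```

When testing an app for this pattern, the manifest is the first stop: any activity with android:exported="true", or with an intent-filter on a target SDK below 31 (where a filter implied exported), is reachable from other apps, and the question becomes whether any extra it reads ends up in a WebView, a file path or another sink.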
4 Trending Tweets
- @mcipekci shares the importance of knowing the target DBMS: here he outlines how learning Oracle/PL/SQL-specific features allowed him to find multiple SQL injections, for a total bounty of $16,000.
- @Rhynorater shares some tips on how to look for XSS.
- Learn about different ways to leak OAuth tokens from this tweet by @Rhynorater.
- Getting duplicates in bug bounty can be demotivating and frustrating; @Rhynorater shares some tips on avoiding duplicates.
- @kuldeepdotexe writes about an SQLMap feature flag that reduces the number of requests sent and in turn makes it easier for a triager to reproduce the SQLi.
3 Insightful Videos
- Check out this new video from @Nahamsec where he discusses some important recon tips and tricks.
- "From Burgers to Bounties": gain tips from the recon legend @infosec_au in episode 30 of the @criticalthinkingpodcast.
- Gain insights into @thecybermentor's essential Bug Bounty recon tips for efficient testing.
2 Job Alerts
- Looking for security roles? Institute of Information Security (IIS) is hiring for different security positions.
- Vonage is hiring for Information Security Engineer positions in Bengaluru, Karnataka India.
1 Special Item
- 5 hours of Active Directory Pentesting for FREE? Yes, you heard it right. Dive into an introduction to AD pentesting with @thecybermentor.
That's all for this week. Hope you enjoyed these incredible finds and learned something new from today's newsletter. Meet you again next week hacker, until then keep pushing.
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Nithin R, Tuhin Bose
Newsletter formatting by: Nikhil A Memane, Hardik Singh, Nithin R, Shlok
Lots of love
Editorial team,
Infosec Writeups
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]