👩💻 IW Weekly #75: Privilege Escalation by request manipulation, PII Disclosure by manipulating parameters, PII leak using misconfigured API, CRLF to XSS, Blind SSRF with Out-of-band Detection and many more...
Welcome to the #IWWeekly75 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Read about how @zingzangoo was able to escalate privileges by manipulating requests.
- Latest research by the @assetnote team on how they were able to leak file contents using a blind file oracle.
- Deep diving into an application and observing its different behaviors is a very important skill to have in bug bounty. Read how @Security_Sphinx was able to read all user information by manipulating parameters.
- Reconnaissance plays a huge role in expanding your attack surface. Read how @h__ayub stumbled upon an API that was leaking user PII.
- Top 10 must-have Burp Suite extensions by @gsaulenas.
🧵 4 Trending Tweets
- @Rhynorater’s brain dump on different ways to take over accounts.
- SQLi is less prevalent than it used to be but still present; @intigriti recommends the following labs to brush up on your SQLi hunting skills.
- Read on how @Rhynorater collaborated with a podcast listener to escalate a CRLF injection to an XSS.
- @silentgh00st’s thread on the different tricks they used that ended up giving access to source code, hardcoded credentials, and more.
📽️ 3 Insightful Videos
- Learn how @NahamSec harnesses the power of AI to create a game-changing wordlist.
- Discover how to exploit Blind SSRF with Out-of-Band Detection in this informative video by @thecybermentor.
- Join @ctbbpodcast in a riveting showdown as they dive into 'The Great Hacker vs Program Debate' in Episode 34!
💼 2 Job Alerts
- Infoblox is seeking a Product Security Engineer I to join their Engineering team in Bangalore, India.
- Uplers is seeking an Application Security Engineer (SAST) for their client, GitLab.
🎁 1 Special Item
- @kevin_mizu creates a playful XSS challenge for pure enjoyment, with no prizes at stake, just a link to explore!
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker. Until then, keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Bimal Kumar Sahoo, Nithin R, Vinay Kumar, Tuhin Bose, Manan.
Newsletter formatting by: Nikhil A Memane, Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, Nithin R, Shlok.
Lots of love
Editorial team,
Infosec Writeups
📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]