👩💻 IW Weekly #75: Privilege Escalation by request manipulation, PII Disclosure by manipulating parameters, PII leak using misconfigured API, CRLF to XSS, Blind SSRF with Out-of-band Detection and many more...
Welcome to the #IWWeekly75 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- Read about how @zingzangoo was able to escalate privileges by manipulating the requests.
- Latest research by the @assetnote team on how they were able to leak file contents using a blind file oracle.
- Deep diving into an application and observing its different behaviors is a very important skill to have in bug bounty. Read how @Security_Sphinx was able to read all user information by manipulating parameters.
- Reconnaissance plays a huge role in expanding your attack surface. Read how @h__ayub stumbled upon an API that was leaking user PII.
- Top 10 must-have Burp Suite extensions by @gsaulenas.
🧵 4 Trending Tweets
- @Rhynorater’s brain dump on different ways to take over accounts.
- SQLi is less prevalent but still present; @intigriti recommends the following labs to brush up on your SQLi hunting skills.
- Read how @Rhynorater collaborated with a podcast listener to escalate a CRLF injection to an XSS.
- @silentgh00st’s thread on different tricks they used which ended up giving access to source code, hardcoded credentials, and more.
📽️ 3 Insightful Videos
- Learn how @NahamSec harnesses the power of AI to create a game-changing wordlist.
- Discover how to exploit Blind SSRF with Out-of-Band Detection in this informative video by @thecybermentor.
- Join @ctbbpodcast in a riveting showdown as they dive into 'The Great Hacker vs Program Debate' in Episode 34!
💼 2 Job Alerts
- Infoblox is seeking a Product Security Engineer I to join their Engineering team in Bangalore, India.
- Uplers is seeking an Application Security Engineer (SAST) for their client, Gitlab.
🎁 1 Special Item
- @kevin_mizu creates a playful XSS challenge for pure enjoyment, with no prizes at stake, just a link to explore!
![](https://weekly.infosecwriteups.com/content/images/2023/09/image.png)
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Bimal Kumar Sahoo, Nithin R, Vinay Kumar, Tuhin Bose, Manan.
Newsletter formatting by: Nikhil A Memane, Manan, Ayush Singh, Hardik Singh, Rushi Padhiyar, Nithin R, Shlok
Lots of love
Editorial team,
Infosec Writeups
📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]