👩💻IW Weekly #85: LFI to RCE, DoS Bugs, RXSS on Microsoft, Race Conditions, Finding Leaked Tokens, Bypassing URL Parsers and many more…
Welcome to the #IWWeekly85 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
This painting sold for $8 million and everyday investors profited
When the painting by master Claude Monet (you may have heard of him) was bought for $6.8 million and sold for a cool $8 million just 631 days later, investors in shares of the offering received their share of the net proceeds.
All thanks to Masterworks, the award-winning platform for investing in blue-chip art. To date, every one of Masterworks’ 16 sales out of its portfolio has returned a profit to investors. With 3 recent sales, investors realized net annualized returns of 17.6%, 21.5% and 35%.
Shares of every offering are limited, but Infosec readers can skip the waitlist with this exclusive link.
📝 5 Infosec Articles
- Read how @facufernandez was able to get an LFI to RCE while bug hunting.
- @0xMstar showcases a few features of the service PrettyRecon which helps him in mass hunting certain vulnerabilities, technologies, targets, etc.
- @royzsec talks about the approach they used to bypass cloudflare to get Reflected XSS on Microsoft.
- Find out how @anudeep-vysyaraju was able to flood a UPI ID with payment requests.
- Seasoned bug hunters always advise on escalating bugs for more impact, read how @0xPrial was able to escalate a subdomain takeover to being able to see all mails sent to the help desk and more.
🧵4 Trending Tweets
- @Jayesh25_ shares some tips on how to hunt on Windows IIS targets.
- Read about real world examples of race conditions which helped @Jayesh25_ earn quite a few bounties.
- @eduardo_nuri explains how they were able to find a critical 0day XXE to full read SSRF
- Resources for building an Active Directory lab by @hetmehtaa.
📽️ 3 Insightful Videos
- @NahamSec talks about different scenarios and ways to hack on targets using Tomcat and Jolokia.
- Listen about common tips and tricks on bypassing URL parsers, new tools, account takeover stories, and some controversial current events in the hacker scene in the latest episode by @ctbbpodcast.
- @gregxsunday is back with the detailed case studies, here he answers “What types of DoS bugs will get you a bounty?” by analyzing 138 DoS bug bounty reports.
💼 2 Job Alerts
- Pegasystems is seeking a Principal Security Engineer.
- EC-Council is looking for a Web Application Firewall Engineer.
🎁 1 Special Item
- Nuclei AI extension which helps with rapid nuclei template generation, by @pdiscoveryio.
IWCON 2023 is only 39 days away, and we can’t keep calm! 😍
Our team members Anangsha Alammyan and Sravani K got together to create a video answering some of the most frequently asked questions about IWCON.
What exactly is IWCON?
What’s the ticket price?
What are the event dates?
And more.
Watch this fun video, and feel free to share your thoughts in the comments.
We only have limited seats this time, so make sure you save your spot before all tickets are sold out.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Manan, Nithin R.
Newsletter formatting by: Manan, Ayush Singh, Hardik Singh, Nithin R
Lots of love
Editorial team,
Infosec Writeups