👩‍💻IW Weekly #94: 2FA Bypass, Decoding Obfuscated JavaScript, Exploiting Password Reset Functionality, AWS S3 Bucket Takeover, Invisible Prompt Injections and many more…


Welcome to the #IWWeekly94 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. Explore @bbuerhaus' latest piece on decoding obfuscated JavaScript, exposing concealed vulnerabilities, including those hidden in GET parameter values.
  2. Uncover the secrets of an XSS challenge that dissects a prototype pollution flaw in Axios and leverages jQuery's lowercase transformation, shared by @sudhanshur705.
  3. Delve into the realm of authentication testing with @Om83418440 in Part 05 of his InfoSec Write-ups series, unraveling insights, methods, and examples to fortify your understanding of potential vulnerabilities.
  4. Dive into a bug bounty success story by @truong_rong, where business logic flaws are exploited to bypass 2FA and achieve account takeover.
  5. AWS has swiftly resolved a potential data exfiltration risk in Amazon Q for Business. Dive into the details of this crucial fix by @wunderwuzzi23 and ensure your systems are secure!

🧵 4 Threads

  1. @Jayesh25_ shows us a step-by-step approach on how we can exploit CVE-2023-7028.
  2. Do you know how to set up Discord/Slack notifications for bug bounty findings? Don’t worry, @Jayesh25_ has got you covered.
  3. Learn more about AWS S3 Bucket Takeover with @thebinarybot.
  4. Check out 7 different ways to exploit the password reset functionality to make $$$$, as curated by @thebinarybot.

📽️ 3 Insightful Videos

  1. Watch @NahamSec as he talks about how he would start his bug bounty journey from scratch in 2024
  2. In the latest episode of the @ctbbpodcast, the hosts talk about vulnerable code patterns, invisible prompt injections, the launch of hackernotes and other interesting stuff.
  3. Learn how to build your foundation of knowledge and skills in Application Security Testing using free and paid resources with @TCMSecurity.

💼 2 Job Alerts

  1. Payatu is actively seeking skilled professionals for roles such as Security Consultant, MERN Intern and more, located in Hyderabad, Telangana.
  2. Bug Base is on the lookout for a talented CTF Developer Intern! Check out the job alert and be part of Bug Base's dynamic team.

🎁 1 Special Item

  1. Unearth the risks in bug bounty! Discover how a seemingly harmless login response turned into a massive PII exposure for 40k+ companies.

Watch “Hacking into Pretrained ML model” by S.G Harish at IWCON2023.

Tag us at Twitter and let us know what portion of the talk you enjoyed the most!


That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Bhavesh Harmalkar, Tuhin Bose
Newsletter formatting by: Hardik Singh, Bhavesh Harmalkar, Nithin R, Anu Pallavi, Pawan Gambhir

Lots of love
Editorial team,

Infosec Writeups

📧 If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
