👩‍💻IW Weekly #95: From Rook to XSS, CVE-2023-5480, Response Manipulation to Privilege Escalation, Top 10 Web Hacking Techniques for 2023, Unicode Escape Handling in Java and many more…

👩‍💻IW Weekly #95: From Rook to XSS, CVE-2023-5480, Response Manipulation to Privilege Escalation, Top 10 Web Hacking Techniques for 2023, Unicode Escape Handling in Java and many more…
Photo by Azamat E / Unsplash

Welcome to the #IWWeekly95 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. In @slonser's detailed write-up, he thoroughly explores CVE-2023-5480, a Chrome XSS vulnerability, offering a comprehensive analysis of its implications .
  2. In @zikolaasec's write-up, he reveals how a bug granted ordinary users access to premium features by response manipulation, securing a $500 bounty for exposing this significant security flaw.
  3. @garethheyes at @PortSwiggerRes explores Java's handling of unicode escapes in source code strings, uncovering surprising nuances and demonstrating how to exploit them for concealing payloads.
  4. In his write-up, @_MrNiko shares a comprehensive walkthrough for mastering the HTB Zipping challenge, offering valuable insights and guidance.
  5. Deep dive into the journey of a rook to an amazing XSS on chess.com through this detailed blog by @skii.dev.
  1. @Jayesh25_ shares some tips on finding additional targets connected to your widescope target.
  2. @intigriti discusses a common OAuth vulnerability, check out their thread for a detailed explanation. 
  3. @thebinarybot shares a list of browser extensions for bug bounty hunters and security researchers.
  4. Hunting on a bug bounty target with a limited scope can often be challenging, check out some tips shared by @ott3rly for small scoped targets.

📽️ 3 Insightful Videos

  1. In his recent video, @LiveOverflow shares a guide on utilizing AFL++ for fuzzing, with the goal of rediscovering the libwebp vulnerability (CVE-2023-4863) that was exploited to compromise iPhones.
  2. In his latest video, @_johnhammond raises awareness by demonstrating a tutorial on backdooring a desktop shortcut to execute malware.
  3. In episode 55 of the Critical thinking Bug Bounty podcast by @ctbbpodcast, they discussed the functionalities and vulnerability testing in Wordpress Plugins.

💼 2 Job Alerts

  1. Uplers is looking to fill a remote position for a Product Security Engineer at Airbase.
  2. Checkmarx is hiring for the position of an Application Security Engineer in Pune, Maharashtra.

🎁 1 Special Item

  1. As is tradition, @PortSwiggerRes has released its annual list of top web hacking techniques for 2023. Grab your coffee, delve into the cutting-edge research, and cast your vote for the top 10.

Watch “A decade plus of maintaining ZAP” by Simon Bennetts (psiinon) at IWCON2023 and let us know how much you liked this.


That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪

This newsletter would not have been made possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Bhavesh Harmalkar, Manan, Ansh Patel
Newsletter formatting by: Hardik Singh, Shlok, Eeshan V

Lots of love
Editorial team,

Infosec Writeups

📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]

Subscribe to The Infosec Newsletter

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]
Subscribe