👩💻IW Weekly #98: Image to RCE, MySQL Server Access, Hacking College Website, RCE on Apple’s Production Server, Web-Cache Deception Vulnerability, Github Code Search, SSRF on Vercel and many more…
Welcome to the #IWWeekly98 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @MukundBhuva uncovers the covert pathway from an innocuous image to remote code execution, exposing vulnerabilities in the Dutch Government.
- Diving into the gaming realm, @dhanush1895 navigates a journey from reconnaissance to MySQL server access in this detailed article.
- @kuldeepdotexe explains a unique case of a web cache deception vulnerability that did not involve path confusion the way typical exploits do.
- @cyberpro151 shares his journey exploiting IDORs and CORS misconfigurations to breach his college website.
- Discover how @rootxharsh and @iamnoooob uncovered an RCE vulnerability on Apple's production server, leading to a supply chain attack targeting Lucee installations through compromised update servers.
🧵 4 Trending Tweets
- Attacking secondary contexts is something @samwcyo has previously shown to uncover unique vulnerabilities. Read about a case where he was able to find an SSRF on Vercel in collaboration with @iangcarroll.
- @ctbbpodcast shares some key pointers that might help you find vulnerabilities in WordPress plugins.
- @AyaaHam82030201 shares some insights on an access control issue they found.
- GitHub code search is a powerful tool if you know what to look for and how to look for it; @hakluke shares some tips for the same.
📽️ 3 Insightful Videos
- @gregxsunday shares his journey on how he became a full-time bug bounty hunter and content creator.
- @ctbbpodcast interviews @samm0uda, who is #1 on Meta's bug bounty program, where they discuss postMessages, ATOs, recon, JavaScript monitoring, and more.
- Watch @0xrudrapratap’s interview with @S1r1u5_, founder of @ElectrovoltSec, where he shares his journey and insights from being interested in security to finding RCEs on VSCode, Discord and more.
💼 2 Job Alerts
- DeepStrike is seeking a Mid-Senior Penetration Tester and Junior Penetration Tester to bolster their remote team, focusing on web and mobile app security.
- Join BugBase's cybersecurity team in India! Explore internship opportunities focusing on research, pentesting, or bug bounty, and dive into the exciting realms of cybersecurity innovation and growth.
🎁 1 Special Item
- @albinowax shouts out http-garden, a differential testing and fuzzing tool for HTTP servers and proxies, by @NarfIndustries.
Watch “Bypassing Door Passwords” by Yunus Aydin at IWCON2023
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Manikesh Singh, Bhavesh Harmalkar, Bimal Kumar Sahoo, Nithin R, Vinay Kumar, Tuhin Bose, Mohit Khemchandani, Manan, Shlok, Rachit Arora, Eeshan V, AnuPallavi, Pawan Gambhir, Ansh Patel
Newsletter formatting by: Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Nithin R, Manan, Shlok, Rachit Arora, Eeshan V, AnuPallavi, Pawan Gambhir, Ansh Patel
Lots of love
Editorial team,
Infosec Writeups
📧 If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm or email [email protected]