IW Weekly #14: $1M bounty, bug bounty tips, upcoming CTF events, API attacks, bypassing .NET, autofill credentials stolen, and much more.

Published in InfoSec Write-ups · 3 min read · Aug 3, 2022

Hey 👋

Welcome to the fourteenth edition of Infosec Weekly — the Monday newsletter that brings the best in Infosec straight to your inbox.

In today’s edition, we’ve curated all the amazing Infosec stuff that needs your attention this week in a format of 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, and 1 job alert, to help you get the most out of this newsletter and take a massive jump ahead in your career.

New Section Added: Upcoming CTF Events 🔥

Excited? Let’s dive in👇

📝 5 Infosec Articles

#1 Dhakal_Bibek wrote about an access control bug worth $2000, sharing his methodology for finding access control vulnerabilities.

#2 A lot of web application security testers don’t know about some simple yet helpful bug hunting features. Here’s a detailed blog post by 0xblackbird on how to look for bugs right from your web browsers.

#3 Bypassing .NET Serialization Binders: Case studies for DevExpress (CVE-2022–28684) and Microsoft Exchange (CVE-2022–23277) by @mwulftange.

#4 Read how @PwningEth protected the Moonbeam network by disclosing a critical design flaw, safeguarding more than $100M in assets at risk across various DeFi projects, and was awarded $1M plus a $50k bonus.

#5 Did you know your browser’s autofill credentials could be stolen via Cross-Site Scripting (XSS)? The GoSecure Titan Labs team demonstrates it in this blog.

🧵4 Trending Threads

#1 Bhagavan Bollina shares his tips on how he finds debug parameters.

#2 Have a look at SM9l’s tweet about a fully automatic one-liner to test for SSRF using @pdiscoveryio’s interactsh.

#3 Are you an API pentester, or starting to become one? Abhay Bhargav shares a great thread about underrated #API attacks and defenses that you don’t want to miss.

#4 Ever wondered how bug hunters are able to write their own security checks and stay a step ahead of everyone else? @Jason Haddix shares a deep, informative thread about the secrets of the automation kings in bug bounty.

📽️ 3 Insightful Videos

#1 See how Ben Sadeghipour explains one of the current hot topics in InfoSec, attack surface management (ASM), when it comes down to data gathering.

#2 Check out Part 1 of the practical phishing assessment course by Graham Helton, now made free.

#3 Jhaddix has uploaded a video on how to use the waymore tool effectively. Check it out.

⚒️2 Github repositories & Tools

#1 Discover hidden endpoints and parameters from historical content discovery using @xnl_h4ck3r’s WayMore tool, the best tool for this type of content discovery during web assessments.

#2 @AnubhavSingh_ made a curated list of Android Security materials and resources for pentesters and bug hunters. This repository will guide you on how to start with Android pentesting from scratch.

💰1 Job alert ⚠️

# Opening for Security Engineer at Emirates NBD.

Apply Here

Location: Dubai

🎮 Upcoming CTF Events

#1 Hacky Holidays — Unlock the City Jeopardy

https://hackyholidays.io/

https://ctftime.org/event/1687

Fri, July 08, 2022 10:00 UTC+00:00

Weight: 0 points

Duration: 18 days

#2 Faust CTF 2022 — Attack-Defense

https://2022.faustctf.net/

https://ctftime.org/event/1598

Sat, July 09, 2022 12:00 UTC+00:00

Weight: 99 points

Duration: 9 hours

#3 vsCTF 2022 — Jeopardy

https://ctf.viewsource.me/

https://ctftime.org/event/1658

Sat, July 09, 2022 16:00 UTC+00:00

Weight: 0 points

Duration: 1 day

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting and know other people who would too, we’d really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Nithin R (thebotsite.me), Ayush Singh, Manikesh Singh, Vinay Kumar, Bimal K. Sahoo, Mohit Khemchandani and Pramod Kumar Pradhan.

Newsletter formatting by: Nithin R, Bhavya Jain, Vinay Kumar and Siddharth.

If you wish to join our Ambassadors channel and contribute to the newsletter, DM us on Twitter @InfoSecComm with your discord username.
