Read how @samwcyo and team were able to hack the giants in the automotive industry
Hey 👋
Welcome to the #IWWeekly41 — the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, and 1 Job Alert in today’s newsletter. We have also featured a Beginner’s Corner this time.
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
- From being able to honk multiple scooters at the same time to finding critical vulnerabilities affecting the giants in the automotive industry, check out how @samwcyo and team worked to achieve this magnificent task.
- @sid0krypt explains how he was able to get reflected XSS on a VueJS application.
- @LogicalHunter published an excellent article on his $1000 Identity-Aware Proxy misconfiguration vulnerability in Google Cloud.
- @RahulKankrale describes how he was able to turn off message requests for any user in Instagram.
- @harshbothra_ has yet again written a fabulous pentester guide, this time on prototype pollution attacks.
- @maikroservice has crafted a neat Twitter thread on how to start purple teaming.
- @hacker_ talks about his story on performing social engineering legally to get AWS console access.
- SSRF bugs are always interesting. Find out what @CristiVlad25 learnt by reading Raymond Lind’s recent article on “SSRF Bug Leads To AWS Metadata Exposure”.
- Check out how @DhiyaneshDK was able to exploit S3 buckets on Akamai using his Nuclei template.
- Analyzing ClipboardEvent Listeners for XSS, a NahamCon2022EU talk by @spaceraccoonsec.
- @trufflesec shared an interesting attack vector to bypass firewalls using misconfigured CORS on internal applications and typo-squatting.
- @HackerSploit teaches us how to maintain persistence after the initial foothold using SSH Keys, Web Shells & Cron Jobs.
- Latest version of nuclei with some fixes and new features, by @pdiscoveryio.
- An info-rich repository by @immunefi that contains all the resources you need to start or expand your knowledge in web3 security.
- RedHunt Labs have a vacant full-time remote job opening for a Security Researcher.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Tuhin Bose, Ayush Singh, Hardik Singh, and Siddharth.
Newsletter formatting by: Hardik Singh, Siddharth and Nithin R.
Lots of love
Editorial team,
Infosec Writeups
📧
If you have questions, comments, or feedback, reach out to us on Twitter @InfoSecComm.