👩‍💻IW Weekly #42: $1M bounty explained, GCP takeover, iOS pentesting, Smart Contract vulnerabilities, API security checklist and much more… | by InfoSec Write-ups | Feb, 2023

Take a look at how @kl_sree managed to take over your GCP projects.

Welcome to the #IWWeekly42 — the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 GitHub Repos and Tools, 1 Job Alert in today’s newsletter. We also have a separate beginner’s corner in this issue.

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

Articles
  1. Check out how @kl_sree uncovers an SSRF vulnerability in Google Cloud’s Vertex AI, giving attackers the key to take over your GCP projects.
  2. In this article, @realgmhacker analyzes the vulnerability in the Nomad bridge’s Replica contract that was exploited in the $190M hack in 2022.
  3. Bypass WAFs with ease using @hakluke’s latest tool to discover the origin host behind a reverse proxy.
  4. @emil.lerner walks you through an exploit that achieves code execution on the Redis server via a memory corruption issue.
  5. @sockpuppets has written an article on identifying coin scammers with wallet-tracker.

Threads
  1. Penetration testing just got real. Join @hetmehtaa on a journey to master the tools, methodologies and attack vectors for each OSI layer!
  2. Learn the art of iOS penetration testing with the help of @0ctac0der’s in-depth and informative thread.
  3. This thread features a story-style Q&A session with Sumit Grover (@sumgr0), written by @harshbothra_.
  4. @maikroservice shares his debugging thought process for resolving an issue with a locally hosted and built Angular and TypeScript application, involving FTP directory listings.

Videos
  1. @NahamSec records an adversary’s approach to analyzing and potentially exploiting vulnerabilities in smart contracts with security expert @Hackermate_.
  2. @gregxsunday discusses the $1 million bounty paid by the Aurora blockchain for a missing input sanitization bug with lead offensive security engineer Michal Bajor.
  3. @HusseiN98D shares his approach to wide-scope bug bounty programs at NahamCon2022EU.

GitHub Repos and Tools
  1. Shieldfy’s API Security Checklist: a comprehensive guide to designing, testing and releasing secure APIs.
  2. The latest release of katana, a crawling and spidering framework by @pdiscoveryio, with new features and fixes.

Job Alert
  1. SecureLayer7 has a remote opening for a senior security consultant in India.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then, keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Ayush Singh, Bhavesh Harmalkar, Nithin R, Mohit Khemchandani and Manan.

Newsletter formatting by: Ayush Singh, Hardik Singh, Manan and Nithin R.

Lots of love
Editorial team,
Infosec Writeups

📧If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email nithin@infosecwriteups.com
