Learn how to use XSS payloads that result in bounties up to $44,625.
Hey 👋
Welcome to the #IWWeekly38 — the Monday newsletter that brings the best in Infosec straight to your inbox.
IWCON2022 finally came to a glorious end yesterday night ❤️ Thank you for joining us. I hope you had a lot of fun and learned something new 😊 Please share your feedback here to help us make the next version better for you 🙂
Coming back to today’s NL, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you maximize the benefit from this newsletter and take a massive jump ahead in your career.
Excited? Let’s jump in 👇
#1 @TarunkantG has shared a unique case of cache poisoning that occurs between Akamai and Amazon S3 buckets.
#2 @pmnh_ and @UsmanMansha used Spring Expression Language injection on a Spring Boot application in order to bypass Akamai WAF and achieve remote code execution (P1). Read on to learn how they achieved it.
#3 Read how @jzeerx found an SSTI that resulted in arbitrary file reading on one of Asia’s leading payment systems.
#4 Gafnit Amiga uncovers a major security flaw in AWS ECR Public where external actors can delete, update, and create images, layers, and tags.
#5 Read Omar Hashem’s detailed article in which he explains the CVE-2022-42710 journey in the Linear eMerge E3 Series, tracing the path from XXE to stored XSS.
#1 Pratik Gaikwad discovered a privilege escalation vulnerability that resulted in the deletion of accounts and workspaces belonging to other people and organizations.
#2 Abdelrhman Allam created a comprehensive blog post on single sign-on (SSO).
#1 PhonePe is looking for a Security Engineer. Check out the details here.
We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world.
If you’d like to advertise to our 27k+ community of cybersecurity enthusiasts, click here to partner with us.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
If you found this newsletter interesting, and know other people who would too, we’d really appreciate it if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on help@cyb4rgeek.xyz.
See you again next week.
Lots of love
Editorial team,
Infosec Writeups
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Vinay Kumar, Manikesh Singh, and Tuhin Bose.
Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth and Ayush Singh.