Position for SOC leader at Director/ Associate Director level to run a SOC. Position is in Noida, CTC ~60L. Pls share any reference with priti@thecyberhire.com with a cc to talent@thecyberhire.com

If you've discovered an Insecure Direct Object Reference (IDOR) vulnerability where you can modify data belonging to others, here's a strategic approach to handle it:

1. Understand the Impact: First, assess the severity of the IDOR. If it allows you to modify critical data or perform actions with significant consequences, it's a high-impact vulnerability.

2. Avoid Temptation: Even though you could exploit the IDOR to change data, it's crucial not to do so without authorization. Unauthorized modification of data is a breach of trust and could lead to legal and ethical implications.

3. Proof of Concept (PoC): Create a PoC to demonstrate the IDOR. This could be as simple as changing a user's name or email address to something obvious, like "test@example.com".

4. Check for XSS Vulnerability: Before escalating the IDOR, check if the application is vulnerable to Cross-Site Scripting (XSS). If user input is echoed without proper sanitization and escaping, an IDOR could be escalated to an XSS attack.

5. Escalate to XSS: If an XSS vulnerability is found, exploit it to inject a malicious noscript. This could allow you to steal cookies, perform actions on behalf of the user, or even take over the user's account (Account Takeover - ATO).

Here's a simple example of how you might escalate an IDOR to an XSS attack:

- IDOR: You can change another user's name to "test".
- XSS: You find that user input is echoed without proper sanitization. So, you change the user's name to a malicious noscript, like <noscript>alert('XSS Attack!')</noscript>.

6. Report the Vulnerabilities: After creating your PoCs, report the IDOR and any XSS vulnerabilities you've found to the appropriate security team. Provide clear steps on how to reproduce the issues.

Here's how you might report it:

- IDOR: "I found that I could change another user's name to any value. Here's how to reproduce it: [steps]..."
- XSS: "I found that user input is echoed without proper sanitization, allowing for XSS attacks. Here's how to reproduce it: [steps]..."

CVE-2024-22116: RCE in Zabbix, 9.9 rating 🔥

Lack of escaping for noscript parameters allows an attacker to execute arbitrary code.

Search at Netlas.io:
👉 Link: https://nt.ls/KoYW4
👉 Dork: http.favicon.hash_sha256:22b06a141c425c92951056805f46691c4cd8e7547ed90b8836a282950d4b4be2

Vendor's advisory: https://support.zabbix.com/browse/ZBX-25016