cyberhub.es

Category: Portswigger Lab writeup

CSRF where token is tied to non-session cookie

Description: This lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren’t fully integrated into the site’s session handling system. To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You […]

CSRF where token is not tied to user session

Description: This lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren’t integrated into the site’s session handling system. To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You have […]

Blind SQL injection with out-of-band data exfiltration

Description: This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain. The database […]

Blind SQL injection with out-of-band interaction

Description: This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain. To solve […]

Blind SQL injection with time delays and information retrieval

Description: This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or […]

Blind SQL injection with time delays

Description: This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or […]

Username enumeration via subtly different responses

Description: This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists: To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page. Username enumeration via subtly different responses writeup […]

Password reset broken logic

Description: This lab’s password reset functionality is vulnerable. To solve the lab, reset Carlos’s password then log in and access his "My account" page. Victim’s username: carlos. Your credentials: wiener:peter. Password reset broken logic writeup: On entering we will see a blog. First we will go to ‘Email client’ and note down the email address that the website gives us: Now, […]

2FA simple bypass

Description: This lab’s two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user’s 2FA verification code. To solve the lab, access Carlos’s account page. 2FA simple bypass writeup: On entering we will see a blog. We will go to ‘My account’ and log in with the user […]

Username enumeration via different responses

Description: This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists: To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page. Username enumeration via different responses writeup: On entering […]
