Categoría: Portswigger Lab writeup

Exploiting NoSQL operator injection to extract unknown fields

Descripción The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection. To solve the lab, log in as carlos. Tip: The password only uses lowercase letters. Exploiting NoSQL operator injection to extract unknown fields writeup Al entrar en el laboratorio encontraremos una tienda online: Entraremos en […]

Exploiting NoSQL injection to extract data

Descripción The user lookup functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection. To solve the lab, extract the password for the administrator user, then log in to their account. You can log in to your own account using the following credentials: wiener:peter. Tip: The password only uses lowercase letters. […]

Exploiting NoSQL operator injection to bypass authentication

Descripción The login functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection using MongoDB operators. To solve the lab, log into the application as the administrator user. You can log in to your own account using the following credentials: wiener:peter. Exploiting NoSQL operator injection to bypass authentication writeup Al entrar […]

Detecting NoSQL injection

Descripción The product category filter for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection. To solve the lab, perform a NoSQL injection attack that causes the application to display unreleased products. Detecting NoSQL injection writeup Al entrar al laboratorio encontramos una tienda online: Filtraremos por ‘Gifts’ y enviaremos […]

Stored XSS into anchor href attribute with double quotes HTML-encoded

Descripción This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked. Stored XSS into anchor href attribute with double quotes HTML-encoded writeup Al entrar al laboratorio encontramos un blog online: Como nos indica la descripción del laboratorio, vamos […]

Reflected XSS into attribute with angle brackets HTML-encoded

Descripción This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function. Reflected XSS into attribute with angle brackets HTML-encoded writeup Al entrar al laboratorio encontramos un blog online: Al realizar una […]

DOM XSS in jQuery selector sink using a hashchange event

Descripción This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property. To solve the lab, deliver an exploit to the victim that calls the print() function in their browser. DOM XSS in jQuery selector sink using a hashchange event […]

Web shell upload via obfuscated file extension

Descripción This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab […]

Manipulating WebSocket messages to exploit vulnerabilities

Descripción This online shop has a live chat feature implemented using WebSockets. Chat messages that you submit are viewed by a support agent in real time. To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent’s browser. Manipulating WebSocket messages to exploit vulnerabilities writeup Al entrar al laboratorio encontramos una […]

Blind SSRF with out-of-band detection

Descripción This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded. To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server. Blind SSRF with out-of-band detection writeup Al iniciar el laboratorio encontraremos una tienda online: Encendemos el […]