cyberhub.es

Category: Portswigger Lab writeup

Basic SSRF against another back-end system

Description: This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos. Basic SSRF against another back-end system writeup: On starting the lab we will find a shop […]

OS command injection, simple case

Description: This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response. To solve the lab, execute the whoami command to determine the name of the current user. OS command injection, simple […]

DOM XSS in jQuery anchor href attribute sink using location.search source

Description: This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library’s $ selector function to find an anchor element, and changes its href attribute using data from location.search. To solve this lab, make the "back" link alert document.cookie. DOM XSS in jQuery anchor href attribute sink using location.search source writeup: On entering we will find a blog: Let's […]

CSRF where token validation depends on request method

Description: This lab’s email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests. To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You can log in to your […]

CSRF vulnerability with no defenses

Description: This lab’s email change functionality is vulnerable to CSRF. To solve the lab, craft some HTML that uses a CSRF attack to change the viewer’s email address and upload it to your exploit server. You can log in to your own account using the following credentials: wiener:peter CSRF vulnerability with no defenses writeup: On entering […]

DOM XSS in innerHTML sink using source location.search

Description: This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search. To solve this lab, perform a cross-site scripting attack that calls the alert function. DOM XSS in document.write sink using source location.search writeup: On entering the lab we find […]

DOM XSS in document.write sink using source location.search

Description: This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL. To solve this lab, perform a cross-site scripting attack that calls the alert function. DOM XSS in […]

Stored XSS into HTML context with nothing encoded

Description: This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the blog post is viewed. Stored XSS into HTML context with nothing encoded writeup: On entering the lab we find a blog. Since the lab title tells us […]

Reflected XSS into HTML context with nothing encoded

Description: This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab, perform a cross-site scripting attack that calls the alert function. Reflected XSS into HTML context with nothing encoded writeup: On entering the lab we find a blog and a search bar, where the description says that we have […]

File path traversal, validation of file extension with null byte bypass

Description: This lab contains a path traversal vulnerability in the display of product images. The application validates that the supplied filename ends with the expected file extension. To solve the lab, retrieve the contents of the /etc/passwd file. File path traversal, validation of file extension with null byte bypass writeup: On entering the lab we will find […]
