cyberhub.es
Tag: Apprentice

Authentication bypass via information disclosure

Description: This lab’s administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end. To solve the lab, obtain the header name then use it to bypass the lab’s authentication. Access the admin interface and delete the user carlos. You can log in […]

Source code disclosure via backup files

Description: This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code. Source code disclosure via backup files writeup: On entering, we find an online shop. Appending ‘/backup’ to the URL, we find the following file: Inside […]

Information disclosure on debug page

Description: This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable. Information disclosure on debug page writeup: On entering, we find an online shop. Looking through its source code with Ctrl + U or Right click -> View page source, we find […]

Information disclosure in error messages

Description: This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework. Information disclosure in error messages writeup: On entering, we see an online shop. To trigger an error, we go to any product and see that […]

Reflected XSS into a JavaScript string with angle brackets HTML encoded

Description: This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function. Reflected XSS into a JavaScript string with angle brackets […]

Clickjacking with a frame buster script

Description: This lab is protected by a frame buster which prevents the website from being framed. Can you get around the frame buster and conduct a clickjacking attack that changes the user's email address? To solve the lab, craft some HTML that frames the account page and fools the user into changing their email address […]

Clickjacking with form input data prefilled from a URL parameter

Description: This lab extends the basic clickjacking example in Lab: Basic clickjacking with CSRF token protection. The goal of the lab is to change the email address of the user by prepopulating a form using a URL parameter and enticing the user to inadvertently click on an "Update email" button. To solve the lab, craft some […]

Basic clickjacking with CSRF token protection

Description: This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word "click" on a decoy website. To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab […]

Insecure direct object references

Description: This lab stores user chat logs directly on the server’s file system, and retrieves them using static URLs. Solve the lab by finding the password for the user carlos, and logging into their account. Insecure direct object references writeup: We enter the lab and see that it has a ‘Live chat’ option. On entering it, […]

User ID controlled by request parameter with password disclosure

Description: This lab has a user account page that contains the current user’s existing password, prefilled in a masked input. To solve the lab, retrieve the administrator’s password, then use it to delete the user carlos. You can log in to your own account using the following credentials: wiener:peter User ID controlled by request parameter with password disclosure […]
