cyberhub.es

Tag: Apprentice

Reflected XSS into attribute with angle brackets HTML-encoded

Description: This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function. Reflected XSS into attribute with angle brackets HTML-encoded writeup: On entering the lab we find an online blog: On performing a […]

DOM XSS in jQuery selector sink using a hashchange event

Description: This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property. To solve the lab, deliver an exploit to the victim that calls the print() function in their browser. DOM XSS in jQuery selector sink using a hashchange event […]

Web shell upload via obfuscated file extension

Description: This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab […]

Manipulating WebSocket messages to exploit vulnerabilities

Description: This online shop has a live chat feature implemented using WebSockets. Chat messages that you submit are viewed by a support agent in real time. To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent’s browser. Manipulating WebSocket messages to exploit vulnerabilities writeup: On entering the lab we find a […]

Basic SSRF against another back-end system

Description: This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos. Basic SSRF against another back-end system writeup: On starting the lab we will find a shop […]

OS command injection, simple case

Description: This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response. To solve the lab, execute the whoami command to determine the name of the current user. OS command injection, simple […]

DOM XSS in jQuery anchor href attribute sink using location.search source

Description: This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library’s $ selector function to find an anchor element, and changes its href attribute using data from location.search. To solve this lab, make the "back" link alert document.cookie. DOM XSS in jQuery anchor href attribute sink using location.search source writeup: On entering we will find a blog: We are going to […]

CSRF vulnerability with no defenses

Description: This lab’s email change functionality is vulnerable to CSRF. To solve the lab, craft some HTML that uses a CSRF attack to change the viewer’s email address and upload it to your exploit server. You can log in to your own account using the following credentials: wiener:peter CSRF vulnerability with no defenses writeup: On entering […]

DOM XSS in innerHTML sink using source location.search

Description: This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search. To solve this lab, perform a cross-site scripting attack that calls the alert function. DOM XSS in document.write sink using source location.search writeup: On entering the lab we come across […]

DOM XSS in document.write sink using source location.search

Description: This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL. To solve this lab, perform a cross-site scripting attack that calls the alert function. DOM XSS in […]
