cyberhub.es

Tag: Practitioner

Scanning non-standard data structures

Description: This lab contains a vulnerability that is difficult to find manually. It is located in a non-standard data structure. To solve the lab, use Burp Scanner’s Scan selected insertion point feature to identify the vulnerability, then manually exploit it and delete carlos. You can log in to your own account with the following credentials: wiener:peter Scanning non-standard data […]

Discovering vulnerabilities quickly with targeted scanning

Description: This lab contains a vulnerability that enables you to read arbitrary files from the server. To solve the lab, retrieve the contents of /etc/passwd within 10 minutes. Due to the tight time limit, we recommend using Burp Scanner to help you. You can obviously scan the entire site to identify the vulnerability, but this might not […]

SQL injection with filter bypass via XML encoding

Description: This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform […]

Infinite money logic flaw

Description: This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket". You can log in to your own account using the following credentials: wiener:peter Infinite money logic flaw writeup To complete this lab, we will divide it into 3 parts that will be carried out one […]

HTTP/2 request splitting via CRLF injection

Description: This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests and fails to adequately sanitize incoming headers. To solve the lab, delete the user carlos by using response queue poisoning to break into the admin panel at /admin. An admin user will log in approximately every 10 seconds. The connection to the back-end is reset […]

URL normalization

Description: This lab contains an XSS vulnerability that is not directly exploitable due to browser URL-encoding. To solve the lab, take advantage of the cache’s normalization process to exploit this vulnerability. Find the XSS vulnerability and inject a payload that will execute alert(1) in the victim’s browser. Then, deliver the malicious URL to the victim. URL normalization […]

CSRF with broken Referer validation

Description: This lab’s email change functionality is vulnerable to CSRF. It attempts to detect and block cross domain requests, but the detection mechanism can be bypassed. To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You can log in to […]

CSRF where Referer validation depends on header being present

Description: This lab’s email change functionality is vulnerable to CSRF. It attempts to block cross domain requests but has an insecure fallback. To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You can log in to your own account using […]

SameSite Lax bypass via cookie refresh

Description: This lab’s change email function is vulnerable to CSRF. To solve the lab, perform a CSRF attack that changes the victim’s email address. You should use the provided exploit server to host your attack. The lab supports OAuth-based login. You can log in via your social media account with the following credentials: wiener:peter Note The […]

SameSite Strict bypass via sibling domain

Description: This lab’s live chat feature is vulnerable to cross-site WebSocket hijacking (CSWSH). To solve the lab, log in to the victim’s account. To do this, use the provided exploit server to perform a CSWSH attack that exfiltrates the victim’s chat history to the default Burp Collaborator server. The chat history contains the login credentials […]
