Etiqueta: Practitioner

Username enumeration via account lock

Descripción This lab is vulnerable to username enumeration. It uses account locking, but this contains a logic flaw. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page. Username enumeration via account lock writeup Este laboratorio es parecido al anterior (Broken brute-force protection, IP block), salvo que en […]

Broken brute-force protection, IP block

Descripción This lab is vulnerable due to a logic flaw in its password brute-force protection. To solve the lab, brute-force the victim’s password, then log in and access their account page. Broken brute-force protection, IP block writeup Este laboratorio es idéntico al anterior (Username enumeration via response timing), salvo que en este caso el bloqueo […]

Username enumeration via response timing

Descripción This lab is vulnerable to username enumeration using its response times. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page. Your credentials: wiener:peter Username enumeration via response timing writeup Entraremos en ‘My account’ y capturaremos una petición de inicio de sesión con datos aleatorios: Si intentamos iniciar […]

HTTP request smuggling, obfuscating the TE header

Descripción This lab involves a front-end and back-end server, and the two servers handle duplicate HTTP request headers in different ways. The front-end server rejects requests that aren’t using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server […]

HTTP request smuggling, basic TE.CL vulnerability

Descripción This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding. The front-end server rejects requests that aren’t using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the […]

HTTP request smuggling, basic CL.TE vulnerability

Descripción This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. The front-end server rejects requests that aren’t using the GET or POST method. To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the […]

CL.0 request smuggling

Descripción This lab is vulnerable to CL.0 request smuggling attacks. The back-end server ignores the Content-Length header on requests to some endpoints. To solve the lab, identify a vulnerable endpoint, smuggle a request to the back-end to access to the admin panel at /admin, then delete the user carlos. This lab is based on real-world vulnerabilities discovered by PortSwigger […]

HTTP/2 request smuggling via CRLF injection

Descripción This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests and fails to adequately sanitize incoming headers. To solve the lab, use an HTTP/2-exclusive request smuggling vector to gain access to another user’s account. The victim accesses the home page every 15 seconds. If you’re not familiar with Burp’s exclusive […]

H2.CL request smuggling

Descripción This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length. To solve the lab, perform a request smuggling attack that causes the victim’s browser to load and execute a malicious JavaScript file from the exploit server, calling alert(document.cookie). The victim user accesses the home […]

Response queue poisoning via H2.TE request smuggling

Descripción This lab is vulnerable to request smuggling because the front-end server downgrades HTTP/2 requests even if they have an ambiguous length. To solve the lab, delete the user carlos by using response queue poisoning to break into the admin panel at /admin. An admin user will log in approximately every 15 seconds. The connection to the back-end […]