cyberhub.es

Tag: Practitioner

Exploiting HTTP request smuggling to deliver reflected XSS

Description: This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. The application is also vulnerable to reflected XSS via the User-Agent header. To solve the lab, smuggle a request to the back-end server that causes the next user’s request to receive a response containing an XSS exploit that executes alert(1). Exploiting […]

Exploiting HTTP request smuggling to capture other users’ requests

Description: This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. To solve the lab, smuggle a request to the back-end server that causes the next user’s request to be stored in the application. Then retrieve the next user’s request and use the victim user’s cookies to access their […]

Exploiting HTTP request smuggling to reveal front-end request rewriting

Description: This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. There’s an admin panel at /admin, but it’s only accessible to people with the IP address 127.0.0.1. The front-end server adds an HTTP header to incoming requests containing their IP address. It’s similar to the X-Forwarded-For header but has a different […]

Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Description: This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding. There’s an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos. Exploiting HTTP request smuggling to […]

Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

Description: This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. There’s an admin panel at /admin, but the front-end server blocks access to it. To solve the lab, smuggle a request to the back-end server that accesses the admin panel and deletes the user carlos. Exploiting HTTP request smuggling to […]

Manipulating the WebSocket handshake to exploit vulnerabilities

Description: This online shop has a live chat feature implemented using WebSockets. It has an aggressive but flawed XSS filter. To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent’s browser. Manipulating the WebSocket handshake to exploit vulnerabilities writeup: We will enter the lab and go to the ‘Live chat’ option. We will send […]

Cross-site WebSocket hijacking

Description: This online shop has a live chat feature implemented using WebSockets. To solve the lab, use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to exfiltrate the victim’s chat history, then use this to gain access to their account. Cross-site WebSocket hijacking writeup: We will enter the lab and go to the […]

HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

Description: This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response. HTTP request smuggling, confirming a TE.CL vulnerability via differential responses writeup: We will split the […]

HTTP request smuggling, confirming a CL.TE vulnerability via differential responses

Description: This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. To solve the lab, smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response. HTTP request smuggling, confirming a CL.TE vulnerability via differential responses writeup: In this […]

Exploiting time-sensitive vulnerabilities

Description: This lab contains a password reset mechanism. Although it doesn’t contain a race condition, you can exploit the mechanism’s broken cryptography by sending carefully timed requests. To solve the lab: You can log into your account with the following credentials: wiener:peter. Exploiting time-sensitive vulnerabilities writeup: We access the lab, go to ‘My account’, and enter ‘Forgot […]
