cyberhub.es

Tag: Practitioner

Single-endpoint race conditions

Description: This lab’s email change feature contains a race condition that enables you to associate an arbitrary email address with your account. Someone with the address carlos@ginandjuice.shop has a pending invite to be an administrator for the site, but they have not yet created an account. Therefore, any user who successfully claims this address will automatically inherit […]

Multi-endpoint race conditions

Description: This lab’s purchasing flow contains a race condition that enables you to purchase items for an unintended price. To solve the lab, successfully purchase a Lightweight L33t Leather Jacket. You can log into your account with the following credentials: wiener:peter. Multi-endpoint race conditions writeup: We will access the lab and log in under ‘My account’ with the user ‘wiener’ […]

Bypassing rate limits via race conditions

Description: This lab’s login mechanism uses rate limiting to defend against brute-force attacks. However, this can be bypassed due to a race condition. To solve the lab: You can log in to your account with the following credentials: wiener:peter. You should use the following list of potential passwords: Bypassing rate limits via race conditions writeup: We will need […]

SSRF with filter bypass via open redirection vulnerability

Description: This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting […]

Web cache poisoning via ambiguous requests

Description: This lab is vulnerable to web cache poisoning due to discrepancies in how the cache and the back-end application handle ambiguous requests. An unsuspecting user regularly visits the site’s home page. To solve the lab, poison the cache so the home page executes alert(document.cookie) in the victim’s browser. Web cache poisoning via ambiguous requests writeup: We will enter […]

Web cache poisoning via a fat GET request

Description: This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site’s home page using Chrome. To solve the lab, poison the cache with a response that executes alert(1) in the victim’s browser. Web cache poisoning via a […]

Parameter cloaking

Description: This lab is vulnerable to web cache poisoning because it excludes a certain parameter from the cache key. There is also inconsistent parameter parsing between the cache and the back-end. A user regularly visits this site’s home page using Chrome. To solve the lab, use the parameter cloaking technique to poison the cache with […]

Web cache poisoning via an unkeyed query parameter

Description: This lab is vulnerable to web cache poisoning because the query string is unkeyed. A user regularly visits this site’s home page using Chrome. To solve the lab, poison the home page with a response that executes alert(1) in the victim’s browser. Web cache poisoning via an unkeyed query parameter writeup: We will divide the lab into several […]

Web cache poisoning via an unkeyed query string

Description: This lab is vulnerable to web cache poisoning because the query string is unkeyed. A user regularly visits this site’s home page using Chrome. To solve the lab, poison the home page with a response that executes alert(1) in the victim’s browser. Web cache poisoning via an unkeyed query string writeup: We enter the lab and send […]

Targeted web cache poisoning using an unknown header

Description: This lab is vulnerable to web cache poisoning. A victim user will view any comments that you post. To solve this lab, you need to poison the cache with a response that executes alert(document.cookie) in the visitor’s browser. However, you also need to make sure that the response is served to the specific subset of users […]
