đŦVulnerability Labs
Last updated
Last updated
đ Resources đ
Find the admin panel and delete the user
carlos.
Find the unpredictable admin panel and delete user
carlos.
Admin panel found in the code of the / or /login page response for example
Access the
/adminpanel and use it to delete usercarlos.Admin panel use a forgeable cookie to identify administrators.
User's creds:
wiener:peter
Send this request to the repeater and forge the cookie with Admin=true
Delete user carlos once the admin panel login is bypassed.
Burp Proxy interception (or browser Dev Tools) can be used too, while logging in, to set the Cookie to Admin=true, and to access the Admin panel from /my-account .
App's
/adminpanel is accessible only to users withroleid= 2.Access the
/adminpanel and use it to delete usercarlos.
Once logged in, update the email
Send this POST request to the repeater and add "roleid:2" into the JSON body
Browse to /admin and delete user
External access to
/adminpanel is blocked at front-end. Back-end supportsX-Original-URLheader.Access the
/adminpanel and use it to delete usercarlos.
Send a Request to / with an X-Original-URL header pointing top a non-existing resource
With re response 404 Not Found it means the app supports the special request headers
Send an allowed URL as main and the real target in the X-Original-URL
Delete user using the X-Original-Url header
App's access control is based on the HTTP method of requests.
Admin creds:
administrator:admin.Login with
wiener:petercredentials and exploit the access control to promote the user to an administrator.
Login as administrator, promote carlos and send the request to the repeater
Login with wiener in an incognito windows and get the session cookie. Input the session cookie in the existing repeater request -> Unauthorized
Change the method to POSTX -> Missing parameter 'username'
Right click on the request and convert it to GET with Change request method
Set the username to wiener and send it
GET method is allowed
wiener user has access to the admin panel now
Login with
wiener:petercredentials and exploit the horizontal privesc vulnerability on the account page to getcarlos's API key.
Login as wiener and send the request to the repeater
Change the id to id=carlos and send the GET request to get the Carlos's API key
Click the Submit solution button and paste the API key to solve the lab - eXXoHWSpwaZpxBAXr7MbVt9GMoEuCpy9
The app identifies users with GUIDs.
Login with
wiener:petercredentials and exploit the horizontal privesc vulnerability on the account page to getcarlos's GUID and API key.
Find a carlos blog post and get its user ID. /blogs leaks the account's userID
Login as wiener, go to the account page and send the request to the repeater
Change the id to id=fe62ab1c-3eb7-47b8-862b-1c1c47a5490c and send the GET request to get the Carlos's API key
Click the Submit solution button and paste the API key to solve the lab - p3UtBNlmwKtAnEf0PKgBcW9sPQNJcMLq
The app leaks sensitive information in the body of a redirect response
Login with
wiener:petercredentials and exploit the access control vulnerability to getcarlos's API key.
Login as wiener, access the account page via browser and change the id to id=carlos and send the GET request to get the Carlos's API key
This request is redirected to the login page. Check the redirect body content in BurpSuite and find the carlos API key
Click the Submit solution button and paste the API key to solve the lab - ah9Nwj1bvuWv5uvWPK86EBHZCnghqRHe
The user account page leaks password in a masked input.
Login with
wiener:petercredentials, retrieveadministratorpassword and deletecarlosuser.
Login as wiener and access the account page
Change the id to id=administrator and check the response containing the administrator's password
Login as administrator:dta5qwrsg998j416zqh0 and delete carlos
đ Resources đ
Open BurpSuite - Turn off the intercept - Open its internal Browser and open the lab link - Check HTTP history for intercepted requests - Check Images in the Filter settings
Find a fetched product image Request
right click on it and Send to Repeater, or select it and press CTRL+R
Change the Request
The app blocks path traversal sequences but treats the filename as relative to a default working directory.
The app strips path traversal sequences from the supplied filename before using it.
The app blocks input containing path traversal sequences and then performs URL-decode before using it.
With ../../../etc/passwd it does not work
Use BurpSuite Decoder to double URL-Encode the ../../../etc/passwd string
\ / should always be encoded
The application transmits the full file path and validates that it starts with the expected folder.
The app validates the supplied filename end with expected file extension.
Use a null byte character \0 to represent the end of the string
../../../etc/passwd\0.png > ..%2f..%2f..%2fetc%2fpasswd%00.png
the O.S. requests retrieval of the string, it assumes the string is terminated after passwd
