Exam Notes
login attempt and thus reset the timer  The right
Authentication
Username enumeration via different responses
This lab can simply be solved by bruteforcing usernames
wordlist with any single invalid password → the right
username will give a response length different from the rest.
Then take this username and brute force its password simply
with the given password wordlist until a response code 302
is obtained or a response with a different length is obtained
Username enumeration via subtly different responses
Sometimes when all responses have different lengths we can
fetch for the response message when a username is trying to
log in  In this case a wrong username gives Invalid username
or password. but a right username gives Invalid username or
password without a . at the end  We can brute the
username like that then simply brute its password after.
Username enumeration via response timing
This lab firstly implements locking an account via IP address
after too many login attempts  We can simply bypass this
by making a valid login after every wrong login try using
wiener:peter to reset the invalid attempts number.
1 So we first enumerate the username by simply having a
wordlist with the given usernames but having username
wiener in between every 2 usernames and set the password
to always be peter  This will cause it to make a valid login
2FA simple bypass
Simply Login to user carlos  Then visit /my-account page
within the URL to avoid entering the 2FA code.
Access control vulnerabilities
Unprotected admin functionality
Visiting robots.txt reveals a secret admin panel allowing us
to delete user carlos
Unprotected admin functionality with unpredictable URL
Taking a look at the dashboard source code leaks the url of
the admin panel called /admin-h5cx1t → allowing us to delete
user carlos.
User role controlled by request parameter
Visiting the /admin url and intercepting the request reveals a
parameter called Admin=<Boolean> passed in the body that
controls if the user is Admin or not  Change it to Admin=true
to visit the admin page successfully.
Place wienerʼs session ID in place of session ID of the
previous admin role changing request performed by the
admin in addition to changing the body to upgrade role of
user wiener.
Now sending this alone in repeater will result in an
unauthorized reply  So we just
right click the request → C hange request method  It will now
become a GET request with the same previous body
parameter but passed in the url instead.
Wiener Account profile
Final modified Request with
Admin legit request to request
the injected session ID
change carlos role
User ID controlled by request parameter
For this lab we can perform horizontal privilege escalation by
simply modifying the ?id= parameter from wiener to carlos
in the account page  We should get carlosʼs API key from
the returned reply body.
User ID controlled by request parameter with data leakage in
redirect
This lab simply can be solved by changing the ?id=<username>
when accessing the /my-account webpage where the returned
webpage will leak information about the requested user like
his API key.
with username wiener and password peter after every invalid
enumerated username will have a significantly different
response time than the rest of the other users.
2 Then we can enumerate the password in the same way
but have the usernames set to change between
<right username> and wiener and passwords change between
the tried password and peter to make a successful login
attempt after every try.
We can also solve this lab by simply using Pitch Fork attack → supplying an
X-Forwarded-For:<num> in the first payload to spoof the IP of the request and
make sure its a number from 1-1000  Then simply putting payload 2 as the
enumerated usernames wordlist and its also important to set the password
very long to make the request take longer for a valid username.
We can double check a username to be valid by right click its request →
send to repeater → check if the response time is still high (bottom right
number in milliS )
Broken brute-force protection, IP block
We can simply bypass IP blocks by iterating each incorrect
login attempt with a correct login attempt using user
wiener:peter  Since we want to login to user carlos  We
first have a wordlist with users written in each line as
wiener,carlos,wiener,carlos … etc and password are also
iterated in the same but but for each tried password for
carlos we have password peter after that for a successful
login and reseting the number of tries.
Username enumeration via account lock
Valid usernames will get locked after 4 login attempts or so
while invalid ones keep getting the message invalid username
User role can be modified in user profile
The lab only allows users with roleid: 2 to visit the admin
page. if we try to change the user email, intercept the
request and the reply within repeater  We will see a JSON
inserted in the request body containing our new email and
then we recieve another JSON within the response body
containing our current roleid value of 1.
We can try changing the
roleid within the request JSON and sending it within
repeater  This should now allow us to visit the admin page.
Modified
Initial Request First
Response
Response
Final Response
With that
response, our
user wiener has
of 2 and
roleid
can visit /admin
url.
URL-based access control can be circumvented
User ID controlled by request parameter with password
disclosure
This lab is pretty straightforward  There is a vulnerability
allowing us to access different user accounts based on the
id=<username>parameter  Their password are disclosed
within a pre-filled field within the /my-account page.
Simply login to our wiener account → navigate to
page and intercept it → modify ?id=wiener to ?
/my-account
to access the administrator account page
id=administrator
which reveals their password in the reply body  Then
finally login to user administrator with these credentials and
delete user carlos from the admin panel.
Insecure direct object references
This lab allows us to chat with someone and then click the
view transcript button to obtain all the chat logs so far →
These chat logs are stored in a .txt file and are returned in a
or password  So the account that will get locked has our right
username which we will then need to bruteforce.
We set the first payload to the usernames wordlist  Set the second
payload to be an invalid username followed by $$ to append NULL
payloads to it with Cluster bombs options and force this to repeat 5 times
per user.
The right username will get an error message showing that it got locked
After getting the username simply brute force the password wordlist with
sniper → the right password will give no response with status code 200 .
Brute-forcing a stay-logged-in cookie
Cookies in this lab are basically the string <username>:<hashed
password> encoded in base64  which means we can brute
force the cookies of carlos by simply sending carlos:<md5 hash
thatʼs encoded in base64 as a whole until
of tried password>
we get a valid session ID.
We will brute force this by intercepting the request to the
my-account page of carlos and replacing the stay-logged-in
cookie value with brute forced value (make sure the session=
value is made different)
Under Payload processing, add the following rules in order.
These rules will be applied sequentially to each payload
before the request is submitted.
Hash: MD5
Add prefix: carlos:
Encode: Base64-encode
This lab allows us to access the admin page by passing the
X-Original-URL header in the web request and settings its
value to our desired url ( /admin ).
If we pass a request with headers
GET /login and X-Original-URL: /admin  We will see options to
delete wiener and carlos ( href=”/admin/delete?username=carlos” ).
We try to put
X-Original-URL: /admin/delete?username=carlos header but it gives
us a warning where no username is passed → so we pass it
in the original GET header and use
GET /login?username=carlos
 Causing user carlos to be
X-Original-URL: /admin/delete
deleted successfully
Method-based access control can be circumvented
In this lab … access control is dependent on the http request
method utilized.  We can simply bypass this restriction by
capturing a request the admin performed to change some
user (carlos in this case) → save it for later → then login to
our account (wiener) and navigate to the profile page and
capturing this request which holds a certain session ID 
webpage once requested with this button.
txt files are numbered and ordered like this →
<num>.txt like 1.txt , 2.txt …. etc.
?
We can chat a little bit → request the chat log with
view transcript button and intercept this request  Then
change the GET request txt file number till we find an
interesting file with a password logged from the chat
Multi-step process with no access control on one step
The flaw here is that if we log in with an administrator
account → go to admin panel and attempt to upgrade a user
role to admin (carlos in this case) → we have 3 steps ⇒ 1
load the page with the form to choose those roles and the
user ⇒ 2 submit the form ⇒ 3 confirm the form in a
separate page.
Now we can take this request in the 3rd step which contains
3 body parameters of
action=upgrade&confirmed=true&username=carlos made by the
administrator after upgrading user carlos role to admin →
send it to repeater  Login to our account weiner and go to
/my-account page to obtain our own session ID  finally place
this session ID instead of the one in the intercepted page of
the admin upgrading carlos role → change username=carlos to
username=wiener in the body to upgrade our own account.

Referer-based access control
The flaw here is that the web application relies on the Referer
value to allow/deny access to sub web pages  Referer
contains the URL this request came from  For example to
access the /admin webpage we do need admin privileges but
to access the /admin/admin-roles we only need to have the the
Referer value in the request body set to some valid URL
coming from the root admin page ( Referer:
https://0ad700f3041d7c3d823810ba008b000d.web-security-
) The app takes parameters from the user from the URL
academy.net /admin
Thus  Login to account administrator → admin panel page
→ intercept request of upgrading user carlos to admin role →
Send to Repeater  We can see the url as /admin-roles?
username=carlos &action=upgrade with the username of upgraded
user passed in the url itself
that the 2 SELECT queries have the same number of columns
and same corresponding datatypes.
determining the number of columns for a UNION SQLi attack
2 ways :
Injecting the following SQL keywords to order results by a certain
existing column ' ORDER BY 1-- → ' ORDER BY 2-- → ' ORDER BY 3--
….etc.  And keep incrementing until the column number is not even
existent where either an error message will show up or some indicator
like an empty page shows up … the important thing is an indicator of an
incorrect column number selected → telling us that we just exceeded
the number of columns by 1.
Injecting the following SQL keywords to UNION the previous existing
query with columns of NULL → ' UNION SELECT NULL-- → ' UNION SELECT
NULL,NULL-- → ' UNION SELECT NULL,NULL,NULL-- → ….etc.  In this case we
will keep getting errors until the number of NULL columns matches the
number of columns in the main SQL query we are trying to inject. 
When a match occurs an additional row of NULLs will be inserted at
the bottom of the returned table  Weʼve used NULL since itʼs
compatible with every datatype so it makes life a bit easier on us.
This lab has an SQLi vulnerability in the products filters
allowing us to UNION with the main table in the main query
and conclude the number of columns it has  Simply
intercept a filter request to the Accessories category →
Send to Repeater → keep injecting into the URL filter query
/filter?category=Accessories'+UNION SELECT NULL-- starting with
UNION SELECT NULL-- , ' UNION SELECT NULL,NULL-- , then ' UNION
SELECT NULL,NULL,NULL--until finally getting an OK response
from the server (the server will keep replying with an internal
error if the UNION statement doesnʼt match the column
number)
SQL injection UNION attack, finding a column containing text
We can now login as the administrator account.
SQL injection attack, querying the database type and version
on MySQL and Microsoft
This lab is really similar to the previous lab except we are
working with a Microsoft MySQL server instead of Oracle
Thus we donʼt need to always supply a valid table name to
the UNION SELECT statement for it to work)  If we inject '
we get a valid OK response and thus we
UNION SELECT NULL,NULL#
have 2 columns.  If we inject ' UNION SELECT 'a','a'# we also
do get a valid OK response and thus we have 2 string
columns (even better !  Finally we can now retrieve the DB
version by ' UNION SELECT NULL,@@version#  URL query
becomes /filter?category=Accessories' UNION SELECT NULL,@@version
# inject after with an SQL statement that queries every single
We used the # for comments … since for some reason -- isnʼt
working
SQL injection attack, listing the database contents on non-
Oracle databases
After finding the number of columns with ‘ UNION SELECT
NULL,NULL-— (so 2 columns)  We queried available tables and
their columns using ' UNION SELECT table_name,column_name FROM
information_schema.columns--  Filtering within the returned
webpage for keywords ‘usernameʼ and ‘passwordʼ we find
them in the same table named users_oobqmu and its columns
involve username_kglsny and password_rptdch for the username
and password.  Finally we can query for the username and
password columns from table users_oobqmu with ' UNION SELECT
username_kglsny,password_rptdch FROM users_oobqmu-- and that should
Then  Login to wiener → intercept request to /my-account
page  Obtain the session ID in this request  Within the
intercepted request in Repeater replace session ID to
wieners → replace webpage username parameter to wiener
instead of carlos → wiener should now have admin
privileges.
SQL Injection Vulnerabilities
SQL injection vulnerability in WHERE clause allowing retrieval
of hidden data
arguments in /filter?category=<product category> to filter
released products only by category within SQL.  We need
to SQL inject this URL to display all products regardless of
being released or not (all products)  SQL statement is
SELECT * FROM products WHERE category = 'Gifts' AND released = 1 →
We simply intercept request and change url header to
/filter?category=Accessories' OR 1=1—- To be able to display all
released and unreleased products.
After finding the number of columns of a target table we
need to find the datatype of its columns.  Normally we are
interested in string datatype including username/passwords.
 In a scenario with 4 detected columns  We inject queries
like ' UNION SELECT 'a',NULL,NULL,NULL-— → ' UNION SELECT
NULL,'a',NULL,NULL-— → ' UNION SELECT NULL,NULL,'a',NULL-— → '
→
UNION SELECT NULL,NULL,NULL,'a'-— → where we inserted a string
in one certain column and checked the returned results  If
the corresponding column in the main targeted table does
indeed have a string in the same column where we injected
 Then no error message/empty page will be returned and
results will be returned with an additional row containing the
row we injected.
This lab has an SQLi vulnerability just like the previous lab
(allowing us to UNION with the main table in the main query
and conclude the number of columns it has) but we
additionally need to find the which columns in the main table
are of type string → intercept a filter request to the
Accessories category  Send to Repeater → find the number
of columns like the previous lab We found 3 columns here)
→ Then we simply inject queries in the order ' UNION SELECT
' D4q3MO ',NULL,NULL-- , ' UNION SELECT NULL,' D4q3MO ',NULL-- ….
' With string 'D4q3MO' cuz the lab demands to display an
additional row with this string) until we donʼt get an
error/empty page and results are returned → eventually the
query /filter?category=Accessories ' UNION SELECT
NULL,'D4q3MO',NULL-— returns an OK response from the server
and this is the right query.
SQL injection UNION attack, retrieving data from other tables
give us the usernames and password of all users in this table
including the administrator.
Note: We also have information_schema.tables for a list of all the tables
but we use information_schema.columns at once since it has the tables and
their columns.
Blind SQL injection with conditional responses
Some pages arenʼt meant to display content from MySQL but
has some indications that the injected MySQL query was
successful or not in which we can use to enumerate
passwords character by character. → value
TrackingId=YbMBxdMReB7RA33U within the web request can be
password character from table users for user administrator
against other characters using > , < and = operators. →
Rinse and repeat until we get the full password. → statement
SUBSTRING((SELECT password FROM users WHERE username =
'administrator'), 1, 1) returns characters of administrator
password starting from index 1 and going forward up to 0
characters … if we put SUBSTRING((SELECT password FROM users WHERE
username = 'administrator'), 1, 3)  It will get the 1st, 2nd and
3rd characters.
⇒
SUBSTRING((SELECT password FROM users WHERE username =
Will obtain the 2nd character of the
'administrator'), 2, 1)
password … and so on for later chars.
TrackingId=YbMBxdMReB7RA33U' AND SUBSTRING((SELECT password FROM users WHERE username
= 'administrator'), 1, 1) > 'm  Checks if password character is later than
in ASCII table → if yes the page returns true by having Welcome as a string
of returned page → otherwise Welcome isnʼt returned
SQL injection vulnerability allowing login bypass
This lab is using SQL query SELECT * FROM users WHERE username =
'wiener' AND password = 'bluecheese’ in the login form  We can
bypass it by simply inserting administrator’—- as the
username ( administrator is what we want) where the
quotations were closed and the rest of the SQL statement
that checks for the password was commented ( SELECT * FROM
users WHERE username = 'administrator'-- ' AND password =
'bluecheese’ ) thus allowing us to login to user administrator.
SQL injection UNION attack, determining the number of
columns returned by the query
Itʼs possible to obtain data from other databases using the
UNION keyword allowing us to execute additional SELECT
queries and append results to the original query.
 UNION statements like
SELECT a, b FROM table1 UNION SELECT c, d FROM table2 demands
This lab has SQLi vulnerability just like the previous 2 labs
but we were given that there is table users with username
and password columns (type string)  After performing the
previous labs checks to find number of columns and
datatypes → /filter?category=Pets' UNION SELECT NULL,NULL-—
worked so we have 2 columns → /filter?category=Pets'
UNION+SELECT 'a','a'-—also worked to the original target table
has 2 columns of type string  Perfect !
Now to obtain the username and password from table users
we simply add that as the
UNION SELECT ... query ⇒ 'UNION SELECT username,password from
users-— URL becomes /filter?category=Pets ' UNION SELECT
username,password from users-- )
Weʼve obtained the administrator password so we can now login to it.
SQL injection UNION attack, retrieving multiple values in a
single column
This lab has all the previous vulnerabilities as well  We
found 2 columns  But unfortunately only 1 of 2 columns in
the target table contains a string !  ' UNION SELECT NULL,'a' from
users-— seems to return an OK response) but we need 2 to be
able to see both the username and password combinations
 Now to bypass that we can use a string concatenation
syntax allowing us to inject a UNION query to retrieve the
username first as part of the 2 returned columns allowed by
the UNION query ….. and then concatenate the password to
that result ( ' UNION SELECT NULL,username + || ‘~’ || password from
users-- ) as well.  The final URL query is /filter?
category=Accessories' UNION SELECT NULL,username || '~' || password
FROM users-—
Within the repeater we keep sending trial and error requests for each
character by getting a string for each character and do that for the
Welcome
whole password chars  We can filter for Welcome string
To know when we have finished getting the password characters →
TrackingId=YbMBxdMReB7RA33U' AND SUBSTRING((SELECT password FROM users WHERE username
= 'administrator'), 21, 1) < '0 is the only statement that returns true with < '0
condition since the NULL character is smaller than 0 in ASCII  therefore
the length of the password is 20.
(trying
TrackingId=YbMBxdMReB7RA33U' AND SUBSTRING((SELECT password FROM users WHERE username
= 'administrator'), 99, 1) < '0 also gives true since all characters after the
last valid password character return which is smaller than in ASCII.)
NULL 0
m