CSRF (cross-site request forgery) is an attack in which the attacker gets the victim's browser to load a page (a script or an auto-submitting form) that sends a request riding on the user's authenticated session, so the server performs actions the attacker intended (a money transfer, a product purchase, etc.). The problem arises because the web application trusts any request that arrives from the user's browser.

Lab: CSRF vulnerability with no defenses

[Information]

[Problem solving]

1. I accessed the lab and logged in with the account "wiener:peter". Then I changed my email address and captured the request with the proxy.

2. I checked the POST request for the email change on the Logger tab of Burp Suite and right-clicked it to open the CSRF PoC generator.

I copied the HTML from the CSRF PoC generator, pasted it into the body section of the exploit server page, changed the email address value in it, and delivered the attack to the victim.

The lab was solved.
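
The change-email handler in this lab accepts any POST that carries the session cookie. The following is an added example, not code from the lab or the write-up, showing that handler next to one protected with a synchronizer token tied to the session; the `Session` class, the handler names, the form field name `csrf` and the path `/my-account/change-email` are assumptions for illustration.

```python
import hmac
import secrets


class Session:
    """Server-side session for one logged-in user (constructed for this example)."""

    def __init__(self, user):
        self.user = user
        # Anti-CSRF token: unpredictable, and bound to this session only.
        self.csrf_token = secrets.token_hex(32)


def render_change_email_form(session):
    """The legitimate page embeds the session's token, so only forms served by
    this site can send it back. Path and field names are assumptions."""
    return (
        '<form method="POST" action="/my-account/change-email">'
        f'<input type="hidden" name="csrf" value="{session.csrf_token}">'
        '<input type="email" name="email"><button>Update email</button></form>'
    )


def change_email_vulnerable(session, form):
    """No defense: any POST that arrives with the session cookie is honoured,
    including one auto-submitted by a form on another origin."""
    return "ok", form["email"]


def change_email_protected(session, form):
    """Synchronizer-token check: the POST must carry the token issued with this
    session. A page on another origin cannot read that token, so its form fails."""
    token = form.get("csrf")
    if token is None or not hmac.compare_digest(
        token.encode(), session.csrf_token.encode()
    ):
        return "rejected", None
    return "ok", form["email"]


def demo():
    session = Session("wiener")
    # Constructed requests: the first comes from the site's own form, the second
    # from a form on another origin, which has no way to include the token.
    same_site = {"csrf": session.csrf_token, "email": "wiener@normal-user.net"}
    cross_site = {"email": "changed-by-attacker@example.net"}
    return {
        "vulnerable_cross_site": change_email_vulnerable(session, cross_site)[0],
        "protected_cross_site": change_email_protected(session, cross_site)[0],
        "protected_same_site": change_email_protected(session, same_site)[0],
    }


if __name__ == "__main__":
    print(demo())
```

A cross-site page can make the victim's browser submit the form, but it cannot read the token embedded in the real page, so the protected handler rejects the forged request. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but the token check is what this lab's application lacks.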

XSS (cross-site scripting) is an attack in which the attacker injects a script into the target's browser so that it executes arbitrary code on the client side or steals user information such as cookies or session identifiers. The problem arises because users (and their browsers) trust the web application that serves them the script.

Lab: Reflected XSS into HTML context with nothing encoded

[Information]

[Problem solving]

1. I found a search form in the lab.

I entered JavaScript code calling the alert() function and searched.

The lab was solved and an alert window reading "You've been hacked" appeared.

Using JavaScript's alert function, I wrote the following code.

<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<title>XSS</title>
</head>
<body background="C:/Users/image.jpg">   <!-- background image is a local file on the author's machine -->
	<script>alert("You've been hacked");</script>      <!-- alert() function javascript -->
	<h1 style="color:black">shad0w</h1>
</body>
</html>

You can see the alert message.

And if you click the OK button, you'll see my nickname.

You can also run the alert() function script in the console of the browser's developer tools.

Lab: Stored XSS into HTML context with nothing encoded

[Information]

[Problem solving]

1. I accessed the lab, opened a post and found that there was a section for writing comments. I put the alert() script in the comment section and submitted it.

The lab was solved.
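
Both the reflected lab and the stored lab above have the same root cause and the same fix: user-supplied text is written into the HTML body without encoding. This added example, not code from the labs or the write-up, renders a search result and a stored comment with and without HTML entity encoding; the function names and the markup are assumptions. `html.escape` is the standard-library encoder for the HTML body and attribute contexts; a value placed inside a `<script>` block or a URL needs the encoding for that context instead.

```python
import html


def render_search_results_unsafe(term):
    """Reflected XSS: the search term is dropped into the HTML body unchanged,
    so a term such as <script>alert()</script> becomes live markup."""
    return f"<h1>0 search results for '{term}'</h1>"


def render_search_results_safe(term):
    """Same page with HTML entity encoding for the body context: < > & " ' are
    written as entities and the browser displays the term as text."""
    return f"<h1>0 search results for '{html.escape(term, quote=True)}'</h1>"


def render_comment_unsafe(author, body):
    """Stored XSS: a saved comment is rendered the same careless way, so the
    script runs for every visitor who views the post, not only the submitter."""
    return f'<section class="comment"><p><b>{author}</b></p><p>{body}</p></section>'


def render_comment_safe(author, body):
    """Every stored field is encoded at output time, not only at input time."""
    return (
        '<section class="comment">'
        f"<p><b>{html.escape(author, quote=True)}</b></p>"
        f"<p>{html.escape(body, quote=True)}</p></section>"
    )


def contains_live_script(markup):
    """Crude check used only for the demonstration: is there still an
    unencoded <script start tag in the rendered HTML?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    probe = '<script>alert("You\'ve been hacked")</script>'   # constructed input
    print(render_search_results_unsafe(probe))
    print(render_search_results_safe(probe))
```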

OS command injection is also known as shell injection. It allows an attacker to execute operating system (OS) commands on the server that is running an application.

Lab: OS command injection, simple case

[Information]

[Problem solving]

1. I opened the detailed view of one product, clicked the "Check stock" button, and captured the request with the proxy.

I inserted the "whoami" command into the productId parameter using | and sent the request to the server.

The lab was solved and the name of the current user appeared at the bottom.

Lab: Blind OS command injection with time delays

[Information]

[Problem solving]

1. I accessed the lab, went to the feedback page, wrote some feedback and clicked the submit button with the proxy turned on.

2. I put "&sleep 10 #" in the name parameter, URL-encoded it, and sent the request to the server. "&sleep 10 #" asks the server to sleep for 10 seconds and comments out the string that follows so that it does not run. The request did not work as intended, because the name parameter does not have the vulnerability.

Next, I put the same value in the email parameter, URL-encoded it, and sent the request to the server; this time the request worked as intended. This indicates that the email parameter is vulnerable.

The problem was solved.
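
Both command injection labs above come down to user input being spliced into a shell command line. As an added example, not the lab's code, here is a stock-check command built the vulnerable way next to a version that validates the parameters and runs the program without a shell; the script name `./stockreport.pl`, the function names and the numeric-only rule are assumptions.

```python
import re
import subprocess

# Only digits are ever a valid product or store identifier here; anything else
# (|, &, ;, #, spaces, quotes) is rejected before any command is built.
NUMERIC_ID = re.compile(r"[0-9]{1,9}")

STOCK_SCRIPT = "./stockreport.pl"   # hypothetical stock-check script; the name is an assumption


def stock_command_vulnerable(product_id, store_id):
    """Builds one shell string from raw parameters. Run with shell=True, the
    shell parses '|', '&', ';' and '#', so a value such as "381 | whoami" or
    "1 & sleep 10 #" runs extra commands, which is what both labs show."""
    return f"{STOCK_SCRIPT} {product_id} {store_id}"


def stock_command_safe(product_id, store_id):
    """Validates each parameter against a strict allow-list and returns an argv
    list, so no shell ever sees the values and there is nothing to inject into."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not NUMERIC_ID.fullmatch(value):
            raise ValueError(f"{name} must be a decimal number")
    return [STOCK_SCRIPT, product_id, store_id]


def run_stock_check(product_id, store_id, timeout=5):
    """shell=False hands argv straight to execve; the timeout bounds how long a
    request may hang, which also blunts sleep-based blind probing."""
    argv = stock_command_safe(product_id, store_id)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return result.stdout


def shell_metacharacters(value):
    """Lists the shell metacharacters present in a parameter value; useful for
    request logging and alerting on the application side."""
    return sorted(set(value) & set("|&;`$()<>#\n"))


if __name__ == "__main__":
    print(stock_command_vulnerable("381 | whoami", "1"))   # the shell would run whoami
    print(stock_command_safe("381", "1"))
    print(shell_metacharacters("&sleep 10 #"))
```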

Path traversal, also called directory traversal, is a class of vulnerabilities that lets an attacker read arbitrary files on the server running the application, files the application never intended to expose.

Lab: File path traversal, simple case

[Information]

[Problem solving]

1. The lab displays product images.

2. I used the proxy tool to check all the logs and found "filename=image.jpg" queries, so I sent one of them to Repeater.

In the Repeater tab, you can see the parameter "filename=58.jpg".

I used "../" to go up to the root path, then set it up to access the "/etc/passwd" file and clicked the Send button.

Finally, the lab was solved.

Lab: File path traversal, traversal sequences blocked with absolute path bypass

[Information]

[Problem solving]

1. I accessed the lab and captured the traffic with the proxy.

2. There was a query "filename=51.jpg" on the Burp Suite Logger tab, so I sent it to Repeater.

I attempted to access "/etc/passwd" from the root path by erasing 51.jpg in the filename query and using "../../../". However, as you can see in the response message, the file could not be found.

According to the lab information, the application blocks traversal sequences. So I used an absolute path instead of a relative path in the filename query. You can check that the request was successful by looking at the response message.

I went back to the web and reloaded, and the lab was solved.
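
The two path traversal labs above show the two ways a filename parameter escapes its directory: `../` sequences, and an absolute path that makes the join discard the base directory. As an added example, not the lab's code, the resolver below is written both ways; the base directory `/var/www/images` and the function names are assumptions.

```python
import os

IMAGE_ROOT = "/var/www/images"   # hypothetical directory holding the product images


def resolve_image_unsafe(filename):
    """Joins the parameter straight onto the base directory. "../" sequences
    climb out of it, and for an absolute path os.path.join drops the base
    entirely, which is the bypass used in the second lab."""
    return os.path.normpath(os.path.join(IMAGE_ROOT, filename))


def resolve_image_safe(filename):
    """Two independent checks: the parameter must be a bare file name (no
    separators, not absolute), and the resolved path must still lie under
    IMAGE_ROOT after ".." and symlinks are resolved."""
    if not filename or os.path.isabs(filename) or "/" in filename or "\\" in filename:
        raise ValueError("filename must be a bare file name")
    root = os.path.realpath(IMAGE_ROOT)
    candidate = os.path.realpath(os.path.join(root, filename))
    # commonpath is a directory-boundary check; a plain startswith() would
    # accept a sibling such as /var/www/images-private.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the image directory")
    return candidate


if __name__ == "__main__":
    # Constructed parameter values mirroring the two labs.
    for value in ("58.jpg", "../../../etc/passwd", "/etc/passwd"):
        try:
            print(value, "->", resolve_image_safe(value))
        except ValueError as err:
            print(value, "-> rejected:", err)
```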

Reference:

https://www.bugbountyclub.com/pentestgym/view/50

Authentication vulnerabilities are weaknesses and flaws in the processes and mechanisms used to verify the identity of users or systems. They allow an attacker to reach critical data and functionality.

Lab: Username enumeration via different responses

[Information]

[Problem solving]

1. First, I accessed the lab and captured the traffic with the Burp Suite proxy. After that I entered arbitrary values in the login form.

I checked the HTTP history to find the captured request. There was a record for the "/login" path, so I sent it to Intruder.

2. On the "Intruder" tab I placed the payload markers ($) only on the username part.

I copied the usernames from the username list, pasted them into the payload settings section, and started the attack.

In the results, the username "ak" had a different response length. Its response also shows the string "Incorrect password". This means that this is a correct username, but the password is incorrect.

Conversely, the responses for the other usernames show the string "Invalid username". This means that the username is wrong.

I changed the username to "ak" and placed the payload markers ($) only on the password part.

After that, I copied the passwords from the password list, pasted them into the payload settings section, and started the attack.

The results show that the status and response length for the password "love" differ from those of the other passwords.

If you check the responses for the other passwords, you will see the sentence "Incorrect password". Therefore, "love" is the correct password.

3. I logged in with "ak" in Username, "love" in Password and it was solved.
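
The Intruder results above work because the login responds differently for an unknown username and for a wrong password. As an added example, not the lab's code, here is a login check written both ways; the user table (with the lab's `ak`/`love` pair), the salt and the function names are constructed for the example.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"   # constructed; a real store uses a random salt per user
ITERATIONS = 100_000


def hash_password(password, salt=SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table mirroring the account found in the lab above.
USERS = {"ak": hash_password("love")}

# Hash compared against when the username is unknown, so an unknown user costs
# the same work (and response time) as a known user with a wrong password.
DUMMY_HASH = hash_password("not-a-real-password")


def login_leaky(username, password):
    """Different messages (and therefore different response lengths) for
    'no such user' and 'wrong password' let an attacker confirm usernames one
    by one, which is exactly what the Intruder run above relies on."""
    if username not in USERS:
        return 401, "Invalid username"
    if not hmac.compare_digest(USERS[username], hash_password(password)):
        return 401, "Incorrect password"
    return 200, "Welcome"


def login_uniform(username, password):
    """Same status, same message, same length and same work for every failure."""
    stored = USERS.get(username, DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, hash_password(password))
    if username in USERS and password_ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("ak", "wrong"), fn("nobody", "wrong"))
```

Identical responses remove the oracle the lab exploits; rate limiting and account lockout on top of that make the password-guessing phase expensive as well.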

Lab: 2FA simple bypass

[Information]

[Problem solving]

1. I accessed the lab and entered the "My account" page. Then I logged in with the victim's credentials.

There was a "Back to lab home" button, so I clicked it and went to the homepage.

2. I went back to the "My account" page and the LAB was resolved.
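
The lab above is solved by never visiting the 2FA step: the application treats the password check alone as a complete login. As an added example, not the lab's code, this shows an account page that trusts the wrong signal next to one that requires an explicit authenticated state; the `Session` class, the constructed credentials and the function names are assumptions.

```python
import hmac
import secrets

# Constructed credentials; the lab's real victim credentials are not reproduced.
CREDENTIALS = {"victim": "victim-password"}


class Session:
    """Server-side session with an explicit login state machine:
    anonymous -> password_ok -> authenticated."""

    def __init__(self):
        self.user = None
        self.state = "anonymous"
        self.pending_code = None


def submit_password(session, username, password):
    if not hmac.compare_digest(CREDENTIALS.get(username, ""), password):
        return "login failed"
    session.user = username
    session.state = "password_ok"          # first factor done, not logged in yet
    # In a real deployment the code is delivered out of band; it is kept in the
    # session here only so the example can be verified offline.
    session.pending_code = f"{secrets.randbelow(10_000):04d}"
    return "2fa required"


def submit_2fa_code(session, code):
    if session.state != "password_ok":
        return "no login in progress"
    if not hmac.compare_digest(code, session.pending_code):
        return "wrong code"
    session.state = "authenticated"
    session.pending_code = None
    return "logged in"


def my_account_vulnerable(session):
    """Treats 'a user is attached to the session' as logged in, so after the
    password step alone a direct visit to the page succeeds (the lab's bypass)."""
    if session.user is None:
        return "redirect: /login"
    return f"account page for {session.user}"


def my_account_safe(session):
    """Only the fully authenticated state grants access; every protected page
    must check the state, not merely whether a user is set."""
    if session.state != "authenticated":
        return "redirect: /login"
    return f"account page for {session.user}"


if __name__ == "__main__":
    s = Session()
    print(submit_password(s, "victim", "victim-password"))
    print(my_account_vulnerable(s), "|", my_account_safe(s))
```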

Lab: Password reset broken logic

[Information]

[Problem solving]

1. I accessed the lab, went to the "My account" page and clicked the "Forgot password" link.

I entered my username in the form and submitted it.

To get the password reset link, I clicked the "Email client" button.

Then I opened the link it contained.

Finally, I reset my password to "peter".

2. I used the Burp Suite proxy to view the logs of all communications. Among the logs I found the "/forgot-password" request and sent it to Repeater.

You can check it in the Repeater tab.

I deleted all the tokens and changed my username from wiener to carlos. This means that you can log in with "username=carlos, password=peter" without a token. After that, I clicked the Send button.

I logged in with the username and password set up in the previous step.

The lab was solved.
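
The reset in the lab above succeeds without a token because the handler trusts the username posted in the form. As an added example, not the lab's code, here is that handler beside one that derives the account from a single-use token; the `ResetTokenStore` class, the form field names `token`, `username` and `new-password`, and the plaintext password store are assumptions made for the demonstration.

```python
import secrets
import time


class ResetTokenStore:
    """Single-use, expiring reset tokens, each bound to the account that requested it."""

    def __init__(self, ttl_seconds=15 * 60):
        self.ttl = ttl_seconds
        self._tokens = {}   # token -> (username, expiry timestamp)

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, time.time() + self.ttl)
        return token

    def consume(self, token):
        """Returns the bound username and invalidates the token, or None if the
        token is missing, unknown, already used or expired."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        username, expiry = entry
        return username if time.time() < expiry else None


def reset_password_vulnerable(passwords, form):
    """Trusts the posted username and never consults the token, so the token
    can be deleted and the username swapped for another account, as above."""
    passwords[form["username"]] = form["new-password"]
    return "password changed"


def reset_password_safe(store, passwords, form):
    """The account comes from the token, never from the form; anything the
    form says about the username is ignored."""
    username = store.consume(form.get("token"))
    if username is None:
        return "invalid or expired token"
    passwords[username] = form["new-password"]
    return "password changed"


if __name__ == "__main__":
    store = ResetTokenStore()
    passwords = {"wiener": "old-password", "carlos": "unknown-to-attacker"}   # constructed
    form = {"username": "carlos", "new-password": "peter"}                      # no token at all
    print(reset_password_vulnerable(dict(passwords), form))
    print(reset_password_safe(store, passwords, form))
```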

SQL injection (SQLi) is an injection-based web vulnerability that lets an attacker perform malicious actions against a database by manipulating the SQL queries a web application sends to its backend database. Successful exploitation can let the attacker read sensitive data or personal information within the organization and, in severe cases, take full control of or completely compromise the organization's data.

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

[Information]

[Problem solving]

1. I accessed the lab server.

I selected the "Accessories" category. There were three products in it.

2. I sent a request with the parameter "Accessories' or 1=1--". Closing the category string with ' and making the condition always true with the phrase or 1=1, the rest of the query was commented out. All accessories, including hidden ones, appeared on the screen because the released check was invalidated by the comment.

These are the SQL comment syntaxes by database type.

Database     Single-line comment    Multi-line comment
MySQL        #                      /* content */
Oracle       --                     /* content */
MSSQL        --                     /* content */
MariaDB      --, #                  /* content */
Sybase IQ    --, //, %              /* content */
Sybase ASE   --                     /* content */
DB2          --                     /* content */

Lab: SQL injection vulnerability allowing login bypass

[Information]

[Problem solving]

1. I accessed the lab server.

Then I clicked the "My account" hyperlink. There was a login form.

2. I put the string "administrator'--" into the Username input and "any text" into the Password input. It was possible to access the site as the administrator user by typing "administrator" in the username, closing the string with ' and commenting out the password part.
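
Both SQL injection labs above rely on the same defect: the input is concatenated into the query text, so a quote ends the string literal and `--` comments out the rest. As an added example, not the lab's code, here are the category filter and the login query built by concatenation next to parameterised versions, run against a constructed in-memory SQLite database; the table names, sample rows and function names are assumptions (SQLite accepts the `--` comment syntax, like the databases in the table above).

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory shop database: one unreleased (hidden) accessory
    and two users. Plaintext passwords are for the demonstration only."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES
            ('Gift card', 'Accessories', 1),
            ('Umbrella', 'Accessories', 1),
            ('Hat', 'Accessories', 1),
            ('Unreleased gadget', 'Accessories', 0),
            ('Lamp', 'Lifestyle', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'admin-secret'), ('wiener', 'peter');
        """
    )
    return con


def products_vulnerable(con, category):
    """String concatenation: "Accessories' or 1=1--" closes the literal, makes
    the WHERE clause always true and comments out the released = 1 filter."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in con.execute(sql)]


def products_safe(con, category):
    """Parameterised query: the whole value is bound as one string, quotes and
    comment markers included, so it can only ever match a category name."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in con.execute(sql, (category,))]


def login_vulnerable(con, username, password):
    """A username of administrator'-- comments out the password comparison."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = build_demo_db()
    print(products_vulnerable(con, "Accessories' or 1=1--"))   # hidden product leaks
    print(products_safe(con, "Accessories' or 1=1--"))         # no such category
    print(login_vulnerable(con, "administrator'--", "any text"))
    print(login_safe(con, "administrator'--", "any text"))
```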

Reference:

https://www.bugbountyclub.com/pentestgym/view/52
