Practical Demonstration - Main Web Application hac 731d6dead50b4df9bb12ce143d21bc9a.html
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><title>Practical Demonstration - Main Web Application hacking</title><style>
</style></head><body><article id="731d6dea-d50b-4df9-bb12-ce143d21bc9a" class="page sans"><header><div class="page-header-icon undefined"><span class="icon">👹</span></div><h1 class="page-title">Practical Demonstration - Main Web Application hacking</h1></header><div class="page-body"><nav id="a3c0187f-e30e-46c1-9948-1e437ec5689a" class="block-color-gray table_of_contents"><div class="table_of_contents-item table_of_contents-indent-0"><a class="table_of_contents-link" href="#ab46b874-1319-46e1-9e87-efef0b51ba0c">Introduction</a></div><div class="table_of_contents-item table_of_contents-indent-0"><a class="table_of_contents-link" href="#015ca3da-d3f5-4b29-9113-dcc8dc2fffda">OWASP Juice Shop</a></div><div class="table_of_contents-item table_of_contents-indent-1"><a class="table_of_contents-link" href="#12a41cad-7054-4b90-85f8-6caa1d8edae6">Installation</a></div><div class="table_of_contents-item table_of_contents-indent-1"><a class="table_of_contents-link" href="#1be38a88-1e87-4b45-8522-6b55f0fdd856">Identifying Nature of our target</a></div><div class="table_of_contents-item table_of_contents-indent-1"><a class="table_of_contents-link" href="#ca1924d3-62ea-4c52-b163-2bc726cdc9c8">Exploring the Application</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#8ed5678c-b4ea-4942-8857-ec2ce0ca0567">Setting up Burp Suite</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#a6ef79f0-a896-41af-8786-5d27540fccbc">Manually Walking the Application</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#8c4ab516-02ce-4260-9d59-167801b59369">SQLi (Structured Query Language Injection)</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#8c032a25-08d3-4fa2-8e50-9af814478c3d">Testing for IDORs (Insecure Direct Object Reference)</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#abb0e728-fd86-4e85-90da-b120381c8755">Testing for Vertical Privilege Escalation</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#a716069c-7c8d-49bd-81c2-f0d55a318c6f">The login section</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#c8148900-772c-4b94-adc6-1bdd8160f5da">CSRF (Cross Site Request Forgery)</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#6a86616c-20c3-4f7c-8102-3e2453274c0c">Exploring the requests</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#375096e3-67e4-471d-a888-db7d5b2c3598">LFI/RFI</a></div><div class="table_of_contents-item table_of_contents-indent-2"><a class="table_of_contents-link" href="#de3cb6f2-ede4-40d8-b423-2f26cda3739a">OS Command injection</a></div></nav>
<h1 id="ab46b874-1319-46e1-9e87-efef0b51ba0c" class="">Introduction</h1><p id="ee7d4bce-82c4-49c5-b8b2-c91fccb84b21" class="">Hello All</p><p id="f1d179b8-e4fd-43da-a948-8a544b1f7cfa" class="">Welcome to the Practical Demonstration of Web Application Hacking. Here we are going to learn about various web vulnerabilities, how to hunt for them on a target, and how to exploit them.</p><p id="905571a3-6457-43ab-b836-d3803e290510" class="">Before we begin to hunt, we should choose a target that is in scope. Here we choose the OWASP (Open Web Application Security Project) Juice Shop project as our target, which is an insecure web application.</p><p id="9c1e0feb-6bca-4841-8794-8b716a6d3df2" class="">
</p><p id="cfa7651a-6517-4e65-9c48-3866160ad636" class="">When we hunt, it's important to look at every target in its own right. We are going to look at the OWASP Juice Shop. In this demonstration you will be shown all the topics we went over and which parameters we will be using to test. Not all of our tests will lead to existing issues, but we still <strong>have</strong> to do all of these tests. We are no longer practicing now; this is bug bounties.</p><h1 id="015ca3da-d3f5-4b29-9113-dcc8dc2fffda" class="">OWASP Juice Shop</h1><h2 id="12a41cad-7054-4b90-85f8-6caa1d8edae6" class="">Installation</h2><p id="b23eedd3-d199-49c3-aa55-b432da3b2cce" class="">
</p><p id="706af744-ac87-42ab-92f5-f9903ebbafb8" class="">In general, if we want to hunt bugs on a target we search for the application and then start hunting. Here, however, our web target is OWASP Juice Shop, an insecure application that has to be installed first, so we will now see how to install it.</p><p id="f6753e5a-d83d-4e7d-afac-89dfd853ef27" class="">Here I am choosing Heroku for installing our Juice Shop, as it is free and easy to use; you can also choose other ways, like installing the Docker image.</p><p id="105c8977-a192-4f20-9faa-47929f107536" class="">
</p><p id="956da37d-b284-4b89-926f-039d45c99bd5" class="">Step 1: go to <a href="https://www.heroku.com/">https://www.heroku.com/</a> and sign up for an account if you don't have one.<div class="indented"><p id="d44c319b-7337-4cac-ac2d-d179e283ecf8" class="">If you already have an account, go to step 2.</p></div></p><p id="8312f37c-f36e-4fd8-9626-7eae338a1dd0" class="">
</p><figure id="da63d3dc-7606-4964-aa96-d48d311abab3" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Screenshot_from_2021-03-11_15-23-14.jpeg"><img style="width:1574px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Screenshot_from_2021-03-11_15-23-14.jpeg"/></a></figure><figure id="b5088b39-f4d4-4af9-ac0c-8b16b5c7a7da" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Screenshot_from_2021-03-11_15-19-23.jpeg"><img style="width:850px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Screenshot_from_2021-03-11_15-19-23.jpeg"/></a></figure><p id="a24baef5-657c-476c-a37d-d51dad792f1d" class="">Then confirm your email, and you will see a page for setting up your password, like the one below.</p><figure id="c56bbfc3-48e3-407b-8c45-ab8e2b7d14fb" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Screenshot_from_2021-03-11_15-29-50.jpeg"><img style="width:1357px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Screenshot_from_2021-03-11_15-29-50.jpeg"/></a></figure><p id="e9a422a7-88b2-44d5-838a-74e6c3a1f202" class="">Enter your password and proceed by clicking on Set Password and Log In, and you will see a </p><figure id="2fabf2f1-37e5-4d96-8aec-a926fce38ec7" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/enter_to_procee.jpeg"><img style="width:1301px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/enter_to_procee.jpeg"/></a></figure><p id="14f11c2f-ce26-496c-a121-d8a81b4390a6" class="">
</p><p id="61aae08e-6ca1-4906-8c9b-b6452a8f234a" class="">Now you will see Heroku's terms of service; accept them by clicking the Accept button.</p><figure id="099327ff-eae4-436b-a78d-eae2cd89ff62" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/heroku_terms.jpeg"><img style="width:1677px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/heroku_terms.jpeg"/></a></figure><p id="877ff4cc-3cd5-4a12-aa84-3835b241a8f3" class="">The first step is done, and you are now seeing the dashboard.</p><figure id="03cafc30-dbf1-4420-bde5-e8c52d0ea636" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/dashboard.jpeg"><img style="width:1676px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/dashboard.jpeg"/></a></figure><p id="7bc6e445-3a55-4636-a6e1-e169f36d5450" class="">
</p><p id="13474a95-14e2-47d2-a73b-839a88b372a6" class="">Step 2:</p><p id="44a115d8-89a1-4294-9f24-28d1f9ba0b21" class="">Now that our account is ready, we are going to create our Juice Shop on Heroku. Navigate to <a href="https://elements.heroku.com/buttons/bkimminich/juice-shop">https://elements.heroku.com/buttons/bkimminich/juice-shop</a> and then click on <strong>"DEPLOY TO HEROKU"</strong> to deploy the application onto Heroku.</p><figure id="9e475dd7-a093-471e-ae3c-7bb45ca41765" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/deploy.jpeg"><img style="width:1568px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/deploy.jpeg"/></a></figure><p id="f339e8a0-45af-4777-a0da-b8552242ab96" class="">
</p><p id="78510c61-2a8c-41e6-88a6-66f3b76b0b98" class="">Pick a unique name for your app; it doesn't matter what it is, but it has to be unique.</p><figure id="e440d832-db7d-4bb7-a981-2ea33050aef4" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled.png"><img style="width:773px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled.png"/></a></figure><p id="190734ff-0d0e-4718-b106-4193ea268413" class="">Click the "Deploy app" button and the app will start deploying. It will take a while before the app is deployed, so give it some time: sit back and make yourself a good coffee or tea with a nice piece of cheese.</p><p id="57937538-6c16-4267-bf8f-a5179eb32ec4" class="">
</p><figure id="62202dfe-c6f8-4fad-a035-9893dfac86ce" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%201.png"><img style="width:735px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%201.png"/></a></figure><p id="3ea05a75-1049-4782-9337-f238ce340d80" class="">
</p><figure id="92bfeba6-c412-401b-887d-cf7023a00c08" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%202.png"><img style="width:733px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%202.png"/></a></figure><p id="b621fb82-52af-4c50-aad3-905707e7140d" class="">We successfully deployed our app, and we can now view it 😉</p><h2 id="1be38a88-1e87-4b45-8522-6b55f0fdd856" class="">Identifying Nature of our target</h2><p id="3e5838a2-81bf-4653-b264-c329b6612bbc" class="">We identified this target as a webshop, so we have to observe it carefully to learn how the website processes user requests. Since this is a web target, we need to test the website for at least the following functions:</p><p id="3e2beb92-69ba-4fcd-adfd-1988e4cf26e7" class=""><del>this target properly we will have to make a small investment. Since this is a webshop we want to test for at least the following functions:</del></p><ul id="f491f789-d7c7-47d6-b713-3fdde8efc99b" class="bulleted-list"><li>Registration</li></ul><ul id="93840724-3d5f-4888-be0d-4b66f236846e" class="bulleted-list"><li>Login</li></ul><ul id="aa0d20b7-c340-4a59-8cc1-6672c997d99c" class="bulleted-list"><li>Buying an item</li></ul><ul id="534c9c58-212d-4abb-a95b-1fe85cf8bcdd" class="bulleted-list"><li>Possibly returning an item</li></ul><ul id="0aded44c-048f-4b79-88af-f2ab8a64816a" class="bulleted-list"><li>Our wallet functionality, if it exists</li></ul><ul id="7cac334e-8e06-465d-9dbb-1b6538bfb52f" class="bulleted-list"><li>Logic flaws</li></ul><ul id="cab582e1-093e-421e-8769-1224f2b4f62a" class="bulleted-list"><li>XSS<ul id="617e24a6-24e3-408d-a487-c25be0795ea6" class="bulleted-list"><li>Stored</li></ul><ul id="b872011b-9288-44f1-86c0-68a810d9be87" class="bulleted-list"><li>Reflected</li></ul></li></ul><ul id="04b9ad3a-536b-473b-a075-292415b08717" class="bulleted-list"><li>Basket functionality</li></ul>
<ul id="67a4045e-ce0c-4d3b-9b9e-b9c42cc3628b" class="bulleted-list"><li>Addresses</li></ul><ul id="67d160d3-86ad-426b-9237-afffca808774" class="bulleted-list"><li>IDORs</li></ul><ul id="1eb36467-a79b-4cc9-9b9f-fbfbe6e48db1" class="bulleted-list"><li>CSRF</li></ul><ul id="91d4bff7-415c-49e0-9e87-4476ac164a4a" class="bulleted-list"><li>Broken access control, if we can get to admin functions<p id="6311f902-8a4b-40ac-bed1-b044e11f845d" class="">This is an initial judgement, and we might add to this as we explore the website and find more functionality.</p></li></ul><h2 id="ca1924d3-62ea-4c52-b163-2bc726cdc9c8" class="">Exploring the Application</h2><p id="123e2816-9175-494e-b4cf-dc863d3b1b03" class="">First of all, we need to know what functionality exists before we can start attacking our target properly. We need to fill up our site map in Burp, and we need to be able to explore the parameterised requests. To do this, we need to set up Burp properly first. This includes setting up our scope and setting the options that we need. In this course we will use Burp Suite, but feel free to use any other MitM proxy with the same functionality.</p><h3 id="8ed5678c-b4ea-4942-8857-ec2ce0ca0567" class="">Setting up Burp Suite</h3><p id="48aa3310-b98d-4e72-9303-b671ecc719c1" class="">It really helps to have Burp Suite Pro. You don't have to, but the fact that you can save a project is a major plus of the Pro edition. I can only hunt in bursts of 1 to 3 hours, so I have to revisit my target often. This means two things.</p><ul id="182e726b-fe86-4392-a818-7daa52267b64" class="bulleted-list"><li>I have to take very diligent notes so I don't retest things 10 times needlessly and so that I make sure I do test all of the functionality. Part of this documentation is the "Judging our target" section.</li></ul>
<ul id="3b99e86f-5e5d-4a30-bc9f-30051438f165" class="bulleted-list"><li>If you can set up your project settings in Burp Suite, save them, and reload them whenever you want, that is a major plus. The biggest part of any activity is getting yourself to do it, and if you can skip part of the setup, that will help you get started. When you are doing something, time seems to fly, but when you are sitting on your sofa it takes tremendous power to get yourself up and go hunting. Anything you can do to make this easier is a major win.</li></ul><figure id="ec2e88bd-6dea-4ac8-9d05-5e75fd1a96f4" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/burpproject.png"><img style="width:953px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/burpproject.png"/></a></figure><p id="062644ce-f169-4528-9cff-fc1e23a3d7c3" class="">First I like to set up my scope; make sure you add the proper URLs that are in scope.
</p><figure id="9f6b4cd9-226d-41da-ab90-f5bc1c7904f4" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%203.png"><img style="width:999px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%203.png"/></a></figure><p id="325e52dc-700e-4f67-b972-a483e0c66f7a" class="">HackerOne has configuration files for Burp that you can download.</p><figure id="cb67d403-ae8f-41eb-8b5a-a552f0d86b44" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/h1.png"><img style="width:876px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/h1.png"/></a></figure><p id="cffa7d6d-2639-43a4-bf93-67e6316b9f11" class="">You can then import this file via the project options import functionality under "Project > Project options > Load Project options".</p><figure id="f8645fe5-6948-4b32-af2c-0fae1beb91af" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%204.png"><img style="width:352px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%204.png"/></a></figure><p id="5b5d7f5a-4f0f-43e6-ae4b-72c083b409b5" class="">
</p><figure id="25a34939-b676-4d8c-9cf8-3f896c237560" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%205.png"><img style="width:859px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%205.png"/></a></figure><p id="ba02daf6-94c3-470e-bf18-6b286740ca8e" class="">After setting up our scope, we move on to setting up our proxy options. I always configure several options to make it easier for myself to see things like hidden fields and to remove any JavaScript validation from my responses.</p><figure id="4c558d77-6b4e-4505-a2da-9e8b61c94008" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%206.png"><img style="width:499px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%206.png"/></a></figure><p id="a1140b33-cc69-404e-aeb2-65d2145e7a1f" class="">This makes any hidden fields easier to see, as Burp will unhide them and draw a big red square around them. If you see this big red square, you know you are looking at a hidden field.</p><figure id="bc80b540-c421-4b10-85de-799de4e72823" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%207.png"><img style="width:455px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%207.png"/></a></figure><p id="e38fd533-6dc8-40cd-a88d-0bff86dc09f9" class="">Now that we have Burp Suite set up in the background, we can start exploring our application.</p><h3 id="a6ef79f0-a896-41af-8786-5d27540fccbc" class="">Manually Walking the Application</h3><p id="56179f3c-9570-429c-b8a7-2e63cc91f8b2" class="">Just because we are manually walking the application does not mean we should not be hacking. This is the most important phase in bug bounties, and most of you will know it as the recon phase.</p>
<p id="c63c1d2a-3898-4bd4-964f-ba9b32f27196" class="">In this phase we want to get to know our application. We want to start by exploring the functionality, and as we do that we want to take note of our privilege levels. Even though it might not seem like it, since we don't have access to the admin functionality (yet), there are different levels of privilege:</p><ul id="86e9ccef-8909-4afa-9228-2cb69d113593" class="bulleted-list"><li>Unauthenticated accounts (not logged in)</li></ul><ul id="c49362b3-4752-4085-9e29-2f5a743550d8" class="bulleted-list"><li>Authenticated accounts</li></ul><p id="17f881ea-b0ab-4173-9ec2-6db222f2b477" class="">As we hack our application, there might be more levels we can add to this, such as administrators.</p><p id="a44c71c2-be2f-4388-9467-3908e33b93bd" class="">I myself use Excel to make a quick mind map, but you can use whatever tool suits you best.</p><p id="e45297db-a106-48e5-a544-ec1e7ea90ecb" class="">
</p><figure id="c9c7ee08-912e-42b3-997e-18807e4cc66e" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%208.png"><img style="width:413px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%208.png"/></a></figure><p id="04a73d17-1b0e-47e3-85d9-1b2e4b6381be" class="">When I register my account, I use a username that doubles as an attack vector: it tests for JavaScript XSS, HTML injection and HTML tag attribute injection all at once. The ' and " close whichever quoted attribute or JavaScript string the value lands in, the > closes the surrounding tag, and the underline tag makes it visible at a glance whether the rest was rendered as markup.</p><pre id="62e1a802-df4d-429a-acea-eff399ba91de" class="code"><code>'"><u>THE XSS RAT WAS HERE</code></pre><p id="74e5d1fa-fb9b-40fb-bb5a-16f5802497b7" class="">I use this attack vector wherever possible when attacking my target.</p><p id="bc58de62-8928-42ea-ba61-b68b68895fb4" class="">
</p><figure id="12be39f0-4949-42d4-8796-8f28b91be106" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%209.png"><img style="width:719px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%209.png"/></a></figure><p id="8f00ccc7-2ac9-4e5d-bc3b-843a34402943" class="">This way, whenever the application uses my username anywhere, it automatically tests for all of the attack vectors described. If the username is reflected in a JavaScript context, I try to break out of the string it lands in. If it is reflected inside a tag attribute, as in the picture above, the quotes close the attribute and the > closes the tag: after saving the username we can see that we have broken out of the VALUE attribute of the input tag. From here we can try to insert our own JavaScript.</p><figure id="a7ff9b94-daa9-42de-80b1-c82b033b92b8" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2010.png"><img style="width:672px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2010.png"/></a></figure><p id="0e7fe1d0-b4aa-4f16-ab34-f13f1ba7c23f" class="">I will try this WHEREVER I can, including addresses, nicknames, ...</p><p id="4c5df68a-7895-414f-9329-81e33eb2da33" class="">On the profile page I can see some more things to test. There is a profile picture upload, so I can test for XXE here by uploading an SVG file, since SVG is XML and may be parsed on the server side. 
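</p><p class="">Checking by eye where the canary ended up gets tedious once the username is reflected in dozens of places. The script below is an added example, not part of the original walkthrough: it runs a response body through Python's html.parser and reports whether the canary landed inside an attribute value (the quotes were encoded or stripped), as a real element (the breakout shown in the picture worked), inside a script block, or as plain text. The sample responses are constructed, not captured from a target.</p>

```python
"""Classify the context a stored/reflected canary lands in.

Added example, not the original author's code. The sample responses below
are constructed to imitate what the username probe from the walkthrough
looks like when it is reflected (a) unencoded inside an input's value
attribute, (b) HTML-encoded in that attribute, (c) inside a script block
and (d) encoded in a text node.
"""
from html.parser import HTMLParser

CANARY = "THE XSS RAT WAS HERE"
PROBE = "'\"><u>" + CANARY  # the username used in the walkthrough

# Void elements never get a closing tag, so they must not stay on the stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class ReflectionScanner(HTMLParser):
    """Walk the response and record every place the canary shows up."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hits: list[dict] = []
        self._open: list[str] = []  # stack of currently open element names

    def handle_starttag(self, tag, attrs):
        # Canary inside an attribute value means the '"> prefix was encoded
        # or stripped: the input stayed in attribute context.
        for name, value in attrs:
            if value and CANARY in value:
                self.hits.append({"context": "attribute", "tag": tag, "attr": name})
        if tag not in VOID_ELEMENTS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in self._open:
            while self._open.pop() != tag:
                pass

    def handle_data(self, data):
        if CANARY not in data:
            return
        enclosing = self._open[-1] if self._open else None
        if enclosing in ("script", "style"):
            context = "script"   # inside JS: next step is breaking out of the string
        elif enclosing == "u":
            context = "html"     # our <u> became a real element: markup injection works
        else:
            context = "text"     # reflected as plain text, the probe was encoded
        self.hits.append({"context": context, "tag": enclosing})


def classify_reflections(body: str) -> list[dict]:
    scanner = ReflectionScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.hits


def breakout_succeeded(body: str) -> bool:
    """True when the probe was parsed as markup, i.e. HTML injection is confirmed."""
    return any(hit["context"] == "html" for hit in classify_reflections(body))


# Constructed sample responses (not captured from a real target).
SAMPLE_RESPONSES = {
    "attribute_breakout": f'<form><input name="username" value="{PROBE}"></form>',
    "attribute_encoded": '<form><input name="username" value="&#39;&quot;&gt;&lt;u&gt;'
                         'THE XSS RAT WAS HERE"></form>',
    "script_string": f"<script>var user = '{PROBE}';</script>",
    "text_encoded": "<h1>Welcome &#39;&quot;&gt;&lt;u&gt;THE XSS RAT WAS HERE</h1>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, classify_reflections(body))
```

<p class="">A hit in the "html" context is the same evidence as the red-bordered underline in the screenshot; "attribute" and "text" hits tell you the application encoded the quotes, so that field is a lower-priority target unless the encoding is context-specific and incomplete.</p>
<p class="">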
</p><figure id="120037dd-36b3-4a11-9b3e-3d8ba8fd8300" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2011.png"><img style="width:363px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2011.png"/></a></figure><p id="14b9b96c-7e8a-41be-9b97-34e6261c31b8" class="">I also see a link option here. The server will fetch this link to use it as the profile picture, which gives us a candidate for SSRF. To test for this, I start Burp Collaborator and grab a URL that I can insert into this field. Collaborator is only available in the paid version, Burp Suite Professional. If you don't have it, you can use:</p><ul id="141f2c5f-d5f5-47ba-a5d4-0e0fe94dae49" class="bulleted-list"><li>Your own web server<ul id="5de2e992-d5df-4843-8a56-d825d5385851" class="bulleted-list"><li>Unless it is also authoritative for a DNS zone, it only records HTTP requests, not DNS lookups, so a blocked outbound HTTP connection looks the same as no interaction at all</li></ul></li></ul><ul id="ce60fe07-cf44-41aa-b1f3-76af1a89be25" class="bulleted-list"><li>A public Collaborator-style server<ul id="18ca1ec3-b156-446e-a548-70191515a225" class="bulleted-list"><li>This may suffer from availability issues as it is shared between all users</li></ul></li></ul><p id="e6cc4d96-fe96-4d05-bcf6-fe064a293ecd" class="">Whichever option we go for, we copy our payload URL to the clipboard and paste it into the URL field that the server tries to resolve.</p><figure id="8bb6db65-93e6-40d2-9462-622e5ce54c8b" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2012.png"><img style="width:1024px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2012.png"/></a></figure><p id="aac6b5fb-c0c8-426f-b626-307d58380f5f" class="">We might need to put http:// in front of our URL if the server checks the syntax.</p><p id="b2412b7c-eea9-40d4-a962-ba3a73718c6c" class="">http://<a href="http://s5yf4ljmn9wgf95dcykd4iu7zy5otd.burpcollaborator.net/">s5yf4ljmn9wgf95dcykd4iu7zy5otd.burpcollaborator.net</a></p><figure id="f43d6840-18f3-4331-93ee-5c57b7fc2b3d" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2013.png"><img style="width:739px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2013.png"/></a></figure><p id="d9f190cd-6817-4f03-ae42-633effca5e6e" class="">If you are getting DNS lookups in Collaborator but no HTTP requests, the server resolved our hostname but its outbound HTTP connection was blocked, most likely by an egress filter. Egress filters stop certain types of outgoing traffic, so a full SSRF is probably not achievable here, although the DNS interaction still proves that the server parsed and resolved the URL we supplied. As of this writing OWASP Juice Shop does not have any SSRF vulnerabilities, but if we did find one here we would continue down the SSRF path.</p><figure id="e7574d0a-888e-4864-b646-65624ed584b9" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2014.png"><img style="width:1020px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2014.png"/></a></figure><figure id="b59e25de-62f2-4fde-a5b0-96ba5932b926" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2015.png"><img style="width:1120px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2015.png"/></a></figure><p id="32d39943-f28c-4e78-be88-401c70d247fa" class="">I will try the same XSS technique on any stored or reflected field I can find, addresses included. If I suspect a server-side template engine is being used, I add an SSTI attack vector: 
</p><pre id="2d71070a-8deb-4456-992b-e3ca59ca4a25" class="code"><code>'"><u>THE XSS RAT WAS HERE${7*'7'}</code></pre><p id="b37705d8-c7f3-4b59-9295-07bc52271ab8" class="">If this comes back as 7777777 or 49 rather than being echoed literally, the expression was evaluated, and I investigate further with SSTI (server-side template injection) or CSTI (client-side template injection) techniques.</p><h3 id="8c4ab516-02ce-4260-9d59-167801b59369" class="">SQLi (Structured Query Language Injection)</h3><p id="90efc421-a8e7-47e9-b981-a2f51a52dc19" class="">The previous attack vector automatically tests for SQL injection as well, because it starts with:</p><pre id="55bea3c6-a337-448a-b7bc-f865d2a7a4b3" class="code"><code>'"</code></pre><p id="3a0dea91-2ca0-406d-9080-d3c81aa0d7c7" class="">These quotes are special characters in SQL statements, so if our input ends up in a query unescaped we get a syntax error or a changed response. If we get an SQL error, we usually run a tool like sqlmap against that parameter to find out what kind of SQL injection it is. This is a hands-on session; for any further doubts refer to the SQLi section.</p><h3 id="8c032a25-08d3-4fa2-8e50-9af814478c3d" class="">Testing for IDORs (Insecure Direct Object References)</h3><p id="ce8334df-cf80-4a8d-a439-8f0699ff549f" class="">To test for IDORs we need two accounts on the target. We already have one, so we create a second account. We test by replaying the first account's requests with the second account's cookies, authorization tokens or headers, and checking whether the first account's data is still returned or modified. This may seem confusing because in production you cannot copy a victim's cookie or headers, but that is not the goal: we only need the second account's cookie or header to automate our IDOR search. How to do this has been demonstrated in the tools section.</p><h3 id="abb0e728-fd86-4e85-90da-b120381c8755" class="">Testing for Vertical Privilege Escalation</h3><p id="64bc8548-4f6b-4fc7-b155-0374f7955932" class="">When we want to test for vertical privilege escalation we need accounts of different privilege levels. Since we don't have an admin account yet, we can't test for this yet. If the target had different privilege levels, we would create accounts at each level and test for broken access control (BAC). Example:</p><ul id="d418fed8-2cf9-4bcc-8cec-93a78de87bd0" class="bulleted-list"><li>Administrator</li></ul><ul id="2af84c44-edea-46aa-94ab-359c4b428ccf" class="bulleted-list"><li>Content editor</li></ul><ul id="197efdd7-997c-4aa7-aaae-e0c2f22c6ab6" class="bulleted-list"><li>Customers</li></ul><p id="f3b3037d-d620-43c5-a10c-2fc1b16b8592" class="">Again, how to test for this specifically has been illustrated in the tools section.</p><h3 id="a716069c-7c8d-49bd-81c2-f0d55a318c6f" class="">The login section</h3><p id="32fac507-90f8-428f-8981-c9dfb32abf51" class="">In the login section we can play around with the requests a little. For example, if we request a password reset link and append our own email address to the request, the server might send the victim's password reset link to the attacker's email address.</p><pre id="029cecf1-b6ad-4722-99ec-5823ed6161f4" class="code"><code>POST /api/resetPassword HTTP/1.1
Host: ferretshop.herokuapp.com
Connection: close
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
Accept: application/json, text/plain, */*
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.ZP57rD5SMMyXD87VceX57xF4TQqqMeqAIUm96XQY_wTghbPF8gRmGxIIJN1G_vZkuewH5VrIbZ8RJuAaj5LOR3kfUJvkMm5ibLaNpUZYlenjM1OXowMKeZVniJiLx3D-UBGauEvJf4wkX2x3UXs_SuudK57-2xACAadUYxTlWEU
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ferretshop.herokuapp.com/
Accept-Encoding: gzip, deflate
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: language=en; welcomebanner_status=dismiss; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTcsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ0ZXN0QGdtYWlsLmNvbSIsInBhc3N3b3JkIjoiMWFlZGI4ZDlkYzQ3NTFlMjI5YTMzNWUzNzFkYjgwNTgiLCJyb2xlIjoiY3VzdG9tZXIiLCJkZWx1eGVUb2tlbiI6IiIsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6Ii9hc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHQuc3ZnIiwidG90cFNlY3JldCI6IiIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDIxLTAzLTEwIDIwOjAzOjEyLjc5MiArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDIxLTAzLTEwIDIwOjAzOjEyLjc5MiArMDA6MDAiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE2MTU0MDY1OTcsImV4cCI6MTYxNTQyNDU5N30.ZP57rD5SMMyXD87VceX57xF4TQqqMeqAIUm96XQY_wTghbPF8gRmGxIIJN1G_vZkuewH5VrIbZ8RJuAaj5LOR3kfUJvkMm5ibLaNpUZYlenjM1OXowMKeZVniJiLx3D-UBGauEvJf4wkX2x3UXs_SuudK57-2xACAadUYxTlWEU; io=Mq1hqj7m93njsus2AAAF
Content-Length: 24
{email:"[email protected]"}</code></pre><p id="c8e449b7-a717-4b38-b176-67d5377a77db" class="">Might turn into</p><pre id="8268afc3-064d-4075-89f8-dcf1d11b541d" class="code"><code>POST /api/resetPassword HTTP/1.1
Host: ferretshop.herokuapp.com
Connection: close
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
Accept: application/json, text/plain, */*
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.ZP57rD5SMMyXD87VceX57xF4TQqqMeqAIUm96XQY_wTghbPF8gRmGxIIJN1G_vZkuewH5VrIbZ8RJuAaj5LOR3kfUJvkMm5ibLaNpUZYlenjM1OXowMKeZVniJiLx3D-UBGauEvJf4wkX2x3UXs_SuudK57-2xACAadUYxTlWEU
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ferretshop.herokuapp.com/
Accept-Encoding: gzip, deflate
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: language=en; welcomebanner_status=dismiss; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.ZP57rD5SMMyXD87VceX57xF4TQqqMeqAIUm96XQY_wTghbPF8gRmGxIIJN1G_vZkuewH5VrIbZ8RJuAaj5LOR3kfUJvkMm5ibLaNpUZYlenjM1OXowMKeZVniJiLx3D-UBGauEvJf4wkX2x3UXs_SuudK57-2xACAadUYxTlWEU; io=Mq1hqj7m93njsus2AAAF
Content-Length: 24
{email:"[email protected]",
email:"[email protected]"}</code></pre><p id="b503a4d3-cd53-45a2-8a76-2540fb258abf" class="">This might prompt the component that generates the reset link (call it "GenerateLink") to use the first email address, while the component that sends the mail ("SendLink") uses the last one, so the victim's link ends up in the attacker's inbox. The trick works whenever two parsers in the chain disagree about which duplicate key or parameter wins, so it is worth trying on any request that carries an identity.</p><h3 id="c8148900-772c-4b94-adc6-1bdd8160f5da" class="">CSRF (Cross Site Request Forgery)</h3><p id="98258185-969f-4937-bc1b-2b281967cb47" class="">Whenever I see a CSRF token, I try to replace it:</p><ul id="76f3a4b1-4c25-45af-8a63-4f8c7b79d92f" class="bulleted-list"><li>with an empty parameter (CSRF=)</li></ul><ul id="469baa79-c9c1-4df7-8f54-ade0e13ee844" class="bulleted-list"><li>with a value of the same shape (same length, alphanumeric) (CSRF=2475455dfs1)</li></ul><ul id="e6ce6b5f-c8cd-4a49-b3f1-31c88739e55c" class="bulleted-list"><li>CSRF=1</li></ul><ul id="45516b60-ee95-4906-baed-d59075a9873f" class="bulleted-list"><li>a CSRF token that belongs to a different account</li></ul><p id="5091b446-6568-4400-96b8-9267af2ae0f6" class="">I use Burp's "Match and replace" rules or the AutoRepeater extension for this, although AutoRepeater seems to have broken with the latest Burp update; this may get fixed later on.</p><p id="f196d502-11b0-4435-ba12-21356594ebe0" class="">See the tools section.</p><h3 id="6a86616c-20c3-4f7c-8102-3e2453274c0c" class="">Exploring the requests</h3><p id="6a5384de-b532-41a8-9075-3dc0cdb13cfe" class="">Now comes the fun part: we are going to look at every request and parameter in its own right. To do this we go back to Burp Suite and look at the site map, which has been filling up in the background while we clicked around.</p><figure id="20821c17-f0fc-4f93-b669-64a0ad2b4268" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2016.png"><img style="width:842px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2016.png"/></a></figure><p id="d5e14ceb-736c-418e-96b7-835e61b3aff3" class="">Now we can see the parameterised requests; we don't really care about the static ones.</p><p id="5a147930-9b65-44c9-84fa-d83f88f86615" class="">
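</p><p class="">Before going through the parameters one by one, here is the duplicated-key password reset trick from the login section above, reduced to the parser behaviour it relies on. This is an added example and not the walkthrough's own code: "GenerateLink" and "SendLink" are modelled as two hypothetical readers of the same body, one hand-rolled extractor that takes the first "email" and one standard JSON parser that keeps the last. The addresses are constructed example.com/example.net values, and the body is valid JSON (the captured request above uses unquoted keys, which most JSON parsers would reject).</p>

```python
"""Duplicate JSON keys: the parser differential behind the reset-link trick.

Added example, not part of the original walkthrough. "GenerateLink" and
"SendLink" are hypothetical components; here they are modelled as two
readers of the same body that disagree on which duplicate wins. The
addresses are constructed example.com/example.net values.
"""
import json
import re

VICTIM = "victim@example.com"
ATTACKER = "attacker@example.net"


def polluted_body(victim: str, attacker: str) -> str:
    """Body with the key sent twice, as in the second request above (valid JSON here)."""
    return '{"email": %s, "email": %s}' % (json.dumps(victim), json.dumps(attacker))


def email_for_link(body: str) -> str:
    """A hand-rolled extractor (logging, a gateway, a template) takes the FIRST match."""
    match = re.search(r'"email"\s*:\s*"([^"]*)"', body)
    return match.group(1) if match else ""


def email_for_delivery(body: str) -> str:
    """json.loads, like most RFC 8259 parsers, silently keeps the LAST duplicate."""
    return json.loads(body)["email"]


def reset_flow(body: str) -> tuple[str, str]:
    """(account the reset link is generated for, mailbox the link is sent to)."""
    return email_for_link(body), email_for_delivery(body)


def load_json_strict(body: str) -> dict:
    """Hardened loader: refuse duplicate keys instead of letting the parser pick."""
    def reject_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r} in request body")
            obj[key] = value
        return obj
    return json.loads(body, object_pairs_hook=reject_duplicates)


def strict_parser_rejects(body: str) -> bool:
    """True when the hardened loader refuses the body."""
    try:
        load_json_strict(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    body = polluted_body(VICTIM, ATTACKER)
    print(body, "->", reset_flow(body))
    print("strict parser rejects it:", strict_parser_rejects(body))
```

<p class="">The same differential exists for form bodies and query strings (HTTP parameter pollution), where frameworks differ on whether email=a&amp;email=b yields the first, the last or a list. On the fixing side, rejecting duplicate keys at the edge, as load_json_strict does, removes the ambiguity entirely rather than relying on every component agreeing.</p>
<p class="">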
</p><figure id="cde631f2-cae9-4143-a4b7-e2ac6ba84678" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2017.png"><img style="width:782px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2017.png"/></a></figure><p id="44a311a3-3d8e-4647-96e9-7d45a45832c8" class="">I am going to look at all of these requests and see if I can find parameters that I can manipulate but should not be able to, such as:</p><ul id="06e1d096-3fe1-4bf3-90f3-2b67a5c8c371" class="bulleted-list"><li>{userType:"User"} > {userType:"Admin"}</li></ul><ul id="6754eadc-96a7-4fd1-82eb-d2de41026c06" class="bulleted-list"><li>{accountType:"Basic"} > {accountType:"Advanced"} (a tier that normally costs more)</li></ul><ul id="75fc5828-b29e-40c9-bbc7-34f6eeecfce6" class="bulleted-list"><li>{rating:5} > {rating:-5000} (a value outside the allowed range; on a video site this could drag down a video's rating)</li></ul><ul id="43ded1be-11ec-4a48-9612-7d9d5e4aa218" class="bulleted-list"><li>... Use your imagination</li></ul><p id="72934281-9121-463c-9417-424351e12020" class="">
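</p><p class="">Both the IDOR test described earlier (replay account A's request as account B) and the parameter manipulation list above come down to editing a captured request and resending it. The script below is an added example, not the author's tooling or the Burp extensions mentioned in the tools section: it parses a raw HTTP/1.1 request, swaps the Authorization header and the token cookie for a second account, or changes one JSON body field, and recomputes Content-Length so the tampered body is not truncated. The sample request is constructed in the shape of the captured ones; the /api/Feedbacks path, the UserId field and the JWT placeholders are assumptions.</p>

```python
"""Rewrite a captured request for IDOR / privilege and parameter-tampering tests.

Added example, not the original author's tooling. swap_identity() does what
the walkthrough describes for IDORs: replay account A's request carrying
account B's Authorization header and token cookie. tamper_json_field() covers
the parameter-manipulation list (userType, accountType, rating, ...). The
request below is constructed in the shape of the captured ones; the path,
field names and JWT placeholders are assumptions.
"""
import json
import re


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_request(request_line: str, headers, body: str) -> str:
    """Serialise back, recomputing Content-Length so a tampered body is not truncated."""
    out = [request_line]
    out += [f"{name}: {value}" for name, value in headers
            if name.lower() != "content-length"]
    if body:
        out.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(out) + "\r\n\r\n" + body


def header(raw: str, name: str) -> str:
    """Value of one header (case-insensitive), or '' if absent."""
    _, headers, _ = parse_request(raw)
    return {n.lower(): v for n, v in headers}.get(name.lower(), "")


def body_field(raw: str, field: str):
    """Read one JSON field from the body of a raw request."""
    return json.loads(parse_request(raw)[2])[field]


def swap_identity(raw: str, bearer_b: str, token_cookie_b: str) -> str:
    """Same request, authenticated as account B (all other cookies are kept)."""
    request_line, headers, body = parse_request(raw)
    swapped = []
    for name, value in headers:
        if name.lower() == "authorization":
            value = f"Bearer {bearer_b}"
        elif name.lower() == "cookie":
            value = re.sub(r"(^|;\s*)token=[^;]*",
                           lambda m: m.group(1) + "token=" + token_cookie_b, value)
        swapped.append((name, value))
    return build_request(request_line, swapped, body)


def tamper_json_field(raw: str, field: str, new_value) -> str:
    """Same request with one JSON body field changed (e.g. rating 5 -> -5000)."""
    request_line, headers, body = parse_request(raw)
    data = json.loads(body)
    data[field] = new_value
    return build_request(request_line, headers, json.dumps(data))


# Constructed sample: account A posting a review. Endpoint, field names and
# the JWT placeholders are assumptions, not captured values.
SAMPLE_REQUEST = build_request(
    "POST /api/Feedbacks HTTP/1.1",
    [("Host", "ferretshop.herokuapp.com"),
     ("Authorization", "Bearer USER_A_JWT"),
     ("Content-Type", "application/json"),
     ("Cookie", "language=en; token=USER_A_JWT; io=Mq1hqj7m93njsus2AAAF")],
    json.dumps({"UserId": 17, "comment": "great ferret", "rating": 5}),
)

if __name__ == "__main__":
    print(swap_identity(SAMPLE_REQUEST, "USER_B_JWT", "USER_B_JWT"))
    print(tamper_json_field(SAMPLE_REQUEST, "UserId", 1))
```

<p class="">For the IDOR test you send both the original and the swapped request and diff the responses: if account B's token returns or changes account A's object, you have your finding. For the parameter list, tamper_json_field gives you one variant per field; the interesting ones are the fields the UI never lets you set, like UserId on a review.</p>
<p class="">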
</p><figure id="ea529e54-6463-49cd-b77a-09d53d45f01c" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2018.png"><img style="width:630px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2018.png"/></a></figure><p id="2e4f2755-e42b-4e15-8abb-f6888d18d011" class="">In this case, for example, we can change the author of a review, which should not be possible.</p><h3 id="375096e3-67e4-471d-a888-db7d5b2c3598" class="">LFI/RFI</h3><p id="15eb3078-f967-4134-8988-43eb85d71855" class="">Whenever a parameter shows that it is fetching a file from the local file system, or from a remote location, I try LFI or RFI respectively. See those sections to learn more about them.</p><ul id="1a05aca1-998d-4b83-b0a6-6c1c7ae6677a" class="bulleted-list"><li>GET /avatar.php?file=image1.png</li></ul><ul id="5ac7984e-e143-4e43-8b24-57b29e7b9422" class="bulleted-list"><li>GET /avatar.php?file=s3.bucket.org/image1.png</li></ul><p id="6750df63-6c9e-46ef-adbe-af7ae9b856ae" class="">LFI/RFI in and of itself is usually not that impactful. If we find this issue we should try to reach files on the system that we should not be able to access, such as private pictures of other users, or try to include a file that gives us remote code execution. That can get us a reverse shell and therefore access to the server. If you ever achieve this, stop and report: don't explore a production server at the risk of seeing data you should not see or crashing it.</p><h3 id="de3cb6f2-ede4-40d8-b423-2f26cda3739a" class="">OS Command injection</h3><p id="4ae2e8e8-f8f2-4139-8b8d-bc314dce2e78" class="">This is the last vulnerability type I check for. The only way to check for it is to fuzz all of those parameters with the fuzzing list you created in the OS command injection section. To do this I use the Intruder tool built into Burp.</p><figure id="d1624edb-1cf8-4e6d-90d0-5b76267d48fb" class="image"><a href="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2019.png"><img style="width:1253px" src="Practical%20Demonstration%20-%20Main%20Web%20Application%20hac%20731d6dead50b4df9bb12ce143d21bc9a/Untitled%2019.png"/></a></figure><p id="abc5471f-ca39-4012-a8dd-c97f2dbcd487" class="">
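</p><p class="">To close the LFI/RFI section above with something you can run: the script below is an added example, not code from the walkthrough or from any real avatar.php. It simulates the two avatar requests listed there against a throw-away directory, showing what the naive "join the parameter onto the directory" code resolves for a traversal, an absolute path and a remote URL, next to a hardened resolver that rejects URL schemes and confines the resolved path to the avatar directory. File names and the probe values are constructed.</p>

```python
"""LFI/RFI: the avatar.php?file= pattern, vulnerable and hardened.

Added example, not code from the walkthrough or from any real application.
It simulates the two requests listed in the LFI/RFI section against a
temporary directory so the traversal can be observed safely offline.
"""
import os
import tempfile
from urllib.parse import urlsplit


def vulnerable_avatar_path(base_dir: str, file_param: str) -> str:
    """What naive code does: join the parameter straight onto the directory.
    '../' walks out of base_dir and an absolute path replaces it entirely
    (PHP with allow_url_include would even fetch an http:// value: RFI)."""
    return os.path.join(base_dir, file_param)


def safe_avatar_path(base_dir: str, file_param: str) -> str:
    """Hardened version: no URL schemes, and the resolved path must stay in base_dir."""
    if urlsplit(file_param).scheme:
        raise ValueError("remote locations are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, file_param))
    # realpath has resolved '..' and symlinks, so a component-wise prefix
    # check is now reliable (plain startswith would accept 'avatars2/').
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the avatar directory")
    return candidate


PROBES = (
    "image1.png",                       # legitimate, as in the first request above
    "../secret.txt",                    # classic traversal
    "/etc/passwd",                      # absolute path
    "http://s3.bucket.org/image1.png",  # remote location, as in the second request
)


def probe_all() -> dict:
    """Run every probe against both versions inside a throw-away directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "avatars")
        os.makedirs(base)
        with open(os.path.join(base, "image1.png"), "w") as fh:
            fh.write("png bytes")
        with open(os.path.join(root, "secret.txt"), "w") as fh:  # outside base
            fh.write("not an avatar")
        real_base = os.path.realpath(base)
        for param in PROBES:
            target = os.path.realpath(vulnerable_avatar_path(base, param))
            try:
                escapes = os.path.commonpath([real_base, target]) != real_base
            except ValueError:  # different drive on Windows: certainly outside
                escapes = True
            try:
                safe_avatar_path(base, param)
                blocked = False
            except ValueError:
                blocked = True
            results[param] = {"vulnerable_escapes": escapes, "hardened_blocked": blocked}
    return results


if __name__ == "__main__":
    for param, verdict in probe_all().items():
        print(f"{param:35} {verdict}")
```

<p class="">Note that the remote URL does not escape the directory in the vulnerable Python version; it simply resolves to a non-existent local path. Whether a value like that turns into RFI depends on the include mechanism of the target (for example PHP include with allow_url_include), which is why the hardened version rejects any scheme outright instead of reasoning about it.</p>
<p class="">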
</p></div></article></body></html>