Lab 4: User role controlled by request parameter

 I need to access the admin site and delete Carlos but to do this I need to change the parameters to then gain access into the admin page.

I went into my account and logged in using the credentials that were provided for me






I then went into cookies and found the Admin cookie set to false, so I changed it to true and then I went into the admin panel




After doing so I was able to delete Carlos.

Another way I could of done this was by using Burp

I could have sent the request to the proxy and taken a look at the cookies.



Here I could have changed the cookie to true and then it would have worked the same way


Comments

Post a Comment

Popular posts from this blog

Practitioner Lab 1: File path traversal, traversal sequences blocked with absolute path bypass

Image
 This lab contains a path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. To solve the lab, retrieve the contents of the  /etc/passwd  file. I began by looking into one of these pages which have images I then went into the source code and took a look at where the image was being accessed I then went into it and changed the image for the absolute path of the file /etc/passwd This then resulted in the lab being finished. To solve this using Burp I went into the http history and this allowed me to see the request for images. Here I take a look at the request and then change it to the absolute path of /etc/passwd and then I get the contents of the file
Read more

Practitioner Lab 7: SSRF with filter bypass via open redirection vulnerability

Image
  This lab has a stock check feature which fetches data from an internal system. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first. I went into the page and looked at the check stock which accesses the database Here I took a look at the request to see what was happening and how it was working here I first check how it would react if I just tried to use the Ip directly without using local. I will use their own URL and then &path=http://192.168.0.12:8080/admin to the end of the URL As can be seen the URL doesn’t allow for redirections. I need a URL that needs redirections. This URL allows for redirections I found this after clicking next item. /product/nextProduct?currentProductId=1&path=/product?productId=2 I can use this URL and feed it to the stock checker to then be able to go to the admin page I put the URL that I got before here to then be able to redirec...
Read more

Practitioner Lab 4: File path traversal, validation of start of path

Image
 This lab contains a path traversal vulnerability in the display of product images. The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder. To solve the lab, retrieve the contents of the  /etc/passwd  file. I began by going into the page with an image and captured the request. I then opened Burp Suite and looked at the request and as the lab specified the request will not work unless it has the main path of /var/www/images I tried to check what answer it would give me when I didn't have the full path name just to learn. After putting a full path name it worked out including the starting point of /var/www/images. Now the lab is solved.
Read more

Practitioner Lab 5:File path traversal, validation of file extension with null byte bypass

Image
 This lab contains a path traversal vulnerability in the display of product images. The application validates that the supplied filename ends with the expected file extension. To solve the lab, retrieve the contents of the  /etc/passwd  file. the first thing I do is check the website out and look for images. I will then click on the page with the image because this way I can see the request on Burp Suite In this case, the server is checking for a specific extension so i put it after the %00 null byte Now I am going to check how it works when I don’t put that. I want to see what type of answer it will give me. It will simply say no such file.
Read more