recommended_labs
"These labs have been selected because they reinforce core web security testing skills - such as understanding encodings and using them to evade defences, and proficiency in exploiting cross-user attacks. These specific labs support your exam preparation in terms of skill development, but they are in no way a list of the components you'll be expected to solve to complete the exam."
[0x1] Lab: SQL injection with filter bypass via XML encoding
You will need the Hackvertor Burp Suite extension.
[0x2] Lab: Blind SQL injection with out-of-band data exfiltration
Identify the vulnerability:
Ctrl+U to URL-encode the payload, then Send.
Data exfiltration:
Ctrl+U to URL-encode the payload, then Send.
[0x3] Lab: Exploiting cross-site scripting to steal cookies
A simulated victim user views all comments after they are posted. Write this payload into the comment section:
[0x4] Lab: SSRF with blacklist-based input filter
[0x5] Lab: Exploiting HTTP request smuggling to capture other users' requests
Send this request to Repeater and, with the HTTP Request Smuggler extension (CL.TE), send the request many times until the victim user's request is captured by our POST request.
[0x6] Lab: Brute-forcing a stay-logged-in cookie
Log in to our account wiener:peter and enable the Stay logged in option. When successfully logged in, intercept a GET request to my-account and a stay-logged-in cookie will appear.
Steps to take over the carlos account:
Send the request to Intruder
Menu bar => Payloads => Payload Processing
Add Hash: MD5
Add prefix: carlos:
Add Encode: Base64-encode
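As an added, defender-side illustration (not from the lab or this page's author): the weak cookie construction the steps above rely on, a review helper showing what such a cookie exposes to whoever holds it, and an assumed hardened alternative that keeps password material out of the cookie and signs it with a server-side secret.

```python
import base64
import hashlib
import hmac
import secrets

# Weak scheme the lab describes: cookie = base64(username + ":" + md5(password)).
# Anyone holding the cookie recovers the username and an unsalted MD5 of the password.
def weak_stay_logged_in(username, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()

def inspect_cookie(cookie):
    """Review helper: report what a stay-logged-in cookie exposes to its holder."""
    try:
        plain = base64.b64decode(cookie, validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return {"decodable": False, "username": None, "unsalted_md5": False}
    user, sep, tail = plain.partition(":")
    looks_md5 = len(tail) == 32 and all(ch in "0123456789abcdef" for ch in tail)
    return {"decodable": True, "username": user if sep else None, "unsalted_md5": looks_md5}

# Hardened alternative (an assumption, not the lab's code): no password material in the
# cookie, a per-login random nonce, an expiry, and an HMAC under a server-side secret.
SERVER_SECRET = secrets.token_bytes(32)  # constructed here; load from config in practice

def hardened_stay_logged_in(username, expires_at):
    nonce = secrets.token_hex(16)
    payload = f"{username}:{expires_at}:{nonce}"  # assumes usernames contain no ':'
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{payload}:{tag}".encode()).decode()

def verify_hardened(cookie, now):
    """Return the username if the cookie is authentic and unexpired, else None."""
    try:
        plain = base64.b64decode(cookie, validate=True).decode()
    except ValueError:
        return None
    payload, _, tag = plain.rpartition(":")
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # forged or tampered cookie
    parts = payload.split(":")
    if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) < now:
        return None  # malformed or expired
    return parts[0]
```

The weak cookie decodes to `username:md5hex`, which is why an offline guess of the password is possible; the hardened cookie reveals only a username and expiry and cannot be forged or modified without the server secret.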
[0x7] Email Reset User Takeover
Go to the 'Forgot your password?' functionality. If you can enter a name instead of an email, enter the username 'carlos' and intercept the POST request. Next, open the exploit server and copy the exploit server host, insert an 'X-Forwarded-Host' header with the exploit server host as its value, and forward the request. Finally, open the HTTP logs on the exploit server and take the reset link for the new-password functionality.
[0x8] onpopstate event XSS cookie retrieval
You have to encode the payload with the Hackvertor extension. P.S. Don't forget the backtick (`) quote after onpopstate=document.location=