Access Control Vulnerabilities - NANDITHA90/PortSwigger-LABS GitHub Wiki

LAB - 1

Unprotected Admin Functionality

  • About

    • This lab has an unprotected admin panel.
    • Solve the lab by deleting the user carlos

(a) Open the Lab Experiment

  • Page

image

(b) Type in URL

  • Type :

    • /robots.txt

image

(c) Type For Administrator Panel

  • Type

    • /administrator-panel

Delete the User : Carlos

image

(d) Delete User

  • After Deleting the user :

image

SOLVED


LAB - 2

Unprotected Admin Functionality with Unpredictable URL

  • About

    • This lab has an unprotected admin panel.
    • It's located at an unpredictable location, but the location is disclosed somewhere in the application.
    • Solve the lab by accessing the admin panel, and using it to delete the user carlos

(a) Open the Lab Experiment

  • Page

image

  • Go to Page > Right-Click > Select : View Page Source

image

image

Copy : /admin-r4niqc

  • Append to URL : /admin-r4niqc

image

  • Delete the User : Carlos

image

image

SOLVED


LAB - 3

User role controlled by request parameter

  • About

    • This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.
    • Solve the lab by accessing the admin panel and using it to delete the user carlos.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Open the Lab Experiment

  • Page

image

  • Browse : /admin

image

  • Login Page :

image

  • Login with the Credentials and Use Burp Suite

image

We can observe that the Admin Cookie is Set to FALSE ----> Admin=False

  • Change the Value to TRUE

    • Admin=true

image

The Cookie is Set to True now.

image

  • Now, Forward the Proxy

  • Go to Admin Panel

  • Let it Load

  • Delete the User : Carlos

image

image

SOLVED


LAB - 4

User role can be modified in user profile

  • About

    • This lab has an admin panel at /admin.
    • It's only accessible to logged-in users with a roleid of 2.
    • Solve the lab by accessing the admin panel and using it to delete the user carlos.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Open the Lab Experiment

  • Page

image

  • Open My Account
  • Give the Credentials
  • After Logging-IN, Type the Updated E-mail
  • Update the Email
  • While Updating, Use Burp Suite to capture the E-mail.

(b) Burp Suite

Capture it in Proxy

image

Send it to the REPEATER

After clicking Send on the request, we can observe ROLEID : 1 on the response side

image

  • Now Convert it to 2

image

  • Now you can Access the Admin Panel (As it's Logged-IN)

image

  • Now, Delete the User : Carlos

image

image

SOLVED
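The fix for labs 3 and 4 is the same: the role that decides admin access lives in a server-side session record, never in a client-supplied cookie (Admin=true) or a profile-update field (roleid). This is an added example, not code from the wiki or from the PortSwigger labs; the user table, session table and cookie/form dicts are constructed samples.

```python
# Added example (not from the wiki or PortSwigger): the fix for labs 3 and 4.
# The role that decides admin access comes from a server-side session record,
# never from a client-supplied cookie ("Admin=true") or a profile-update field
# ("roleid"). Users, sessions and requests are constructed in-memory samples.

USERS = {"wiener": {"email": "wiener@example.com", "roleid": 1},
         "administrator": {"email": "admin@example.com", "roleid": 2}}
SESSIONS = {"sess-wiener": "wiener", "sess-admin": "administrator"}
ADMIN_ROLEID = 2
# Fields a user may change about themselves; roleid is deliberately absent.
EDITABLE_FIELDS = {"email"}


def current_user(cookies):
    """Resolve identity from the session cookie only."""
    return SESSIONS.get(cookies.get("session"))


def is_admin(cookies):
    """Lab 3 fix: ignore any 'Admin' cookie; look the role up server-side."""
    user = current_user(cookies)
    return user is not None and USERS[user]["roleid"] == ADMIN_ROLEID


def update_profile(cookies, form):
    """Lab 4 fix: apply only allow-listed fields, so a 'roleid' key in the
    request body is dropped. Returns the dict of fields actually changed."""
    user = current_user(cookies)
    if user is None:
        return None
    accepted = {k: v for k, v in form.items() if k in EDITABLE_FIELDS}
    USERS[user].update(accepted)
    return accepted


def admin_panel(cookies):
    """Route guard for /admin: 403 unless the session's stored role is admin."""
    return 200 if is_admin(cookies) else 403
```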


LAB - 5

User ID controlled by request parameter

  • About

    • This lab has a horizontal privilege escalation vulnerability on the user account page.
    • To solve the lab, obtain the API key for the user carlos and submit it as the solution.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Open the Lab Experiment

  • Page

Wiener Account Page

image

  • Go to Burp Suite
  • Capture the ID in Proxy
  • Send to Repeater

image

  • When the Request is SENT, we can observe the API KEY in the Response

image

  • Change the Users' ID to Carlos

image

Now we have the API KEY for Carlos as well

  • Submit the API KEY

image

image

SOLVED


LAB - 6

User ID controlled by request parameter, with unpredictable user IDs

  • About

    • This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.
    • To solve the lab, find the GUID for carlos, then submit his API key as the solution.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Open the Lab Experiment

  • Page

image

  • Find a blog post by carlos

image

image

  • When you click on CARLOS, you'll get a USERID

userId=64207431-ec63-44cb-ab1a-32cbe44448de

image

  • Logging-IN with given Credentials

image

  • Send this to REPEATER

image

  • Change the userId in the request to Carlos's GUID

    • userId=64207431-ec63-44cb-ab1a-32cbe44448de

image

We get the API KEY of Carlos

  • Copy it and Submit it

    • n2itHDef01LH03U02oLWtRpbBpnZiiyl

image

SOLVED


LAB - 7

User ID Controlled by Request Parameter with Data Leakage in Redirect

  • About

    • This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response.
    • To solve the lab, obtain the API key for the user carlos and submit it as the solution.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Open the Lab Experiment

  • Page

image

(b) Burp Suite

  • Logging-IN using Credentials

image

  • Send to Repeater

image

  • Changing the ID parameter to carlos

image

  • Submit the API KEY

    • OLOH3b4r1FeUAsCYTxCX2fxXmzWzpVC6

image

image

SOLVED


LAB - 8

User ID Controlled by Request Parameter with Password Disclosure

  • About

    • This lab has user account page that contains the current user's existing password, prefilled in a masked input.
    • To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Open the Lab Experiment

  • Page

image

(b) Burp Suite

  • Logging-IN using Credentials

image

  • Send to Repeater

image

  • Change ID Parameter to Administrator

image

Here, we can observe that the Administrator's password is shown : zpmyzfwtz5zct0cdtote

Now, Log into Administrator User with the Password

image

  • Now, Go to Admin Panel

image

  • Delete User : Carlos

image

image

SOLVED


LAB - 9

Insecure Direct Object References

  • About

    • This lab stores user chat logs directly on the server's file system, and retrieves them using static URLs.
    • Solve the lab by finding the password for the user carlos, and logging into their account.

(a) Open the Lab Experiment

  • Page

image

Open LIVE CHAT

  • In Live Chat Page :

    • Enter your Message

image

  • Then, Click on View Transcript

image

  • While using Burp Suite

image

  • Now change the 5.txt to 1.txt

image

Now, you got the PASSWORD : 17uwftb9facl3xsuzfo8

Log IN with the Password

image

image

SOLVED
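Labs 5 to 9 share one root cause: an object is fetched by a client-chosen identifier (id, userId, the transcript file name) without checking that the session is allowed to see it, and labs 7 and 8 add response-level leaks (a redirect that still carries the page body, a password echoed into a masked input). The handler below, an added example that is not code from the wiki or from PortSwigger, authorizes every read against the session identity; the user table, session table and transcript map are constructed samples.

```python
# Added example (not from the wiki or PortSwigger): one fix for labs 5 to 9.
# Every object read is authorized against the session identity: the account
# page serves the session's own record (an id/userId naming anyone else is
# refused), the password is never sent back, an authentication redirect has
# an empty body, and a chat transcript goes only to the user who owns it.
USERS = {
    "wiener": {"guid": "c0ffee00-0000-4000-8000-000000000001",
               "api_key": "KEY-WIENER", "password": "peter"},
    "carlos": {"guid": "c0ffee00-0000-4000-8000-000000000002",
               "api_key": "KEY-CARLOS", "password": "secret"},
}
SESSIONS = {"sess-wiener": "wiener"}
# transcript file name -> (owner, content); constructed samples
TRANSCRIPTS = {"1.txt": ("carlos", "carlos chat text"), "5.txt": ("wiener", "hi")}


def _session_user(cookies):
    return SESSIONS.get(cookies.get("session"))


def account_page(cookies, params):
    """Labs 5-8: the record shown is the session's own; an id or userId
    parameter naming anyone else is refused. Returns (status, headers, body)."""
    user = _session_user(cookies)
    if user is None:
        # Lab 7 fix: the redirect carries an empty body, not the account page.
        return 302, {"Location": "/login"}, ""
    requested = params.get("id") or params.get("userId")
    if requested not in (None, user, USERS[user]["guid"]):
        return 403, {}, ""
    record = USERS[user]
    # Lab 8 fix: the password is never placed in the response, masked or not.
    body = {"username": user, "api_key": record["api_key"]}
    return 200, {}, body


def transcript(cookies, name):
    """Lab 9 fix: the file is resolved by name, then released only to the
    session that owns it, so 5.txt -> 1.txt returns 403 rather than the log."""
    user = _session_user(cookies)
    if user is None:
        return 302, {"Location": "/login"}, ""
    entry = TRANSCRIPTS.get(name)
    if entry is None:
        return 404, {}, ""
    owner, text = entry
    return (200, {}, text) if owner == user else (403, {}, "")
```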


LAB - 10

URL-based Access Control can be Circumvented

  • About

    • This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path.
    • However, the back-end application is built on a framework that supports the X-Original-URL header.
    • To solve the lab, access the admin panel and delete the user carlos

(a) Open the Lab Experiment

  • Page

image

  • Open Admin Panel

    • While Accessing /admin : Access Denied

image

  • Using Burp Suite

    • Send to Repeater

image

  • Change the URL in the request line to / and add the HTTP header X-Original-URL: /invalid

image

  • Response : NOT FOUND

image

  • Change the value of the X-Original-URL header to /admin

image

Can now Access the Admin Page

  • To delete carlos

    • add : ?username=carlos to the real query string
    • change the X-Original-URL path to /admin/delete

image

image

SOLVED


LAB - 11

Method-Based Access Control can be Circumvented

  • About

    • This lab implements access controls based partly on the HTTP method of requests.
    • You can familiarize yourself with the admin panel by logging in using the credentials administrator : admin.
    • To solve the lab, log in using the credentials wiener : peter and exploit the flawed access controls to promote yourself to become an administrator

(a) Open the Lab Experiment

  • Page

image

  • Log IN using Administrator Credentials

image

  • Go to Admin Panel

image

  • Promote carlos, and send the HTTP request to Burp Repeater.

image

  • Now, Open an INCOGNITO TAB and Log IN with Normal User Credential : wiener : peter

image

  • Burp Suite

    • Copy the Session Cookie

image

  • Replace the Administrator Session Cookie with the one copied from the Normal User

image

Unauthorized

  • Change the method from POST to POSTX and observe that the response changes to missing parameter

image

  • Convert the request to use the GET method by right-clicking and selecting Change request method

image

  • Change the username parameter to your username and resend the request

image

image

SOLVED


LAB - 12

Multi-Step Process with No Access Control on One Step

  • About

    • This lab has an admin panel with a flawed multi-step process for changing a user's role.
    • You can familiarize yourself with the admin panel by logging in using the credentials administrator : admin
    • To solve the lab, log in using the credentials wiener : peter and exploit the flawed access controls to promote yourself to become an administrator.

(a) Open the Lab Experiment

  • Page

image

  • Go to My Account

  • Log IN with Administrator Credentials

  • Go to Admin Panel

  • Upgrade Carlos and send the HTTP Request to Burp Repeater

image

  • Now Open Incognito Tab

  • Log IN with Normal User Credentials

  • Send the HTTP Request to Burp Repeater

  • Copy the Session Cookie

image

  • Copy the Session Cookie of the Normal User and paste it in the Admin User Session Cookie
  • Change the Name to WIENER

image

image

SOLVED


LAB - 13

Referer-Based Access Control

  • About

    • This lab controls access to certain admin functionality based on the Referer header.
    • You can familiarize yourself with the admin panel by logging in using the credentials administrator : admin.
    • To solve the lab, log in using the credentials wiener : peter and exploit the flawed access controls to promote yourself to become an administrator

(a) Open the Lab Experiment

  • Page

image

  • Go to My Account
  • Log IN with Administrator Credentials
  • Go to Admin Panel
  • Upgrade User Carlos and send the HTTP request to Burp Repeater

image

  • Open Incognito Tab and Log IN using Normal User Credentials
  • Send the HTTP Request to Burp Repeater

image

  • Browse : /admin-roles?username=carlos&action=upgrade
  • Observe that the request is treated as unauthorized due to the absent Referer header.

image

  • Copy the Normal User Session Cookie and use it in the Admin Session Cookie and change the name to wiener

image

image

SOLVED
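Labs 10 to 13 all fail because the access decision depends on request metadata the client controls: the request-line path instead of the path the framework will actually route (X-Original-URL), the HTTP method, which step of a multi-step flow was reached, or the Referer header. The dispatcher below is an added example, not code from the wiki or from PortSwigger: the guard runs on the effective path, before routing, for every method and every step, and never reads Referer; the session table, route table and the front-end header strip are constructed assumptions.

```python
# Added example (not from the wiki or PortSwigger): one fix for labs 10 to 13.
# The admin routes are guarded by a single check that runs on the effective
# path (so an X-Original-URL override cannot skip it), for every HTTP method
# (so POSTX or GET gets the same answer as POST), on every step of the role
# change, and without consulting the Referer header. Sessions and the route
# table are constructed samples.
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")
SESSIONS = {"sess-admin": ("administrator", 2), "sess-wiener": ("wiener", 1)}
ADMIN_ROLEID = 2
ADMIN_PREFIX = "/admin"
# Route table: the two-step role change (lab 12) lists both steps.
ALLOWED = {"/admin": {"GET"}, "/admin/delete": {"POST"},
           "/admin-roles": {"POST"}, "/admin-roles/confirm": {"POST"}}


def front_end(headers):
    """Lab 10 fix at the edge: drop path-override headers before forwarding."""
    return {k: v for k, v in headers.items() if k not in OVERRIDE_HEADERS}


def effective_path(path, headers):
    """Models a framework that honours X-Original-URL, so the back-end guard
    below runs on the path that will actually be routed, not the request line."""
    return headers.get("X-Original-URL", path)


def handle(method, path, headers, cookies, params):
    """Returns an HTTP status code. The authorization check runs before
    routing and before any method or parameter handling."""
    path = effective_path(path, headers)
    if path.startswith(ADMIN_PREFIX):
        # Labs 11-13: the decision uses only the session's stored role; the
        # method, the step reached and the Referer header play no part.
        _, roleid = SESSIONS.get(cookies.get("session"), (None, None))
        if roleid is None:
            return 401
        if roleid != ADMIN_ROLEID:
            return 403
    methods = ALLOWED.get(path)
    if methods is None:
        return 404
    if method not in methods:
        return 405  # POSTX or GET on a POST-only action: no fallback handling
    if path != "/admin" and "username" not in params:
        return 400  # "missing parameter" is reachable only by an authorized admin
    return 200
```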