This lab has a «Check stock» feature that parses XML input and returns any unexpected values in the response. The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive. To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access

This lab has a «Check stock» feature that parses XML input and returns any unexpected values in the response. To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file. Checking the request using Burp: Looking at the Port Swigger XML external entity (XXE) injection documentation we can learn a bit about this vulnerability. Send to Repeater and add the payload. The response will be:

This lab contains a SQL injection vulnerability in the login function.To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user. Click on «My account»: We can see that the request is sent by POST. The value we add to the username field will be included in the request.We’ll use this field directly in the browser to add the payload. We can try the

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following: SELECT * FROM products WHERE category = ‘Gifts’ AND released = 1 To solve the lab, perform a SQL injection attack that causes the application to display details of all products in any category, both released and unreleased. https://0aca0089049c37728097175e00b9006c.web-security-academy.net https://0aca0089049c37728097175e00b9006c.web-security-academy.net/filter?category=Accessories As the vulnerability is

This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element. To solve this lab, perform a cross-site scripting attack that breaks out of the select element and calls the alert function. Select any element: https://0a060014049d514780bc08700015003f.web-security-academy.net/product?productId=1 This script gets the param

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function. Access to the lab URL. According to the description, the vulnerability is located in the search functionality: Checking the inspector we can see that the URL running

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked. Access to the lab: According to the description, the vulnerability is in the comment functionality. Now we can our comment in the source: Intercepting the request: Checking Burp Suite XSS documentation and based on the source code obtained after adding a new comment,

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function. «><script>alert(document.domain)</script> Checking BurpSuite Academy for Cross-Site Scripting, we find that if angle brackets are blocked or encoded, the input you won’t be able to break out of the tag in which it appears, so we can try other

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property. To solve the lab, deliver an exploit to the victim that calls the print() function in their browser. The affected code is: Go to the exploit server: Add into the body the malicious iframe: <iframe src=»https://0a2e00cb036dbde4c0785e5d005a000a.web-security-academy.net/#» onload=»this.src+='<img src=1 onerror=print()>'»></iframe> Based on the documentation found in the

This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library’s $selector function to find an anchor element, and changes its href attribute using data from location.search. To solve this lab, make the «back» link alert document.cookie. This is the Submit feedback functionality: If we check the url, we can see a returnPath parameter: https://0a1a00e703f5826ec0b1405b007b002d.web-security-academy.net/feedback?returnPath=/ This parameter is used here: To modify the back link with the value of the