This lab has a «Check stock» feature that parses XML input and returns any unexpected values in the response. The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive. To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access
Burp Suite Academy: Exploiting XXE using external entities to retrieve files
This lab has a «Check stock» feature that parses XML input and returns any unexpected values in the response. To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file. Checking the request using Burp: Looking at the PortSwigger XML external entity (XXE) injection documentation, we can learn a bit about this vulnerability. Send the request to Repeater and add the payload. The response will be:
Burp Suite Academy: SQL injection vulnerability allowing login bypass
This lab contains a SQL injection vulnerability in the login function. To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user. Click on «My account»: We can see that the request is sent by POST. The value we add to the username field will be included in the request. We’ll use this field directly in the browser to add the payload. We can try the
Burp Suite Academy – SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following: SELECT * FROM products WHERE category = 'Gifts' AND released = 1 To solve the lab, perform a SQL injection attack that causes the application to display details of all products in any category, both released and unreleased. Lab URL: https://0aca0089049c37728097175e00b9006c.web-security-academy.net Category filter request: https://0aca0089049c37728097175e00b9006c.web-security-academy.net/filter?category=Accessories As the vulnerability is
Burp Suite Academy – DOM XSS in document.write sink using source location.search inside a select element
This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element. To solve this lab, perform a cross-site scripting attack that breaks out of the select element and calls the alert function. Select any element: https://0a060014049d514780bc08700015003f.web-security-academy.net/product?productId=1 This script gets the param
Burp Suite Lab Academy – Reflected XSS into a JavaScript string with angle brackets HTML encoded
This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function. Access the lab URL. According to the description, the vulnerability is located in the search functionality: Checking the inspector, we can see that the URL running
Burp Suite Lab Academy – Stored XSS into anchor `href` attribute with double quotes HTML-encoded
This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked. Access the lab: According to the description, the vulnerability is in the comment functionality. Now we can see our comment in the source: Intercepting the request: Checking the Burp Suite XSS documentation and based on the source code obtained after adding a new comment,
Burp Suite Academy Lab – Reflected XSS into attribute with angle brackets HTML-encoded
This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function. "><script>alert(document.domain)</script> Checking the Burp Suite Academy documentation on cross-site scripting, we find that if angle brackets are blocked or encoded, you won’t be able to break out of the tag in which the input appears, so we can try other
BurpSuite Lab – DOM XSS in jQuery selector sink using a hashchange event
This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property. To solve the lab, deliver an exploit to the victim that calls the print() function in their browser. The affected code is: Go to the exploit server: Add the malicious iframe into the body: <iframe src="https://0a2e00cb036dbde4c0785e5d005a000a.web-security-academy.net/#" onload="this.src+='<img src=1 onerror=print()>'"></iframe> Based on the documentation found in the
BurpSuite Lab – DOM XSS in jQuery anchor `href` attribute sink using `location.search` source
This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library’s $ selector function to find an anchor element, and changes its href attribute using data from location.search. To solve this lab, make the «back» link alert document.cookie. This is the Submit feedback functionality: If we check the URL, we can see a returnPath parameter: https://0a1a00e703f5826ec0b1405b007b002d.web-security-academy.net/feedback?returnPath=/ This parameter is used here: To modify the back link with the value of the