Writeup: Password reset poisoning via middleware

Lab link. The lab description says it is vulnerable to password reset poisoning. First, we reset the password of the wiener user to understand how the system works. Specifying a username in the POST /forgot-password request is enough to request a password reset; if we can manipulate this request with the X-Forwarded-Host header, the email for the username …

Writeup: Offline password cracking

Lab link. The lab description tells us that the site contains an XSS vulnerability. First, we look at the cookie value used by the system. We find a comment form on the blog page where we can stage our XSS attack. Here we first try a basic XSS payload to see whether the field is vulnerable to XSS: <script>alert(1);</script> We have found our XSS …

Writeup: Brute-forcing a stay-logged-in cookie

Lab link. Persistent cookies are used in features such as “Remember me”. Some websites store this cookie as a predictable value or in a simply hashed form. In this lab, operations are also done through cookies, so we examine the cookie first. We need a hash-type identifier to work out the structure of the cookie; you can use whichever tool you prefer. …

Writeup: 2FA bypass using a brute-force attack

Lab link. The system has a weakness in its 2FA authentication. To understand the structure of the vulnerability, we log in to the system with the credentials given to us. If the MFA code is submitted incorrectly twice, the system redirects us back to the login page, which makes a naive brute-force attack fail. For this …

Writeup: 2FA broken logic

Lab link. On the 2FA login page, we submit the MFA code, which is our last request. We leave only the verify parameter in the cookie value and change it from wiener to carlos. When we send the request, we get a response saying that the MFA code is incorrect, which indicates that the system is …

Writeup: Username enumeration via account lock

Lab link. The system can lock accounts it considers suspicious. In this lab, our goal is to find the username first and then the password. We do not get any time-based block after a few wrong attempts. We send our request to Intruder. To trigger an account lockout error, we need to …

Writeup: Broken brute-force protection, IP block

Lab link. We need to find the password for the user carlos. We know there is a logic flaw, so let’s make a few incorrect login attempts and try to understand the system. After 3 login attempts, the system displays the error “You have made too many incorrect login attempts. Please try again in 1 minute(s).” We …

Writeup: Username enumeration via response timing

Lab link. The lab description states: “This lab is vulnerable to username enumeration using its response times.” First, we log in on the login page with the wiener:peter credentials given to us. Having logged in successfully, we log out and try to log in again, but this time with …