# Web Labs Basic

## Cross Site Scripting

### XSS Lab 1

We end up here; our User-Agent header is reflected back to us:

![user agent](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-a0c5defecc4904e7df7679e2dbbd6f3ca60045d8%2F2023-04-30-14-13-51.png?alt=media)

We turn on intercept in Burp (we can also work in the Repeater tab).\
Let's first try `<script>alert(1)</script>`

![Burp](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-8dce382e24628c7f8a3d0e7a08aae1640befde14%2F2023-04-30-14-16-07.png?alt=media)

It works

![Burp request](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-c26f9e8ff2ea290de5f355a06ffa4e6e6fac4227%2F2023-04-30-14-22-33.png?alt=media)

![Pop up](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-79544b2d7bbfdecc809230c57219bdc84c16944a%2F2023-04-30-14-15-29.png?alt=media)

### XSS Lab 2

We end up here

![cookie lab](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-dba2863976584783c16dc1a1cc298a4215feb274%2F2023-04-30-14-17-40.png?alt=media)

This time our cookie is reflected back to us:

![Burp cookie reflected](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ce24eae50a4eeeb08ee408c81b84c39b54967635%2F2023-04-30-14-18-35.png?alt=media)

Let's try the same payload `<script>alert(1)</script>`

![Burp request](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-9471bb7da1ed0fc672ab12532d22a3ef3365dc49%2F2023-04-30-14-20-14.png?alt=media)

It works again

![Burp](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-e1fbd0ec78a311b1dcc459dcbf57a4df3e4f98c3%2F2023-04-30-14-21-31.png?alt=media)

![alert](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-7a32996350a750d429611206c3416a2cff77f02a%2F2023-04-30-14-21-00.png?alt=media)

### XSS Lab 3

We land here

![land page](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-1b29f21ba21ac1872a08d25dcb760c8b1e2cb7fc%2F2023-04-30-14-25-36.png?alt=media)

Here is what it looks like in Burp:

![Burp](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-a8ffe36f3d12ac69e3314cdf69ebc4246b35a616%2F2023-04-30-14-28-16.png?alt=media)

These two JS snippets are interesting:

```html
<!-- [STRIPPED] -->
<script>
if (localStorage.getItem("alert-labs") === null) {
    localStorage.setItem("alert-labs", "alert-labs");
}
</script>
<!-- [STRIPPED] -->
<script>
if (localStorage.getItem("alert-labs") !== null) {
    document.getElementById("content").innerHTML = "<span style=\"font-size:0.4em;\"> LocalStorage will help You: </span><br>" + localStorage.getItem("alert-labs") + "";
}
</script>
<!-- [STRIPPED] -->
```

The first snippet sets the `alert-labs` localStorage key to `alert-labs` if it is not set yet.\
The second one reads that key back and writes it into the page through `innerHTML`, so whatever is stored there is parsed as HTML.\
This time we need to modify the stored value in our browser.\
In Firefox we can edit the localStorage entry and enter `<img src=1 onerror="javascript:alert(1)"></img>`, like this:

![Firefox LocalStorage modification](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-8cdeef96600b6a8d83310eb57b556e625f597c5a%2F2023-04-30-15-27-18.png?alt=media)

Now, if we refresh the page, we get our alert:

![LocalStorage pop up](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-c2bd2c11cdb37de5f79774e6c13530e2d090bf78%2F2023-04-30-15-30-38.png?alt=media)

Note that in a real context this would require user interaction.
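The sink from the second snippet above next to a hardened version of it, as an added example that is not the lab's code. `makeStorage`, the `LABEL` constant and `containsPayloadTag` are stand-ins constructed so the two render paths run under Node without a browser.

```javascript
// Added example (not the lab's code). Tiny stand-ins for localStorage and a DOM
// node so the two render paths run under Node without a browser.
function makeStorage(initial = {}) {
  const store = { ...initial };
  return {
    getItem: (key) => (Object.prototype.hasOwnProperty.call(store, key) ? store[key] : null),
    setItem: (key, value) => { store[key] = String(value); },
  };
}

// The payload used in the write-up above, placed in storage as the tampered value.
const PAYLOAD = '<img src=1 onerror="javascript:alert(1)"></img>';
const LABEL = '<span style="font-size:0.4em;"> LocalStorage will help You: </span><br>';

// Mirrors the lab's second snippet: the stored value is concatenated straight
// into innerHTML, so any markup in it is parsed and executed by the browser.
function renderVulnerable(storage) {
  const el = { innerHTML: "" };
  const value = storage.getItem("alert-labs");
  if (value !== null) {
    el.innerHTML = LABEL + value;
  }
  return el.innerHTML;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: the page's own markup stays markup, the untrusted storage value
// is escaped before it reaches the sink (or use a text node / textContent for it).
function renderSafe(storage) {
  const el = { innerHTML: "" };
  const value = storage.getItem("alert-labs");
  if (value !== null) {
    el.innerHTML = LABEL + escapeHtml(value);
  }
  return el.innerHTML;
}

// True when the rendered HTML hands the payload to the parser as a real tag.
function containsPayloadTag(html) {
  return /<img\b/i.test(html);
}
```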

The following articles show how a vulnerability like this could be exploited in a real context:

* [DOM-based HTML5-storage manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation)
* [DOM-based vulnerabilities - Portswigger](https://portswigger.net/web-security/dom-based)
* [Wagtail XSS + LocalStorage = Account Hijack on TechAnarchy](https://www.techanarchy.net/wagtail-xss-localstorage-privesc/)
* [LocalStorage exploit via Cross Site Scripting on Appsec Ramblings](http://appsecramblings.blogspot.com/p/blog-page_8462.html)
* [XSS - The LocalStorage Robbery by Jerry Shah](https://shahjerry33.medium.com/xss-the-localstorage-robbery-d5fbf353c6b0)
* [This article](https://portswigger.net/research/web-storage-the-lesser-evil-for-session-tokens) by James Kettle is really interesting and worth reading for a better understanding of the security of Web Storage

## IDOR

We end up here, so let's try to create a PDF file.\
We get an id; let's take it and paste it to retrieve our generated PDF.

![PDF creation](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-d79afcde0fb6d0d4832c46ca8eff9b4adb699c09%2F2023-05-01-17-38-43.png?alt=media)

The request that fetches our PDF looks like this:

![Request](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-a2431880864141d42e442f8e867dc6c11a6d7f39%2F2023-05-01-17-40-37.png?alt=media)

Let's send this to Repeater and try other `pdf_id` values. It seems we can enumerate any PDF on the platform:

![PDF enum](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-da5e53ff1ffd8be1b6dca590cd43644da6e851c1%2F2023-05-01-17-43-38.png?alt=media)

Let's do this with Intruder to find the one containing our flag.

We mark the id as the payload position, like this:

![Variable](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-6a43d696e53f2d693cf66306feeed271723e7eb9%2F2023-05-01-17-47-02.png?alt=media)

Here is how to set the payload:

![Payloads](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-aa6d9cf35e378cac756fdcd5227322cc881765cc%2F2023-05-01-17-47-53.png?alt=media)

We can launch the attack. The response length tells us which file is the one we want: one response is considerably different from the others.

![Length](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-975f31caed9df94ad9e79b31fb08221f3e91518f%2F2023-05-01-17-49-39.png?alt=media)

Let's try it. If we render the response in the browser, we find the flag in the PDF!

![Flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-0ce1071cdc5e6cbace17097b5b7cc9527d65accc%2F2023-05-01-17-50-53.png?alt=media)
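From the defender's side, the Intruder run above leaves a very recognisable trace: one client fetching a run of consecutive `pdf_id` values in seconds. The detection below is an added example, not the lab's code; the access-log format, the `/pdf?pdf_id=` endpoint and the log lines themselves are constructed for it.

```javascript
// Added example (not the lab's code). Constructed access-log lines in the assumed
// format "<timestamp> <client> GET /pdf?pdf_id=<id> <status> <bytes>".
const LOG_LINES = [
  "2023-05-01T17:49:01Z 10.0.0.5 GET /pdf?pdf_id=1000 200 5120",
  "2023-05-01T17:49:01Z 10.0.0.5 GET /pdf?pdf_id=1001 200 5118",
  "2023-05-01T17:49:02Z 10.0.0.5 GET /pdf?pdf_id=1002 200 5120",
  "2023-05-01T17:49:02Z 10.0.0.5 GET /pdf?pdf_id=1003 200 9874",
  "2023-05-01T17:49:03Z 10.0.0.5 GET /pdf?pdf_id=1004 200 5119",
  "2023-05-01T17:49:03Z 10.0.0.5 GET /pdf?pdf_id=1005 200 5120",
  "2023-05-01T17:50:10Z 10.0.0.9 GET /pdf?pdf_id=1042 200 5121",
  "2023-05-01T17:55:42Z 10.0.0.9 GET /pdf?pdf_id=1042 200 5121",
];

const LINE_RE = /^(\S+) (\S+) GET \/pdf\?pdf_id=(\d+) (\d{3}) (\d+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], client: m[2], id: Number(m[3]), status: Number(m[4]), bytes: Number(m[5]) };
}

// Flags clients that requested at least `minIds` distinct pdf_ids where most
// consecutive requests differ by exactly 1: the "sequential numbers" pattern an
// Intruder run produces, which a user opening their own documents does not.
function detectEnumeration(lines, minIds = 5, minSequentialRatio = 0.8) {
  const byClient = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec === null) continue; // not a PDF fetch, ignore
    if (!byClient.has(rec.client)) byClient.set(rec.client, []);
    byClient.get(rec.client).push(rec.id);
  }
  const flagged = [];
  for (const [client, ids] of byClient) {
    const distinct = new Set(ids).size;
    if (distinct < minIds) continue;
    let sequential = 0;
    for (let i = 1; i < ids.length; i++) {
      if (Math.abs(ids[i] - ids[i - 1]) === 1) sequential++;
    }
    if (sequential / (ids.length - 1) >= minSequentialRatio) {
      flagged.push({ client, distinctIds: distinct });
    }
  }
  return flagged;
}
```

The real fix is a server-side ownership check on `pdf_id` (or non-sequential identifiers); the heuristic only tells you when someone is probing for its absence.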

## Local File Inclusion

We end up here:

![landing](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-75072079ec58acf90f322b9d87ef63c51587fb72%2F2023-05-03-15-52-51.png?alt=media)

Let's click on search:

![Search](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-8ddb99d41c949d4729d6d01c21ec6492c3d33020%2F2023-05-03-15-56-24.png?alt=media)

Here is what we see in Burp:

![Request](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-5bae8cd0c8a3160cacd10868444d434e201c38b0%2F2023-05-03-15-57-02.png?alt=media)

Let's send this to Repeater and try to read a file from the server.\
It works: we can read `/etc/passwd`

![LFI](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ea98940d9a9b3f8dac8ba3ea41e4f1e940717252%2F2023-05-03-15-58-16.png?alt=media)

Apparently we do not even need to traverse up through the directories: a request with just the absolute path `/etc/passwd` works as well.
