PortSwigger's Server-Side Vulnerabilities Path: What the Labs Don't Tell You (And Why Rana Khalil's Videos Fill the Gap)

 



To start learning BurpSuite I embarked on the PortSwigger Server-side vulnerabilities path (for Apprentice level). You would think this would be a course for absolute beginners. Yes and no. Let me break it down.

What you need to know:

First, it would be helpful if you took an Intro to Cybersecurity course so you understand the terminology they are talking about.

  • Path traversal
  • Access Control
  • Authentication
  • Server-side request forgery (SSRF)
  • File upload vulnerabilities
  • OS command injection
  • SQL injection

These are the areas covered in this path. They do give some information, but it’s more an overview of each topic than an in-depth explanation.

Second, watch a video of a brief overview of the BurpSuite UI. The lab jumps right into BurpSuite without discussing what each area is for. They just assume you know what a Repeater is and how to use it. There is a lot in the UI (user interface) as BurpSuite is a very versatile tool, so I will cover the key areas needed and used for these labs.

When they say this is an ‘apprentice path’, they are assuming you are familiar with the BurpSuite program, but are new to the methods hackers use.

Third, Rana Khalil’s video Directory Traversal | Complete Guide gives the detailed overview that BurpSuite does not. This was recommended to me by Claude AI. The video covers:

  • What is directory traversal?
  • How do you find it?
  • How do you exploit it?
  • How do you prevent it?

(And if you so decide to, you can also check out Broken Access Control | Complete Guide)


Everything above is in retrospect after I did the first two labs.

Now let’s get started.


Lab #1: File path traversal, simple case

Directory traversal, also known as file path traversal, is a vulnerability that allows an attacker to read files on the server that is running the application.

Rana Khalil’s video mentioned above also covers the impact of directory traversal vulnerabilities: unauthorized access to the application, which allows an attacker to

  • Read files on the system
  • Run commands and alter or delete files on the system


During my first lab, I managed to solve the lab in my own way, but I did not know how to see the result:


I clicked on 'View details' for the first image > right-clicked on the image > selected 'Open image in new tab'. 

In the URL, I set filename=../../../../etc/passwd and this helped me pass the lab, but I wouldn't say that I solved it as it didn't give me the desired result.

And in all honesty, BurpSuite’s ‘solution’ leaves a lot to be desired if you're a newbie.


Notice no mention of the BurpSuite UI and no step-by-step tutorial on what to do. Instead they have the cop out of having videos in ‘Community solutions’. 

I use AI as a sounding board and it also interjects with good advice, such as which videos are amazing at teaching not only about the lab, but information that is relevant and informative.

I watched Rana Khalil’s Directory Traversal – Lab #1 File path traversal, simple case and tried again.

(And I realized I forgot to set up screen capture to also capture my microphone, but you can see what I did here.)

My steps in BurpSuite:

1. At the top there are two navigation bars. Go to Proxy and then Intercept > click Open browser > enter the website the lab gives you.

I have Interceptor off because my BurpSuite keeps collecting info. 

2. Now in Proxy go to HTTP history > click filter > select Images > hit Apply & close.

3. While still in HTTP history > under URL select any image (.jpg) > right-click and select Send to Repeater



4. Top navigation > go to Repeater > in the Request section > in GET /image?filename=<image_name.jpg> substitute <image_name.jpg> with ../../../../../../../etc/passwd

5. In the Response section you will see the result.
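The ../../../../etc/passwd trick works because the server joins the filename parameter straight onto its images directory. As an added example (not the lab's code or anything from Rana Khalil's video), here is the vulnerable join beside a hardened version that canonicalises the path and refuses anything that escapes the base directory; the /var/www/images base directory is an assumption.

```python
from pathlib import Path

# Assumed base directory for the lab's /image?filename= endpoint (constructed).
IMAGE_DIR = Path("/var/www/images")


def naive_image_path(filename: str, base_dir: Path = IMAGE_DIR) -> Path:
    """The vulnerable pattern: user input is joined straight onto the base directory.

    "../../../../etc/passwd" walks up out of base_dir, and an absolute filename
    such as "/etc/passwd" replaces base_dir entirely (pathlib join semantics).
    """
    return base_dir / filename


def safe_image_path(filename: str, base_dir: Path = IMAGE_DIR) -> Path:
    """Return the file to serve, or raise ValueError if it lies outside base_dir.

    Both paths are canonicalised with resolve() (collapses "..", follows
    symlinks), then relative_to() proves containment. A plain string
    startswith() check would wrongly accept "/var/www/images_private/x".
    """
    base = base_dir.resolve()
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"rejected filename outside image directory: {filename!r}") from None
    return candidate


def is_traversal_attempt(filename: str, base_dir: Path = IMAGE_DIR) -> bool:
    """True when the request would be blocked; useful for logging and alerting."""
    try:
        safe_image_path(filename, base_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("3.jpg", "../../../../../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:40} blocked={is_traversal_attempt(name)}")
```

Logging every rejected filename gives a cheap detection signal, since legitimate image requests never contain ".." or a leading slash.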



Lab #2: Access control

I had watched Rana Khalil’s video Unprotected admin functionality and then tried to replicate it.

Then I realized I had forgotten that BurpSuite mentioned the robots.txt file, which would have gotten me the answer much quicker.


Follow step 1 in the lab above to open the BurpSuite browser and in the URL enter the website the lab gives you.

1. Add robots.txt to the end of the URL.

2. The resulting page shows the URL extension that will get you to the administrator panel (which is /administrator-panel). Add this to the end of the URL in place of robots.txt.

3. You will be brought to the administrator panel page where you will find carlos under users. Click Delete next to his name.

Lab #3: Unprotected admin functionality with unpredictable URL

Here's how I solved it:

I tried adding robots.txt to the end of the URL and that turned up nothing.

So then I right-clicked on the page, selected view page source, and performed a search for admin.

Under var isAdmin = false you'll find adminPanelTag.setAttribute, which contains the text /admin-5jkvsv; pop this onto the end of the URL and it leads you to the admin panel page.


Lab #4 shows more URL manipulation, this time to change a person’s access control.

I would say, follow Rana’s video (link is Lab #4's title above) because BurpSuite’s solution gave me so much trouble, mainly with turning the interceptor on and off. In the lab, I found that just leaving the interceptor off is fine. In addition, Rana’s video added an extra step in the browser which enabled me to access the admin panel.

1. At the end of the URL add admin and it will reveal that you do not have access to the admin interface.

2. Go to My account and log in with the credentials given by the lab: wiener : peter

3. In BurpSuite > go to Proxy (HTTP history) > select Method: GET URL: /my-account?id=wiener > right-click and select Send to Repeater.

4. Go to Repeater (in the top navigation) > in the Request section > change Cookie: Admin=false to Admin=true and click Send.

5. In the Response section > search for admin using the search bar at the bottom > it will show <a href="/admin"> Admin panel

6. However, this still won't get you into the admin panel in the browser. In the video you can see I refreshed the browser and I still could not access the admin panel.

7. In the browser > right-click the screen > click Inspect.

8. Top navigation > go to Application > left-hand navigation > under Cookies select the cookie.

9. In Name: Admin Value: false change the value to true.

10. Now when you refresh the page you will see you have access to the admin panel and you can delete carlos.

Lab #5: Broken Access Control User ID controlled by param with password disclosure


Basically changing GET /my-account?id= from 'wiener' to 'administrator' and sending the Request. Yup, that's it!

First steps are similar to the labs above until you get to Repeater.

In Response I searched for 'password' and looked for value='password value'/>

Lab #6: UID controlled by parameter, with unpredictable UIDs


Going through the blog entries I found one which 'carlos' wrote and clicked on his name. Using his account ID, I substituted wiener's account ID with carlos's account ID and his API key was revealed in the Response section. (Remember the first steps are similar to the previous labs until you get to Repeater.)

In summary, these labs were basically trying to get into an admin account (or another user's account).

To try to find the admin panel, try the following:
  • add robots.txt to the end of the URL; this plain text file on the website's server tells search engine crawlers which pages or files they can or cannot crawl and index, and the admin panel path may be revealed here
  • use ../../../../../../etc/passwd to get to the plain text file that stores user account information
  • view the page's source code to see if the JavaScript reveals the admin panel path (for example in adminPanelTag.setAttribute)

To exploit an access control vulnerability, for example to get into the administrator account:

  • change Cookie: Admin=false to true using BurpSuite and the browser's Inspect tool (FYI, the Inspect tool is very powerful and gives a lot of information!)
  • in BurpSuite's Repeater tab, in the Request section, change GET /my-account?id= to administrator and send.
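All three access control labs fail for the same reason: the server trusts something the client controls (an Admin cookie, an id parameter). As an added example, not PortSwigger's lab code, this is the server-side shape that closes those holes: identity and role come from a session store the client cannot edit, and /my-account only returns the record of the logged-in user. The session tokens, roles and API keys are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed server-side state (no real credentials). Identity and role are
# looked up from the session token; nothing else the client sends is trusted.
SESSIONS = {"tok-wiener": "wiener", "tok-admin": "administrator"}
ROLES = {"wiener": "user", "carlos": "user", "administrator": "admin"}
API_KEYS = {"wiener": "WIENER-KEY", "carlos": "CARLOS-KEY", "administrator": "ADMIN-KEY"}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def current_user(req: Request):
    """Resolve identity from the session cookie only; an Admin=true cookie is ignored."""
    return SESSIONS.get(req.cookies.get("session"))


def handle(req: Request) -> tuple:
    """Return (status, body) after enforcing role and object-level checks."""
    user = current_user(req)
    if user is None:
        return 401, "login required"
    if req.path == "/admin":
        # Role check decided by server-side ROLES, never by the request itself.
        if ROLES.get(user) != "admin":
            return 403, "admin interface only available to administrators"
        return 200, "admin panel"
    if req.path == "/my-account":
        # Object-level check: id may only name the caller (admins may view anyone).
        target = req.params.get("id", user)
        if target != user and ROLES.get(user) != "admin":
            return 403, "forbidden"
        if target not in API_KEYS:
            return 404, "no such user"
        return 200, f"api_key={API_KEYS[target]}"
    return 404, "not found"


if __name__ == "__main__":
    forged = Request("/admin", cookies={"session": "tok-wiener", "Admin": "true"})
    print(handle(forged))  # the forged Admin cookie changes nothing: (403, ...)
```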

Now that I’ve gotten through all the labs in ‘Path traversal’ and ‘Access control’, I understand the process more. I would say BurpSuite teaches the attacks in very manageable, bite-sized chunks.

Overall, there were a few hiccups in the beginning, but I learned a lot and I am more comfortable with BurpSuite and getting a taste of these different vulnerabilities was very beneficial.

I will be continuing through the rest of the path.

