8sjsptwz.ctfio.com
206.189.18.113  Public Scan

URL: http://8sjsptwz.ctfio.com/
Submission: On August 14 via manual — Scanned from GB

Form analysis 0 forms found in the DOM

Text Content

NAHAMSEC TRAINING

THESE LABS HAVE BEEN DEVELOPED BY ADAM LANGLEY FOR THE IN-PERSON AND UDEMY
COURSE ORGANIZED BY NAHAMSEC

Please download the lists.zip file for our word lists, and a link to a copy of
the slides.


CHALLENGES



XSS

Basic example of an XSS.


XSS2

XSS where you must escape from a text input box first.


XSS3

XSS where you must escape the title tag from the HTML head.


XSS4

XSS where you must escape from a JavaScript variable.


XSS5

URLs can contain JavaScript code, as can be seen in this iframe code.


XSS6

An example of where an XSS can be created from Markdown code.


OR1

Discover how open redirects can often be stored in parameters.


OR2

An example of broken logic in an open redirect where the URL must begin with
"http://www.google.com"; you can use the @ symbol and then another domain.


IDOR

This app contains an IDOR through an AJAX call to reveal other users' data.


LFI

Local files can be exposed through the way this app handles images.


LOGIC-FLAW

Try and purchase the gold tier for 0.01


LOGIC-FLAW2

Again try and purchase the gold tier for 0.01


LOGIC-FLAW3

Bypass this email check


LOGIC-FLAW4

The restrictions are better this time, but the process is still bad!


SQLI

An error-based SQL injection


SQLI2

A Boolean-based SQL injection


SSRF

This SSRF shows how you can also use file URLs when an app is expecting an HTTP
URL.


SSRF2

Like the above, but even when screenshots/images are being used you can still
get local files.


SSRF3

Delays in response can be used to port scan a local system, for example
http://127.0.0.1:10000


SSRF4

This example only allows HTTP requests to the 8sjsptwz.ctfio.com subdomain;
using the Open Redirect labs, you can redirect the request to any website you
wish.


SSRF5

This SSRF doesn't allow any request to the local system. This can be bypassed by
creating an A-type domain record and pointing it to 127.0.0.1; we can add port
numbers to scan the local network.


SSRF7

SSRFs exist in PDF creators: if you can control the URL they get their
information from, you can display it. Here you can pass in file:// to show local
files.


SSRF8

In this PDF creator you can pass in text, and you can also pass in your own
HTML; using JavaScript you can redirect to a local file.


SSRF9

The same situation, but the app is blocking the string file:. Because we can add
JavaScript, we can get round this by splitting and then concatenating the string
to redirect to a local file.


SSRF10

In this example most HTML tags are stripped out, but iframes are allowed, which
we can use to show the contents of a local file.


SSRF11

This time the SSRF is blind and you'll never see the results; you'll have to
extract the data to your own server.


SSTI

This app is vulnerable to SSTI using the ${} prefix, for example
${ system('cat /etc/passwd') }


XXE

This is vulnerable to XXE and can reflect local files in the output.


XXE2

This is a blind XXE where data needs to be exfiltrated via an HTTP request.


UPLOAD

This upload script only looks for the file extension in the string


UPLOAD2

This upload script requires you to bypass it using the content type


RCE

The stock check command uses curl to make the request!


RCE2

We can add extra commands to this ping request.


RCE3

This comment saves data in an executable manner


SUBENUM

Discover subdomains through automation and recon


BRUTE

Brute force with helpful errors


BRUTE2

Brute force with no helpful errors


BRUTE3

Brute force user HTTP status codes


CONTENT

Use different content discovery methods to find useful information.


HEADERS

Experiment with setting different HTTP headers


PROXY

Web requests can be passed on to other servers via a proxy; sometimes there are
ways to traverse to other areas.


BYPASS

How to navigate around 403 errors to gain access to forbidden directories.