# Write-up Practical Bug Bounty — TCM Academy ## 1. Authentication and Authourization | Criterion | Authentication | Authorization | | :--- | :---: | ---: | | Meaning | Verification of user identity. Answers the question: "Who are you?" | Control over authenticated user access rights. Answers the question: "What are you allowed to do?" | | Real-World Example | Logging in with a username and password| A user is allowed to view their own profile page, but denied access to the admin panel | | Related Flaws| Brute force, weak password, session fixation, and 2FA bypass| IDOR (Insecure Direct Object Reference), BOLA (Broken Object Level Authorization), Broken Access Control, and Privilege Escalation| ### Auth0x01  Sent request to intruder  Use this wordlists `/usr/share//seclists/Passwords/xato-net-10-million-usernames.txt`  Brute-force and filter this string `Your username or password was incorrect!`   Another way is to use ffuf:     Filter the results that return size 1814:  ### Auth0x02 This lab is two-factor authentication.       Intercept and change the username jessmy to jeremy    ### Auth0x03  ### Auth0x04 `Insecure Direct Object Reference (IDOR)` allows a user to access other accounts' details by simply modifying the direct object reference (the account ID) in the URL parameter `?account=`. The application fails to perform an authorization check to ensure the logged-in user owns the requested account ID.   ### Auth0x05 Introducing the API through [cat facts API](https://catfact.ninja/).    `curl -X PUT -H "Content-Type: application/json" -d '{"token": "<token_Jeremy>", "username": "Jeremy", "bio": "New bio information."}' http://localhost/labs/api/account.php` This endpoint, combined with a `weak JWT` or a lack of proper ID/token linking, is the attack vector used to demonstrate the `Broken Object Level Authorization (BOLA)` or `Insecure Direct Object Reference (IDOR)` on the `API`.   ### Auth0x06 This lab silimar Auth0x05 but use extension `Autorize` in BurpSuite.   `Autorize` automatically repeats every single request made by a `high-privileged user session` using the cookies of a `low-privileged user session`.   As shown in the tool's interface, the `PUT /labs/api/account.php` requests resulted in a `"Bypass..."` status in the `Autoriz is on` columns, confirming that the authorization checks could be easily bypassed.  ## 2. Injection ### File inclusion `Local File Inclusion (LFI)`: An attack where the attacker forces the web server to read a file that is located on the server itself. This vulnerability is typically caused by unvalidated input being passed to file-handling functions like `include()` or `require()`. `Remote File Inclusion (RFI)`: An attack where the attacker forces the server to download and execute a file hosted on the attacker's own machine, usually via a URL. ### File inclusion 0x01      ### File inclusion 0x02   Try to bypass filter.  Use this payload`..././..././..././` to bypass filter.    ### File inclusion 0x03      Quite a lot of payloads return `words 19, 20`; now we just need to filter them out.    ### SQL injection Some queries in MySQL:      ### SQL injection 0x01 Some basic sqli payload:         ### SQL injection 0x02   First, i'll test for SQL injection vulnerabilities by injecting payloads into the login form, where untrusted data is most likely to occur.      It seems SQLI isn't happening here. Try the payload in a different request that contains cookies.  I used blind sqli to test and found that this one was sqlied.   Test with sqlmap:       Use `substring` to test blind sqli to find database version.     ### SQL injection 0x03    This is `UNION-based SQLi`     ### SQL injection 0x04  Another very popular method is `SQLi Authentication Bypass`.    Signed up as `' or 1=1 --` and the database just gave me the keys to the db. Seeing my SQL payload being `welcome` on the dashboard. ### XSS  `Reflected`: The payload is bounced off the server and executed immediately in the response, usually via a malicious link.  `Stored`: The payload is saved permanently in the database and attacks anyone who views the infected page by far the most dangerous.  `DOM-based`: The vulnerability exists entirely in the client-side code. The payload is processed by the browser without ever touching the server. ### XSS 0x01    Using `textContent` safely converts dangerous characters like `< >` into plain text, preventing HTML execution and script injection. Even if a user enters `<script>alert(1)</script>`, it is rendered as harmless string and never runs. But then it immediately self-destructed: `newItem.innerHTML = newItem.textContent;` => This has rendered all security efforts of the previous line ineffective. When converted back to `innerHTML`, the browser will parse that text as HTML code.   ### XSS 0x02  ### XSS 0x03    ### Command injection   `eval()` is a high-risk function that executes strings as actual code. Using it with untrusted user input is a massive security hole, as it allows for immediate `Command Injection`. ### Command injection 0x01   `; (Semicolon)`: Executes the first command, then the second, regardless of whether the first one succeeded or failed.  `& (Background Operator)`: Runs the first command in the background and immediately starts the second one, often used to bypass certain execution flows.   `# (Hash/Comment)`: Used to comment out the rest of the original command string, effectively neutralizing any legitimate code that follows your payload.   Try reverse shell =)) ### Command injection 0x02   It still executes and returns `OK`, but the semicolon is changed to a space. Blind injection might need to be tried.    ### Command injection 0x03     ### SSTI SSTI (Server-Side Template Injection) is a vulnerability that occurs when user input is directly fed into the template engine on the server, allowing an attacker to execute code (RCE), read files, query the database, etc., depending on the capabilities of the template engine. ### SSTI 0x01  =))     ### SSTI 0x02         ### XXE `XXE` is a vulnerability where an application's `XML parser` is tricked into processing malicious external entities. This allows attackers to read local files on the server, perform internal port scanning, or even trigger `Remote Code Execution (RCE)`. ### XXE 0x01      ## 3. Other attack ### File upload Unrestricted File Upload occurs when a server allows users to upload malicious files (like `.php` or `.jsp`) without proper validation. This can lead to a complete system takeover via a `Web Shell` or `Remote Code Execution (RCE)`. If you encounter this bug, you can fix it as follows.   ### File upload 0x01      Change the `filename="..."` from `.png` to `.php` and remove the `magic bytes`.   ### File upload 0x02     ### File upload 0x03     Test some payload to bypass file upload filter.   ### CSRF `CSRF`: Tricking a `user` into performing unintended actions on a site where they're logged in. ### CSRF 0x01      ### CSRF 0x02     ### SSRF `SSRF`: Tricking a `server` into making requests to internal or unintended locations. ### SSRF 0x01      ### SSRF 0x02      ### Open redirect 0x01     ### Input Validation 0x01