# WEB REQUESTS MANIPULATIONS
## INTRODUCTION
Hey there fellow hackers, cyb4x here!
As I continue on my red teaming journey today, I wanted to share a cool challenge I tackled that involved hunting down hidden secrets on a website. It felt like a real-life digital escape room, and to crack it, we had to use some sneaky tricks! We're talking manipulating website requests to find hidden pathways and exploiting special cookies to unlock secret messages. Buckle up, because I'm about to break down exactly how we found all 10 hidden pages and snagged the ultimate prize – the flag!
## 1. THE CHALLENGE
### Challenge 1
My first step involved a classic hacker technique – viewing the website's source code. This might sound simple, but it's like peeking behind the website's curtain. Sometimes, developers leave comments or hidden messages within the code, and these can be treasure troves for hackers.
By scrolling through the source code, we were able to spot a hidden comment with a path that wasn't publicly listed – a secret doorway into the website's hidden depths! This is why viewing the source code is so important in web hacking; it can reveal hidden clues that lead you to secret content or vulnerabilities.
### Challenge 2
In the next challenge, I used a tool called Burp Suite (although a command called curl can also achieve this). These tools let us tinker with the messages sent between your browser and the website, kind of like intercepting a conversation. We focused on something called the "HTTP Request Header," which is like a note attached to the message telling the website what kind of information you're requesting.
In this case, we changed the header to a specific format – "wolvsec: rocks." This special message might have been a secret knock recognized by the website, granting us access to a hidden page.
### Challenge 3
We also needed to get creative with the website's language – imagine it like different ways to ask a question. Normally, clicking a link uses a method called "GET," which is like politely requesting a page.
But these hidden pages were playing coy! They wouldn't show up with the usual methods. So, I tried different options, which is basically asking the website, "Hey, what can I do here?" By using this less common method, OPTIONS worked and I successfully tricked the website into revealing a hidden page that wouldn't respond to a regular request.
### Challenge 4
This step involved a sneaky trick with website addresses. You see, website addresses can only understand certain characters. Special symbols like "&" or "+" have special meanings in website addresses, and using them normally can confuse the website.
In this challenge, we had to set a parameter called "wolvsec" with a value of "c#+l". The problem was, the "+" symbol might have been getting misinterpreted by the website because it's also used to separate things in addresses. To fix this, I used a technique called "**encoding**." Encoding is like disguising the "**+**" symbol into a special code (**%2B**) that the website understands. By encoding the value, I made sure the website saw "**c#+l**" exactly as we intended, granting me access to the another hidden page.
### Challenge 5
This challenge got tricky, we needed to send information to the website without a regular form. Imagine forms as those boxes you fill out on websites, but this time, there was none!
To overcome this hurdle, I used a tool called Burp Suite (remember, tools like curl can also achieve this). Burp Suite lets us tinker with the behind-the-scenes communication between your browser and the website.
I included a special label called "Content-Type: application/www-form-urlencoded." This label tells the website the information is formatted like a form, even though it wasn't submitted through a traditional form. By using Burp Suite and sending POST data as instructed, I could deliver the required information and finally unlocked the another hidden page.
### Challenge 6
This challenge presented a hidden path that was cleverly disguised within the existing webpage. It wasn't hiding in the source code we saw earlier, but somewhere deeper. Here's where things got interesting, the website used a technique called "**JavaScript Obfuscation**" to hide the path. Obfuscated JavaScript is like a secret code written in a confusing way.
At first, I decided to tackle this code head-on. I did reverse engineering to decipher the obfuscated JavaScript and understand what path it was revealing. This involved analyzing the code and translating it back into a more readable format. After some effort, I was able to extract the hidden path from the JavaScript and access the hidden page.
However, during the write-up process, I discovered a simpler solution! By using the browser's built-in "**inspect tool**" (also known as developer tools), I could directly examine the elements on the webpage. This tool often reveals hidden elements and data, and in this case, the hidden path was lurking within the inspected code!
### Challenge 7
Initially, I simply pasted the path into the address bar and hit refresh. But instead of landing on the hidden page, the website redirected me somewhere else.
Here's where Burp Suite came in handy once again. Remember, Burp Suite lets us intercept the communication between your browser and the website. I used Burp Suite to capture the request for the hidden page. Then, I sent this request to the Repeater tool within Burp Suite. This tool allows us to resend requests and manipulate them.
The key here was to bypass the redirection. Normally, when you follow a link, the website might send you to a different location. But by using the Repeater and specifically telling it **not to follow the redirection**, we essentially forced the website to show us the hidden page at the original path we discovered.
This technique of manipulating requests and bypassing redirects is a valuable skill for us, as it allows them to access hidden content or bypass security measures that rely on redirects.
### Challenge 8
This challenge threw a tedious curveball, I needed to visit the same page 500 times! Manually clicking through that many times would be a huge waste of time. As a resourceful hacker, I started thinking about automation. Scripts can be written to automate repetitive tasks, but that might require some coding knowledge.
Instead, I leveraged Burp Suite's power once again. After intercepting a request to the page, I took a closer look at the details, specifically the cookies. Cookies are like tiny pieces of information websites store on your browser. In this case, I noticed a cookie named "**cookie-counter**" that likely kept track of the number of times the page had been visited.
With a clever move, I edited the value of the "**cookie-counte**r" cookie directly in Burp Suite to **500**. This essentially tricked the website into thinking we had already visited the page 500 times! By resending the modified request with the inflated visit count, we bypassed the requirement and gained access to the hidden path.
### Challenge 9
This challenge required visiting a page 500 times. Using Burp Suite, I found a cookie tracking visits. By cleverly editing this cookie to 500 and resending the request, the website thought the requirement was met, revealing the hidden page.
Direct modification wouldn't work. The website's response, however, contained a hidden clue – a JWT secret key! Using an online tool and a secret key identified from the response, I modified the JWT to reflect 500 visits. Resending the request with this modified JWT tricked the website and granted access to the hidden page.
### Challenge 10
This time we were required to visit the page 1000 times also we were not able to edit the cookie because we were not given a secret key also it will not work by bruteforcing, the method was using the response cookie from the response to send another request using that response cookie. to make it easier i automated it using my script created together with one of my best friend **ChatGPT** and wait the magic. See my script below. After a certain time of waiting there we go i got the final hidden path.
```
#Author: cyb4x
#Date: 16 March 2024
#Description: This is a python script that sends requests to browser using different cookies extracted from the response headers.
import requests
url = "URL_HERE"
total_visits = 1000
current_visit = 1
cookies = {}
while current_visit <= total_visits:
response = requests.get(url, cookies=cookies)
request_number = current_visit
response_cookies = response.cookies.get_dict()
print(f"Request {request_number}: Cookie used - {response_cookies}")
cookies.update(response_cookies)
print("Response Content:", response.text)
current_visit += 1
```
Opening the final hidden path revealed the grand prize, the **flag**! This journey through website manipulation and JWT exploitation was a thrilling testament to the resourcefulness required in the world of web hacking.
# 2. LESSONS
### Importance of Viewing Page Source.
Inspecting the source code can reveal hidden comments, paths, or messages left by developers.
### Manipulating Request Headers and Methods.
Understanding HTTP requests allows you to send custom messages to the website, potentially unlocking hidden functionalities.
### HTTP Request Methods.
Knowing methods like "OPTIONS" can help uncover hidden functionalities that don't respond to standard methods like "GET".
### Encoding.
Encoding for Special Characters: Encoding ensures the website interprets special characters in URLs correctly, preventing confusion.
### Sending POST Data without Forms.
Techniques like sending POST data through Burp Suite allow interaction with the website even without traditional forms.
### Inspect Elements.
The browser's developer tools can sometimes reveal hidden elements and data, offering a simpler approach than reverse engineering complex code.
### Bypassing Redirects.
Bypassing redirects with tools like Burp Suite can help access hidden content the website might be trying to conceal.
### Manipulating Cookies for Bypassing Security.
Understanding cookies and their purpose allows hackers to potentially exploit them and bypass security measures.
### Identifying and Manipulating JWT.
JWTs are becoming a common security measure. Understanding how to identify and potentially manipulate them is crucial for modern web hacking.
### Exploiting Response Cookies.
Even seemingly harmless response cookies can hold clues that hackers can exploit to bypass security measures.
# CONCLUSION
Thanks for joining me on this web hacking adventure! This challenge pushed our boundaries and demonstrated the fascinating world of web manipulation and JWT exploitation. There's always more to learn in the world of cybersecurity, and I'm excited to share more explorations and discoveries in future articles. Remember, everyone starts somewhere, so don't hesitate to point out any mistakes or areas for improvement – your feedback helps me grow as a writer and a security enthusiast. Stay tuned for more exciting content to come!
Sign in with Wallet
Connect another wallet