The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.
Field Training
*1.Insecure Direct Object References
The first challenge is "Insecure Direct Object Reference". The key for this level is stored on the administrator's profile.
We press the "Refresh Your Profile" button and capture the request with Burp Proxy.
In the captured request we find the parameter "username=guest".
We change the username from "guest" to "admin" and forward the request to the server.
The server responds with the result key: it trusts the client-supplied username and never checks that the logged-in user is allowed to view that profile.
*2.Poor Data Validation
The second challenge is "Poor Data Validation". We get the result key by submitting a negative number.
We first check whether the form itself accepts a negative value; it rejects it with the error message "An error Occurred: Number Must be Greater than 0".
So we submit a positive value and change it in transit with the Burp Suite proxy.
We enter the positive value "35" and capture the request.
We change "userdata=35" to "userdata=-35" and forward the request to the server.
We get the result key: the greater-than-zero check only exists on the client side.
*3.Security Misconfiguration
The third challenge is simple: we log in with the default administrator credentials (username "admin", password "password").
We get the result key for challenge 3.
*4.Broken Session Management
In this challenge we have to make the server believe that we have already completed the lesson.
We press the "Complete this lesson" submit button and capture the request with Burp Suite.
We change the value of "lessonComplete" from "lessonNotComplete" to "lessonComplete" and forward the request.
The server believes we completed the challenge and responds with the result key: the completion state is carried in the client's request instead of being tracked in the server-side session.
*5.Failure to Restrict URL Access
In this challenge we have to reach a link that only the administrator is supposed to access.
Go through the page source with the browser's "Inspect Element" view or a tool like Firebug.
The administrator link is present in the page but hidden with CSS; deleting the "none" (the display: none rule) makes the administrator result page link visible.
Clicking the link gives us the result key for this challenge: hiding a link client-side does not restrict access to the URL behind it.
*6.Cross Site Scripting
This challenge is a simple cross-site scripting (XSS) test.
We enter a basic script tag that pops an alert(),
and we get the pop-up, so this page is vulnerable to XSS,
and we get the result key for this challenge.
*7.Cross Site Scripting 1
This challenge is another cross-site scripting (XSS) test.
Going through the source, we find that this page contains an iframe.
So we try the XSS by injecting the script into the iframe,
and we get the pop-up, so this page is vulnerable to XSS,
and we get the result key as well.
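As an added example (not code from Security Shepherd or from this write-up), the following Python shows why both XSS lessons work: the input is written back into the page without output encoding, once in element context and once inside an iframe attribute, beside the encoded versions. The HTMLParser-based counter is a small check that the injected script really becomes a tag, which is exactly when a browser would show the pop-up. The page layout, the iframe attribute and the payloads are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed payloads (assumptions; the write-up's own payloads are not reproduced here).
ELEMENT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(user_input: str) -> str:
    """Element context: input reflected straight into the page body."""
    return f"<p>Hello {user_input}</p>"


def render_safe(user_input: str) -> str:
    """Same page with HTML entity encoding: <, >, &, and quotes become entities."""
    return f"<p>Hello {html.escape(user_input, quote=True)}</p>"


def render_iframe_vulnerable(user_input: str) -> str:
    """Attribute context: input reflected into an iframe src attribute.
    A payload that starts with a quote closes the attribute and the tag."""
    return f'<iframe src="{user_input}"></iframe>'


def render_iframe_safe(user_input: str) -> str:
    """quote=True is what makes escape() safe inside a quoted attribute."""
    return f'<iframe src="{html.escape(user_input, quote=True)}"></iframe>'


class ScriptCounter(HTMLParser):
    """Counts real <script> start tags, as a browser's parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(markup: str) -> int:
    """Number of <script> elements the rendered page actually contains."""
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    for name, page in [
        ("element, unescaped", render_vulnerable(ELEMENT_PAYLOAD)),
        ("element, escaped", render_safe(ELEMENT_PAYLOAD)),
        ("iframe attribute, unescaped", render_iframe_vulnerable(ATTRIBUTE_PAYLOAD)),
        ("iframe attribute, escaped", render_iframe_safe(ATTRIBUTE_PAYLOAD)),
    ]:
        print(f"{name}: {count_script_tags(page)} script tag(s) -> {page}")
```

The counter stands in for the browser: a pop-up appears exactly when the count is non-zero, and the attribute case shows why escaping without quote=True would still leave the iframe page injectable.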
Private
*1.Insecure Data Storage
The first challenge in Private is an Android challenge: you have to read the application's database to get the user credentials; the admin password is the key.
All application data directories are available under /data/data.
The first challenge is Insecure Data Storage, so access the com.mobshep.insecuredata directory.
The passwords are stored under the "com.mobshep.insecuredata/databases" directory; the Members database can be read with the cat command (or opened with the sqlite3 client), and the admin password is Battery777.
*2.Insecure Cryptographic Storage
This challenge is labelled cryptographic, but the result key is only encoded with base64.
I decoded it with the Hackbar add-on.
*3.SQL Injection
This one is a SQL injection challenge.
It is a simple injection: the payload 'or'1'='1 beats it, and the result key comes back from the database.
*4.Insecure Cryptographic Storage Challenge1
Another cryptographic challenge; this time the result key is encrypted with a Caesar cipher (a simple Roman-era shift cipher).
I wrote a simple Python script to brute-force the shift.
The shift is 21, and decrypting with it gives the result key.
*5.Insecure Direct Object Reference Challenge 1
In this challenge you have to access a user who is not listed in the drop-down list.
By reading the source we can identify the IDs of the listed users (1, 3, 5, 7, 9).
So we select the last user and send the request through Burp Suite.
The user ID is 9.
We change the ID from 9 to 11 (the next number in the sequence; you can also brute-force the ID with Burp Intruder),
and the server responds with the result key.
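Both insecure direct object reference lessons (the username=guest to admin swap in Field Training and the userId 9 to 11 swap here) come down to the server looking the record up by a client-supplied identifier without checking who is asking. The following added Python example, not code from Security Shepherd, is a small WSGI profile endpoint with and without that ownership check, driven in-process by an enumeration loop that plays the part of Burp Intruder. The user table, session tokens, header name and parameter name are constructed assumptions.

```python
import json
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed user table (assumption): the UI's drop-down only lists the odd ids
# 1..9; id 11 is the unlisted user whose record holds the key.
USERS = {
    1: {"name": "alice", "secret": "key-for-alice"},
    3: {"name": "bob", "secret": "key-for-bob"},
    5: {"name": "carol", "secret": "key-for-carol"},
    7: {"name": "dave", "secret": "key-for-dave"},
    9: {"name": "erin", "secret": "key-for-erin"},
    11: {"name": "hidden", "secret": "RESULT-KEY"},
}
# Constructed session store (assumption): session token -> authenticated user id.
SESSIONS = {"tok-alice": 1}


def _respond(start_response, status: str, payload: dict):
    body = json.dumps(payload).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def make_app(check_ownership: bool):
    """WSGI endpoint: GET /profile?userId=N with header X-Session: <token>.
    check_ownership=False reproduces the lesson: any valid session can read any id.
    check_ownership=True is the fix: the id must belong to the session's user."""

    def app(environ, start_response):
        query = parse_qs(environ.get("QUERY_STRING", ""))
        token = environ.get("HTTP_X_SESSION", "")
        try:
            user_id = int(query.get("userId", [""])[0])
        except ValueError:
            return _respond(start_response, "400 Bad Request", {"error": "bad userId"})
        if token not in SESSIONS:
            return _respond(start_response, "401 Unauthorized", {"error": "no session"})
        # Authorisation before the existence lookup, so a 403 does not leak which ids exist.
        if check_ownership and SESSIONS[token] != user_id:
            return _respond(start_response, "403 Forbidden", {"error": "not your profile"})
        user = USERS.get(user_id)
        if user is None:
            return _respond(start_response, "404 Not Found", {"error": "no such user"})
        return _respond(start_response, "200 OK", user)

    return app


def call(app, path_and_query: str, token: str):
    """Drive the WSGI app in-process (no socket); returns (status code, JSON body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"], _, environ["QUERY_STRING"] = path_and_query.partition("?")
    environ["HTTP_X_SESSION"] = token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


def enumerate_ids(app, token: str, ids):
    """The Burp Intruder step: walk the id space with one valid session.
    Returns {id: record} for 200 responses and {id: status code} otherwise."""
    results = {}
    for user_id in ids:
        status, body = call(app, f"/profile?userId={user_id}", token)
        results[user_id] = body if status == 200 else status
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("ownership check:", mode,
              enumerate_ids(make_app(check_ownership=mode), "tok-alice", range(1, 13)))
```

With the check off, alice's session reads id 11 (and learns from the 404s which ids do not exist); with it on, every id but her own returns 403 before the lookup happens.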
*6.Poor Data Validation 1
This is a data validation challenge: you have to buy trolls for free.
Select 1 troll and a quantity of -100 for the meme, which costs $30; the negative line item cancels the order out to a total of $0 and you get the result key.
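Both Poor Data Validation lessons (the "userdata=-35" in Field Training and the -100 memes here) exploit the same thing: the client-side check is the only check. The following added Python example (not Security Shepherd's code) puts a checkout that trusts what the form posted beside one that re-validates every quantity on the server. The catalog and its prices are constructed assumptions chosen so that 1 troll plus -100 memes nets to zero as in the write-up.

```python
# Constructed catalog (assumption): server-side prices the checkout must use
# instead of anything the client posts.
CATALOG = {"troll": 3000, "meme": 30}


class InvalidOrder(ValueError):
    """Raised by the server-side checks when a posted order is not acceptable."""


def parse_positive_int(raw: str) -> int:
    """Server-side twin of the form's "must be greater than 0" check.
    Only ASCII digits are accepted, so "-35", "35.0" and "" are all rejected."""
    if not (raw.isascii() and raw.isdigit()):
        raise InvalidOrder(f"not a positive integer: {raw!r}")
    value = int(raw)
    if value < 1:
        raise InvalidOrder("number must be greater than 0")
    return value


def total_vulnerable(order):
    """The lesson's checkout: trusts the posted (item, quantity) pairs,
    negative quantities included, so one line can cancel out another."""
    return sum(CATALOG[item] * qty for item, qty in order)


def total_validated(order, max_qty: int = 100) -> int:
    """Re-checks every line on the server and recomputes from the catalog price."""
    total = 0
    for item, qty in order:
        if item not in CATALOG:
            raise InvalidOrder(f"unknown item {item!r}")
        if not isinstance(qty, int) or isinstance(qty, bool):
            raise InvalidOrder(f"quantity for {item!r} must be an integer")
        if not 1 <= qty <= max_qty:
            raise InvalidOrder(f"quantity for {item!r} out of range: {qty}")
        total += CATALOG[item] * qty
    return total


def is_rejected(func, *args) -> bool:
    """True if the server-side check raises InvalidOrder for these arguments."""
    try:
        func(*args)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    free_trolls = [("troll", 1), ("meme", -100)]
    print("vulnerable total:", total_vulnerable(free_trolls))
    print("validated rejects it:", is_rejected(total_validated, free_trolls))
    print("userdata=-35 rejected:", is_rejected(parse_positive_int, "-35"))
```

The upper bound on quantity is as much a part of validation as the lower one; without it a very large quantity is a different way to get an absurd total.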
*7.SQL Injection 1
Another SQL injection challenge.
First we test 'OR'1'='1, which does not work.
From the hint we find that the SQL query encloses the value in double quotes (").
So we try the injection with double quotes, "OR"1"="1, and get the key.
*8.Session Management Challenge 1
Another session management challenge: only the administrator has access to the application.
Press the administrator-only submit button and capture the request with Burp Suite; you will see a checksum value.
That checksum value is base64-encoded; once you decode it you can see the value "userRole=user".
Change "userRole=user" to "userRole=administrator".
Encode "userRole=administrator" with base64.
Replace the checksum value in Burp Suite with the newly encoded value and forward the request to the server.
The server will respond with the result key: base64 is an encoding, not a signature, so the "checksum" gives no integrity protection at all.
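As an added example (not Security Shepherd's code), here is the decode, edit, re-encode step of this lesson in Python, which is also all the Insecure Cryptographic Storage lesson needed, next to what a checksum has to look like to stop it: an HMAC over the role computed with a key only the server holds. The token layout, the separator and the server key are constructed assumptions.

```python
import base64
import hashlib
import hmac


def b64_decode_text(token: str) -> str:
    """What the Hackbar decode did: base64 token -> text."""
    return base64.b64decode(token).decode()


def b64_encode_text(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def parse_fields(text: str) -> dict:
    """'userRole=user&x=y' -> {'userRole': 'user', 'x': 'y'}"""
    return dict(pair.split("=", 1) for pair in text.split("&") if "=" in pair)


def join_fields(fields: dict) -> str:
    return "&".join(f"{k}={v}" for k, v in fields.items())


# --- the lesson's scheme: the "checksum" is just base64 of the role field ---

def role_from_checksum(checksum: str) -> str:
    """Server side of the lesson: trusts whatever role the token decodes to."""
    return parse_fields(b64_decode_text(checksum)).get("userRole", "")


def forge_checksum(checksum: str, new_role: str) -> str:
    """The Burp step: decode, rewrite userRole, re-encode."""
    fields = parse_fields(b64_decode_text(checksum))
    fields["userRole"] = new_role
    return b64_encode_text(join_fields(fields))


# --- hardened: the role is bound to an HMAC only the server can compute ---

# Assumption for the example; a real deployment uses a random key kept server-side.
SERVER_KEY = b"constructed-server-secret"


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_signed_token(role: str, key: bytes = SERVER_KEY) -> str:
    payload = join_fields({"userRole": role})
    return b64_encode_text(f"{payload}|{_mac(payload, key)}")


def role_from_signed_token(token: str, key: bytes = SERVER_KEY):
    """The role, or None if the token is malformed or its MAC does not verify."""
    try:
        payload, sep, mac = b64_decode_text(token).rpartition("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if not sep or not hmac.compare_digest(mac, _mac(payload, key)):
        return None
    return parse_fields(payload).get("userRole")


def forge_signed_token(token: str, new_role: str) -> str:
    """The lesson's trick replayed against the signed token: the old MAC no longer matches."""
    payload, _, mac = b64_decode_text(token).rpartition("|")
    fields = parse_fields(payload)
    fields["userRole"] = new_role
    return b64_encode_text(f"{join_fields(fields)}|{mac}")


if __name__ == "__main__":
    original = b64_encode_text("userRole=user")  # dXNlclJvbGU9dXNlcg==
    forged = forge_checksum(original, "administrator")
    print("lesson token:", original, "->", forged, "role:", role_from_checksum(forged))
    signed = issue_signed_token("user")
    print("forged signed token verifies as:",
          role_from_signed_token(forge_signed_token(signed, "administrator")))
```

hmac.compare_digest is used rather than == so that a forged MAC cannot be guessed byte by byte from response timing; the role itself still lives in the token, but it can no longer be changed without the server key.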
*9.Failure to Restrict URL Access
Failure to Restrict URL Access challenge.
Press the "Get Server Status" button and capture the request with Burp Suite.
If you go through the source, you will find JavaScript code with two form URLs, one for "leform" and another for "leadminform".
In the captured request you can see that the client submits to the normal "leform" URL.
Change that URL to the "leadminform" URL and forward the request to the server.
The server will respond with the key.
*10. Unintended Data Leakage
Another Android challenge; here you have to read the application's logs to find the result key.
If you cd to /data/data you can see the udataleakage directory.
Inside the directory are three entries; the log file is saved under the files folder, and once you cat it you can see the key.
*11.Cross Site Request Forgery
Cross-site request forgery challenge.
You have to send the administrator a URL carrying the temporary user ID.
Once it is visited, the server responds with the key.
*12.Content Provider Leakage
An Android challenge. Content providers are intended to be accessed by other applications, but through the Android Debug Bridge they can be queried by anyone with access to the device.
We used "adb shell content query --uri content://com.somewhere.hidden.SecretProvider/data" to get the result key.
Corporal
*1. Unvalidated Redirects and Forwards
This lesson is CSRF-based: to exploit it, embed your intended link, the one that marks this lesson as completed, inside the normal redirect link and send it.
The server will reply with the result key.
*2. Client Side Injection
In this challenge we have to exploit a SQL injection flaw in an Android app.
We entered Admin'OR'user='user to inject the query, and the server reported us as logged in.
That gave us the key for this challenge.
*3. SQL Injection 2
Another SQL injection challenge.
We inject 'or'1'!='shan@yahoo.com into the query, and the database gives us the key.
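The four SQL injection lessons so far (SQL Injection, SQL Injection 1, Client Side Injection and SQL Injection 2) all come down to quoting: 'or'1'='1 only works where the query wraps the value in single quotes, "OR"1"="1 where it uses double quotes, and any always-true comparison such as '1'!='shan@yahoo.com' does the same job as '1'='1'. The following added Python example (my own, not the project's code) builds both vulnerable query shapes against an in-memory SQLite table and the parameterised query that defeats both. The table and rows are constructed; SQLite only treats "..." as a string through its legacy fallback for unknown identifiers, whereas MySQL does so by default.

```python
import sqlite3

# Constructed table rows (assumption); Security Shepherd's real schema is not reproduced.
ROWS = [
    ("alice@example.com", "alice", "KEY-ALICE"),
    ("bob@example.com", "bob", "KEY-BOB"),
    ("carol@example.com", "carol", "KEY-CAROL"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, result_key TEXT)")
    conn.executemany("INSERT INTO users (email, name, result_key) VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_single_quoted(conn, email: str):
    """Vulnerable shape 1: the value is concatenated inside single quotes
    (SQL Injection, Client Side Injection, SQL Injection 2)."""
    sql = "SELECT name, result_key FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_double_quoted(conn, email: str):
    """Vulnerable shape 2: the value is concatenated inside double quotes (SQL Injection 1).
    A single-quote payload is just text here, which is why 'OR'1'='1 "did not work"."""
    sql = 'SELECT name, result_key FROM users WHERE email = "' + email + '"'
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email: str):
    """The fix: the value travels as a bound parameter and can never become SQL syntax."""
    return conn.execute("SELECT name, result_key FROM users WHERE email = ?", (email,)).fetchall()


# The write-up's payloads, one per quoting style.
PAYLOADS = {
    "single-quote tautology": "'or'1'='1",
    "single-quote inequality": "'or'1'!='shan@yahoo.com",
    "double-quote tautology": '"OR"1"="1',
}


if __name__ == "__main__":
    conn = make_db()
    for label, payload in PAYLOADS.items():
        print(f"{label}: {payload}")
        for fn in (lookup_single_quoted, lookup_double_quoted, lookup_parameterised):
            try:
                print(f"   {fn.__name__:22s} -> {len(fn(conn, payload))} row(s)")
            except sqlite3.Error as exc:
                print(f"   {fn.__name__:22s} -> error: {exc}")
```

Running it shows each payload dumping all three rows against the query shape it matches, nothing against the other shape, and nothing against the parameterised query; the hint in SQL Injection 1 is the only thing that told the author which shape was in use, which is exactly the information a closed query string should not need.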
*4. Poor Authentication
This is an authentication challenge on Android.
First you have to open the "Poor Authentication" app.
On the next screen you have to enter a username and password; since we do not know the password, we go for the reset function.
On the reset screen you have to enter the answers to some security questions.
Since we do not know the answers, we access the "com.mobshep.poorauthentication/files" directory, where log files are available (the app leaks logs of what the user typed during previous uses of the app; this information provides the data you need to reset the password and get the key).
From those logs you can get the answers to the security questions: "Favorite Food: Chicken" and "Mother's Maiden Name: Meade". Once you enter the correct answers, the system gives you a temporary password.
You can find the username in the log files and log in with the temporary password.
Then you get the result key.
*5. Broken Crypto
This is a crypto challenge on Android.
First you have to open the Broken Crypto app.
You will get some apparently encrypted text.
But the text is only hex-encoded, not encrypted; decoding the last string gives the key.
And that completes Broken Crypto.