Writeups of All Apprentice Labs in Portswigger — All Lab’s Solution| Karthikeyan Nagaraj

The Blog Contains a series of all writeups of Apprentice labs in Portswigger with an Explanation of Each Vulnerability. Labs are solved with and Without using Burpsuite | 2023

Karthikeyan Nagaraj
11 min readNov 20

--

Serer Side Topics

1. SQL Injection

Understanding of SQL Injection and Types of SQL Injection

Unveiling the Depths of SQL Injection Vulnerabilities | Karthikeyan Nagaraj

cyberw1ng.medium.com

1.1 Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data — 1 | 2023

To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products…

cyberw1ng.medium.com

1.2 Lab: SQL injection vulnerability allowing login bypass — 2 | 2023

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user |…

cyberw1ng.medium.com

2. Authentication

Understanding How to Find and Exploit Authentication Vulnerabilities in Web Applications | 2023

Unveiling the Secrets of Authentication Vulnerabilities in Web Applications | Karthikeyan Nagaraj

cyberw1ng.medium.com

2.1 Lab: Username enumeration via different responses — 3 | 2023

To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page |…

cyberw1ng.medium.com

2.2 Lab: 2FA simple bypass using Burpsuite— 2023

This lab’s two-factor authentication can be bypassed. To solve the lab, access Carlos’s account page | Karthikeyan…

cyberw1ng.medium.com

2.3 Lab: Password reset broken logic using Burpsuite | 2023

This lab’s password reset functionality is vulnerable. To solve the lab, reset Carlos’s password then log in and access…

cyberw1ng.medium.com

3. Path Traversal

Basic Understanding of Directory Traversal | 2023

Navigating the Depths of Directory Traversal Vulnerabilities | Karthikeyan Nagaraj

cyberw1ng.medium.com

Directory Traversal in Web App Penetration Testing | 2023

Unveiling Vulnerabilities and Ensuring Robust Security Measures | Karthikeyan Nagaraj

cyberw1ng.medium.com

3.1 Lab: File path traversal, simple case | 2023

To solve the lab, retrieve the contents of the /etc/passwd file | Karthikeyan Nagaraj

cyberw1ng.medium.com

4. Command Injection

Command Injection in Web App Penetration Testing: Exploring Vulnerabilities and Best Practices |…

Unveiling the Risks and Remedies of Command Injection Vulnerabilities | Karthikeyan Nagaraj

cyberw1ng.medium.com

OS Command Injection in Web App Penetration Testing | 2023

A Comprehensive Guide to Identifying and Mitigating This Critical Web Security Vulnerability | Karthikeyan Nagaraj

cyberw1ng.medium.com

4.1 Lab: OS command injection, simple case | 2023

To solve the lab, execute the whoami command to determine the name of the current user | Karthikeyan Nagaraj

cyberw1ng.medium.com

5. Business Logic Vulnerabilities

Business Logic Vulnerability in Web App Penetration Testing | 2023

Unveiling the Hidden Threats in Web App Security | Karthikeyan Nagaraj

cyberw1ng.medium.com

Understanding and Exploiting Business Logic Vulnerability in Web App Penetration Testing | 2023

Unveiling the Hidden Threats of Business logic Vulnerabilities in Web Application Security | Karthikeyan Nagaraj

cyberw1ng.medium.com

5.1 Lab: Excessive trust in client-side controls | 2023

To solve the lab, buy a “Lightweight l33t leather jacket”, You can log in to your own account using the following…

cyberw1ng.medium.com

5.2 Lab: High-level logic vulnerability | 2023

To solve the lab, buy a “Lightweight l33t leather jacket”. You can log in to your own account using the following…

cyberw1ng.medium.com

5.3 Lab: Inconsistent security controls | 2023

This lab’s flawed logic allows arbitrary users to access administrative functionality, To solve the lab, access the…

cyberw1ng.medium.com

5.4 Lab: Flawed enforcement of business rules | 2023

To solve the lab, exploit this flaw to buy a “Lightweight l33t leather jacket”, You can log in to your own account…

cyberw1ng.medium.com

6. Information Disclosure

Basics of Information Disclosure Vulnerability in Web App Penetration Testing | 2023

Unveiling the Secrets of Information Disclosure Vulnerabilities | Karthikeyan Nagaraj

cyberw1ng.medium.com

How to Find Information Disclosure Vulnerability in Web App Penetration Testing | 2023

Uncovering Hidden Weaknesses in Web Applications using Information Disclosure | Kart

cyberw1ng.medium.com

How to Find Information Disclosure Vulnerability in Web App Penetration Testing | 2023

Uncovering Hidden Weaknesses in Web Applications using Information Disclosure | Kart

cyberw1ng.medium.com

6.1 Lab: Information disclosure in error messages | 2023

This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the…

cyberw1ng.medium.com

6.2 Lab: Information disclosure on debug page | 2023

This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and…

cyberw1ng.medium.com

6.3 Lab: Source code disclosure via backup files | 2023

This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the…

cyberw1ng.medium.com

6.4 Lab: Authentication bypass via information disclosure | 2023

To solve the lab, obtain the header name then use it to access the admin interface and delete the user carlos |…

cyberw1ng.medium.com

7. Access Control

Understanding Access Control Vulnerability in Web App Penetration Testing | 2023

Navigating the Complex World of Access Control Vulnerabilities | Karthikeyan Nagaraj

cyberw1ng.medium.com

7.1 Lab: Unprotected admin functionality | 2023

This lab has an unprotected admin panel. Solve the lab by deleting the user carlos | Karthikeyan Na

cyberw1ng.medium.com

7.2 Lab: Unprotected admin functionality with unpredictable URL | 2023

This Lab has an unprotected admin panel. It’s located at an unpredictable location, Solve the lab by accessing the…

cyberw1ng.medium.com

7.3 Lab: User role controlled by request parameter | 2023

This Lab has an admin panel at /admin, which is using a forgeable cookie. Solve the lab by accessing the admin panel…

cyberw1ng.medium.com

7.4 Lab: User role can be modified in user profile | 2023

This Lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2, Solve the lab by…

cyberw1ng.medium.com

8. File Upload Vulnerabilities

Understanding File Upload Vulnerabilities in Web App Penetration Testing

Unraveling the Intricacies of File Upload Vulnerabilities | Karthikeyan Nagaraj

cyberw1ng.medium.com

8.1 Lab: Remote code execution via web shell upload | 2023

This Lab contains a vulnerable image upload function. It doesn’t perform any validation on the files upload before…

cyberw1ng.medium.com

8.2 Lab: Web shell upload via Content-Type restriction bypass | 2023

This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file…

cyberw1ng.medium.com

9. Race Conditions

Understanding Race Conditions Vulnerabilities in Web App Penetration Testing | 2023

Navigating the Complex World of Race Conditions | Karthikeyan Nagaraj

cyberw1ng.medium.com

Limit Overrun Race Conditions in Web App Penetration Testing | 2023

The most well-known type of race condition enables you to exceed some kind of limit imposed by the business logic of…

cyberw1ng.medium.com

9.1 Lab: Limit overrun Race conditions | 2023

This lab’s purchasing flow contains a race condition that enables you to purchase items for an unintended price. To…

cyberw1ng.medium.com

10. SSRF — Server-Side Request Forgery

Server-side request forgery (SSRF) in Web App Penetration Testing | 2023

Understanding the Concept of SSRF in Web Application Penetration Testing for Bug Bounty | Karthikeyan Nagaraj

cyberw1ng.medium.com

Understanding Server-side Request Forgery (SSRF) in Web App Penetration Testing — 2

Navigating the Intricacies of SSRF for Enhanced Web Security | Karthikeyan Nagaraj

cyberw1ng.medium.com

10.1 Lab: Basic SSRF against the local server | 2023

This lab has a stock check feature which fetches data from an internal system.To solve the lab, change the stock check…

cyberw1ng.medium.com

10.2 Lab: Basic SSRF against another back-end system | 2023

This lab has a stock check feature that fetches data from the internal system. Use the stock check functionality to…

cyberw1ng.medium.com

11. XXE Injection — XML External Entity Injection

XML External Entity (XXE) Injection in Web App Penetration Testing | 2023

In this section, we’ll explain what XML external entity injection is, describe some common examples, explain how to…

cyberw1ng.medium.com

11.1 Lab: Exploiting XXE using external entities to retrieve files | 2023

This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response. To solve…

cyberw1ng.medium.com

11.2 Lab: Exploiting XXE to perform SSRF attacks | 2023

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, http://169.254.169.254/. To solve the…

cyberw1ng.medium.com

12. NOSQL Injection

NoSQL in Web App Penetration Testing by Portswigger | 2023

In this section, we’ll explain what NoSQL is, describe some common examples, explain how to find and exploit various…

cyberw1ng.medium.com

12.1 Lab: Detecting NoSQL injection | 2023

The product category filter for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection…

cyberw1ng.medium.com

12.2 Lab: Exploiting NoSQL operator injection to bypass authentication | 2023

The login functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection using…

cyberw1ng.medium.com

Client-Side Topics

13. XSS — Cross Site Scripting

Cross-Site Scripting (XSS) in Web App Penetration Testing | 2023

In this section, we’ll explain what XSS is, describe some common examples, explain how to find and exploit various…

cyberw1ng.medium.com

XSS and its Types in Web App Penetration Testing | 2023

Uncovering Cross-Site Scripting Vulnerabilities

cyberw1ng.medium.com

13.1 Lab: Reflected XSS into HTML context with nothing encoded | 2023

This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab…

cyberw1ng.medium.com

13.2 Lab: Stored XSS into HTML context with nothing encoded | 2023

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a…

cyberw1ng.medium.com

13.3 Lab: DOM XSS in document.write sink using source location.search | 2023

This lab contains a DOM-based XSS in the search query. It uses document.write function to writes data out to the page…

cyberw1ng.medium.com

13.4 Lab: DOM XSS in innerHTML sink using source location.search | 2023

This lab contains a DOM-based XSS vulnerability in the search blog functionality. It uses an innerHTML assignment…

cyberw1ng.medium.com

13.5 Lab: DOM XSS in jQuery anchor href attribute sink using location.search source | 2023

This lab contains a DOM-based XSS vulnerability in the submit feedback page. It uses the jQuery library’s $ selector…

cyberw1ng.medium.com

13.6 Lab: DOM XSS in jQuery selector sink using a hashchange event | 2023

This lab contains a XSS vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a…

cyberw1ng.medium.com

13.7 Lab: Reflected XSS into attribute with angle brackets HTML-encoded | 2023

This lab contains a reflected XSS vulnerability in the search blog functionality where angle brackets are HTML-encoded…

cyberw1ng.medium.com

13.8 Lab: Stored XSS into anchor href attribute with double quotes HTML-encoded | 2023

This lab contains a stored XSS vulnerability in the comment functionality. To solve this lab, submit a comment that…

cyberw1ng.medium.com

13.9 Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded | 2023

This lab contains a reflected XSS vulnerability in the search query tracking functionality where angle brackets are…

cyberw1ng.medium.com

14. CSRF — Cross-Site Request Forgery

Cross-site request forgery (CSRF) in Web App Penetration Testing | 2023

In this section, we’ll explain what CSRF is, describe some types, explain how to find and exploit various kinds of CSRF…

cyberw1ng.medium.com

14.1 Lab: CSRF vulnerability with no defenses | 2023

This lab’s email change functionality is vulnerable to CSRF. To solve the lab, craft some HTML that uses a CSRF attack…

cyberw1ng.medium.com

15. CORS — Cross-Origin Resource Sharing

Cross-origin resource sharing (CORS) in Web App Penetration Testing | 2023

In this section, we’ll explain what CORS is, describe some types, explain how to find and exploit various kinds of…

cyberw1ng.medium.com

15.1 Lab: CORS vulnerability with basic origin reflection | 2023

This website has an insecure CORS configuration in that it trusts all origins. To solve the lab, craft some JavaScript…

cyberw1ng.medium.com

16. Clickjacking

Clickjacking in Web App Penetration Testing | 2023

In this section, we’ll explain what Clickjacking is, describe some types, explain how to find and exploit various kinds…

cyberw1ng.medium.com

What is Clickjacking and How to Find it in Web Application

Unmasking the Deceptive World of Clickjacking | Karthikeyan Nagaraj

cyberw1ng.medium.com

16.1 Lab: Basic clickjacking with CSRF token protection | 2023

This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click…

cyberw1ng.medium.com

16.2 Lab: Clickjacking with form input data prefilled from a URL parameter | 2023

The goal of the lab is to change the email address of the user by prepopulating a form using a URL parameter and…

cyberw1ng.medium.com

16.3 Lab: Clickjacking with a frame buster script | 2023

This lab is protected by a frame buster which prevents the website from being framed. Can you get around the frame…

cyberw1ng.medium.com

17. Websockets

Web Sockets in Web App Penetration Testing | 2023

In this section, we’ll explain what Web sockets is, describe some types, explain how to find and exploit various kinds…

cyberw1ng.medium.com

17.1 Lab: Manipulating WebSocket messages to exploit vulnerabilities 2023

This online shop has a live chat feature implemented using WebSockets. Chat messages that you submit are viewed by a…

cyberw1ng.medium.com

Advanced Topics

18. Insecure Deserialization

What is Insecure deserialization?

In this section, we’ll cover what insecure deserialization is and describe how it can potentially expose websites to…

cyberw1ng.medium.com

18.1 Lab: Modifying serialized objects | 2023

This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve…

cyberw1ng.medium.com

19. GrapQL Vulnerabilities

GraphQL API Vulnerabilities in Web App Penetration Testing | 2023

In this section, we’ll explain what GraphQL is, describe some types, explain how to find and exploit various kinds of…

cyberw1ng.medium.com

19.1 Lab: Accessing private GraphQL posts | 2023

The blog page for this lab contains a hidden blog post that has a secret password. Find the hidden blog post and enter…

cyberw1ng.medium.com

20. HTTP Host Header Attacks

HTTP Host Header Attacks in Web App Penetration Testing | 2023

In this section, we’ll explain what Host Header Attack is, describe some types, explain how to find and exploit Host…

cyberw1ng.medium.com

Host HTTP Header Attacks: Safeguarding Against Vulnerabilities | 2023

Unveiling and Defending Against Host HTTP Header Vulnerabilities | Karthikeyan Nagaraj

cyberw1ng.medium.com

20.1 Lab: Basic password reset poisoning | 2023

This lab is vulnerable to password reset poisoning. The user Carlos will carelessly click on any links in emails that…

cyberw1ng.medium.com

20.2 Lab: Host header authentication bypass | 2023

This lab makes an assumption about the privilege level of the user based on the HTTP Host header. To solve the lab…

cyberw1ng.medium.com

21. OAuth Vulnerabilities

OAuth 2.0 Authentication Vulnerabilities in Web App Penetration Testing | 2023

In this section, we’ll explain what an OAuth Attack is, describe some types, explain how to find and exploit OAuth, and…

cyberw1ng.medium.com

21.1 Lab: Authentication bypass via OAuth implicit flow | 2023

This lab uses an OAuth service to allow users to log in with their social media accounts. Flawed validation by the…

cyberw1ng.medium.com

22. JWT Attacks

JWT attack vulnerabilities in Web App Penetration Testing | 2023

In this section, we’ll explain what an JWT Attack is, describe some types, explain how to find and exploit JWT, and…

cyberw1ng.medium.com

22.1 Lab: JWT authentication bypass via unverified signature | 2023

This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn’t verify the…

cyberw1ng.medium.com

22.2 Lab: JWT authentication bypass via flawed signature verification | 2023

This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs…

cyberw1ng.medium.com

23.1 Lab: CORS vulnerability with trusted null origin | 2023

This website has an insecure CORS configuration in that it trusts the “null” origin.To solve the lab, craft some…

cyberw1ng.medium.com

23. CORS and Access Control

23.1 Lab: CORS vulnerability with trusted null origin | 2023

This website has an insecure CORS configuration in that it trusts the “null” origin.To solve the lab, craft some…

cyberw1ng.medium.com

23.2 Lab: User ID controlled by request parameter | 2023

This lab has a horizontal privilege escalation vulnerability on the user account page. To solve the lab, obtain the API…

cyberw1ng.medium.com

23.3 Lab: User ID controlled by request parameter, with unpredictable user IDs | 2023

This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs…

cyberw1ng.medium.com

If you would like to support me so that I can create more free content — https://www.buymeacoffee.com/cyberw1ng

Thank you for Reading!

Happy Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials

Cybersecurity
Careers
Bug Bounty
Penetration Testing
Hacking

--

--

Karthikeyan Nagaraj

Written by Karthikeyan Nagaraj

1.3K Followers

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams