Exam Ajay 201573004101


AJAY N

201573004101
Web Penetration Testing Internals
23-02-2022
Attacker IP: 192.168.200.8
Victim IP: 192.168.75.105

1. Purchase all four items for a price of zero by bypassing client-side
validation to get a 100% discount using the coupon code SILVER. Path: Webgoat
-> AJAX Security -> Insecure Client Storage

Log in to the victim IP address using the credentials webgoat / webgoat

Webgoat -> AJAX Security -> Insecure Client Storage


Let’s buy all the items given and enter the coupon code SILVER

Now let’s make the price 0 dollars. Click on the Purchase button and intercept
the request in Burp Suite
Send it to Repeater

But the request body is encoded. Let’s decode it using the Smart Decode option
in Decoder
Now change the grand total to zero in Repeater and send
See the response in the browser: we can buy for zero dollars.

2. Fetch the profile details of the Jerry Mouse user by logging in as the Curly
Stooge user, using Indirect Object Reference. Path: Webgoat -> Access Control
Flaws -> LAB: Role Based Access Control
Enter the path Webgoat -> Access Control Flaws -> LAB: Role Based Access
Control and log in as curly stooge

Click on View Profile and intercept the request in Burp Suite


Send it to Repeater
Change the employee id to 106, click Send and see the response in the browser

Thus we can see Jerry’s data even though it is not allowed.


3. Fetch the salary details of the user "Neville Bartholomew" by bypassing
client-side filtering. Path: Webgoat -> AJAX Security -> LAB: Client Side
Filtering

Go to the path Webgoat -> AJAX Security -> LAB: Client Side Filtering and
choose larry
Send the request to Repeater, change the user ID to * and send
We get Neville’s salary along with the other employees’ salaries

4. Fetch the /etc/passwd contents of the server using XML External Entities (XXE).
Path: Mutillidae -> Others -> XML External Entity Injection -> XML Validator

Exit WebGoat and go to the location Mutillidae -> Others -> XML External Entity
Injection -> XML Validator
Enter the XML code and click Validate XML

We obtain sensitive data (here the /etc/passwd file).


5. By logging in as the Tom Cat user, delete the profile of David Giambi using
vertical privilege escalation. Path: Webgoat -> Access Control Flaws -> LAB:
Role Based Access Control

Let’s go back to WebGoat at the path above

Log in as someone with permission to delete employees, an admin like john


Delete sean (109) and intercept the request

Send it to Repeater and copy the request body


Now log out and log in as tom (105)

Intercept the request for View Profile and send it to Repeater


Now clear the request body, insert the copied request body of john, and change
the employee id to 107 (david)
Log out and we see that david has been deleted.
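Exercises 2 and 5 both succeed because the server trusts the employee id in the request body instead of checking what the logged-in session user is allowed to do with that id. Below is an added example of the server-side check that closes both holes; it is not the lab's or WebGoat's own code, and the directory, roles and john's id (101) are constructed to mirror the ids in this write-up.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    id: int
    name: str
    role: str                        # "employee" or "admin" (constructed)
    manager_id: Optional[int] = None


# Constructed directory mirroring the ids used in the write-up; john's id
# and the manager links are assumptions, not WebGoat's real data.
DIRECTORY: Dict[int, Employee] = {
    101: Employee(101, "john", "admin"),
    102: Employee(102, "curly", "employee", manager_id=101),
    105: Employee(105, "tom", "employee", manager_id=101),
    106: Employee(106, "jerry", "employee", manager_id=101),
    107: Employee(107, "david", "employee", manager_id=101),
    109: Employee(109, "sean", "employee", manager_id=101),
}


def authorize(session_user_id: int, action: str, target_id: int) -> bool:
    """Decide from the server-side session user, never from request fields.
    view_profile: self, own manager or admin. delete_profile: admin only."""
    actor = DIRECTORY.get(session_user_id)
    target = DIRECTORY.get(target_id)
    if actor is None or target is None:
        return False
    if action == "view_profile":
        return (actor.id == target.id or actor.role == "admin"
                or target.manager_id == actor.id)
    if action == "delete_profile":
        return actor.role == "admin"
    return False                      # unknown actions are denied by default


def handle_request(session_user_id: int, form: Dict[str, str]) -> Tuple[int, str]:
    """Simulated servlet: `form` is the tamperable body, the session is trusted."""
    action = form.get("action", "")
    try:
        target_id = int(form.get("employee_id", ""))
    except ValueError:
        return 400, "bad employee_id"
    if not authorize(session_user_id, action, target_id):
        return 403, "forbidden"       # worth logging: replayed or tampered body
    name = DIRECTORY[target_id].name
    if action == "delete_profile":
        return 200, f"deleted {name}"  # the real handler would delete here
    return 200, f"profile of {name}"
```

With this check, tom (105) replaying john's delete body against 107 and curly (102) requesting 106 both get 403, while john (101) deleting 109 still succeeds.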

6. Log in with the credentials user:user and escalate the user's privileges to
admin using privilege escalation. Path: Mutillidae -> OWASP 2013 -> A1 Injection
-> SQLi Bypass Authentication -> Login

Go to the path and log in with the credentials user:user


Intercept the response in Burp Suite

Send it to Repeater and change the uid to 1


We get root access and are logged in as admin

7. Send 4000 from the user without his knowledge using a CSRF attack. Path:
Webgoat -> Cross-Site Scripting (XSS) -> LAB: Cross Site Scripting ->
Stage 1

Before going to the location, go to the XSS -> CSRF tab and copy the URL
192.168.75.105/WebGoat/attack?Screen=52&menu=900&transferFunds=4000

The above is the location to redirect to

Log in as larry and edit the profile; in the Street field enter the code:

<script>window.location="http://192.168.75.105/WebGoat/attack?Screen=52&menu=900&transferFunds=4000"</script>
4000 is transferred without the user’s knowledge.
