Labs

Web cache Poisoning Web cache poisoning is not web cache deception, is not response splitting or request smuggling web cache deception tricking caches into storing sensitive information so the attackers can access to it. web cache poisoning is serve payloads to users via cache responses Cache keys: The unique identifier that the server wont cache (refresh based on that: only host + path) “Everything that is not part of the cache key is part of the cache poisoning attack surface” ...

Cloudgoat RCE_WEB_APP Scenario Introduction CloudGoat is a training and learning platform developed by Rhino Security Labs to help individuals and organizations understand the risks and vulnerabilities associated with cloud-based applications. One of the scenarios available on CloudGoat is the RCE_web_app scenario, which allows users to practice exploiting remote code execution vulnerabilities in a web application running on the cloud. In this blog post, we will walk through the RCE_web_app scenario in CloudGoat and provide a step-by-step guide on how to exploit the vulnerability and gain access to the application’s backend. We will also discuss the significance of this vulnerability and how it can be prevented in real-world scenarios. By the end of this post, you should have a better understanding of the risks and challenges associated with web application security in the cloud and how to mitigate them. So, let’s get started! ...

Templated Dificulty: easy Description: Can you exploit this simple mistake? Solution First we visit the site and see that uses jinja2, this template is susceptible to SSTI attacks. We see that the directory searched is rendered in the page with 25, so its vulnerable to SSTI. We use the payload that will allow us to RCE on the server to read the file flag.txt, we extract it from PayloadsAllTheThings. ...

OS command injection allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. OS command injection, simple case This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response. ...

Also known as file path traversal allows to read arbitrary files on the servers. in some cases an attacker might be able to write arbitrary files on the server, allowing them to modify application data or behavior. Reading arbitrary files via directory traversal We can use the .. characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter. For example the url takes a filename parameter and returns the content of the file, the aplicaciones appends the requested filename to this base directort and uses an API to read the contents, so the application implements no defenses against directory traversal attacks,so an attacker can request the following URL to retrieve an arbitrary file from the server’s filesystem: ...