Hacker101 Course Assignments (Part 1)

0xff Introduction
The well-known foreign bug bounty platform HackerOne has just launched an online web security learning site, hacker101. The course is fairly basic, but the content is quite comprehensive. Of course, what interests me most are the 9 course assignments at the end 🙂

0x00 Level 0: Breakerbank
In this exercise, you’re presented with a bank account interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: A logic flaw in the application will give you a sample report for one of the bugs, giving you a nice template to work from.

Look at the page source first; it tells us there are 4 vulnerabilities in total
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Reflected XSS
Authorization Bypass/Direct Object Reference
Have fun!

  • CSRF
    The transfer is submitted by a plain POST form in the HTML, so the same request can be built locally:

    <!DOCTYPE html>
    <html>
    <body onload="csrf()">
    	<!-- Transfer form pre-filled with the values to submit; the fields are hidden so the page shows nothing -->
    	<form action="https://levels-a.hacker101.com/levels/0/" method="POST">
    		<input type="hidden" name="from" value="1">
    		<input type="hidden" name="to" value="588">
    		<input type="hidden" name="amount" value="1000000">
    		<input id="button" type="submit" value="Transfer">
    	</form>
    	<script type="text/javascript">
    		// Submit the form as soon as the page has loaded
    		function csrf() {
    			document.getElementById("button").click();
    		}
    	</script>
    </body>
    </html>
    
  • Authorization bypass
    Adding your own from field to the form lets you choose who the transfer is sent from.

    Combined with the CSRF, that is the full effect.

  • Reflected XSS

0x01 Level 1: Breakbook
In this exercise, you’re presented with a simple social network. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Pay attention to the first message posted.

Go and find the vulnerabilities in the social network.

Look at the source first again; again there are four vulnerabilities
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Stored XSS
Forced Browsing
Have fun!

  • Stored XSS
    At first glance it is obviously in the input box, although the note says HTML is not allowed but links are clickable.
    Crafting a URL automatically generates the corresponding

  • Enumeration
    The link to my own post is https://levels-a.hacker101.com/levels/1/post?id=247
    Changing the value of id lets you read other people's posts.

  • CSRF
    I felt there was a small problem with this one: the level has a CSRF token, so there should be no CSRF vulnerability, but the token-generation algorithm is too simple (MD5()), so a token can easily be constructed and CSRF is still present. However, no matter whose token I swapped in, any 32-character hash was shown as posted by me, while anything else gave "bad token" and could not be sent.

    I'm not sure about this; I don't know whether the level is broken or my reasoning is wrong.

0x02 Level 2: Breaker Profile

In this exercise, you’re presented with a profile management and viewing interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Think about what we learned about special handling with respect to XSS.

Profile management
A full seven vulnerabilities
In this level, there are 7 vulnerabilities, falling into the following classes:
Stored XSS
Reflected XSS
Unrelated Bonus
Have fun!

  • XSS-1
    In the avatar field, append a .jpg suffix to bypass the image check.

  • XSS-2
    The font colour field can be modified freely.

  • XSS-3 (reflected)
    I'm losing it… where are 7 vulnerabilities supposed to come from, and what on earth is that "Unrelated Bonus" supposed to mean??? 🙁
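The Level 1 stored XSS (links auto-generated from post text) and the two Level 2 injection points (the avatar URL, where a .jpg suffix satisfies the image check, and the free-form font colour) share one root cause: the value is filtered on the way in instead of being encoded and allow-listed for the context it lands in. The code below is an added example written for this write-up, not Hacker101's code; the function names and the default avatar path are constructed. It escapes text and attribute contexts, only turns absolute http(s) URLs into anchors or image sources regardless of their file extension, and accepts a colour only when it is a literal hex value.

```javascript
// Added example (not Hacker101's code): output encoding and allow-listing for the
// Breakbook post text, the Breaker Profile avatar URL and the font colour field.
// Function names and the default avatar path are constructed for this demo.

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Accept only absolute http(s) URLs; javascript:, data:, relative paths and junk -> null.
// The WHATWG URL parser also percent-encodes quotes and angle brackets in the path.
function safeHttpUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Breakbook post: plain text in which bare URLs become clickable links.
// Every token is escaped; only tokens that parse as http(s) URLs become anchors.
function renderPost(text) {
  return String(text).split(/(\s+)/).map(tok => {
    const url = /^https?:\/\//i.test(tok) ? safeHttpUrl(tok) : null;
    return url
      ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`
      : escapeHtml(tok);
  }).join('');
}

// Breaker Profile avatar: the value lands in src="", so it is allow-listed by scheme
// and escaped; whether it ends in ".jpg" plays no part in the decision.
function renderAvatar(raw) {
  const url = safeHttpUrl(raw);
  return url
    ? `<img src="${escapeHtml(url)}" alt="avatar">`
    : '<img src="/static/default.png" alt="avatar">'; // constructed fallback path
}

// Breaker Profile font colour: CSS context, so only a literal #rgb / #rrggbb passes;
// anything else (including attribute-breakout attempts) falls back to black.
function renderColorStyle(raw) {
  const s = String(raw);
  const color = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i.test(s) ? s : '#000000';
  return `style="color: ${color}"`;
}
```

The colour rule is deliberately stricter than what CSS allows (no named colours, no rgb()); in a profile field an allow-list that is too narrow costs a user a shade, while one that is too wide costs the site an injection point.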

    4 Comments

    1. Hi, could you tell me how the reflected XSS in level 0 is done? I tried injecting into the ?to= parameter but could not get it to work. Thanks.
