SQL Injection Vulnerabilities

Video Walkthrough :

Writeups :

Lab Name | Visit
SQL injection UNION attack, determining the number of columns returned by the query | View
SQL injection UNION attack, finding a column containing text | View
SQL injection attack, listing the database contents on Oracle | View
SQL injection attack, listing the database contents on non-Oracle databases | View
SQL injection attack, querying the database type and version on MySQL and Microsoft | View
SQL injection attack, querying the database type and version on Oracle | View
SQL injection vulnerability allowing login bypass | View
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data | View
Blind SQL injection with conditional errors | View
Blind SQL injection with conditional responses | View
Blind SQL injection with time delays | View
SQL injection UNION attack, retrieving multiple values in a single column | View
SQL injection with filter bypass via XML encoding | View
Visible error-based SQL injection | View

Authentication Vulnerabilities

Video Walkthrough :

Writeups :

Lab Name | Visit
2FA simple bypass | View
Password reset broken logic | View
Username enumeration via different responses | View
2FA broken logic | View
Brute-forcing a stay-logged-in cookie | View
Offline password cracking | View
Password brute-force via password change | View
Password reset poisoning via middleware | View
Username enumeration via account lock | View
Username enumeration via response timing | View
Username enumeration via subtly different responses | View
Broken brute-force protection, IP block | View
Broken brute-force protection, multiple credentials per request | View

Access Control Vulnerabilities

Video Walkthrough :

Writeups :

Lab Name | Visit
Insecure direct object references | View
Method-based access control can be circumvented | View
Multi-step process with no access control on one step | View
Referer-based access control | View
URL-based access control can be circumvented | View
Unprotected admin functionality with unpredictable URL | View
Unprotected admin functionality | View
User ID controlled by request parameter with data leakage in redirect | View
User ID controlled by request parameter with password disclosure | View
User ID controlled by request parameter | View
User role can be modified in user profile | View
User role controlled by request parameter | View
User ID controlled by request parameter, with unpredictable user IDs | View

Path Traversal

Video Walkthrough :

Writeups :

Lab Name | Visit
File path traversal, simple case | View
File path traversal, traversal sequences blocked with absolute path bypass | View
File path traversal, traversal sequences stripped non-recursively | View
File path traversal, traversal sequences stripped with superfluous URL-decode | View
File path traversal, validation of file extension with null byte bypass | View
File path traversal, validation of start of path | View

SSRF

Video Walkthrough :

Writeups :

Lab Name | Visit
Basic SSRF against another back-end system | View
Basic SSRF against the local server | View
Lab - SSRF with blacklist-based input filter | View
Lab - SSRF with whitelist-based input filter | View
Lab - SSRF with filter bypass via open redirection vulnerability | View
Lab - Blind SSRF with out-of-band detection | View

File Upload Vulnerabilities

Writeups :

Lab Name | Visit
Remote code execution via polyglot web shell upload | View
Remote code execution via web shell upload | View
Web shell upload via Content-Type restriction bypass | View
Web shell upload via extension blacklist bypass | View
Web shell upload via obfuscated file extension | View
Web shell upload via path traversal | View

CSRF

Writeups :

Category | Lab Name | Visit
CSRF | CSRF vulnerability with no defenses | View
CSRF | CSRF where token validation depends on request method | View

Command Injection

Writeups :

Category | Lab Name | Visit
Command Injection | OS command injection, simple case | View

Cross-Site Scripting (XSS)

Writeups :

Category | Lab Name | Visit
Cross Site Scripting (XSS) | (No labs listed yet)

Essential Skills

Writeups :

Category | Lab Name | Visit
Essential Skills | Discovering vulnerabilities quickly with targeted scanning | View

Host Header Attacks

Writeups :

Category | Lab Name | Visit
Host Header Attacks | Host header authentication bypass | View
Host Header Attacks | Web cache poisoning via ambiguous requests | View

JWT Vulnerabilities

Writeups :

Category | Lab Name | Visit
JWT Vulnerabilities | JWT authentication bypass via unverified signature | View

SSTI

Writeups :

Category | Lab Name | Visit
SSTI | Basic server-side template injection (code context) | View
SSTI | Basic server-side template injection | View
SSTI | Server-side template injection in an unknown language with a documented exploit | View
SSTI | Server-side template injection using documentation | View
SSTI | Server-side template injection with information disclosure via user-supplied objects | View

XXE

Writeups :

Category | Lab Name | Visit
XXE | Blind XXE with out-of-band interaction via XML parameter entities | View
XXE | Blind XXE with out-of-band interaction | View
XXE | Exploiting XXE to perform SSRF attacks | View
XXE | Exploiting XXE using external entities to retrieve files | View
XXE | Exploiting blind XXE to exfiltrate data using a malicious external DTD | View
