

Master Web Application Penetration Testing at a professional level and prepare for the Burp Suite Certified Practitioner (BSCP) certification

What you will learn

advanced web application vulnerabilities

get to a professional level in web application penetration testing

get to a professional level in web application bug bounty

get prepared for the Burp Suite Certified Practitioner (BSCP) certification

145+ ethical hacking & security videos

Burp practitioner labs solved and explained step by step

SQL injection

Cross-site scripting (XSS)

Cross-site request forgery (CSRF)

Clickjacking

DOM-based vulnerabilities

Cross-origin resource sharing (CORS)

XML external entity (XXE) injection

Server-side request forgery (SSRF)

HTTP request smuggling

OS command injection

Server-side template injection

Directory traversal

Access control vulnerabilities

Authentication

WebSockets

Web cache poisoning

Insecure deserialization

Information disclosure

Business logic vulnerabilities

HTTP Host header attacks

OAuth authentication

File upload vulnerabilities

JWT

Essential skills

Prototype pollution

Description

Burp Suite Professional Labs – Web Application Penetration Testing & Bug Bounty Hunting

Welcome to the Burp Suite Professional – Web Application Penetration Testing & Bug Bounty Hunting training course.

Your instructor is Martin Voelk. He is a Cyber Security veteran with 25 years of experience. Martin holds some of the highest certifications, including CISSP, OSCP, OSWP, PortSwigger BSCP, CCIE, PCI ISA and PCIP. He works as a consultant for a big tech company and engages in Bug Bounty programs, where he has found thousands of critical and high vulnerabilities.

This course features all current 145+ Practitioner labs. Martin solves them all and gives useful insight into how to find and exploit these vulnerabilities. He does not just insert the payload but explains each step of finding the vulnerability and why it can be exploited in a certain way. The videos are easy to follow along with and replicate. Martin also shares many tips and tricks for those who wish to obtain the Burp Suite Certified Practitioner (BSCP) certification. This training is highly recommended for anyone who wants to become a professional in Web Application Penetration Testing or Web Application Bug Bounty Hunting, or who wants to take the Burp Suite Certified Practitioner (BSCP) certification.

It will feature all apprentice labs in the following sections:

· SQL injection

· Cross-site scripting

· Cross-site request forgery (CSRF)

· Clickjacking

· DOM-based vulnerabilities

· Cross-origin resource sharing (CORS)

· XML external entity (XXE) injection

· Server-side request forgery (SSRF)

· HTTP request smuggling

· OS command injection

· Server-side template injection

· Directory traversal

· Access control vulnerabilities

· Authentication

· WebSockets

· Web cache poisoning

· Insecure deserialization

· Information disclosure

· Business logic vulnerabilities

· HTTP Host header attacks

· OAuth authentication

· File upload vulnerabilities

· JWT

· Essential skills

· Prototype pollution

Notes & Disclaimer

PortSwigger labs are a public and free service from PortSwigger for anyone to use to sharpen their skills. All you need is to sign up for a free account. I will update this course with new labs as they are published. I will respond to questions in a reasonable time frame. Learning Web Application Pen Testing / Bug Bounty Hunting is a lengthy process, so please don’t feel frustrated if you don’t find a bug right away. Try to use Google, read HackerOne reports and research each feature in-depth. This course is for educational purposes only. This information is not to be used for malicious exploitation and must only be used on targets you have permission to attack.

Language: English

Content

Introduction

Introduction

SQL injection

SQL injection UNION attack, determining the number of columns returned by the qu
SQL injection UNION attack, finding a column containing text
SQL injection UNION attack, retrieving data from other tables
SQL injection UNION attack, retrieving multiple values in a single column
SQL injection attack, querying the database type and version on Oracle
SQL injection attack, querying the database type and version on MySQL and MS
SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on Oracle
Blind SQL injection with conditional responses
Blind SQL injection with conditional errors
Blind SQL injection with time delays
Blind SQL injection with time delays and information retrieval
Blind SQL injection with out-of-band interaction
Blind SQL injection with out-of-band data exfiltration
SQL injection with filter bypass via XML encoding

Cross-site scripting (XSS)

DOM XSS in document.write sink using source location.search inside a select elem
DOM XSS in AngularJS expression with angle brackets and double quotes HTML-enc.
Reflected DOM XSS
Stored DOM XSS
Exploiting cross-site scripting to steal cookies
Exploiting cross-site scripting to capture passwords
Exploiting XSS to perform CSRF
Reflected XSS into HTML context with most tags and attributes blocked
Reflected XSS into HTML context with all tags blocked except custom ones
Reflected XSS with some SVG markup allowed
Reflected XSS in canonical link tag
Reflected XSS into a JavaScript string with single quote and backslash escaped
Reflected XSS into a JavaScript string with angle brackets and double quotes esc
Stored XSS into onclick event with angle brackets and double quotes HTML-encoded
Reflected XSS into a template literal with angle brackets, single, double quotes

Cross-site request forgery (CSRF)

CSRF where token validation depends on request method
CSRF where token validation depends on token being present
CSRF where token is not tied to user session
CSRF where token is tied to non-session cookie
CSRF where token is duplicated in cookie
SameSite Lax bypass via method override
SameSite Strict bypass via client-side redirect
SameSite Strict bypass via sibling domain
SameSite Lax bypass via cookie refresh
CSRF where Referer validation depends on header being present
CSRF with broken Referer validation

Clickjacking

Exploiting clickjacking vulnerability to trigger DOM-based XSS
Multistep clickjacking

DOM-based vulnerabilities

DOM XSS using web messages
DOM XSS using web messages and a JavaScript URL
DOM XSS using web messages and JSON.parse
DOM-based open redirection
DOM-based cookie manipulation

Cross-origin resource sharing (CORS)

CORS vulnerability with trusted insecure protocols

XML external entity (XXE) injection

Blind XXE with out-of-band interaction
Blind XXE with out-of-band interaction via XML parameter entities
Exploiting blind XXE to exfiltrate data using a malicious external DTD
Exploiting blind XXE to retrieve data via error messages
Exploiting XInclude to retrieve files
Exploiting XXE via image file upload

Server-side request forgery (SSRF)

SSRF with blacklist-based input filter
SSRF with filter bypass via open redirection vulnerability
Blind SSRF with out-of-band detection

HTTP request smuggling

HTTP request smuggling, basic CL.TE vulnerability
HTTP request smuggling, basic TE.CL vulnerability
HTTP request smuggling, obfuscating the TE header
HTTP request smuggling, confirming a CL.TE vulnerability via differential resp.
HTTP request smuggling, confirming a TE.CL vulnerability via differential respon
Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE
Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL
Exploiting HTTP request smuggling to reveal front-end request rewriting
Exploiting HTTP request smuggling to capture other users’ requests
Exploiting HTTP request smuggling to deliver reflected XSS
Response queue poisoning via H2.TE request smuggling

OS command injection

Blind OS command injection with time delays
Blind OS command injection with output redirection
Blind OS command injection with out-of-band interaction
Blind OS command injection with out-of-band data exfiltration

Server-side template injection

Basic server-side template injection
Basic server-side template injection (code context)
Server-side template injection using documentation
Server-side template injection in an unknown language with a documented exploit
Server-side template injection with information disclosure via user-supplied obj

Directory traversal

File path traversal, traversal sequences blocked with absolute path bypass
File path traversal, traversal sequences stripped non-recursively
File path traversal, traversal sequences stripped with superfluous URL-decode
File path traversal, validation of start of path
File path traversal, validation of file extension with null byte bypass

Access control vulnerabilities

URL-based access control can be circumvented
Method-based access control can be circumvented
Multi-step process with no access control on one step
Referer-based access control

Authentication

Username enumeration via subtly different responses
Username enumeration via response timing
Broken brute-force protection, IP block
Username enumeration via account lock
2FA broken logic
Brute-forcing a stay-logged-in cookie
Offline password cracking
Password reset poisoning via middleware
Password brute-force via password change

WebSockets

Manipulating the WebSocket handshake to exploit vulnerabilities
Cross-site WebSocket hijacking

Web cache poisoning

Web cache poisoning with an unkeyed header
Web cache poisoning with an unkeyed cookie
Web cache poisoning with multiple headers
Targeted web cache poisoning using an unknown header
Web cache poisoning via an unkeyed query string
Web cache poisoning via an unkeyed query parameter
Parameter cloaking
Web cache poisoning via a fat GET request
URL normalization

Insecure deserialization

Modifying serialized data types
Using application functionality to exploit insecure deserialization
Arbitrary object injection in PHP
Exploiting Java deserialization with Apache Commons
Exploiting PHP deserialization with a pre-built gadget chain
Exploiting Ruby deserialization using a documented gadget chain

Information disclosure

Information disclosure in version control history

Business logic vulnerabilities

Low-level logic flaw
Inconsistent handling of exceptional input
Weak isolation on dual-use endpoint
Insufficient workflow validation
Authentication bypass via flawed state machine
Infinite money logic flaw
Authentication bypass via encryption oracle

HTTP Host header attacks

Web cache poisoning via ambiguous requests
Routing-based SSRF
SSRF via flawed request parsing
Host validation bypass via connection state attack

OAuth authentication

Forced OAuth profile linking
OAuth account hijacking via redirect_uri
Stealing OAuth access tokens via an open redirect
SSRF via OpenID dynamic client registration

File upload vulnerabilities

Web shell upload via path traversal
Web shell upload via extension blacklist bypass
Web shell upload via obfuscated file extension
Remote code execution via polyglot web shell upload

JWT

JWT authentication bypass via weak signing key
JWT authentication bypass via jwk header injection
JWT authentication bypass via jku header injection
JWT authentication bypass via kid header path traversal

Essential skills

Discovering vulnerabilities quickly with targeted scanning

Prototype pollution

DOM XSS via client-side prototype pollution
DOM XSS via an alternative prototype pollution vector
Client-side prototype pollution via flawed sanitization
Client-side prototype pollution in third-party libraries
Client-side prototype pollution via browser APIs
Privilege escalation via server-side prototype pollution
Detecting server-side prototype pollution without polluted property reflection
Bypassing flawed input filters for server-side prototype pollution
Remote code execution via server-side prototype pollution