Portswigger - Access Control - Lab #10 URL based access control can be circumvented скачать в хорошем качестве
Portswigger - Access Control - Lab #10 URL based access control can be circumvented
1 год назад
Не удается загрузить Youtube-плеер. Проверьте блокировку Youtube в вашей сети.
Повторяем попытку...
Повторяем попытку...
Скачать видео с ютуб по ссылке или смотреть без блокировок на сайте: Portswigger - Access Control - Lab #10 URL based access control can be circumvented в качестве 4k
У нас вы можете посмотреть бесплатно Portswigger - Access Control - Lab #10 URL based access control can be circumvented или скачать в максимальном доступном качестве, видео которое было загружено на ютуб. Для загрузки выберите вариант из формы ниже:
-
Информация по загрузке:
Скачать mp3 с ютуба отдельным файлом. Бесплатный рингтон Portswigger - Access Control - Lab #10 URL based access control can be circumvented в формате MP3:
Если кнопки скачивания не
загрузились
НАЖМИТЕ ЗДЕСЬ или обновите страницу
Если возникают проблемы со скачиванием видео, пожалуйста напишите в поддержку по адресу внизу
страницы.
Спасибо за использование сервиса ClipSaver.ru
Portswigger - Access Control - Lab #10 URL based access control can be circumvented
Hello Hackers, in this video of URL based access control can be circumvented. You will see how to exploit, discover and find senstive information based on application logic flow to leak for potential attacks from Burp Suite in a lab from Web Security Academy powered by Portswigger ⚠️ Subscribe to my channel ➡️ @popo_hack ⚠️ 0:00 - About the Lab 0:50 - What's X-Original-URL header? 2:24 - Check admin panel endpoint 3:39 - Manipulate the header by using X-Original-URL 6:22 - Access to Admin panel 7:05 - Delete Carlos user 🔍 About the Lab Lab: URL-based access control can be circumvented Level: Practitioner This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header. To solve the lab, access the admin panel and delete the user carlos. 🔗 Resources Special HTTP Headers to Change Location: https://book.hacktricks.xyz/network-s... ✅ What to do ? 1. Try to load /admin and observe that you get blocked. Notice that the response is very plain, suggesting it may originate from a front-end system. 2. Send the request to Burp Repeater. Change the URL in the request line to / and add the HTTP header X-Original-URL: /invalid. Observe that the application returns a "not found" response. This indicates that the back-end system is processing the URL from the X-Original-URL header. 3. Change the value of the X-Original-URL header to /admin. Observe that you can now access the admin page. 4.To delete carlos, add ?username=carlos to the real query string, and change the X-Original-URL path to /admin/delete. Thank you for watching my video, if you have any questions or any topics recommendation feel free to write them on the comment below 🙋 #WebSecurityAcademy #portswigger #vulnerability
Comments
![[LIVE] Access Control Vulnerabilities - PortSwigger Labs](https://imager.clipsaver.ru/g-C9cNyFlTo/max.jpg)
