Solution to the problem of breakthrough in OWASP juice shop shooting range
2022-07-06 07:07:00 【smarthome_ man】
1、Find the hidden scoreboard
Opening /#/score-board jumps directly to the scoreboard.
2、Log in with the administrator account
Here you can try SQL injection to get into the administrator interface.
1. Without an account or a password:
' or 0=0 --
2. With an account but no password:
[email protected]'--
3、XSS attack
Enter <iframe src="javascript:alert(xss)"> in the search box.
4、Log in to the administrator interface without triggering an error
Enter administration in the URL.
5、Give the store a devastating zero-star feedback
Modify the page code and delete the disabled attribute.
6、Register as a user with the admin role
1. Use the Fiddler packet capture tool to capture the user registration request.
2. Capture the request submitted to /api/Users.
3. Add "role":"admin" to the request to obtain admin privileges.
7、Delete all 5-star customer feedback
Enter the hidden administrator interface at /administration.
Delete the five-star comments.
8、Place an order that makes you rich
Use Fiddler to capture the request that adds a product to the shopping basket, change the product quantity to a negative number, send the request, and then complete the checkout.
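As an added defensive illustration (not code from the original post or from Juice Shop itself), these are the two server-side checks whose absence lets challenges 6 and 8 work: an allow-listed registration handler that ignores a client-supplied role, and a basket line total that rejects non-positive quantities. The handler names and the constructed request bodies are hypothetical.

```javascript
// Hypothetical Express-style handlers working on plain objects (not Juice Shop code).
// Prices are in integer cents to avoid floating-point totals.

// Vulnerable pattern (challenge 6): every field of the request body is copied into
// the new record, so a client that adds "role":"admin" becomes an admin.
function registerVulnerable(body) {
  return { id: 1, ...body };
}

// Hardened pattern: only allow-listed fields are read from the body and the role is
// always assigned by the server. (Password hashing is omitted for brevity.)
function registerHardened(body) {
  if (typeof body.email !== 'string' || typeof body.password !== 'string') {
    throw new Error('email and password are required');
  }
  return { id: 1, email: body.email, password: body.password, role: 'customer' };
}

// Vulnerable pattern (challenge 8): the quantity is trusted as sent, so a negative
// value makes the line total negative and the order "pays" the customer.
function lineTotalVulnerable(priceCents, quantity) {
  return priceCents * quantity;
}

// Hardened pattern: the quantity must be a positive integer within a sane limit.
function lineTotalHardened(priceCents, quantity) {
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
    throw new RangeError('quantity must be an integer between 1 and 100');
  }
  return priceCents * quantity;
}

// Constructed sample requests mirroring the two tricks in the walkthrough.
const registerBody = { email: 'someone@example.invalid', password: 'pw', role: 'admin' };
const basketBody = { productId: 1, quantity: -100 };

console.log('vulnerable role:', registerVulnerable(registerBody).role);   // admin
console.log('hardened role:', registerHardened(registerBody).role);       // customer
console.log('vulnerable total:', lineTotalVulnerable(299, basketBody.quantity)); // -29900
```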
9、View another user's shopping basket
Use Fiddler to capture the basket request, change the basket id to another user's id, and send the request.
10、Find the cat picture and display it
11、Log in with the administrator's user credentials by brute-forcing them
12、Post some feedback under another user's name
Use Fiddler to capture the feedback request, modify the user id, and send it.
13、Post a product review as another user, or edit any user's existing review
Use Fiddler to capture the review request, modify the user name, and send it.
14、Send "Can I have a coupon code?" repeatedly to get a discount!
Brute force
15、Upload a file whose extension is not .pdf or .zip, such as xml
Find ... in the front-end code; it can be modified.
16、Upload a file larger than 100 kB, or of another type
17、NoSQL injection - update multiple product reviews at the same time
18、Change the bender user's password - without using injection
1. Log in as the bender user with the universal password.
2. Use the packet capture tool to capture the change-password request.
3. Delete the original password from the URL and send it.
19、Put another product into another user's shopping basket
20、Change the href of the link to the OWASP SSL Advanced Forensic Tool (O-Saft) to https://owasp.slack.com