Exploiting Server-side Parameter Pollution in a Query String
👩🎓👨🎓 Learn about API testing (and server-side parameter pollution)! To solve this lab, we'll need to log in as the administrator and delete the user carlos.
If you're struggling with the concepts covered in this lab, please review https://portswigger.net/web-security/api-testing 🧠
🔗 Portswigger challenge: https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-query-string
🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register
👾 Join our Discord - https://go.intigriti.com/discord
🎙️ This show is hosted by https://twitter.com/_CryptoCat ( @_CryptoCat ) & https://twitter.com/intigriti
👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com
Overview:
0:00 Intro
0:26 Server-side parameter pollution
1:21 Testing for server-side parameter pollution in the query string
1:57 Truncating query strings
3:03 Injecting invalid parameters
3:42 Injecting valid parameters
4:20 Overriding existing parameters
5:24 Lab: Exploiting server-side parameter pollution in a query string
5:37 Explore site functionality
6:18 Analyse javascript
7:03 Probe password reset for parameter pollution
9:19 Brute-force parameter with burp intruder
10:25 Reset administrator password with leaked token
10:53 Conclusion
Видео Exploiting Server-side Parameter Pollution in a Query String канала Intigriti
If you're struggling with the concepts covered in this lab, please review https://portswigger.net/web-security/api-testing 🧠
🔗 Portswigger challenge: https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-query-string
🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register
👾 Join our Discord - https://go.intigriti.com/discord
🎙️ This show is hosted by https://twitter.com/_CryptoCat ( @_CryptoCat ) & https://twitter.com/intigriti
👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com
Overview:
0:00 Intro
0:26 Server-side parameter pollution
1:21 Testing for server-side parameter pollution in the query string
1:57 Truncating query strings
3:03 Injecting invalid parameters
3:42 Injecting valid parameters
4:20 Overriding existing parameters
5:24 Lab: Exploiting server-side parameter pollution in a query string
5:37 Explore site functionality
6:18 Analyse javascript
7:03 Probe password reset for parameter pollution
9:19 Brute-force parameter with burp intruder
10:25 Reset administrator password with leaked token
10:53 Conclusion
Видео Exploiting Server-side Parameter Pollution in a Query String канала Intigriti
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
h4rmony - Hacker Interview
Multi-endpoint Race Conditions
Hacker Heroes #1 - @samengmg (Interview)
Hacker Tools - CyberChef
kuromatae - Hacker Interview
Why Every Company Should Run a Live Hacking Event (#1337up0622 Aftermovie)
Announcement: Intigriti secures more than €21M in Series B funding
Intigriti Customer Story: CM.com
JWT Authentication Bypass via jwk Header Injection
Bypassing Rate Limits via Race Conditions
XXE to SSH access?! - Mustacchio by @RealTryHackMe
Second order NoSQL injection? - Solution to January '23 Challenge
Can You Spot The Vulnerability?
FFUF by @joohoi (Behind The Tool #1)
Intigriti Customer Story: Brussels Airlines discovers critical vulnerability via ethical hackers
Ethernaut - 2 - Fallout
Meet Stijn Jans, Intigriti's Founder
Cheat Engine: Shared Code (tutorial 9, part 1) - Game Hacking Series
Single-endpoint Race Conditions
Can You Spot The Vulnerability?
Exploiting Server-side Parameter Pollution in a REST URL