BurpSuite
Found 3 related articles
Back to Tags- 2024-11-12
Broken Access Control (BAC) Analysis and Mitigation
Technical analysis of Access Control failures (A01:2021) leading to resource exposure or privilege escalation. Covers identification of IDOR, Horizontal, and Vertical BAC vulnerabilities, presenting a Proof of Concept (PoC) using Burp Suite, alongside key mitigation strategies like RBAC.
- 2024-11-06
Whiterose - IDOR, EJS SSTI (CVE-2022-29078), and Sudoedit Bypass (CVE-2023-22809)
Technical writeup detailing the compromise of the Whiterose machine. Initial access involves subdomain enumeration via wFuzz and exploiting an IDOR vulnerability to retrieve privileged user credentials. This leads to a Server-Side Template Injection (SSTI) RCE via CVE-2022-29078 (EJS Template Engine vulnerability). Privilege escalation is achieved by exploiting the Sudoedit vulnerability CVE-2023-22809 to gain root access via modifying the /etc/sudoers file.
- 2024-10-20
TwoMillion - API Enumeration, Information Disclosure, and Kernel Privilege Escalation (CVE-2023-0386)
Technical writeup detailing the compromise of the TwoMillion machine. Initial access involves decoding ROT13-encrypted data from JavaScript to find an API endpoint, followed by manipulating API parameters to gain administrator privileges via Insecure Direct Object Reference (IDOR), leading to a reverse shell injection. Local Privilege Escalation is achieved by disclosing plaintext credentials from a '.env' file for SSH access, and finally, exploiting the unpatched Linux Kernel vulnerability, CVE-2023-0386 (OverlayFS/FUSE), to gain root privileges.