Accidentally found mass assignment bugs
- Details
- Written by: Oki
- Hits: 395
Mass assignment bugs occur when developers allow parameters from HTTP requests to bind directly to objects without any validation. This potentially allows attackers to modify or add parameters that they should not have access to.
Renew Let's Encrypt Certificate – NodeJS Express and Nginx
- Details
- Written by: Oki
- Hits: 766
Goals:
- Renew Let's Encrypt Certificate for a NodeJS Express environment
- Renew Let's Encrypt Certificate for an Nginx environment
Lab Setup:
First, we need to ensure that both servers (NodeJS and Nginx) are reachable from the internet.
Solving Lab - Exploiting NoSQL operator injection to extract unknown fields
- Details
- Written by: Oki
- Hits: 1365

I have solved one of the NoSQL Injection labs from PortSwigger and it was fun! The title of the lab is Exploiting NoSQL operator injection to extract unknown fields. The lab description is a little misguided here: it said the user lookup function has a NoSQL Injection vulnerability, but after solving it, the vulnerable part resides in the login function, where we can inject the NoSQL operator-based payload inside the message body of the POST /login endpoint.
Python - SSH Reverse Tunnelling
- Details
- Written by: Oki
- Hits: 3091

Goal and Scenario:
- Access the web server from the Kali machine.
- The Kali machine has no direct access to the web server.
- Assume the Ubuntu machine is already compromised and running a Python script inside.