Disclaimer : This subject is made with root-me challenges but you still must enter the flag you found in the CTF platform of this pool with the format PoC{flag you found}.
Web server are a major component of web services. It is the part dealing with databases and user authentication. If a security issue is detected is a web server, it can lead to severe security problems : credentials stealing, code injection, modification of the user interface etc.
A useful tool to play with Web Server security is the Burp Community Suite which will allow you to see and edit your HTTP requests. Do not hesitate to ask a PoC helper for installation issues !
Take some paper and a pen (or go to paint online :p) and represent all the interactions between the frontend, the backend API and the database for a Login page.
You must represent your HTTP requests as clearly as possible (with at least the verb and the targeted url).
Show it to a helper once you're proud of your scheme !
In this first part, we are going to learn to detect and exploit basic server misconfigurations which can lead to severe security issues.
Start with these challenges :
Some token and cookies system were invented in order to be able to recognize a user when he is logged in. These tokens must be really secured in their implementation, otherwise you can make some serious damages... This challenge will make you exploit a vulnerable configuration of a JSON Web Token.
PHP has known a lot of severe security vulnerabilities which make it a meme in the security community. Let's start our PHP joke discovery with Type Juggling !
File Inclusions are misconfigurations that lead to the execution / exploitation of files that are not supposed to be treated by the web server application...