Introduction Hello everyone, in this post I am going to share the writeup of PortSwigger Lab( Web shell upload via Content-Type restriction bypass) . After signing in wiener account we will see a avatar upload function which is not allowing application/x-php file. After changing the content type, we can upload our…

Introduction Hello everyone, in this post I am going to share the writeup of all the PortSwigger Information disclosure Labs. Sensitive Information Disclosure (also known as Sensitive Data Exposure) happens when an application does not adequately protect sensitive information that may wind up being disclosed to parties that are not supposed…

Introduction Hello everyone in this post I am going to share the writeup of PortSwigger Lab( Exploiting XXE via image file upload) . The comment section is using upload avatar function which is using a older version of Apache Batik library that is vulnerable to XXE injection. …

Introduction Today in this post I am going to share my Walkthrough for PortSwigger Lab(Modifying serialized data types). The cookie used for creating session is php serialized . To become admin we are going to change the data type of access_token . PHP will effectively convert the entire string to an…

Introduction Today in this post I am going to share my Walkthrough for PortSwigger Lab (Modifying serialized objects) . In this lab after login we will find out our cookie which is php serialized then we will modify the cookie in such a way that we become admin . …

Introduction Hello everyone , in this post I will be showing the writeup of BurpSuite Lab (Web shell upload via path traversal) . After signin in we can see a avatar upload function , here we are going to upload a php webshell . The default folder where avatars are being…

Introduction Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur…

Introduction XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. …

Introduction Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only…