Capture the flag: vulnerabilities list

Lesson #11 of 12 in project Theory

🦆 1. XSS Deep Dive (Stored / Reflected / DOM)

🎯 Mission: Become the XSS Whisperer

🔍 Explore:

  • Product reviews

  • Profile bio

  • Search field

  • Contact forms

  • Any place that reflects your input back

🧪 Experiments:

  • Try breaking attributes:

    "><img src=x onerror=alert(1)>

  • Inject into JSON fields

  • Try SVG-based payloads

  • Test if HTML is sanitized but JS is not

🧠 Advanced angle:

  • Does the app use dangerouslySetInnerHTML?

  • Is there DOM manipulation with innerHTML?

  • Can you turn reflected → stored via admin panel?
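The defensive side of the experiments above, as an added example that is not part of the lesson: the lesson's attribute-breaking payload is run through a string-concatenating renderer (the same thing innerHTML and dangerouslySetInnerHTML do) and through a renderer that encodes on output. The function names and the review object are hypothetical; it runs under plain Node with no framework.

```javascript
// Added example: context-aware output encoding versus raw concatenation.
// Function names (renderReviewUnsafe, renderReviewSafe, containsInjectedTag)
// are hypothetical; the payload is the one from the lesson.

// Constructed sample input: the lesson's attribute-breaking payload.
const PAYLOAD = '"><img src=x onerror=alert(1)>';

// Encode the five characters that matter in HTML text and in double-quoted
// attribute values. Encoding the quote is what stops the "> breakout.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: user input concatenated straight into markup.
function renderReviewUnsafe(review) {
  return `<div class="review" data-author="${review.author}">${review.text}</div>`;
}

// Hardened pattern: encode on output, in both the attribute and the text context.
function renderReviewSafe(review) {
  return `<div class="review" data-author="${escapeHtml(review.author)}">` +
    `${escapeHtml(review.text)}</div>`;
}

// "HTML sanitised but JS not": an <img onerror> carries JavaScript with no
// <script> tag at all. This check lists every tag in a rendered fragment and
// reports any that the template did not put there; it is the kind of
// assertion a CI test for a template should make.
function containsInjectedTag(html, allowedTags = ['div']) {
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

const review = { author: PAYLOAD, text: PAYLOAD };
console.log(renderReviewUnsafe(review)); // an <img ...> element the template never wrote
console.log(renderReviewSafe(review));   // the payload shown as literal text
```

The same encoder does not help inside a `<script>` block or a URL attribute; each context needs its own encoding, which is why the lesson's "inject into JSON fields" experiment is worth running separately.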


🔐 2. Authentication & Authorization Attacks

🎯 Mission: Become the Fake Admin

🔍 Explore:

  • JWT tokens (decode them)

  • Cookie flags (HttpOnly, Secure)

  • Account credit field (you already spotted that 👀)

  • ID-based URLs (/user/2, /order/5)

🧪 Experiments:

  • Change JWT alg to none

  • Modify account_credit

  • Try accessing other users’ orders

  • Change user ID in API calls

🧠 Advanced angle:

  • Horizontal privilege escalation?

  • Vertical privilege escalation?

  • Is the backend validating the role, or only the frontend?


💰 3. Business Logic Attacks

🎯 Mission: Break the Store Without Hacking It

These are the fun ones.

🔍 Explore:

  • Add negative quantity to cart

  • Apply discount twice

  • Change price in request

  • Modify order total before checkout

🧪 Experiments:

  • Race condition: send 2 checkout requests fast

  • Apply promo code after payment step

  • Cancel order but still get item

🧠 Real-world thinking:

Most real breaches aren’t XSS. They’re logic flaws.
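A checkout that survives the experiments in this section, as an added example that is not part of the lesson: quantities are validated, prices and totals are recomputed from a server-owned catalog (the client's price and total fields are ignored), a promo code is applied at most once, and checkout is idempotent so two racing requests produce one order. The catalog, promo table and function names are constructed for this example.

```javascript
// Added example: server-side pricing and idempotent checkout.
// CATALOG, PROMOS and the function names are hypothetical.

const CATALOG = { apple_juice: 299, banana_juice: 199 };  // server-owned prices, in cents
const PROMOS = { SAVE10: 0.10 };
const MAX_QTY = 100;

// Own-property lookup: a sku of "constructor" or "__proto__" must not hit Object.prototype.
const own = (obj, key) => typeof key === 'string' && Object.prototype.hasOwnProperty.call(obj, key);

// In production this map is a unique index on the idempotency key in the database.
const orders = new Map();   // idempotencyKey -> finalised order
let nextOrderId = 1;

function priceCart(items, promoCode) {
  if (!Array.isArray(items) || items.length === 0) throw new Error('empty cart');
  let subtotal = 0;
  for (const item of items) {
    // Positive integer only: -1, 0, 1.5 and "2" are all rejected.
    if (!Number.isInteger(item.qty) || item.qty <= 0 || item.qty > MAX_QTY) {
      throw new Error(`invalid quantity for ${item.sku}`);
    }
    if (!own(CATALOG, item.sku)) throw new Error(`unknown sku ${item.sku}`);
    subtotal += CATALOG[item.sku] * item.qty;   // item.price from the client is never read
  }
  const rate = own(PROMOS, promoCode) ? PROMOS[promoCode] : 0;   // one code, applied once
  const discount = Math.round(subtotal * rate);
  return { subtotal, discount, total: subtotal - discount };
}

function checkout({ idempotencyKey, items, promoCodes = [] }) {
  if (typeof idempotencyKey !== 'string' || idempotencyKey.length < 16) {
    throw new Error('idempotency key required');
  }
  // A second request with the same key (the race-condition experiment) gets the
  // same order back instead of creating and charging a second one.
  if (orders.has(idempotencyKey)) return orders.get(idempotencyKey);
  const codes = [...new Set(promoCodes)];          // sending SAVE10 twice is still one code
  if (codes.length > 1) throw new Error('one promo code per order');
  const order = { id: nextOrderId++, ...priceCart(items, codes[0]), status: 'paid' };
  orders.set(idempotencyKey, order);
  return order;
}
```

The "promo after payment" and "cancel but keep the item" experiments are the same rule seen from the order side: once `status` is `paid`, pricing fields are immutable, and a cancellation must reverse fulfilment in the same transaction that reverses payment.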


🗂 4. File Upload Exploitation

Since you already asked about large images 👀

🎯 Mission: Turn Image Upload Into Chaos

🔍 Explore:

  • Does it validate file extension?

  • Does it validate MIME type?

  • Does it rename the file?

  • Can you upload SVG with JS inside?

🧪 Experiments:

  • Upload:

    • .php disguised as .png

    • SVG with <script>

    • Huge file (DoS test)

  • Modify Content-Type header manually

🧠 Advanced:

  • Can uploaded file be accessed publicly?

  • Is it stored inside /public/?


🧨 5. SQL Injection Hunting

🎯 Mission: Break the Database

🔍 Explore:

  • Login form

  • Search bar

  • Filters

  • Order history

🧪 Payloads:

    ' OR 1=1 --
    ' UNION SELECT NULL,NULL --

🧠 Advanced:

  • Blind SQLi

  • Boolean-based

  • Time-based (SLEEP())
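Why the two payloads above work against string-built SQL and what parameter binding changes, as an added example that is not part of the lesson. No database is connected; the functions only build the query. The `{ text, values }` shape with `$1` placeholders is the one node-postgres accepts, and the table and column names are hypothetical.

```javascript
// Added example: string-built SQL vs bound parameters vs identifier allowlist.
// Table/column names and function names are hypothetical.

const PAYLOAD = "' OR 1=1 --";   // the lesson's first payload

// Vulnerable: the quote in the input closes the literal, and the rest of the
// input is parsed as SQL. The lesson's second payload works the same way.
function userByEmailUnsafe(email) {
  return `SELECT id, password_hash FROM users WHERE email = '${email}'`;
}

// Fixed: the input travels as a bound value; the database never parses it as SQL.
// (Compare the hash in application code afterwards; never put passwords in the query.)
function userByEmailSafe(email) {
  return { text: 'SELECT id, password_hash FROM users WHERE email = $1', values: [email] };
}

// Identifiers (the sort column for order history, filter names) cannot be bound,
// so they go through an allowlist instead of into the string.
const SORTABLE = new Set(['created_at', 'total', 'status']);
function orderHistory(userId, sortBy = 'created_at') {
  if (!SORTABLE.has(sortBy)) throw new Error(`unsortable column: ${sortBy}`);
  return { text: `SELECT * FROM orders WHERE user_id = $1 ORDER BY ${sortBy}`, values: [userId] };
}

// A hint for code review or query-log review, not a WAF: a quote followed by
// OR / UNION / SLEEP, or a comment marker, inside what should be one literal.
function looksInjected(queryText) {
  return /'\s*(OR|UNION|SLEEP)\b|--/i.test(queryText);
}

console.log(userByEmailUnsafe(PAYLOAD));   // the WHERE clause is now always true
console.log(userByEmailSafe(PAYLOAD));     // the payload is just a value in `values`
```

The "Advanced" variants differ only in how the result is observed: boolean-based reads a true/false difference in the page, time-based reads a delay. Parameter binding removes all of them at once because the input never reaches the SQL parser.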


🌍 6. API Abuse

Open DevTools → Network → Watch everything.

🎯 Mission: Become the API Manipulator

🔍 Explore:

  • Hidden endpoints

  • Unused parameters

  • GraphQL? REST?

  • Rate limiting?

🧪 Experiments:

  • Send extra parameters

  • Remove required fields

  • Change HTTP method (POST → PUT)

  • Replay old requests
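The server-side counterpart of the four experiments above, as an added example that is not part of the lesson: a request gate that rejects unknown fields (so an extra parameter is not silently saved), enforces required fields and types, allows only the declared HTTP methods per route, and rate-limits by client so replayed requests hit a ceiling. The route table, schema and limits are constructed for this example.

```javascript
// Added example: strict request validation, method allowlist and rate limiting.
// ROUTES, the schema and all function names are hypothetical.

const UPDATE_PROFILE_SCHEMA = {
  required: ['email'],
  optional: ['displayName'],
  types: { email: 'string', displayName: 'string' },
};

function validateBody(schema, body) {
  const errors = [];
  const allowed = new Set([...schema.required, ...schema.optional]);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`unexpected field: ${key}`);   // mass-assignment guard
  }
  for (const key of schema.required) {
    if (!(key in body)) errors.push(`missing field: ${key}`);
  }
  for (const [key, type] of Object.entries(schema.types)) {
    if (key in body && typeof body[key] !== type) errors.push(`${key} must be ${type}`);
  }
  return errors;
}

const ROUTES = {
  '/api/profile': { methods: ['GET', 'PATCH'], schemas: { PATCH: UPDATE_PROFILE_SCHEMA } },
};

// Fixed-window limiter keyed by client (user id or source address).
const WINDOW_MS = 60000;
const LIMIT = 30;
const buckets = new Map();
function allowRequest(clientKey, nowMs) {
  const b = buckets.get(clientKey);
  if (!b || nowMs - b.start >= WINDOW_MS) {
    buckets.set(clientKey, { start: nowMs, count: 1 });
    return true;
  }
  b.count += 1;
  return b.count <= LIMIT;
}

// Runs before the handler; returns the status the middleware would send.
function gate({ method, path, body, clientKey, nowMs = Date.now() }) {
  if (!allowRequest(clientKey, nowMs)) return { status: 429, errors: ['rate limit exceeded'] };
  const route = ROUTES[path];
  if (!route) return { status: 404, errors: ['unknown route'] };
  if (!route.methods.includes(method)) return { status: 405, errors: [`method ${method} not allowed`] };
  const schema = route.schemas[method];
  const errors = schema ? validateBody(schema, body || {}) : [];
  return { status: errors.length ? 400 : 200, errors };
}
```

Rejecting unknown fields is the part most teams skip; a schema that only checks the fields it knows about will happily pass `role` or `isAdmin` through to an ORM that saves whatever it receives.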


🧱 7. Client-Side Weaknesses

🎯 Mission: Break It From The Browser

🔍 Explore:

  • LocalStorage data

  • SessionStorage

  • JS source files

  • Comments in JS

  • Source maps (.map files)

🧪 Experiments:

  • Modify localStorage role

  • Change price in JS memory

  • Call hidden JS functions manually


🔥 8. CSRF

🎯 Mission: Make the User Do Something Without Knowing

  • Is there a CSRF token?

  • Can you change the email via a simple POST form?

  • Does logout require a CSRF token?


🧠 9. Recon Mode (Think Like a Pro Pentester)

Instead of random testing, try:

  • Build a full attack surface map

  • List:

    • All inputs

    • All outputs

    • All state-changing actions

  • Mark:

    • Before auth

    • After auth

    • Admin only

This is how real pentests are done.
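The map above written down as data, as an added example that is not part of the lesson, with a review pass over it: each route records its input, whether it changes state, and which of the three marks (before auth, after auth, admin only) applies, and a function flags the combinations that the earlier sections showed to be dangerous. The sample routes and their attributes are constructed for this example.

```javascript
// Added example: attack-surface inventory plus an automated review of it.
// SURFACE is constructed sample data; the findings wording is hypothetical.

const SURFACE = [
  { path: '/login',          method: 'POST',   auth: 'none', changesState: true,  csrf: false, rateLimited: false },
  { path: '/search',         method: 'GET',    auth: 'none', changesState: false, csrf: false },
  { path: '/api/profile',    method: 'PATCH',  auth: 'user', changesState: true,  csrf: true },
  { path: '/api/orders/:id', method: 'GET',    auth: 'user', changesState: false, csrf: false, ownerCheck: true },
  { path: '/admin/users',    method: 'DELETE', auth: 'user', changesState: true,  csrf: true, adminOnly: true },
  { path: '/logout',         method: 'POST',   auth: 'user', changesState: true,  csrf: false },
];

// Each rule is one of the earlier sections applied to the whole surface at once.
function reviewSurface(routes) {
  const findings = [];
  for (const r of routes) {
    const id = `${r.method} ${r.path}`;
    if (r.changesState && r.auth === 'none' && !r.rateLimited) {
      findings.push(`${id}: unauthenticated state change without rate limiting`);
    }
    if (r.changesState && r.auth !== 'none' && !r.csrf) {
      findings.push(`${id}: state change without CSRF protection`);
    }
    if (r.adminOnly && r.auth !== 'admin') {
      findings.push(`${id}: admin action gated on login only, not on the admin role`);
    }
    if (r.path.includes(':id') && r.auth !== 'none' && !r.ownerCheck) {
      findings.push(`${id}: object id in URL without ownership check`);
    }
  }
  return findings;
}

for (const f of reviewSurface(SURFACE)) console.log(f);
```

Keeping this table in the repository next to the routes, and running the review in CI, turns the one-off pentest map into something that catches the next endpoint added without a check.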


🧩 10. Combine Vulnerabilities

This is where you level up.

Example:

  • Stored XSS → Steal JWT → Privilege escalation

  • IDOR → Change email → Password reset takeover

  • File upload → Stored XSS → Admin compromise