Security Innovations - Shred - Command and Control

March 9, 2023
Walkthroughs, Cmd+Ctrl
ctf

Ooooooh, yeah. I did it, because the range hasn’t changed for over a fucking year. That’s lazy on their part. The security industry evolves, your ranges should too. Here, I will be using https://caido.io/ instead of Burp or ZAProxy for this… why? No particular reason. Just to be fair and showcase that such a thing exists. There’s also Charles, and many others.

"><plaintext> - Breaks the search feature, there’s cross site scripting here.

https://52-53-226-7-shred.vulnerablesites.net/Shred/accountSettings?id=235963 - IDOR - Insecure Direct Object Reference (changing your ID after login gives access to others' profiles, and also allows tampering with their CC#s and Gift Cards)
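
For the XSS and IDOR findings above, here is a constructed defender-side example (my own code, not anything from the Shred range or Security Innovations): an ownership check for the accountSettings handler, a log scan that flags a session requesting other users' ids, and attribute escaping for the reflected search term. The log format and the Python handler shape are assumptions.

```python
import html
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# --- IDOR on /Shred/accountSettings?id=<n> ---
# Hypothetical handler shape: the server-side session carries the
# authenticated user's own id, which is what the lookup must be bound to.
def is_authorized(session_user_id: int, requested_id: int) -> bool:
    """The id in the query string is only acceptable if it is the caller's own."""
    return requested_id == session_user_id

def account_settings(session_user_id: int, requested_id: int, accounts: dict) -> dict:
    """Hardened version: refuse a foreign id instead of trusting the parameter."""
    if not is_authorized(session_user_id, requested_id):
        raise PermissionError("id does not match the authenticated user")
    return accounts[session_user_id]

# --- Detection: one user fetching accountSettings for ids that are not theirs ---
# Constructed log format: "user=<authenticated id> GET <path?query>".
LOG_RE = re.compile(r"user=(\d+) GET (\S+)")

def find_idor_probes(log_lines: list[str]) -> dict[int, list[int]]:
    """Return {user_id: sorted foreign ids requested on accountSettings}."""
    foreign: dict[int, set[int]] = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user = int(m.group(1))
        url = urlparse(m.group(2))
        if url.path != "/Shred/accountSettings":
            continue
        for raw in parse_qs(url.query).get("id", []):
            if raw.isdigit() and int(raw) != user:
                foreign[user].add(int(raw))
    return {u: sorted(ids) for u, ids in foreign.items()}

# Constructed sample: 235963 (the walkthrough's own id) walks neighbouring ids.
SAMPLE_LOG = [
    "user=235963 GET /Shred/accountSettings?id=235963",
    "user=235963 GET /Shred/accountSettings?id=235964",
    "user=235963 GET /Shred/accountSettings?id=235965",
    "user=100001 GET /Shred/credits",
]

# --- Reflected search term ---
def render_search_input(term: str) -> str:
    """Escape quotes and angle brackets so '"><plaintext>' cannot close the attribute."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'
```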

https://52-53-226-7-shred.vulnerablesites.net/Shred/credits - View the credits page

test:test - account left over from development