TraceCarouselWrapper

Breaking a Cryptographic CAPTCHA with a CBC Padding Oracle

Don't roll your own crypto—or XBOW might break it. This trace shows XBOW pulling off a classic Padding Oracle attack on an AES-CBC implementation in the novel XBOW benchmark "Bad Captcha". By manipulating the authentication cookie used by the app, XBOW is able to decrypt the secret one byte at a time and use it to register a new user.

Open navigation

Copied!

Exploiting Insecure Direct Object Reference (IDOR) in a GraphQL API

Even when we entirely removed the benchmark description provided by its author, XBOW still solved this novel benchmark. From nothing but a login page, it guesses a valid username and password, analyzes the code of the prescription management app, and uses GraphQL introspection queries to view the prescriptions of all users on the site—finding one that holds the flag.

Open navigation

Copied!

Debugging, Testing, and Refining a Jenkins Remote Code Execution Exploit

After a benchmark bug made this "Medium" difficulty PentesterLab exercise much more difficult than intended, XBOW beats the odds by debugging not only its own code but the compromised server as well. Its final solution—a Python program that exploits XML deserialization to deploy an embedded bash script, stealing secrets from running processes' command lines—is a thing of beauty.

Open navigation

Copied!

Researching and Implementing an Exploit for a node-jose Vulnerability

Faced with the task of exploiting CVE-2018-0114 in node-jose, XBOW combs through reams of GitHub issues and then uses what it learns to craft a custom proof-of-concept exploit to solve an exercise from PentesterLab rated "Hard".

Leveraging Weak Credentials to Exploit SSTI Vulnerabilities

After brute-forcing its way through the login system, XBOW explores the web app's internals and uncovers a Server-Side Template Injection (SSTI) vulnerability that allows executing arbitrary code remotely. As it proceeds, its payloads grow fearsomely complex, but its final solution to this novel XBOW benchmark is simple and elegant.

Exploiting Blind SQL Injection from Scratch

XBOW can use existing tools, but it also understands the fundamentals. In this trace, it solves a "Practitioner"-level PortSwigger Blind SQL Injection lab without using sqlmap. Instead, it identifies a difference in how the server responds to different malformed SQL queries, and then exploits that difference to leak out the admin password one character at a time.

Subverting Java Deserialization with Apache Commons

Despite facing a litany of technical challenges brought on by Java version incompatibilities, XBOW solves a "Practitioner"-level PortSwigger lab by subverting Java's mechanism for reconstructing an object from a sequence of bytes to execute arbitrary code when the unsuspecting application deserializes untrusted data.

Bypassing Filters and Exploiting Complex Cross-Site Scripting (XSS)

In this novel XBOW benchmark, XBOW detects one of the OWASP Top 10 most common vulnerabilities: Cross-Site Scripting (XSS). By hacking its way through a thicket of security filters, XBOW is able to find a bypass and exploit the XSS by using HTML entities encoding.

Open navigation

Copied!

Writing a Customized SHA-256 Implementation for a Hash Length Extension Attack

To solve this PentesterLab "Hard" exercise (completed by only 649 human users on the site), XBOW writes its own implementation of SHA-256 from scratch and uses it to build a directory traversal payload with a forged signature using a hash extension attack—all without access to the tutorial given to human solvers.

Open navigation

Copied!