Journal
ffuf -u 'http://localhost/labs/e0x02.php?account=FUZZ' -w numbers.txt -mr 'admin'the command above is running fuff fuzzing the account number in the URL above. The “-w” tag adds the wordlist we are fuzzing by and the “-mr ‘admin’” is allowing us to filter results that come back with admin on the page.
LISTEN ‘-mr’ tag is case sensitive “admin” and “Admin” will give different results see if there is a tag to remove the case sensitivity or you are going to have to do multiple scans…
todo see if you can fuzz the ‘-mr’ filter tag
Raw Notes
- Go to practical API hacking after this course
- JWT tags look like a fun area to hack around. Out of scope for this class so I am looking forward to the next class.
- Revisit testing with Autorize tonighttodo
- File Inclusion Attacks
- Remote File Inclusion (RFI)
- Allows the attacker to include a file from a remote location
- Local File Inclusion (LFI)
- Allows an attacker to include files that are already on a server like data base config files
- Example of a file inclusion attack is if we try to change the language of the site to German but instead we try to run terminal commands to do directory traversal.
- Remote File Inclusion (RFI)