Comprendere il fuzzing nella sicurezza informatica | TryHackMe L'avvento del cyber

Premessa

In this video walkthrough, we covered the concept of fuzzing in computer programs and web applications. We used an example lab from TryHackMe Advent of Cyber 2 / Day 4 / Santa’s watching

Descrizione della sfida

We’re going to be taking a look at some of the fundamental tools used in web application testing. You’re going to learn how to use Gobuster to enumerate a web server for hidden files and folders to aid in the recovery of Elf’s forums. Later on, you’re going to be introduced to an important technique that is fuzzing, where you will have the opportunity to put theory into practice.

Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf’s forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD

Ottieni le note sul certificato OSCP

Camera Collegamento

Recommended Rooms:

TryHackMe | ZTH: Web 2

TryHackMe | CC: Pen Testing

Domande di sfida

• Given the URL “http://shibes.xyz/api.php“, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Nota: For legal reasons, do non actually run this command as the site in question has not consented to being fuzzed!

• Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?
• Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Answers / Day 4

Videoprocedura dettagliata