@Dev-Dipesh
Created May 5, 2023 09:48

Challenge Solutions

  1. Secret Key: F5LABS4445663337899
  2. Coded: F5LABS7776888678123
  3. UI Checks: F5LABS3425563334219
  4. Authorization Mess: F5LABS34255676246218
  5. Version Trouble: F5LABS0099876655774
  6. Bypass Controls: F5LABS9899877665588
  7. Weak Tokens: F5LABS1116536788549
  8. Credential Stuff: F5LABS4445663337899, F5LABS8387288577236

Quiz Solutions

  1. F5 Labs
  2. CORS
  3. OAuth 2.0
  4. 2019

API Security Workshop

Challenges

1. Secret Key: Find the secret key sent over the API

2. Coded: You found a file in your local cache. Decipher it to find out what secret information it contains.

Takeaway

Secure data transmission: Always use encryption for transmitting sensitive data like secret keys, tokens, and credentials. Make use of HTTPS and other secure communication protocols to prevent eavesdropping and data manipulation.

3. UI Check: You suspect that the application maintains more information about you than they are
letting on. Find out what secret score the system moderators have given you.

Takeaway

Implement proper access controls: Ensure that your API has robust authentication and authorization mechanisms in place. Use role-based access control and limit the exposure of sensitive data to only the necessary parties.

4. Authorization Mess: You know your colleague Donna has an 'Appy! test account too, and you urgently need
to get a hold of her. You have a feeling that tampering with the API could let you get access to her
account and allow you to find her number.

Takeaway

Protect against tampering: Validate and sanitize input data on both client and server sides to prevent unauthorized manipulation of API requests.

5. Version Trouble: You discover that your account (username: ac007 / password: f5labs) isn't able to use
the "Add Credit" function in 'Appy! Find out how you can add credit without a valid card by tampering with
the API version.

Takeaway

Versioning and backward compatibility: When updating APIs, be cautious about introducing breaking changes. Maintain backward compatibility and ensure that older versions are adequately secured.

6. Bypass controls: You heard that 'Appy! had a Cross-Site Scripting (XSS) vulnerability in the username
field of the User Registration form on the home page. The report you read suggested that they had "added
protections" to address the issue. See if you can't find a way around it! Try sending alert("your message")
in the username field.

Takeaway

Defend against XSS attacks: Sanitize and escape user-generated input to prevent cross-site scripting (XSS) vulnerabilities. Implement Content Security Policy (CSP) headers to mitigate the risk of script injection attacks.

7. Weak Tokens: You have found that 'Appy! administrators have secret access via a non-disclosed URL. An
anonymous tipster has sent you the user APIKEY sample (below). Manipulate the key to the "admin" role to gain
full access to the 'Appy! admin screen and capture the flag.

APIKEY = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoieW91cmFjY291bnQiLCJyb2xlIjoidXNlciIsImlhdCI6MTUxNjIzOTAyMn0.gCYbejyhHfGc5iVoaiTPKq_zZCYb5mxkJ8816aveUNw

Hidden URL = /admin/hidden

Takeaway

Token security: Use strong encryption algorithms and secure token generation techniques to protect against unauthorized access. Regularly rotate tokens and employ proper token validation and expiration mechanisms.
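As an added illustration of this takeaway (example code, not part of the gist or the 'Appy! workshop): a minimal HS256 JWT verifier that pins the algorithm, checks the HMAC signature before reading any claim, and requires an expiry. The secret is a constructed placeholder and the claims mirror the challenge token's user/role/iat layout with an added exp.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret (hypothetical); a real service loads it from a secret store.
SECRET = b"workshop-demo-secret-not-for-production"


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the verified claims, or None when the token must be rejected.
    The signature is checked before "role" or any other claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        given_sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: "none" and any switch away from HS256 are rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected):
        return None
    # Require an expiry; the challenge token carries only "iat" and would never expire.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    current = now if now is not None else time.time()
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return claims
```

A payload edited from "user" to "admin" without the server secret fails the signature check and is never handed to authorization logic.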

8. Credential Stuff: You found a password dump from a Yoodle! data breach on PasteBin (see the URL below).
See if you can find valid credentials from the Yoodle! breach that allow you to log in to 'Appy!. Find the
secret score of the hacked account to capture the flag. https://pastebin.com/NdXy4Xf4

Takeaway

Prevent credential stuffing: Implement rate limiting and account lockout mechanisms to protect against credential stuffing attacks. Encourage users to use unique and strong passwords and enable multi-factor authentication (MFA) wherever possible.


OWASP Top 10 API Security

https://owasp.org/www-project-api-security/
