Pwning Justin Bieber :D

Wrapping up the eWPT (eLearn Web-Application Penetration Testing) course. There are a series of exercises in the course that are built around a web-application that allows you to vote for your favorite music artist. When you log in...Justin Bieber is topping the charts. The goal of each of these exercises is to subvert the logic of the application to remove Justin Bieber from the top of the charts. Completing a challenge has never been so rewarding, lol.

Comments

  • beaucaldwell Posts: 53 Member
    NovaHax wrote: »
    Wrapping up the eWPT (eLearn Web-Application Penetration Testing) course. There are a series of exercises in the course that are built around a web-application that allows you to vote for your favorite music artist. When you log in...Justin Bieber is topping the charts. The goal of each of these exercises is to subvert the logic of the application to remove Justin Bieber from the top of the charts. Completing a challenge has never been so rewarding, lol.
    someone should win an award for this one
  • 5ekurity Posts: 346 Member
    Yep that is pretty awesome!
  • cyberguypr Senior Member Posts: 6,665 Mod
  • Iristheangel ABL - Always Be Labbin' Pasadena, CA Posts: 4,114 Mod
    Best exercise EVER! Unless your logic moves Miley Cyrus up to the top icon_sad.gif
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
  • JDMurray Certification Invigilator Surf City, USA Posts: 11,125 Admin
    If Justin married Miley then he might avoid deportation from the USA on felony, I-egged-a-house-like-a-bratty-teenager, charges. On the other hand, he could marry Selena and opt for Mexican citizenship and form his own Captain-Morgans-and-Robitussin cartel.

    Now I just gotta figure a way to make those scenarios into a hacking challenge. icon_scratch.gif
  • Iristheangel ABL - Always Be Labbin' Pasadena, CA Posts: 4,114 Mod
    Hmm... A Miley Cyrus/Bieber marriage:
    Not sure who would wear the tux in that situation....

    Back to the original point of the thread, whoever came up with that course had a great sense of humor. I want to take that course now
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
  • JoJoCal19 California Kid Posts: 2,745 Mod
    That lab sounds awesome! eLearnsecurity's courses look good.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, Pentesting
    Next Up: eCPPTv2, OSCP
    Studying: Code Academy (CLI, Git, Python)
  • NovaHax Posts: 502 Member
    Hmm... A Miley Cyrus/Bieber marriage:
    Truly horrifying imagery Iris, lol
  • veritas_libertas Audentis Fortuna Iuvat Greenville, SC USA Posts: 5,733 Member
    My eyes!!!

    Now I really want to take an eLearnsecurity course...
    Currently working on: Linux and Python
  • Master Of Puppets Posts: 1,210 Member
    eLearnsecurity is looking better and better.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • NovaHax Posts: 502 Member
    The course has actually been a really good experience. A lot of the work that I do includes Web-Application PenTests for clients, so I wasn't sure how much I would actually get out of the course. But I felt like OSCP drastically under-covered the Web-App side of PenTesting and I wanted to do a professional course on that. Surprisingly, the course has actually added several skills and a few improved processes to my arsenal.

    Plus you are kind of forced to stop relying on SQLmap for automated SQL injection. Several of the exercises force you to do SQLi manually by including vulnerable parameters in JSON (JavaScript Object Notation) format.

    If parameters are passed in the traditional sense....id=1&user=bob..., sqlmap parses it correctly and will test both the id and user parameters. But with JSON....cookie={"id":"1","user":"bob"}...you are kinda SOL when it comes to using sqlmap, because it will only attempt to inject payloads on the parameter as a whole. It sucks to have to manually do error based or union based injection. But a good learning experience nonetheless.
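    An added example, not code from this thread or from eLearnSecurity's course: a minimal version of the situation described above, a handler that reads a field out of a JSON-encoded cookie and splices it into SQL, next to the same handler with the value bound as a query parameter. The table, rows, and function names are constructed for the demonstration (SQLite in memory). It shows why a tool that sees only the whole `cookie` parameter never reaches the inner `id` field, and that binding the value rather than concatenating it is what closes the hole no matter how the parameter was transported.

```python
import json
import sqlite3


def make_chart_db():
    """Constructed sample data, loosely mirroring the course's voting app."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE artists (id INTEGER PRIMARY KEY, name TEXT, votes INTEGER)"
    )
    conn.executemany(
        "INSERT INTO artists VALUES (?, ?, ?)",
        [(1, "Justin Bieber", 100), (2, "Miley Cyrus", 60), (3, "Selena Gomez", 40)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, cookie_json):
    """Deliberately vulnerable handler (hypothetical): the 'id' field pulled
    out of the JSON cookie is spliced into the SQL string. From the outside
    there is only one parameter, 'cookie', which is why a scanner that
    treats the cookie as a single value never tests this inner field."""
    fields = json.loads(cookie_json)
    query = "SELECT name FROM artists WHERE id = '%s'" % fields["id"]
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, cookie_json):
    """Hardened handler: identical JSON parsing, but the value is bound as a
    query parameter, so whatever the field contains is compared as data."""
    fields = json.loads(cookie_json)
    rows = conn.execute("SELECT name FROM artists WHERE id = ?", (fields["id"],))
    return [row[0] for row in rows]


def compare(cookie_json):
    """Run both handlers on the same cookie. A SQL error from the vulnerable
    one is reported as the string 'error' (the signal error-based SQLi keys on);
    the hardened one simply finds no matching row."""
    conn = make_chart_db()
    try:
        vulnerable = lookup_vulnerable(conn, cookie_json)
    except sqlite3.Error:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "safe": lookup_safe(conn, cookie_json)}


if __name__ == "__main__":
    # Constructed cookies: the benign one from the thread, then two that
    # carry a quote inside the JSON field.
    for cookie in (
        '{"id":"1","user":"bob"}',                  # benign
        '{"id":"1\'","user":"bob"}',                # stray quote breaks the spliced query
        '{"id":"1\' OR \'1\'=\'1","user":"bob"}',   # quote escapes the literal; every row comes back
    ):
        print(cookie, "->", compare(cookie))
```

    The vulnerable handler errors on the second cookie and returns every artist on the third, while the parameterised one returns exactly the row whose `id` equals the literal string, i.e. nothing. Note that a filter on the outer cookie (length, "looks like JSON") would not have helped; the check has to happen where the value meets the query.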
  • NovaHax Posts: 502 Member
    I actually considered modifying sqlmap to designate a payload location with a reserved wildcard character, as an alternative to doing the injections manually.

    And I may still do that, as I think it would be a valuable addition to the program.
  • Jens-eLS Posts: 2 Inactive Imported Users
    Hi there and thanks for the nice words, we do appreciate that!
    Let me know if you have any questions regarding our (eLearnSecurity) courses. We just launched a new one less than a month ago, in case anyone likes to explore that a bit icon_wink.gif

    Mobile Application Security and Penetration Testing

  • kMastaFlash Posts: 1,012 Member
    Best exercise EVER! Unless your logic moves Miley Cyrus up to the top icon_sad.gif
    2018: CCSK
    2019: CWSP,Cloud+,Project+,CASP,PenTest+,CWNA,CCNA Security,GXPN,GREM
    2021: LPIC-2,JNCIS-ENT,eLearnSecurity Courses