Pwning Justin Bieber :D

NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
Wrapping up the eWPT (eLearn Web-Application Penetration Testing) course. There are a series of exercises in the course that are built around a web-application that allows you to vote for your favorite music artist. When you log in...Justin Bieber is topping the charts. The goal of each of these exercises is to subvert the logic of the application to remove Justin Bieber from the top of the charts. Completing a challenge has never been so rewarding, lol.

Comments

  • beaucaldwellbeaucaldwell Member Posts: 53 ■■□□□□□□□□
    NovaHax wrote: »
    Wrapping up the eWPT (eLearn Web-Application Penetration Testing) course. There are a series of exercises in the course that are built around a web-application that allows you to vote for your favorite music artist. When you log in...Justin Bieber is topping the charts. The goal of each of these exercises is to subvert the logic of the application to remove Justin Bieber from the top of the charts. Completing a challenge has never been so rewarding, lol.
    someone should win an award for this one
  • 5ekurity5ekurity Member Posts: 346 ■■■□□□□□□□
    Yep that is pretty awesome!
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Best exercise EVER! Unless your logic moves Miley Cyrus up to the top
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • JDMurrayJDMurray Admin Posts: 13,091 Admin
    If Justin married Miley then he might avoid deportation from the USA on felony, I-egged-a-house-like-a-bratty-teenager, charges. On the other hand, he could marry Selena and opt for Mexican citizenship and form his own Captain-Morgans-and-Robitussin cartel.

    Now I just gotta figure a way to make those scenarios into a hacking challenge.
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Hmm... A Miley Cyrus/Bieber marriage:

    Not sure who would wear the tux in that situation....

    Back to the original point of the thread, whoever came up with that course had a great sense of humor. I want to take that course now
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    That lab sounds awesome! eLearnsecurity's courses look good.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
    Hmm... A Miley Cyrus/Bieber marriage:

    Truly horrifying imagery Iris, lol
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    My eyes!!!

    Now I really want to take an eLearnsecurity course...
  • Master Of PuppetsMaster Of Puppets Member Posts: 1,210
    eLearnsecurity is looking better and better.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
    The course has actually been a really good experience. A lot of the work that I do includes Web-Application PenTests for clients, so I wasn't sure how much I would actually get out of the course. But I felt like OSCP drastically under-covered the Web-App side of PenTesting and I wanted to do a professional course on that. Surprisingly, the course has actually added several skills and a few improved processes to my arsenal.

    Plus you are kind of forced to stop relying on SQLmap for automated SQL injection. Several of the exercises force you to do SQLi manually by including vulnerable parameters in JSON (JavaScript Object Notation) format.

    If parameters are passed in the traditional sense....id=1&user=bob..., sqlmap parses it correctly and will test both the id and user parameters. But with JSON....cookie={"id":"1","user":"bob"}...you are kinda SOL when it comes to using sqlmap, because it will only attempt to inject payloads on the parameter as a whole. It sucks to have to manually do error based or union based injection. But a good learning experience nonetheless.
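As an added illustration of the point above (this is constructed example code, not the course's application or anything from the thread): a minimal vote-app back end that reads a `{"id": ..., "user": ...}` JSON blob from a cookie, with the string-concatenated query beside its parameterized replacement. The table, the cookie values and the function names are all assumptions.

```python
# Added example (not from the eWPT course or this thread): a toy vote-app
# back end whose request state arrives as one JSON cookie. A scanner that
# tests the cookie as a single parameter never reaches the inner fields,
# but the query built from them is still injectable. All data is constructed.
import json
import sqlite3

CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE votes (id INTEGER, user TEXT, artist TEXT);
    INSERT INTO votes VALUES (1, 'bob', 'Justin Bieber');
    INSERT INTO votes VALUES (2, 'alice', 'Miley Cyrus');
""")


def parse_cookie(cookie: str) -> dict:
    """Decode the JSON blob carried in the cookie; every field is client-controlled."""
    return json.loads(cookie)


def votes_vulnerable(cookie: str) -> list:
    """Concatenates the decoded JSON fields straight into SQL (the defect)."""
    p = parse_cookie(cookie)
    sql = f"SELECT artist FROM votes WHERE id = {p['id']} AND user = '{p['user']}'"
    return [row[0] for row in CONN.execute(sql)]


def votes_hardened(cookie: str) -> list:
    """Validates the id type and binds both values as parameters, so quote
    characters inside the JSON fields stay data and never become SQL syntax."""
    p = parse_cookie(cookie)
    user_id = int(p["id"])  # raises ValueError for anything but a plain integer
    sql = "SELECT artist FROM votes WHERE id = ? AND user = ?"
    return [row[0] for row in CONN.execute(sql, (user_id, p["user"]))]


NORMAL = json.dumps({"id": "1", "user": "bob"})
# Constructed hostile cookie: a quote inside the JSON string value closes the
# literal in the concatenated query and turns the WHERE clause into a tautology.
HOSTILE = json.dumps({"id": "1", "user": "x' OR '1'='1"})

if __name__ == "__main__":
    print(votes_vulnerable(NORMAL), votes_hardened(NORMAL))
    print(votes_vulnerable(HOSTILE), votes_hardened(HOSTILE))
```

The hardened version returns nothing for the hostile cookie because the whole string is compared as a user name; a type check on `id` plus bound parameters is the fix regardless of how the values were encoded on the wire.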
  • NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
    I actually considered modifying sqlmap to designate a payload location with a reserved wildcard character, as an alternative to doing the injections manually.

    And I may still do that, as I think it would be a valuable addition to the program.
  • Jens-eLSJens-eLS Inactive Imported Users Posts: 2 ■□□□□□□□□□
    Hi there and thanks for the nice words, we do appreciate that!
    Let me know if you have any questions regarding our (eLearnSecurity) courses. We just launched a new one less than a month ago, in case anyone likes to explore that a bit

    Mobile Application Security and Penetration Testing

  • [Deleted User][Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
    Best exercise EVER! Unless your logic moves Miley Cyrus up to the top