Pwning Justin Bieber :D

NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
Wrapping up the eWPT (eLearn Web-Application Penetration Testing) course. There are a series of exercises in the course that are built around a web-application that allows you to vote for your favorite music artist. When you log in...Justin Bieber is topping the charts. The goal of each of these exercises is to subvert the logic of the application to remove Justin Bieber from the top of the charts. Completing a challenge has never been so rewarding, lol.

Comments

  • beaucaldwellbeaucaldwell Member Posts: 53 ■■□□□□□□□□
    NovaHax wrote: »
    Wrapping up the eWPT (eLearn Web-Application Penetration Testing) course. There are a series of exercises in the course that are built around a web-application that allows you to vote for your favorite music artist. When you log in...Justin Bieber is topping the charts. The goal of each of these exercises is to subvert the logic of the application to remove Justin Bieber from the top of the charts. Completing a challenge has never been so rewarding, lol.
    someone should win an award for this one
  • 5ekurity5ekurity Member Posts: 346 ■■■□□□□□□□
    Yep that is pretty awesome!
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Best exercise EVER! Unless your logic moves Miley Cyrus up to the top icon_sad.gif
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    If Justin married Miley then he might avoid deportation from the USA on felony, I-egged-a-house-like-a-bratty-teenager, charges. On the other hand, he could marry Selena and opt for Mexican citizenship and form his own Captain-Morgans-and-Robitussin cartel.

    Now I just gotta figure a way to make those scenarios into a hacking challenge. icon_scratch.gif
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Hmm... A Miley Cyrus/Bieber marriage:



    Not sure who would wear the tux in that situation....

    Back to the original point of the thread, whoever came up with that course had a great sense of humor. I want to take that course now
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    That lab sounds awesome! eLearnsecurity's courses look good.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
    Hmm... A Miley Cyrus/Bieber marriage:



    Truly horrifying imagery Iris, lol
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    My eyes!!!

    Now I really want to take an eLearnsecurity course...
  • Master Of PuppetsMaster Of Puppets Member Posts: 1,210
    eLearnsecurity is looking better and better.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
    The course has actually been a really good experience. A lot of the work that I do includes Web-Application PenTests for clients, so I wasn't sure how much I would actually get out of the course. But I felt like OSCP drastically under-covered the Web-App side of PenTesting and I wanted to do a professional course on that. Surprisingly, the course has actually added several skills and a few improved processes to my arsenal.

    Plus you are kind of forced to stop relying on SQLmap for automated SQL injection. Several of the exercises force you to do SQLi manually by including vulnerable parameters in JSON (Javascript Object Notation) format.

    If parameters are passed in the traditional sense....id=1&user=bob..., sqlmap parses it correctly and will test both the id and user parameters. But with JSON....cookie={"id":"1","user":"bob"}...you are kinda SOL when it comes to using sqlmap, because it will only attempt to inject payloads on the parameter as a whole. It sucks to have to manually do error based or union based injection. But a good learning experience nonetheless.
  • NovaHaxNovaHax Member Posts: 502 ■■■■□□□□□□
    I actually considered modifying sqlmap to designate a payload location with a reserved wildcard character, as an alternative to doing the injections manually.

    And I may still do that, as I think it would be a valuable edition to the program.
  • Jens-eLSJens-eLS Inactive Imported Users Posts: 2 ■□□□□□□□□□
    Hi there and thanks for the nice words, we do appreciate that!
    Let me know if you have any questions regarding our (eLearnSecurity) courses. We just launched a new one less than a month ago, in case anyone likes to explore that a bit icon_wink.gif

    Mobile Application Security and Penetration Testing

  • [Deleted User][Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
    Best exercise EVER! Unless your logic moves Miley Cyrus up to the top icon_sad.gif
    images?q=tbn:ANd9GcQ1gjYcFDwjn_EmJSq-2lPMxGVI9uw78Qr0_pky_9TEIW7VzFVd
Sign In or Register to comment.