Hey everybody!
Isn’t May a merry month? And for our first release of challenges for May, we have four webapp challenges that range in difficulty from fairly basic to OMG! Looks like a good time to make sure your copy of Burp Suite is up to date. 😉
For screenshots and descriptions of this week’s additions, see below.
Good luck and have fun!
The Cyber Range Team
P.S. If you’re not already signed up for the BHIS Antisyphon Cyber Range, the following page has screenshots, info, and, of course, a link where you can sign up and join in the fun:
https://www.antisyphontraining.com/cyber-range/
![Part 1 of OAuth problem series These days you'll find "Login with Google," "Login with Facebook," or "Login with $provider" buttons on plenty of sites. In order to power this feature, client sites communicate with authorization/resource servers (i.e., Google, Facebook, etc.) according to RFC 6749, which defines the OAuth 2.0 standard. We've created two sites for you to poke at, a Client Site and our own Authorization & Resource Server. As it turns out, OAuth is somewhat hard to do right. Many major sites have messed this up... For this problem, all you need to do is send the admin a link to click via the Contact form on the Client Site. Your goal will be to steal the admin's authorization code (basically you trick them into clicking a link, and when they click through the "Authorize" button, you get the code instead of the Client Site). For now, just steal the code. In a later problem, you'll have to utilize this stolen code to essentially take over the admin's account :)](https://www.antisyphontraining.com/wp-content/uploads/2023/05/2112-anywhere-you-want.png)
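To make the "you get the code instead of the Client Site" part concrete, here is an added example (not code from the Cyber Range sites, and not a spoiler of the actual flaw, which the challenge does not disclose) modelling the authorization endpoint's `redirect_uri` check. It contrasts the exact-match comparison RFC 6749 section 3.1.2 calls for with a looser host-suffix check, and shows where the code ends up when the admin clicks "Authorize" on a link the attacker built. The hostnames, client registry, loose matcher and fixed code value are all assumptions.

```python
"""Added example: strict vs. loose redirect_uri validation at an OAuth 2.0
authorization endpoint. Everything here (endpoints, client registry, the
loose matcher, the code value) is constructed for illustration."""
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://auth.example/oauth/authorize"  # assumed

# Assumed client registration: what the authorization server stored when
# the Client Site registered its callback URL.
CLIENT_REGISTRY = {
    "client-site": {"redirect_uris": ["https://client.example/oauth/callback"]},
}


def registered_uris(client_id):
    client = CLIENT_REGISTRY.get(client_id)
    return client["redirect_uris"] if client else []


def redirect_uri_allowed_strict(client_id, redirect_uri):
    # RFC 6749 3.1.2.3: compare the full URI exactly against the registered set.
    return redirect_uri in registered_uris(client_id)


def redirect_uri_allowed_loose(client_id, redirect_uri):
    # A flawed check (assumed for illustration): only the host suffix is
    # compared, so an attacker-controlled host such as evil-client.example
    # satisfies it while still "looking like" the registered client.
    host = urlsplit(redirect_uri).hostname or ""
    return any(host.endswith(urlsplit(r).hostname) for r in registered_uris(client_id))


def build_authorize_link(client_id, redirect_uri, state):
    """Build the link the attacker would send via the Contact form."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def authorize(link, validator, code="c0de-constructed"):
    """Model the moment the admin clicks 'Authorize'.

    Returns the URL the browser is redirected to (carrying the code), or
    None when the server refuses. RFC 6749 4.1.2.1: on an invalid
    redirect_uri the server must NOT redirect the user-agent at all.
    """
    query = parse_qs(urlsplit(link).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    state = query.get("state", [""])[0]
    if query.get("response_type", [""])[0] != "code":
        return None
    if not validator(client_id, redirect_uri):
        return None
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def code_landed_at(redirect):
    """Which host receives the authorization code (None if no redirect)."""
    return urlsplit(redirect).hostname if redirect else None


if __name__ == "__main__":
    legit = build_authorize_link("client-site", "https://client.example/oauth/callback", "xyz")
    evil = build_authorize_link("client-site", "https://evil-client.example/collect", "xyz")
    print("strict, legit link ->", code_landed_at(authorize(legit, redirect_uri_allowed_strict)))
    print("strict, evil link  ->", code_landed_at(authorize(evil, redirect_uri_allowed_strict)))
    print("loose, evil link   ->", code_landed_at(authorize(evil, redirect_uri_allowed_loose)))
```

The takeaway for the defender is that the only safe comparison is exact string equality against the registered URIs; any normalisation, prefix, suffix or substring logic on `redirect_uri` hands the attacker a place to put the code, and on a mismatch the server must show an error rather than redirect.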
![After a few months of using this file sharing service successfully, they stopped sending my hard earned payouts! I wonder if they stopped doing it for others too. Can you help me out?](https://www.antisyphontraining.com/wp-content/uploads/2023/05/2143-bit-power.png)
![Part 2 of OAuth problem series Remember in part 1 where you just had to steal the authorization_code? Well now it's time to steal it again (you'll get a real code instead of the flag when you steal it this time). I trust that you'll be able to put this token to good use if you're able to use it in time. If you haven't solved part 1, make sure to go back and solve that before starting this challenge. The sites and the flaw you already exploited are basically the same; however, please use the links listed below when performing your exploitation (they are different URLs).](https://www.antisyphontraining.com/wp-content/uploads/2023/05/2113-my-code-your-code.png)
![Employees of ACMEcorp must submit reimbursement requests whenever they go on trips to refund gas, meals, hotel expenses, etc through an online portal. The company rejected your latest request due to "excessive spending on desserts". HR manually reviews these requests, maybe you can steal some chocolate chip cookies from them.](https://www.antisyphontraining.com/wp-content/uploads/2023/05/2115-acmecorp.png)