blog: Add PortSwigger lab walkthrough (Broken brute-force protection, IP block) #2976
Great job, no security vulnerabilities found in this Pull Request
Force-pushed f7f341e to 1e54b34
Leaving a comment here about force-pushed changes. I added the sign-off trailer. EDIT: @kingthorin I don't remember being prompted to sign the CLA when I created this PR. Do I need to create a PR to the CLA repo?
Nope you're good, CLA isn't enabled for this repo. Thanks for checking though.
@kingthorin I was working through a different lab and realized I got some details in this walkthrough mixed up with details from another lab. I'll correct the inaccuracies and let you know when this is ready for review again. |
Thanks for the heads up. I hadn't gone to look at the lab at all, so we easily could have missed that..... |
.../blog/2025-02-17-portswigger-lab-walkthrough-broken-brute-force-protection-ip-block/index.md
Thanks for this! As you've probably noticed we've got another Portswigger lab PR outstanding #2973 so we'll aim to get that one published first and then focus on this one 😁
This can be rebased now
… IP block) Signed-off-by: chibbyalucard <[email protected]>
I'll try to do a thorough review of the text and details over the next few days.
For eagle-eyed readers, you may notice that the URLs in the screenshots vary slightly. This is because this article was written using multiple lab instances: | ||
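Review bot: the sentence on the "eagle-eyed readers" line mixes third person ("readers") with second person ("you may notice"); suggest "Eagle-eyed readers may notice that the URLs in the screenshots vary slightly." Since it ends with a colon, make sure the thing it introduces (the list of lab instances or the screenshots) follows directly, otherwise close it with a period.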
Are these all really needed?
Do you mean the ? I used them to add some extra spacing where the text feels too tight against images or code blocks. I was thinking it'd be good for readability. Should I use CSS instead?
Hmmm leave it for now, I’ll try it live tomorrow
## Resources | ||
1. [Authentication vulnerabilities](https://portswigger.net/web-security/authentication) - PortSwigger Web Security Academy |
Seems to be some extra leading space
1. [Authentication vulnerabilities](https://portswigger.net/web-security/authentication) - PortSwigger Web Security Academy | ||
2. [Burp to ZAP Feature Map](https://www.zaproxy.org/docs/burp-to-zap-feature-map/) - Zaproxy Docs | ||
3. [PortSwigger Lab Walkthroughs With ZAP](https://www.zaproxy.org/tags/portswigger-lab/) - Zaproxy Docs | ||
4. [Zaproxy Docs](https://www.zaproxy.org/docs/) | ||
5. [Migration Guide from Nashorn to GraalJS](https://www.graalvm.org/latest/reference-manual/js/NashornMigrationGuide/) - GraalJS Docs | ||
6. [GraalJS Compatibility](https://www.graalvm.org/latest/reference-manual/js/JavaScriptCompatibility/) - GraalJS Docs | ||
7. [Java Interoperability](https://www.graalvm.org/jdk21/reference-manual/js/JavaInteroperability/) - GraalJS Docs |
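Review bot: link 7 points at the `jdk21` GraalVM reference manual while links 5 and 6 point at `latest`; pick one version for all three GraalJS links so readers land on matching pages, or note why the JDK 21 page is the intended one.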
The hyphen notes at the end don't really seem to add much
Alright, thank you!
Signed-off-by: chibbyalucard <[email protected]>
> This is due to the Fuzzer’s concurrency settings. You can enable sequential execution by setting the number of execution threads to 1. However, this slows down the Fuzzer a great deal. An alternative is to throttle requests with a small delay of 100–200 milliseconds. See [Options Fuzzer screen](https://www.zaproxy.org/docs/desktop/addons/fuzzer/options/) for more detail. | ||
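Review bot: the 100–200 ms throttle offered here as an alternative to running with a single thread sits uneasily with the walkthrough's own pacing, which has the script count calls to `processMessage` and pause after every third request; with more than one execution thread the order in which messages are processed and sent may not match that count, so the "three requests, then one minute" rhythm is no longer guaranteed. Suggest stating that the script-based pause assumes one execution thread, and presenting the throttle as an option only when the script is not doing the pacing.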
@kingthorin Just marking out sections where I'd especially appreciate your help whenever you can take a look. I tried to make sure the ZAP-specific details are accurate, but I'm not completely certain about some parts.
`processMessage` is executed on each message before it is sent to the server. This enables us to alter payloads as needed or to introduce delays between requests. | ||
We didn’t need to use the `utils` and `message` parameters in `processMessage`. Still, it’s worth noting that they are injected by default when `processMessage` is called. This is similar to how the `resolve` and `reject` functions are passed as arguments to the executor function in the JavaScript Promise API. In other words, these parameters are not defined in the script’s global scope; their scope is limited to `processMessage`. | ||
Since our script manages the entire fuzzing session and `processMessage` is executed on every message, we can use the `count` variable as an iteration counter. It tracks the number of times `processMessage` is called. Or, in other words, how many requests the Fuzzer has processed. After every three requests, we pause for one minute before sending the next. | ||
Finally, because ZAP runs on the Java Virtual Machine (JVM), we can access the Java API from guest languages like JavaScript. Depending on how you installed ZAP, you might have manually installed a JVM yourself beforehand, or it might have been installed automatically as a dependency. |
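Review bot: the `count` paragraph never says where `count` is declared, and the paragraph just before it stresses that the injected parameters live only inside `processMessage`; state explicitly that `count` must be declared at script (global) scope, outside `processMessage`, so it persists between calls, otherwise a reader who declares it inside the function gets a counter that resets on every message and the one-minute pause never triggers. Also, "Or, in other words, how many requests the Fuzzer has processed." is a fragment; fold it into the preceding sentence ("...the number of times `processMessage` is called, in other words how many requests the Fuzzer has processed").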
Here, too. Thanks a bunch!
Signed-off-by: chibbyalucard <[email protected]>
@kingthorin I tried to add callouts/admonitions (called alerts in the Hugo docs) like this to match the look in the Notion doc, but it doesn't seem to work:
Can I add a template for alerts as shown in the docs here?