Lab: Inconsistent handling of exceptional input
This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete Carlos.
- Open the lab then go to the "Target" > "Site map" tab in Burp. Right-click on the lab domain and select "Engagement tools" > "Discover content" to open the content discovery tool.
- Click "Session is not running" to start the content discovery. After a short while, look at the "Site map" tab in the dialog. Notice that it discovered the path /admin.
- Try and browse to /admin. Although you don't have access, the error message indicates that
- Go to the account registration page. Notice the message telling DontWannaCry employees to use their company email address. Register with an exceptionally long email address in the format:
  You can find your email domain name by clicking the "Email client" button. The very long string should be at least 200 characters long.
- Go to the email client and click the link to complete the registration process.
- Log in and go to the "My account" page. Notice that your email address has been truncated to 255 characters.
- Log out and go back to the account registration page.
- Register a new account with another long email address in the format:
  Make sure that the very-long-string is the right number of characters so that the "m" at the end of @dontwannacry.com is exactly the 255th character.
- Log in with your new account and notice that you now have access to the admin panel. The confirmation email was successfully sent to your exploit server address but, server-side, the address associated with your account was truncated to 255 characters. Therefore, it appears to be a valid @dontwannacry.com address. You can confirm this from the "My account" page.
- Go to the admin panel and delete Carlos to solve the lab.
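A minimal model of the flaw, as an added Python example that is not the lab's or PortSwigger's code: the registration handler validates and mails the raw address, but the stored copy is silently cut to 255 characters and that truncated value is what the admin check reads. The column size, the `attacker-mail.example` domain and the helper names are constructed assumptions.

```python
# Added example, not the lab's own code. Models "validate the input, store a
# different value" versus "validate exactly the value that will be stored".
MAX_LEN = 255                   # assumed VARCHAR(255) column width
ADMIN_DOMAIN = "dontwannacry.com"


def domain_of(email: str) -> str:
    """Return the part after the last '@', or '' if there is none."""
    return email.rsplit("@", 1)[1] if "@" in email else ""


def register_vulnerable(email: str) -> dict:
    """Inconsistent handling: validation and confirmation mail use the raw
    address, but the database truncates it on store, and the privilege
    check later reads the truncated value."""
    if "@" not in email:
        raise ValueError("invalid email")
    mailed_to = domain_of(email)          # confirmation goes to the real domain
    stored = email[:MAX_LEN]              # silent truncation on store
    return {
        "stored": stored,
        "mailed_to_domain": mailed_to,
        "is_admin": domain_of(stored) == ADMIN_DOMAIN,
    }


def register_fixed(email: str) -> dict:
    """Consistent handling: reject anything the store cannot hold unchanged,
    and run the privilege check on the same value that will be persisted."""
    if "@" not in email or len(email) > MAX_LEN:
        raise ValueError("invalid email")
    stored = email                        # guaranteed to fit, nothing changes
    return {
        "stored": stored,
        "mailed_to_domain": domain_of(stored),
        "is_admin": domain_of(stored) == ADMIN_DOMAIN,
    }


def sample_email() -> str:
    """Constructed test input: local part padded so that '@dontwannacry.com'
    ends exactly at character 255, followed by an attacker-controlled
    placeholder domain that receives the confirmation mail."""
    local = "a" * (MAX_LEN - len("@" + ADMIN_DOMAIN))
    return local + "@" + ADMIN_DOMAIN + ".attacker-mail.example"
```

Running `register_vulnerable(sample_email())` shows the mail routed to the placeholder domain while the stored, truncated address passes the admin check; `register_fixed` rejects the same input outright.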