Get Origin Headers
This function returns the origin server headers (the headers as received by the origin server). To interpret the client
classification headers, visit [this] documentation page. The custom headers start with BCH.
Generate BOLA Script
Click "Generate BOLA Script" to generate a ready-to-go, one-line bash script that exploits the BOLA vulnerability.
When executed, the whole user database will be extracted by abusing the BOLA vulnerability in
the /api/GetUserDetails endpoint. You need to be authenticated to generate it (as it needs a session identifier).
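The weakness described above is a missing object-level authorization check: the endpoint verifies that the caller has a session but not that the session owner is allowed to read the requested user id. The following is an added example, not the demo application's own code; the session store, user table, handler names and response shape are all constructed for illustration. It shows a vulnerable handler next to the fixed one and a small check that confirms the fix stops one session from walking the whole user table.

```python
# Added example (not the demo application's code): object-level authorization
# for a GetUserDetails-style endpoint. Session store, user table and the
# handler signatures are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a session token maps to the user id that owns it.
SESSIONS = {"sess-alice": 1, "sess-bob": 2}
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.invalid"},
    2: {"id": 2, "name": "bob", "email": "bob@example.invalid"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_user_details_vulnerable(session: str, user_id: int) -> Response:
    """Authenticated but not authorized: any logged-in user can read any
    record just by changing user_id. This is the BOLA pattern."""
    if session not in SESSIONS:
        return Response(401)
    user = USERS.get(user_id)
    return Response(200, user) if user else Response(404)


def get_user_details_fixed(session: str, user_id: int) -> Response:
    """Same endpoint with an object-level check: the caller may only read
    the record that belongs to the session owner."""
    caller_id = SESSIONS.get(session)
    if caller_id is None:
        return Response(401)
    if caller_id != user_id:
        # 404 rather than 403, so the endpoint does not confirm that the
        # requested user id exists.
        return Response(404)
    user = USERS.get(user_id)
    return Response(200, user) if user else Response(404)


def readable_ids(handler, session: str, max_id: int) -> list:
    """Test helper: which ids in 1..max_id does one session get a 200 for?
    With the vulnerable handler that is every existing record; with the
    fixed handler it is only the caller's own."""
    return [uid for uid in range(1, max_id + 1)
            if handler(session, uid).status == 200]


if __name__ == "__main__":
    print("vulnerable:", readable_ids(get_user_details_vulnerable, "sess-alice", 5))
    print("fixed:     ", readable_ids(get_user_details_fixed, "sess-alice", 5))
```

The check belongs in the handler (or a shared authorization layer), not in the WAF: a WAF can rate-limit or pattern-match the extraction script, but it cannot know which user id a given session is entitled to read.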
Run Brute-Force Attack
This script will generate a brute-force attack against the authentication endpoints.
You need to provide the number of failed attempts before the successful attempt is tried. Please
provide a valid username and password, as the last attempt will use the credentials provided. They need to be
valid if you want to simulate the successful attempt.
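From the detection side, the traffic this script produces has a recognizable shape: a run of failed logins for one account from one source, immediately followed by a success. The following is an added example, not part of the demo application; the log line format, field names and the threshold of five failures are assumptions, and the log lines are constructed. It flags only successes that were preceded by a failure streak at or above the threshold, so an ordinary user who mistypes a password once is not reported.

```python
# Added example (not the demo application's code): flag a successful login
# that was preceded by a run of failures for the same source/account pair.
# Log format, field names and threshold are assumptions.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$'
)

# Constructed sample log lines: alice is brute-forced (5 failures, then
# success), bob mistypes once, carol logs in normally.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z auth src=198.51.100.7 user=alice result=fail
2024-01-01T10:00:02Z auth src=198.51.100.7 user=alice result=fail
2024-01-01T10:00:03Z auth src=198.51.100.7 user=alice result=fail
2024-01-01T10:00:04Z auth src=198.51.100.7 user=alice result=fail
2024-01-01T10:00:05Z auth src=198.51.100.7 user=alice result=fail
2024-01-01T10:00:06Z auth src=198.51.100.7 user=alice result=ok
2024-01-01T10:01:00Z auth src=192.0.2.9 user=bob result=fail
2024-01-01T10:01:05Z auth src=192.0.2.9 user=bob result=ok
2024-01-01T10:02:00Z auth src=192.0.2.10 user=carol result=ok
"""


def parse(log_text: str):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_bruteforce_successes(log_text: str, threshold: int = 5) -> list:
    """Return (src, user, failures) for each success immediately preceded by
    at least `threshold` consecutive failures from the same source against
    the same account. A success resets the streak for that pair."""
    streak = defaultdict(int)
    hits = []
    for ev in parse(log_text):
        key = (ev["src"], ev["user"])
        if ev["result"] == "fail":
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                hits.append((ev["src"], ev["user"], streak[key]))
            streak[key] = 0
    return hits


if __name__ == "__main__":
    for src, user, n in find_bruteforce_successes(SAMPLE_LOG):
        print(f"possible credential guess: {user} from {src} after {n} failures")
```

Keying the streak on the source and account pair keeps a distributed attack (many sources, one account) from being masked by a single source's small counter; a second rule keyed on account alone would catch that case.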
Run WAF Attack
You can select an attack template and send the malicious payload towards the application. You can also provide
your own payload. The payload will be sent towards the /api/ReflectInput endpoint and should be blocked if the WAF
works correctly.
Test WAF/ABP Challenges
Please select one of the available challenges and the WAF will be forced to run this
challenge against your browser. If you fail to solve the challenge, you will get blocked. Some challenges
are interactive, some don't require user interaction.
Run Request Flood Attack
This script will generate a large amount of requests sent to the /api/ReflectInput endpoint. This endpoint
is protected by a rate-limiting rule which will allow only up to 20 requests in a given minute. If you send more,
the subsequent requests should be blocked.
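The rule described above is a fixed-window limit: a counter per client that resets every calendar minute. The following is an added example, not the demo application's or WAF's own implementation; the per-client key (a source address), the clock parameter and the flood simulation are assumptions. Passing the clock in explicitly makes the rollover behaviour checkable without waiting a real minute.

```python
# Added example (not the demo application's code): a fixed-window limiter
# matching the rule above, 20 requests per client per calendar minute.
# Client key, limit and the injected clock are assumptions.
from collections import defaultdict

LIMIT_PER_MINUTE = 20


class FixedWindowLimiter:
    def __init__(self, limit: int = LIMIT_PER_MINUTE):
        self.limit = limit
        # (client, minute index) -> requests seen in that minute
        self.counts = defaultdict(int)

    def allow(self, client: str, now: float) -> bool:
        """Count the request in the current minute and return whether it
        is within the limit. `now` is seconds since the epoch."""
        window = int(now // 60)
        key = (client, window)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate_flood(n_requests: int, client: str = "203.0.113.5",
                   start: float = 0.0, spacing: float = 0.5) -> dict:
    """Send n_requests from one client, `spacing` seconds apart, and report
    how many were allowed and how many blocked. Constructed traffic."""
    limiter = FixedWindowLimiter()
    allowed = blocked = 0
    for i in range(n_requests):
        if limiter.allow(client, start + i * spacing):
            allowed += 1
        else:
            blocked += 1
    return {"allowed": allowed, "blocked": blocked}


if __name__ == "__main__":
    # 50 requests inside one minute: 20 pass, 30 are blocked.
    print(simulate_flood(50))
    # 50 requests spread over several minutes: the counter resets each minute.
    print(simulate_flood(50, spacing=3.0))
```

One caveat a fixed window carries: a client can send 20 requests at the end of one minute and 20 at the start of the next, so the true peak over any 60-second span is double the nominal limit. A sliding window or token bucket avoids that if the rule needs to be strict.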
Upload an (infected) file
This script emulates the file upload activity. You can provide a file name and payload. You can also select
from the provided templates. The payload will be sent as multipart/form-data content type. It should get blocked if
recognized as malicious by the AV engine.