Another ‘poke around and see what you can see’ class of vulnerabilities. A web crawler would definitely come in handy. I’d currently put this second (after directory traversal and before command injection) if you are just starting out. The only kind of tricky lab was the final one that involved version control and Git, but that’s quick enough to find info on.
Information disclosures are kind of like finding the end of the thread that you’ve got to keep pulling on and untangling until you get things working. Most are probably in the ‘meh’ category, but occasionally you might find a doozy. Definitely more of a starting point than a destination.
I didn’t script these because I didn’t find it necessary. Not a value add for this section. I thought about how I could script some of it, but there are a lot of available tools to look for directories and whatnot, so unless I needed something specific or things were banned, I probably would let my toolset do its job for these. I did learn about some additional methods (TRACE) and headers (X-Custom-IP-Authorization) that I hadn’t messed with before. Which is why I’m doing the academy content. I know I need more experience with appsec.
I’ve also been thinking about how I can take the blue team skills I’m working on and apply them to bug bounty type work to get some additional practice. It’s not as straightforward, but I’m connecting some dots. Thinking like an attacker is good. It’s one of those things where I have to keep priorities in mind though.