Posts

Showing posts from April 19, 2026

Bypassing access controls using email address parsing discrepancies

The Bypassing Access Controls Using Email Address Parsing Discrepancies vulnerability is a sophisticated example of how inconsistencies between different parsing mechanisms can undermine otherwise well-intentioned access control restrictions. In this lab, the application attempts to restrict account registration to users with email addresses belonging to a trusted internal domain. The intention is to ensure that only legitimate users associated with the organization can create accounts and access privileged features. However, the application validates email addresses using one interpretation method while the underlying email delivery system parses them differently. This discrepancy creates an opportunity for attackers to craft specially encoded email addresses that pass validation but deliver confirmation emails to attacker-controlled inboxes. The attack begins by identifying the registration restriction enforced by the application. When opening the registration page and attempti...

Authentication bypass via encryption oracle

The Authentication Bypass via Encryption Oracle vulnerability demonstrates how cryptographic functionality can be abused when an application exposes both encryption and decryption behavior to the client. In this lab, the application uses encrypted cookies to store authentication and notification data. Although the encryption itself may be technically strong, the application leaks enough information through different endpoints to act as an encryption oracle and a decryption oracle, allowing an attacker to forge valid authentication tokens and impersonate another user. The attack begins by logging in as a normal user with the “Stay logged in” option enabled. After authentication, the server issues a stay-logged-in cookie. By inspecting the request and response in Burp Suite, it becomes clear that this cookie is encrypted rather than plain text. This suggests that the application uses the cookie to persist authentication state securely. At this point, the attacker does not know ...

Infinite money logic flaw

The Infinite Money Logic Flaw is a business logic vulnerability that allows an attacker to generate unlimited store credit by abusing the interaction between the application’s discount system and gift card functionality. Unlike common technical vulnerabilities such as SQL injection or broken authentication, this issue arises because individually legitimate features interact in an unintended way. The application allows users to purchase gift cards, apply discount coupons to reduce the purchase price, and later redeem those gift cards at full value. Because the redemption value is greater than the discounted purchase cost, the attacker can generate profit from each cycle and repeat the process indefinitely. The attack begins when the user logs into the application and signs up for the newsletter. As part of the signup process, the application provides a promotional coupon code: SIGNUP30. This coupon grants a 30% discount on purchases. Normally, such coupons are meant to encourage p...

Authentication bypass via flawed state machine

Understanding the Vulnerability

This vulnerability demonstrates a serious flaw in session state management and workflow enforcement, where the application incorrectly assigns privileges when an expected intermediate step is skipped. Instead of securely requiring completion of the role-selection process, the backend mishandles incomplete session states and grants elevated access by default. This type of vulnerability can lead to privilege escalation, allowing a normal authenticated user to gain unauthorized administrator access without exploiting traditional issues such as SQL injection or broken passwords.

Step 1: User Logs In Normally

The attack starts with a legitimate login attempt using valid credentials. The user submits a request like: POST /login. At this stage, the application verifies the username and password successfully. However, instead of immediately taking the user to the dashboard, the application triggers an additional step before finalizing the session.

Step 2: Ba...

Insufficient workflow validation

This vulnerability demonstrates insufficient workflow validation, where the application fails to enforce the correct sequence of actions during the purchasing process. Instead of verifying that each critical step in the workflow has been legitimately completed, the application trusts that users will follow the intended process and allows direct access to later stages without confirming earlier requirements. The issue becomes visible when observing the checkout process through Burp Suite. After logging in and purchasing an item that can be afforded with the available store credit, the request flow reveals multiple steps involved in completing an order. When the user places the order, the application sends a POST /cart/checkout request, which processes the payment and then redirects the user to an order confirmation page. The confirmation page is accessed through a request such as: GET /cart/order-confirmation?order-confirmation=true. Under normal conditions, this page should only be ac...

Weak isolation on dual-use endpoint

This vulnerability demonstrates weak isolation on a dual-use endpoint, where a single backend function is used for multiple operations without properly separating privilege levels or enforcing appropriate validation. In this case, the password change functionality is intended for normal users to update their own credentials, but due to poor access control and missing validation, it can be abused to reset another user’s password—including an administrator’s. The issue begins by analyzing the password change feature available on the user account page. Under normal circumstances, changing a password should require the user to provide their current password as proof of identity before setting a new one. This ensures that only the legitimate account owner can perform the operation, even if their session is compromised. By intercepting the POST /my-account/change-password request in Burp Suite and sending it to Repeater, the request structure can be examined. It contains parameters su...

Inconsistent handling of exceptional input

This vulnerability demonstrates a case of inconsistent handling of exceptional input, where different components of the application process unusually large input values differently, leading to a mismatch in how user identity is stored, validated, and later trusted for authorization. The attack begins by discovering a hidden administrative endpoint (/admin) through content discovery tools. Direct access to this endpoint is blocked, but the response reveals an important condition: only users with a specific corporate email domain are allowed access. This indicates that administrative authorization is based on email address matching rather than a proper role-based access control system. The registration process suggests that employees should use a company email address, but it does not strictly enforce this rule. At this stage, the system already relies on email-based assumptions for identity. However, the key vulnerability is revealed when testing how the system handles exception...

Low-level logic flaw

This vulnerability demonstrates a low-level logic flaw caused by integer overflow, where the application incorrectly handles numeric limits in its backend pricing calculations. Instead of safely validating or constraining arithmetic operations, the system uses a fixed-size integer type, which can overflow when pushed beyond its maximum allowed value, resulting in unexpected negative values and broken pricing logic. The issue begins during the normal checkout flow, where the user attempts to purchase a high-value item (the leather jacket). The application correctly rejects the order initially due to insufficient store credit. However, by intercepting the request flow using Burp Suite, the user observes that the quantity parameter in the POST /cart request is restricted to a two-digit value. This suggests a superficial client-side or input-layer restriction, but not a true backend limitation. By sending the request to Burp Intruder, the quantity parameter is aggressively manipulat...

Flawed enforcement of business rules

This vulnerability demonstrates a flawed enforcement of business rules, where the application attempts to restrict coupon usage but fails to properly enforce constraints across multiple inputs. Instead of validating discount rules in a centralized and secure manner, the system relies on weak state tracking in the frontend or session logic, which can be bypassed by alternating inputs in a specific sequence. The application provides two discount mechanisms: a fixed welcome coupon (NEWCUST5) and a newsletter signup coupon (SIGNUP30). Both coupons are intended to be used under certain limitations, typically with restrictions such as one-time use or single application per order. However, the enforcement of these rules is inconsistent. When a user applies the same coupon code twice consecutively, the system correctly rejects the second attempt, indicating that some form of duplicate detection exists. This suggests that the application is tracking previously applied coupons, but onl...