Welcome to Neo-Tokyo

Solving Portswigger Labs with ZAP: 2FA bypass using a brute-force attack Lab Info: This lab’s two-factor authentication is vulnerable to brute-forcing. You have already obtained a valid username and password, but do not have access to the user’s 2FA verification code. Victim’s credentials: carlos:montoya Goal: To solve the lab, brute-force the 2FA code and access Carlos’s account page. Rel...

Solving Portswigger Labs with ZAP: 2FA bypass using a brute-force attack Lab Info: This lab’s two-factor authentication is vulnerable to brute-forcing. You have already obtained a valid username and password, but do not have access to the user’s 2FA verification code. Victim’s credentials: carl...

Solving Portswigger Labs with ZAP: Password brute-force via password change Lab Info: This lab’s password change functionality makes it vulnerable to brute-force attacks. To solve the lab, use the list of candidate passwords to brute-force Carlos’s account and access his “My account” page. Goal: Access Carlos “My account” page Steps: 1) Always test the application’s functionalities using ...

Solving Portswigger Labs with ZAP: Password brute-force via password change Lab Info: This lab’s password change functionality makes it vulnerable to brute-force attacks. To solve the lab, use the list of candidate passwords to brute-force Carlos’s account and access his “My account” page. Goa...

Solving Portswigger Labs with ZAP: Broken brute-force protection, multiple credentials per request Lab Info: This lab is vulnerable due to a logic flaw in its brute-force protection. Victim’s username: carlos Goal: To solve the lab, brute-force Carlos’s password, then access his account page. Steps: 1) After stress testing the login panel, we quickly found that there’s a blocking mechanis...

Solving Portswigger Labs with ZAP: Broken brute-force protection, multiple credentials per request Lab Info: This lab is vulnerable due to a logic flaw in its brute-force protection. Victim’s username: carlos Goal: To solve the lab, brute-force Carlos’s password, then access his account page....

Solving Portswigger Labs with ZAP: Password reset poisoning via middleware Lab Info: This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server. Goal: T...

Solving Portswigger Labs with ZAP: Password reset poisoning via middleware Lab Info: This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. You can log in to your own account using the following credentials: wiener:pete...