customizing my personal blog

Author: T3chnocr4tX

Gemfile

@@ -12,3 +12,9 @@ platforms :mingw, :x64_mingw, :mswin, :jruby do
 end
 
 gem "wdm", "~> 0.2.0", :platforms => [:mingw, :x64_mingw, :mswin]
+
+gem "csv", "~> 3.3"
+
+gem "logger", "~> 1.7"
+
+gem "base64", "~> 0.3.0"

_config.yml

@@ -9,27 +9,27 @@ theme: jekyll-theme-chirpy
 lang: en
 
 # Change to your timezone › https://kevinnovak.github.io/Time-Zone-Picker
-timezone: Asia/Shanghai
+timezone: Africa/Lagos
 
 # jekyll-seo-tag settings › https://github.com/jekyll/jekyll-seo-tag/blob/master/docs/usage.md
 # ↓ --------------------------
 
-title: Chirpy # the main title
+title: T3chnocr4tX # the main title
 
-tagline: Secure Your Apps And APIs # it will display as the subtitle
+tagline: Practical tips to secure your apps & APIs. # it will display as the subtitle
 
 description: >- # used by seo meta and the atom feed
-  A minimal, responsive and feature-rich Jekyll theme for technical writing.
+  Discover practical techniques to identify vulnerabilities in apps and APIs, plus expert tips to secure them. Stay ahead with actionable insights on app security. #AppSecurity #APISecurity #VulnerabilityHunting #CybersecurityTips #SecureCoding #WebAppProtection #APIVulnerabilities #PracticalSecurity #CyberSec #SecureDevelopment
 
 # Fill in the protocol & hostname for your site.
 # E.g. 'https://username.github.io', note that it does not end with a '/'.
 url: "https://t3chnocr4tx.github.io"
 
 github:
-  username: t3chnocr4tx # change to your GitHub username
+  username: T3chnocr4tx # change to your GitHub username
 
 twitter:
-  username: t3chnocr4tx # change to your Twitter username
+  username: T3chnocr4tx # change to your Twitter username
 
 social:
   # Change to your full name.
@@ -38,7 +38,7 @@ social:
   email: [email protected] # change to your email address
   links:
     # The first element serves as the copyright owner's link
-    - https://x.com/t3chnocr4tx # change to your Twitter homepage
+    - https://twitter.com/t3chnocr4tx # change to your Twitter homepage
     - https://github.com/t3chnocr4tx # change to your GitHub homepage
     # Uncomment below to add more social links
     # - https://www.facebook.com/username
@@ -95,10 +95,10 @@ theme_mode: # [light | dark]
 # will be added to all media resources (site avatar, posts' images, audio and video files) paths starting with '/'
 #
 # e.g. 'https://cdn.com'
-cdn: "https://chirpy-img.netlify.app"
+cdn:
 
 # the avatar on sidebar, support local or CORS resources
-avatar: "/commons/avatar.jpg"
+avatar: https://pbs.twimg.com/profile_images/1911690195109322752/uZu8y-kY_400x400.jpg
 
 # The URL of the site-wide social preview image used in SEO `og:image` meta tag.
 # It can be overridden by a customized `page.image` in front matter.
@@ -223,4 +223,4 @@ jekyll-archives:
     tag: tag
   permalinks:
     tag: /tags/:name/
-    category: /categories/:name/
+    category: /categories/:name/

_posts/.placeholder

@@ -1 +0,0 @@
-

_posts/2024-05-24-Username-enumeration-via-different-responses.md

@@ -0,0 +1,79 @@
+---
+title: Username enumeration via different responses
+description: This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password.
+date: 2024-05-24 11:33:00 +0800
+categories: [Web Security Academy Labs]
+tags: [username enumeration, Authentication]
+pin: true
+math: true
+mermaid: true
+image:
+  path: https://static.vecteezy.com/system/resources/previews/025/463/773/non_2x/hacker-logo-design-a-mysterious-and-dangerous-hacker-illustration-vector.jpg
+  alt: password-reset-poisoning
+---
+
+
+***
+# Authentication
+### Lab#: Username enumeration via different responses
+***
+
+Hola 👋, welcome back! Here is my write-up on [Username Enumeration via Different Responses](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses) on Web Security Academy, where I will go through how I approached it. This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password.
+
+
+***
+### End Goal :#
+- Solve the lab, enumerate a valid username, brute-force the user's password
+- Then access the account page.
+
+### Username enumeration
+**_Username enumeration is when an attacker is able to observe changes in the website's behavior in order to identify whether a given username is valid._**
+
+***
+### Testing for vulnerabilities
+We are given a wordlists for the username and password:
+
+[Candidate usernames](https://portswigger.net/web-security/authentication/auth-lab-usernames)
+
+[Candidate passwords](https://portswigger.net/web-security/authentication/auth-lab-passwords)
+
+- Accessing the lab, let's check for the features and functionality of the web app to know what type of vulnerabilities to look for. It is a blog site 😎
+
+![1](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/69ac04d5-8bec-4a6f-9ffe-054cc1d102a9)
+
+- Let's go to the login page and submit an invalid username and password and see if we get an 'invalid username' message.
+
+![2](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/b3fd2771-27fa-4597-b9ad-f7d8c9e112ae)
+
+- In Burp, go to Proxy > HTTP history tab and find the POST /login request. Send it to the Repeater tab so we can see it clearly there.
+
+![3](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/79843416-420f-4713-bc31-7e551b408077)
+
+- Highlight the value of the username parameter in the request and send it to Burp Intruder. Go to Burp Intruder in the Positions tab. We can see that the username parameter is automatically set as a payload position, indicated by two § symbols. And select the attack type to sniper.
+
+![4](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/dcfa48b5-2543-4580-bd30-75f906872ebd)
+
+- After that, go to the Payloads tab and make sure that the Simple list payload type is selected. Under Payload settings, paste the list of candidate usernames. and, click Start attack.
+
+![5](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/1ecd1812-1058-4a27-abd6-3dd7ac1f0f82)
+
+- When the attack is complete, on the Results tab, check the Length column. Notice that one of the entries is longer than the others. Compare the response to this payload with the other responses. Notice that the other responses contain the message 'Invalid username,' but this response says 'Incorrect password,' i.e., we now know the username.
+
+![6](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/2d01de38-ea14-4417-8e63-b9c59194786a)
+
+- So, let's close the attack and go back to the Positions tab. Click Clear, then change the value of the username parameter to the username we found. Add a payload position to the password parameter.
+- On the Payloads tab, clear the list of usernames and replace it with the list of candidate passwords. Then click Start attack.
+- When the attack is finished, let's look at the Status column. Notice that each request received a response with a 200 status code except for one, which got a 302 response. This indicates that the login was successful.
+
+![7](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/20e27afa-5c21-48d4-b627-16b2adbc91e5)
+
+- Now that we know the username and password, let's log in to access the account and solve the labs.
+- Note: yours might be different because it unpredictable.
+
+![giphy](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/f676abd6-e5a8-4e9c-9f44-fa3f9c7408e0)
+
+![8](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/93d3fd11-55f6-42ec-9c2a-2edc07eee44c)
+
+That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @[T3chnocr4t](https://twitter.com/T3chnocr4t). Feel free to DM me if you have any issues with my write-up. Thanks!
+
+[Go Back Home](https://t3chnocr4t.github.io/)

_posts/2024-05-27-2fa-simple-bypass.md

@@ -0,0 +1,46 @@
+---
+title: "2FA simple bypass"
+description: >-
+  The web app has a two-factor authentication functionality that can be bypassed. We have already obtained a valid username and password but do not have access to the user's 2FA verification code.
+date: 2024-05-27 12:10:00 +0800
+categories: [Web Security Academy Labs]
+tags: [2FA Bypass]
+---
+
+
+
+# Authentication
+### Lab#: 2FA simple bypass
+
+
+Welcome 👋 back , friends! Here is my write-up on [2FA simple bypass](https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/authentication-apprentice/authentication/multi-factor/lab-2fa-simple-bypass) based on Web Security Academy labs. The web app has a two-factor authentication functionality that can be bypassed. We have already obtained a valid username and password but do not have access to the user's 2FA verification code. Our task is to bypass the verification code for the 2FA. Let's get started, guys.
+
+![giphyr,](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/04ba9281-a073-4bda-a980-020573be9162)
+
+### End Goal #:
+- Solve the lab and Access carlos account page.
+
+***
+### Testing for vulnerabilities
+- Let's check the functionality of the web app. The app is a blog site.
+
+![2fa1](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/6a25461a-0e83-486f-ad5c-ec9f21a0c5a3)
+
+- We are given an account; let's log in to our account. We are sent a 2FA verification code to our email. Let's check our email to get the code.
+
+![2fa3](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/d210e7eb-e944-4442-aee3-4e543da15341)
+
+![2fa2](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/a098854f-2990-47a0-9827-892f7f4f95c0)
+
+- By checking Burp, we can see that our username is the value of the ID parameter when we log in. Let's log out and log in as the user Carlos to access his account without his verification code.
+
+![2fa5](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/8f251da6-d38b-440e-8b1b-e439cee89e12)
+
+- Using the credentials for user Carlos, let's log in. Since we cannot access his email, let's send the request to the Repeater tab, modify the request, and navigate to `/my-account?id=carlos`. The lab is solved when the page loads.
+- Or, after we log in, go back to the main web page and click the login functionality again, and it will automatically log in as the user Carlos.
+
+![2fa6](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/19b17e60-a3cd-48c4-ba1b-f7592968c556)
+
+That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @[T3chnocr4t](https://twitter.com/T3chnocr4t). Feel free to DM me if you have any issues with my write-up. Thanks!
+
+[Go Back Home](https://t3chnocr4t.github.io/)

_posts/2024-11-07-Username-enumeration-via-subtly-different-responses.md

@@ -0,0 +1,67 @@
+---
+title: Username enumeration via subtly different responses
+description: >-
+  This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists.
+date: 2019-08-09 20:55:00 +0800
+categories: [Web Security Academy Labs]
+tags: [username enumeration, Authentication]
+pin: false
+---
+
+
+***
+# Authentication
+## Username enumeration via subtly different responses
+***
+
+Yo, people!😎 It's been a while. Here is another lab solution based on PortSwigger Labs. This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists. Our task is to find the valid credentials and log in. Let's go, guys!
+
+```
+
+    Candidate usernames
+    Candidate passwords
+
+```
+![hacking](https://github.com/user-attachments/assets/e5afe668-554f-49f1-93ff-b80660446e56)
+
+
+*** 
+### Authentication
+*Authentication vulnerability is a weakness in a system that allows attackers to bypass or break the process used to verify users' identities.*
+
+### End Goals:
+- Login valid credentials.
+
+***
+### Steps To Reproduce:
+
+![1](https://github.com/user-attachments/assets/46e049da-8937-48e8-bad6-39ccec7cdb81)
+
+- Check all the features and functionality of the application. Be sure to enable your proxy to capture and analyze the and then go to the login functionality pages.
+- Enter any username and password you want, then send the request to the Intruder tab and modify some settings.
+- In the Payloads make sure that the Simple list payload type is selected and the list of candidate usernames, then in the Settings side panel.Under Grep - Extract, click Add. in the response that appearwe show scroll down we will see `Invalid username or password.` Use the mouse to highlight the text content of the message. then click ok to start the attacks.
+
+![2](https://github.com/user-attachments/assets/4c1d23c3-45a2-46b5-9717-025031b21f32)
+
+![3](https://github.com/user-attachments/assets/b9a27553-c996-46af-99e8-013e116e9c2e)
+
+- In the results, we can see one response that doesn't have a period in the error message. This indicates it's valid. Let’s notice the username.
+
+![6](https://github.com/user-attachments/assets/d3377680-0090-4ca5-ab77-2e7ce9f319c7)
+
+- We have a valid username, so now let's enumerate the passwords to get the full credentials.
+- paste the list of passowrd in the payload configuration and start the attacks.
+
+![7](https://github.com/user-attachments/assets/9a8d2eb7-6741-49c3-8eb3-2af22aa25a48)
+
+- Only one response has a different code, 302, which means we have a valid password.
+
+![8](https://github.com/user-attachments/assets/d73e7c6f-f808-4938-8b6c-15256c8f3a49)
+
+- Logging in we sloved the labs.
+
+![9](https://github.com/user-attachments/assets/15493951-211a-4986-9c1a-76acf50d15c9)
+
+That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @[T3chnocr4t](https://twitter.com/T3chnocr4t). Feel free to DM me if you have any issues with my write-up. Thanks!
+
+[Go Back Home](https://t3chnocr4t.github.io/)