XSS and bypassing an Imperva WAF with JSFuck
As many of you know I have been in the DFIR realm now for just over 6 years and during that time have been very fortunate to attend many interesting and varied training courses, including SANS, De Montfort University, XRY and others. I have learned a lot of great stuff from some excellent instructors over the years and always left brimming with new knowledge!
This is where I sometimes run into an issue though. I will return to work and possibly not need that new and exciting capability for weeks or maybe months and then the dreaded skill fade will kick in. Then the first time you get to use your shiny new skill is on site in a production environment where all the stress of messing up actually means something.
I like most of you have, using google-fu skills trawled the internet for numerous CTF, challenges, etc and although found them challenging they can be somewhat dated at times.
I recently was very fortunate to gain access to Immersive labs (Full disclosure one of the main developers is my very good friend Kev Breen) I used a code whilst registering that was made available by Kev via Twitter here and here (I am led to believe these are set to expire on Friday but keep your eyes open in the run up to 44Con for more.
Once registered I had access to a limited number of labs across different skill sets. The interesting point to note here is the ease of access from anywhere as long as you have an up to date web browser and have registered an account then you can complete the labs.
I really enjoyed the labs as they were all contained within their own virtual environments and came with question sets for you to answer. The labs were all pitched at levels from beginner, intermediate to advanced and the best part is they have a scoring system which places you on a leader board within your area of expertise, allowing you to compete against your fellow cyber geeks!
The main thing was I could play in the lab to my hearts content and if I messed things up I could simply reset the lab and continue, there was no pressure on me and I learned valuable lessons during the hands on interaction. I only had access to a small set of the labs and believe there are literally hundreds more with full access. As an individual I wont get full access but this is something that I am pushing to my current employers to see if we can integrate this into our current training solution to work alongside the residential courses we currently attend. Either way I recommend this as something you give a go and see if it helps you in the same way it has helped me!