So, here’s the plan: my lab CMS is running, and I’m ready to test it on dev.zeroscorpion.cms before fixing the issues on the main site zeroscorpion.cms. Seems logical, right? After all, it’s just a lab, and I’m learning — what’s the harm in diving in headfirst?
Enter my shiny, licensed copy of Burp Suite Pro. Armed with the enthusiasm of a noob and zero strategy, I confidently set out to find all the vulnerabilities and become the ultimate web hacker. Spoiler alert: it didn’t quite go as planned.
As a seasoned system administrator, you’d think I’d know better. I mean, I’d never run random programs I downloaded off the internet on a production network. (Wink, wink.) And of course, I always give my SOC team a heads-up before introducing new tools…right? Let’s just say, my machine has been locked down faster than I could say “pentesting practice” a few times.
Before we dive in, let’s take a quick look at the original user count in the database: a total of 6 users. Seasoned pros out there are probably already guessing where this is headed…
So I fired up Burp and selected the scan type “Crawl and Audit”.
I entered my target, https://dev.zeroscorpion.cms.
Without fully understanding or researching what each scan actually does, I jumped straight into running a DEEP scan.
The scan is complete, and Burp Suite has identified multiple issues with my custom CMS, which was expected given how it was built. There are 11 high-severity vulnerabilities, so I’ll focus on addressing those first. My initial thought was, “Great, fixing these should make the CMS secure, right?” However, reflecting on the brainstorming sessions with ChatGPT during the CMS development, I realize there may still be several intentionally introduced vulnerabilities that haven’t been identified yet. But that’s all part of the learning process, isn’t it?
I logged into my CMS and immediately noticed that something was seriously wrong — multiple popups started appearing.
Then I navigated to the user section, and OMG — my 6 users had somehow multiplied into 597! Turns out, Burp Suite had gone on a user-creation spree. Where did all these users come from? A quick glance at the email addresses revealed they were all from burpcollaborator.net. Clearly, I didn’t fully understand the options I had selected, and I ended up flooding my CMS with hundreds of users. Big lesson learned: always double-check & understand those settings before unleashing chaos!
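The two clues in the story above (a sudden burst of registrations, and e-mail addresses on a scanner’s callback domain) are exactly what a quick triage script can look for after an over-eager audit. The example below is added here and is not code from the post or from the author’s CMS; it assumes the users table has been pulled into a list of dicts with `id`, `email` and `created_at` fields, and the sample records it builds are constructed for illustration (the hypothetical `probeN@...burpcollaborator.net` addresses mimic what the post describes). It flags accounts by known scanner domain and, independently, by dense registration bursts, so it would also catch a spree whose addresses used a domain you had not listed.

```python
from datetime import datetime, timedelta

# Domains that indicate an account was created by a scanner's out-of-band payload.
# burpcollaborator.net is the one seen in the post; extend this tuple for your own tooling.
SCANNER_DOMAIN_SUFFIXES = ("burpcollaborator.net",)


def build_sample_users():
    """Constructed sample data: 6 legitimate accounts plus 40 scanner-created ones."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    users = [
        {"id": i, "email": f"user{i}@example.org",
         "created_at": base - timedelta(days=30 - i)}          # days apart, i.e. normal sign-ups
        for i in range(1, 7)
    ]
    scan_start = datetime(2024, 1, 10, 14, 2, 0)
    for n in range(40):                                        # 40 accounts, one every 3 seconds
        users.append({
            "id": 100 + n,
            "email": f"probe{n}@abc{n}.burpcollaborator.net",  # hypothetical scanner-style address
            "created_at": scan_start + timedelta(seconds=3 * n),
        })
    return users


def email_domain(email):
    """Return the lower-cased domain part of an address."""
    return email.rsplit("@", 1)[-1].lower()


def is_scanner_domain(email, suffixes=SCANNER_DOMAIN_SUFFIXES):
    """True if the address is on, or under, one of the known scanner domains."""
    domain = email_domain(email)
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def registration_bursts(users, max_gap=timedelta(seconds=60), min_burst=20):
    """Group accounts whose creation times are no more than max_gap apart;
    return only the groups large enough to count as a burst."""
    ordered = sorted(users, key=lambda u: u["created_at"])
    clusters, current = [], []
    for user in ordered:
        if current and user["created_at"] - current[-1]["created_at"] > max_gap:
            clusters.append(current)
            current = []
        current.append(user)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) >= min_burst]


def triage(users):
    """Separate accounts that look scanner-created from the ones worth keeping."""
    domain_ids = {u["id"] for u in users if is_scanner_domain(u["email"])}
    burst_ids = {u["id"] for cluster in registration_bursts(users) for u in cluster}
    suspect = domain_ids | burst_ids
    return {
        "scanner_domain_ids": sorted(domain_ids),
        "burst_ids": sorted(burst_ids),
        "suspect_ids": sorted(suspect),
        "legit_ids": sorted(u["id"] for u in users if u["id"] not in suspect),
    }


if __name__ == "__main__":
    result = triage(build_sample_users())
    print(f"{len(result['suspect_ids'])} suspect accounts, "
          f"{len(result['legit_ids'])} legitimate: {result['legit_ids']}")
```

Running it against the constructed sample reports 40 suspect accounts and leaves the 6 original users untouched. On a real table, review the `suspect_ids` list before deleting anything: the burst rule is deliberately independent of the domain rule so that a legitimate marketing-driven sign-up spike is surfaced for a human decision rather than silently purged.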
All humor aside, this incident highlights the critical importance of fully understanding the tools you’re about to use and being aware of the potential issues they might cause. While this happened in a controlled lab environment — and thankfully, I had an in-built database reset function specifically for scenarios like this — in the real world, such mistakes could have serious consequences. Blindly running scans on production websites not only risks breaching the scope of the assessment but could also lead to embarrassment or even legal issues.
This is exactly why creating your own lab environment is so important. It provides a safe space to make and learn from mistakes without real-world repercussions. By practicing in a lab, you can refine your techniques, avoid costly errors, and gain the confidence needed before tackling external live sites. Mistakes like this become valuable learning experiences rather than potential disasters.