Proxy Pursuit
LoadMesh's ops console shows live connection telemetry. Behind the login, one of the pages trusts a request header the user fully controls. Log in with admin / admin. The injection is not on any form.
The Scenario
LoadMesh's ops console trusts X-Forwarded-For for per-IP connection filtering, a classic oversight for infra that normally sits behind a trusted reverse proxy, where only the proxy can set that header. The moment the console is exposed directly, anyone can set it, and its value flows straight into the filter's query: that trust becomes a free SELECT. Credentials are admin / admin.
Challenge Intel
Synopsis
A master-tier SQL injection lab where the vulnerable surface sits inside request metadata, not a form.
What It Is
LoadMesh's operations console was built to sit behind a trusted reverse proxy and takes that assumption for granted when logging and filtering connections. Exposed directly, that assumption opens an injection surface that has nothing to do with any visible input field. Credentials are handed to you up front so you can focus entirely on the injection surface.
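To make the trust boundary described above concrete, here is an added illustration of the bug class, not LoadMesh's code and not a walkthrough of this lab. The schema, sample rows, trusted-proxy address and the UNION payload are all constructed for the demo. It pairs a per-IP filter that trusts X-Forwarded-For unconditionally and formats it into SQL with a hardened version that only honours the header when the TCP peer is the known proxy, validates the value as an IP address, and binds it as a parameter.

```python
import ipaddress
import sqlite3

# Constructed sample data, not LoadMesh's schema: a telemetry table plus a
# credentials table that the injection is going to reach.
CONNECTIONS = [
    ("10.0.0.5", "web-1", 200),
    ("10.0.0.5", "web-2", 503),
    ("203.0.113.9", "api-1", 404),
]
USERS = [("admin", "constructed-hash-not-real")]
TRUSTED_PROXIES = {"192.0.2.1"}  # assumed address of the reverse proxy


def open_db():
    """In-memory SQLite so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE connections (client_ip TEXT, backend TEXT, status INTEGER)")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO connections VALUES (?, ?, ?)", CONNECTIONS)
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def client_ip_trusting(remote_addr, headers):
    """The oversight: the header is believed no matter who sent it."""
    return headers.get("X-Forwarded-For", remote_addr)


def filter_connections_vulnerable(db, remote_addr, headers):
    """Per-IP filter built by string formatting: header text lands in the SQL."""
    ip = client_ip_trusting(remote_addr, headers)
    sql = ("SELECT client_ip, backend, status FROM connections "
           "WHERE client_ip = '%s'" % ip)
    return db.execute(sql).fetchall()


def client_ip_hardened(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the peer is our proxy, and only as an IP."""
    if remote_addr not in trusted_proxies:
        return remote_addr  # exposed directly: the header is attacker data
    xff = headers.get("X-Forwarded-For", "")
    # The proxy appends the address it saw; earlier hops are still untrusted.
    candidate = xff.split(",")[-1].strip() or remote_addr
    return str(ipaddress.ip_address(candidate))  # ValueError on anything else


def filter_connections_hardened(db, remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Same filter with a validated value bound as a parameter."""
    ip = client_ip_hardened(remote_addr, headers, trusted_proxies)
    sql = "SELECT client_ip, backend, status FROM connections WHERE client_ip = ?"
    return db.execute(sql, (ip,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    # Constructed payload: three columns to match the filter's SELECT list.
    evil = {"X-Forwarded-For": "' UNION SELECT username, password_hash, 0 FROM users --"}
    print("vulnerable:", filter_connections_vulnerable(db, "198.51.100.7", evil))
    print("hardened, direct client:", filter_connections_hardened(db, "198.51.100.7", evil))
    try:
        filter_connections_hardened(db, "192.0.2.1", evil)
    except ValueError as exc:
        print("hardened, via proxy:", exc)
```

Run it and the vulnerable filter returns the users row instead of telemetry, which is what "free SELECT" means in practice. The hardened version ignores the header entirely for a direct client and rejects the non-IP value when it arrives through the proxy; in a real handler that rejection should become a 400 rather than a fallback to some default.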
Who It's For
Seasoned testers who want to practise finding SQLi outside the obvious form fields.
Skills You'll Practice
- Auditing request metadata as an injection surface
- SQL injection beyond form inputs
- Reasoning about reverse-proxy trust assumptions
- Exploiting infrastructure-flavoured oversights
- Working an attack from inside an authenticated session
What You'll Gain
- A sharp lesson in where SQLi actually lives in real apps
- Intuition for proxy-trust bugs that survive production hardening
- Experience exercising injection against non-body inputs
- Confidence tackling authenticated internal consoles