VIP Lab: PortSwigger BSCP Mindset Map Using the Nmap Recon Lab
A premium BSCP study map that turns PortSwigger topics into a practical testing workflow, using the same fictional Northstar Nmap lab as the starting point.
Key takeaways
- BSCP preparation becomes easier when topics are grouped by testing intent: entry point, authority expansion, and data proof.
- Nmap does not solve PortSwigger labs, but it builds the same professional habit: observe, classify, test, validate, and report.
- A strong web assessment starts by asking where input enters, where identity is enforced, and where sensitive data can be proven.
- The premium skill is chaining small signals into a clear security story without overclaiming the evidence.
This VIP lesson rebuilds the PortSwigger BSCP topic list as a practical operator map.
Instead of memorizing a long list of vulnerability names, you will group each topic by what you are trying to prove:
- Can I get meaningful interaction with the application?
- Can I do something my current identity should not be allowed to do?
- Can I prove access to sensitive data or a high-impact system behavior?
That is the mindset behind strong BSCP preparation.
The same logic also matches the Nmap lab we already built. In that lab, the fictional target was 10.10.56.24, an internal Northstar Clinic training server with exposed services such as HTTP, SMB, MySQL, Jenkins, and Webmin.
Nmap helped us map the outside of the system. PortSwigger-style testing helps us map the inside of the application.
The target is fictional. The workflow is for authorized labs only.
The VIP framing
Most students study BSCP topics as isolated chapters:
- SQL injection
- XSS
- access control
- SSRF
- XXE
- authentication
- cache attacks
- request smuggling
- business logic
- API testing
That works for reading, but it is weak for real lab solving.
In a lab, the better question is:
What kind of progress am I trying to make right now?
For VIP-level thinking, split every lab into three lanes:
| Lane | Main question | Typical result |
|---|---|---|
| Entry point | Where can I influence the app? | A foothold, signal, callback, reflected output, changed response, or working primitive |
| Authority expansion | Can I cross a permission boundary? | User-to-admin, tenant escape, workflow bypass, role abuse, or unauthorized action |
| Data proof | Can I prove business impact? | File read, record dump, secret exposure, token leak, callback evidence, or sensitive action |
This keeps your brain organized when a lab throws multiple hints at you.
Lab anchor: Northstar Nmap findings
From the previous VIP Nmap lab, our simulated scan found:
Target: 10.10.56.24
22/tcp open ssh
80/tcp open http Northstar Clinic Document Portal
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
8080/tcp open http Build Server - Login
10000/tcp open http Webmin LoginNmap gave us the external attack surface. Now we translate that into web testing hypotheses:
| Nmap signal | PortSwigger-style question |
|---|---|
| Document portal on 80 | What input exists? Login, search, upload, document IDs, cookies, redirects? |
| Jenkins on 8080 | Is access restricted? Are builds, logs, or endpoints visible without authorization? |
| Webmin on 10000 | Is an admin panel exposed to the wrong network? Are version clues useful for risk reporting? |
| MySQL on 3306 | Is the app leaking database errors, IDs, backups, or credentials? |
| SMB on 445 | Are backup files, shares, or internal hostnames connected to the web app story? |
The web tester does not stop at "port open." The web tester asks what the port means for identity, input, state, and data.
Lane 1: Entry point thinking
Entry point thinking is about proving that the application accepts your influence.
You are looking for the first real lever.
In PortSwigger labs, this often appears as:
- SQL injection
- NoSQL injection
- command injection
- path traversal
- file upload flaws
- server-side request forgery
- XML external entity injection
- cross-site scripting
- DOM-based behavior
- server-side template injection
- insecure deserialization
- prototype pollution
- GraphQL weaknesses
- API parameter abuse
- WebSocket input handling
The VIP question is not "which vulnerability do I like?"
The VIP question is:
Where does my input travel, and what changes when I touch it?
Entry point decision map
[Open the lab]
|
v
[List every input]
|
+-- forms
+-- URL parameters
+-- JSON bodies
+-- cookies
+-- headers
+-- file names
+-- upload content
+-- WebSocket messages
+-- GraphQL queries
|
v
[Send a harmless marker]
|
v
[Does the marker come back, change behavior, or reach another system?]
|
+-- no -> test a different endpoint, method, role, or content type
|
+-- yes -> classify the behavior
|
+-- reflected in HTML -> XSS or template context
+-- affects database output -> SQLi or NoSQLi
+-- changes file path -> traversal or upload handling
+-- triggers callback -> SSRF, blind XXE, blind injection
+-- changes object state -> logic, access control, API abuse
+-- affects server command -> command injection or SSTINorthstar example
The document portal has:
/login.php/documents?id=1042/upload/search?q=invoice- a session cookie
- a visible
/backup/directory from the Nmap HTTP enumeration
A beginner might immediately try random payloads.
A VIP workflow records each input and asks what system component is probably behind it:
| Input | Likely backend behavior | First safe test |
|---|---|---|
id=1042 |
Object lookup | Change ID and compare authorization |
q=invoice |
Search query | Add a unique marker and watch response shape |
| Upload file | File storage and content handling | Upload safe text files with controlled names |
| Session cookie | Identity state | Compare unauthenticated, user, and admin views |
/backup/ |
Accidental exposure | Check listing and file types inside the lab only |
The first win is not exploitation. The first win is understanding where your influence enters the system.
Lane 2: Authority expansion thinking
Authority expansion is where BSCP labs become interesting.
This lane asks:
I am one identity. Can I reach an action, object, or workflow that belongs to another identity?
This lane includes:
- access control vulnerabilities
- authentication bypass
- password reset flaws
- MFA bypass
- JWT attacks
- OAuth flaws
- CORS misconfiguration
- business logic vulnerabilities
- race conditions
- HTTP host header attacks
- HTTP request smuggling
- client-side access control mistakes
This is the "permission boundary" lane.
Authority decision map
[You have a working request]
|
v
[What authority does this request assume?]
|
+-- current user identity
+-- role
+-- tenant or organization
+-- object owner
+-- workflow step
+-- trusted header
+-- browser origin
|
v
[Replay the same request with a weaker identity]
|
+-- succeeds -> authority expansion candidate
|
+-- fails -> change one boundary at a time
|
+-- object ID
+-- role value
+-- method
+-- content type
+-- redirect target
+-- host header
+-- origin header
+-- sequence order
+-- timing
+-- token claimsNorthstar example
Suppose the portal has this request:
GET /documents?id=1042 HTTP/1.1
Host: northstar-lab-web01
Cookie: PHPSESSID=user-sessionThe VIP test is not only "does id=1043 work?"
The VIP test matrix is:
| Boundary | Test |
|---|---|
| Object ownership | Can user A read user B's document ID? |
| Role | Can a normal user reach admin document actions? |
| Workflow | Can approval be skipped by calling the final endpoint directly? |
| Method | Does POST block but GET or PATCH succeed? |
| Client-side controls | Is the button hidden while the endpoint still works? |
| Token trust | Can role or tenant claims be modified or confused? |
That is how access control, logic, API testing, JWT, and OAuth thinking connect.
They are not random chapters. They are different ways an application may confuse "who you are" with "what you are allowed to do."
Lane 3: Data proof thinking
Data proof is the impact lane.
This lane asks:
What sensitive thing can I prove, without exaggerating and without causing damage?
Common topics here include:
- information disclosure
- SQL injection data extraction
- NoSQL enumeration
- XXE file reads
- SSRF metadata access
- web cache deception
- web cache poisoning
- CSRF with meaningful impact
- clickjacking with action abuse
- Web LLM attacks
- client-side leaks such as tokens and secrets
Data proof is where reports become credible.
Data proof decision map
[You have a primitive]
|
v
[What can the primitive access?]
|
+-- records
+-- files
+-- environment data
+-- internal services
+-- tokens
+-- admin-only actions
+-- cache entries
+-- logs
|
v
[Can you prove impact safely?]
|
+-- no -> collect response differences, headers, timing, or safe callbacks
|
+-- yes -> capture minimal evidence
|
+-- one redacted record
+-- one safe internal URL response
+-- one harmless callback
+-- one changed low-risk setting
+-- one authorization bypass request pairNorthstar example
The Nmap lab found an exposed web portal, MySQL, and a backup directory.
In a real authorized lab, the safe data-proof questions might be:
| Signal | Safe proof |
|---|---|
/backup/ exists |
Record file names, sizes, and whether listing is enabled |
| Database errors appear | Capture redacted error output and affected parameter |
| Document IDs are sequential | Show user A can access one unauthorized test document |
| SSRF callback works | Use a controlled collaborator endpoint and record the request |
| Admin panel exposed | Screenshot login page, version, and network reachability |
Notice the discipline: prove enough to show risk, but do not loot the system.
VIP work is measured, not theatrical.
Topic map by testing intent
Use this as your BSCP study board.
| Topic | Primary lane | What you are trying to prove |
|---|---|---|
| SQL injection | Entry point, data proof | User input changes database query behavior |
| NoSQL injection | Entry point, data proof | Query logic can be altered or enumerated |
| Authentication flaws | Authority expansion | Identity checks can be bypassed or weakened |
| Access control | Authority expansion | A user can access another user's object or action |
| Business logic | Authority expansion | The workflow allows an unintended path |
| Race conditions | Authority expansion | Timing breaks an intended state check |
| Path traversal | Entry point, data proof | File paths can escape the intended directory |
| File upload | Entry point | Uploaded content can be stored, executed, or abused |
| Command injection | Entry point | Input reaches an operating system command context |
| SSRF | Entry point, data proof | Server can be induced to make internal or external requests |
| XXE | Entry point, data proof | XML parsing can access files or trigger callbacks |
| XSS | Entry point, authority expansion | Script reaches a victim context or privileged viewer |
| DOM vulnerabilities | Entry point | Browser-side code trusts unsafe sources |
| SSTI | Entry point | Input reaches a server-side template engine |
| Insecure deserialization | Entry point | Object parsing creates unexpected behavior |
| Prototype pollution | Entry point | Object properties can poison application behavior |
| GraphQL | Entry point, authority expansion | Schema, queries, or resolvers expose unintended behavior |
| API testing | All lanes | Auth, objects, methods, and logic must hold outside the UI |
| OAuth | Authority expansion | Trust between app, provider, and redirect flow is broken |
| JWT | Authority expansion | Token validation or claims can be abused |
| CORS | Authority expansion, data proof | Browser trust allows cross-origin data exposure |
| Host header | Authority expansion | Password reset, routing, or links trust attacker-controlled host data |
| Request smuggling | Authority expansion, data proof | Front-end and back-end parsing disagree |
| Cache attacks | Data proof | Shared caches store or serve attacker-influenced content |
| CSRF | Data proof | A victim can be made to perform a meaningful state change |
| Clickjacking | Data proof | UI framing can trick a user into sensitive actions |
| Web LLM attacks | Data proof | Model-connected tools can leak or misuse trusted context |
| WebSockets | Entry point | Persistent messages bypass normal request assumptions |
The same topic can appear in more than one lane. SQL injection can start as an input issue, become login bypass, then become data proof. SSRF can start as a callback and end as internal metadata exposure.
Chain recipes
BSCP labs reward chain thinking. Use these patterns to recognize what might come next.
Injection to authority
SQLi or NoSQLi
-> authentication bypass
-> role or account discovery
-> admin-only function
-> data proofXSS to privileged action
Stored XSS
-> admin reviews content
-> browser executes script
-> token, action, or request trigger
-> authority expansionSSRF to internal discovery
SSRF primitive
-> internal host or metadata request
-> secret, token, or service clue
-> stronger access path
-> data proofXXE to secret exposure
XML parser accepts external entity
-> safe file read proof
-> configuration clue
-> credential or endpoint discovery
-> impact statementLogic flaw to privilege
Normal workflow
-> skipped step
-> mismatched price, role, state, or approval
-> unauthorized outcome
-> business impactNmap to web lab thinking
Open HTTP service
-> enumerate inputs
-> classify trust boundary
-> test identity and object ownership
-> prove minimal impact
-> write remediationThis is the bridge between the Nmap lab and PortSwigger practice.
Nmap tells you what is listening. BSCP thinking tells you how trust can break.
The universal lab checklist
Use this checklist before you decide a lab is "hard."
1. Inventory
- What pages exist?
- What endpoints exist?
- What parameters exist?
- What cookies exist?
- What roles exist?
- What content types does the app accept?
- What happens if the method changes?
- What happens if the path changes?
2. Input behavior
- Is input reflected?
- Is input stored?
- Is input transformed?
- Is input used in a file path?
- Is input used in a query?
- Is input sent to another service?
- Is input interpreted by the browser?
- Is input interpreted by the server?
3. Identity and authorization
- What can anonymous users do?
- What can normal users do?
- What can admin users do?
- Can user A access user B's object?
- Can a hidden UI action still be called directly?
- Can a token claim, object ID, or role parameter be trusted incorrectly?
4. State and workflow
- Does the app enforce the intended order?
- Can a step be skipped?
- Can a request be replayed?
- Can two requests race?
- Can an old token still work?
- Can a price, quantity, email, redirect, or approval value be changed?
5. Data and impact
- What sensitive data is visible?
- What sensitive action is possible?
- Can impact be proven with one minimal example?
- Is the proof redacted?
- Is there a clean request and response pair?
- Can the issue be retested after a fix?
VIP reporting model
When you solve or simulate a PortSwigger-style issue, write it like an assessor.
Finding:
Unauthorized document access through predictable object ID
Affected area:
Northstar Clinic Document Portal
Evidence:
User A can request /documents?id=1043 and receive a document owned by User B.
Impact:
A normal user could access another user's private document if they know or guess the document identifier.
Why it happens:
The application checks whether the user is logged in, but does not verify ownership of the requested document.
Recommendation:
Enforce object-level authorization on the server for every document request. The server should verify that the authenticated user is allowed to access the requested document before returning content.
Retest:
Login as User A and request a document owned by User B. The expected result is 403 Forbidden or a generic not-found response.This structure works for access control, injections, SSRF, cache issues, authentication flaws, and logic bugs.
What to avoid
Avoid these common BSCP study mistakes:
- treating every topic as a separate memory card
- running payloads before mapping inputs
- trusting the browser UI as the real authorization model
- assuming version banners prove exploitability
- calling every Nmap result a vulnerability
- skipping negative evidence
- writing impact without proof
- collecting too much sensitive data
- ignoring retest steps
The premium habit is restraint. A clean proof beats a noisy guess.
Practice drill
Use the Northstar lab as a mental warm-up before PortSwigger labs.
For each exposed web surface, answer:
| Surface | Entry point | Authority boundary | Data proof |
|---|---|---|---|
| Portal on 80 | Search, login, upload, document ID | User vs admin, owner vs non-owner | One redacted test document or backup listing |
| Jenkins on 8080 | Login, job names, build logs | Anonymous vs authenticated, job permissions | One non-sensitive visible job or version clue |
| Webmin on 10000 | Login panel, version banner | Admin-only management plane | Reachability and version evidence only |
Then move into PortSwigger with the same rhythm:
- Find the input.
- Prove the behavior.
- Identify the trust boundary.
- Cross it safely if the lab requires it.
- Prove impact with minimal evidence.
- Explain the fix.
Bottom line
BSCP is not only a vulnerability checklist. It is a thinking exam.
The strongest students do not ask "which payload should I paste?"
They ask:
- Where does my input go?
- Which trust boundary protects this action?
- What evidence proves the impact?
- How do I explain the fix clearly?
That is the same professional muscle we built in the Nmap lab: map the surface, classify the signal, test carefully, validate evidence, and report what matters.
Once you think this way, PortSwigger topics stop feeling like a pile of chapters. They become a workflow.
VIP is free during early access.
Read the full premium labs and private guides while Cyberaro VIP is growing. Later, advanced labs, downloads, and private walkthroughs may become members-only.
Open beta
The current VIP library is open so readers can learn, share, and help the section grow before the member experience launches.
