Please visit "Hack This Site" for further information.
"Hack This Site" is a site for practicing penetration testing. The basic missions require HTML, JavaScript, common sense, and an email address.
This level is what we call "The Idiot Test". If you can't complete it, don't give up on learning all you can, but don't go begging to someone else for the answer; that's one way to get yourself hated or made fun of. Enter the password and you can continue.
- Right-click anywhere on the web page and choose "View page source".
- Scroll down until you find the word "password", or press Ctrl + F and search for "password".
- Copy the password, paste it into the password field and click "Submit".
- A password should never be stored in plaintext in the source code. Store it as a hashed value in a separate file outside the web root, or in an encrypted file; hashing is the more secure choice, because a hash cannot be turned back into the password.
Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file...
- Leave the password field blank and click "Submit".
- Always test an application by submitting an empty password field: when the server compares the input against a password it failed to load, an empty string can match.
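The lessons of missions 1 and 2 belong together: keep only a hash, keep it in a file outside the web root, and make every failure of that file a failed login rather than a successful one. As an added example (not the challenge's own script), a Python password check that does exactly that. The PBKDF2-HMAC-SHA256 scheme, the record layout and the function names are choices made for this example.

```python
import hashlib
import hmac
from pathlib import Path
from secrets import token_bytes

# Assumption for this example: PBKDF2-HMAC-SHA256 with a high iteration count.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a storable record 'iterations$salt_hex$digest_hex'.

    Run once, offline, and write the result to a file that lives outside the
    web root; the application never holds the plaintext password.
    """
    salt = token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def load_record(path):
    """Read the stored record, or return None if the file is missing or unreadable."""
    try:
        return Path(path).read_text(encoding="utf-8").strip()
    except OSError:
        return None


def verify(record, supplied):
    """True only when a record exists, parses cleanly, and matches the input.

    Every failure path returns False: an empty submission (mission 2) must not
    match, and a missing password file must mean 'nobody can log in', never
    'the password is the empty string'.
    """
    if not supplied or record is None:
        return False
    try:
        iterations_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # corrupt or tampered record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def check_password(path, supplied):
    """What a login handler would call: load the record, then verify."""
    return verify(load_record(path), supplied)
```

Note that `check_password("password.hash", "")` returns False whether or not the file exists; the empty-field test from mission 2 no longer has a success path.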
This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.
- Right-click anywhere on the web page and choose "View page source".
- The hidden form field has the value "password.php", so visit https://www.hackthissite.org/missions/basic/3/password.php directly.
- The password will appear.
- Copy and paste it into the password field and click "Submit".
- Map out the directory structure of a web application before deploying it, and keep any file that holds a secret outside the directories the web server serves.
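One way to act on that lesson, as an added example that is not the site's or the challenge author's code: a small Python audit that walks a document root before deployment and lists files whose names suggest they should not be publicly reachable. The pattern list and the function names are constructed for this example; extend the list for your own stack.

```python
import fnmatch
import os

# Constructed denylist for this example: filename patterns (matched
# case-insensitively against the basename and the relative path) that should
# never be reachable under a web root.
SENSITIVE_PATTERNS = (
    "*password*",          # mission 3: password.php was served as a plain file
    "*.bak", "*.old", "*.orig", "*~", "*.swp",
    ".env", ".htpasswd", "*.sql", "*.log", "*.pem", "*.key",
    ".git/*", ".svn/*",
)


def is_sensitive(rel_path):
    """True if the basename or the relative path matches a denylist pattern."""
    rel = rel_path.replace(os.sep, "/").lower()
    name = rel.rsplit("/", 1)[-1]
    return any(
        fnmatch.fnmatchcase(name, pattern) or fnmatch.fnmatchcase(rel, pattern)
        for pattern in SENSITIVE_PATTERNS
    )


def audit_paths(rel_paths):
    """Return, sorted, the relative paths that should not be publicly served."""
    return sorted(p for p in rel_paths if is_sensitive(p))


def audit_webroot(root):
    """Walk a real directory and audit every file under it.

    Run this against the document root before deployment; anything it reports
    should be moved outside the web root or blocked in the server config.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, filename), root))
    return audit_paths(found)
```

`audit_webroot("/var/www/html")` is the deployment-time call; `audit_paths` takes an already-collected list so the logic can be checked without touching the filesystem.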
This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:
- Right-click anywhere on the web page and choose "View page source".
- In the input of type "hidden", change the value from [email protected] to the email address registered to your account.
- Click "Send password to Sam", then check the inbox of the address you entered.
- Copy and paste the password into the password field and submit it.
- Sensitive information should not be placed in code that runs on the client side, because the user can read and change it.
- Protect sensitive information from access by unauthorized personnel.
Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.
- Right-click anywhere on the web page and choose "View page source".
- In the input of type "hidden", change the value from [email protected] to the email address registered to your account.
- Click "Send password to Sam", then check the inbox of the address you entered.
- Copy and paste the password into the password field and submit it.
- Sensitive information should not be placed in code that runs on the client side, because the user can read and change it.
- Protect sensitive information from access by unauthorized personnel.
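The lesson of missions 4 and 5 is that a server must not take the recipient address from the form it receives. As an added example (not the challenge's own email script), a Python reset handler that looks the recipient up in server-side account records, ignores any address the request carries, and, going one step beyond the page, emails a single-use reset token instead of the password itself. The account data, the outbox stand-in and the function names are constructed for this example.

```python
import hashlib
import secrets

# Constructed sample data: account records as the server holds them. The
# client is never the source of the recipient address.
ACCOUNTS = {
    "sam": {"email": "sam@example.invalid"},
}

# Identical reply for known and unknown accounts, so the form cannot be used
# to probe which usernames exist.
GENERIC_REPLY = "If that account exists, a reset email has been sent."


class Outbox:
    """Stand-in for a mail transport; records what would have been sent."""

    def __init__(self):
        self.sent = []  # list of (recipient, subject, body)

    def send(self, recipient, subject, body):
        self.sent.append((recipient, subject, body))


def handle_reset_request(form, accounts, outbox, token_store):
    """Hardened handler: the request only names the account.

    Anything else the form carries (such as a hidden 'to' field, the flaw in
    missions 4 and 5) is ignored; the recipient comes from server-side records.
    """
    username = form.get("user", "")
    account = accounts.get(username)
    if account is None:
        return GENERIC_REPLY
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a leaked token_store cannot be replayed.
    token_store[hashlib.sha256(token.encode("ascii")).hexdigest()] = username
    outbox.send(account["email"], "Password reset", f"Reset token: {token}")
    return GENERIC_REPLY


def redeem_token(token, token_store):
    """Return the username for a valid token and consume it; None otherwise."""
    return token_store.pop(hashlib.sha256(token.encode("ascii")).hexdigest(), None)
```

Because the server stores only a password hash, it has nothing it could email in the first place; the reset token is the only secret that travels, and it is consumed on first use.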
- Part 1 consists of HTML knowledge and common sense.