13:["$","$L29",null,{"dojo":{"id":"intro-to-cybersecurity","name":"Intro to Cybersecurity","description":"Can you feel it?\nThe sun is beginning to rise on your journey of cybersecurity.\nArmed with the fundamentals, you begin to push ever deeper into the realms of knowledge that previously eluded you.\nFear not: with perseverance, grit, and gumption, you will lay the groundwork for a towering mastery of security in your future.\n","official":true,"award":{"belt":"orange"},"modules":[{"id":"web-security","name":"Web Security","description":"You have learned Linux and HTTP.\nNow, let's put these together!\n\nWeb content is served up via the internet by _web servers_, and like everything else, these web servers, and the pages that they serve up, contain vulnerabilities!\nIn this module, you will wrap yourself in the mysteries of the web, exploring various types of vulnerabilities that can occur.\nAs you work through this module, keep in mind, these aren't theoretical curiosities: these are common, critical vulnerabilities that occur _all the time_ in the modern web and can lead to massive data breaches, account takeover, and more.\n\nNow, dive in, and hack!\n","unified_items":[{"item_type":"resource","id":"resource-0","name":"Web Security: Introduction","type":"lecture","content":null,"video":"AKTYVWCi6ss","playlist":"PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg","slides":"1ATO_U0aUlk2LRhlnIwdqTkDfu-lWRb5xoLDv0NQLPs8","expandable":null,"description":null,"required":null},{"item_type":"resource","id":"resource-1","name":null,"type":"header","content":"Content Injection","video":null,"playlist":null,"slides":null,"expandable":null,"description":null,"required":null},{"item_type":"resource","id":"resource-2","name":"Web Security: Structured Query Language","type":"lecture","content":null,"video":"433mRGcpHeA","playlist":"PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg","slides":"1KpvjoFnlC9HcUJbkg-_VASf2JETMwEZjpzO0uGSoCo4","expandable":null,"description":null,"required":null},{"item_type":"resource","id":"resource-3","name":"Web Security: Injection","type":"lecture","content":null,"video":"sdStLx3_Q0M","playlist":"PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg","slides":"1rP8IIc_6B8Z7KpqBGxkneIzAjURRQ-YlkJV-_4dF-SM","expandable":null,"description":null,"required":null},{"item_type":"challenge","id":"path-traversal-1","name":"Path Traversal 1","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"This level will explore the intersection of Linux path resolution, when done naively, and unexpected web requests from an attacker.\nWe've implemented a simple web server for you --- it will serve up files from /challenge/files over HTTP.\nCan you trick it into giving you the flag?\n\nThe webserver program is `/challenge/server`.\nYou can run it just like any other challenge, then talk to it over HTTP (using a different terminal or a web browser).\nWe recommend reading through its code to understand what it is doing and to find the weakness!\n\n----\n**HINT:**\nIf you're wondering why your solution isn't working, make sure what you're trying to query is what is actually being received by the server! \n`curl -v [url]` can show you the exact bytes that curl is sending over.\n","required":true},{"item_type":"challenge","id":"path-traversal-2","name":"Path Traversal 2","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"The previous level's path traversal happened because of a disconnect between:\n\n1. The developer's awareness of the true range of potential input that an attacker might send to their application (e.g., the concept of an attacker sending characters that have special meaning in paths).\n2. A gap between the developer's intent (the implementation makes it clear that we only expect files under the `/challenge/files` directory to be served to the user) and the reality of the filesystem (where paths can go \"back\" up a directory level).\n\nThis level tries to stop you from traversing the path, but does it in a way that clearly demonstrates a further lack of the developer's understanding of how tricky paths can truly be.\nCan you still traverse it?\n","required":true},{"item_type":"challenge","id":"cmdi-ls-semicolon","name":"CMDi 1","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"$2a","required":true},{"item_type":"challenge","id":"cmdi-ls-pipe","name":"CMDi 2","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Many developers are aware of things like command injection, and try to prevent it.\nIn this level, you may not use `;`!\nCan you think of another way to command-inject?\nRecall what you learned in the [Piping](/linux-luminarium/chaining) module of the [Linux Luminarium](/linux-luminarium)...\n","required":true},{"item_type":"challenge","id":"cmdi-ls-quote","name":"CMDi 3","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"An interesting thing about command injection is that you don't get to choose where in the command the injection occurs: the developer accidentally makes that choice for you when writing the program.\nSometimes, these injections occur in uncomfortable places.\nConsider the following:\n\n```python\nos.system(f\"echo Hello '{word}'\")\n```\n\nHere, the developer tried to convey to the shell that `word` should really be only one word.\nThe shell, when given arguments in single quotes, treats otherwise-special characters like `;`, `$`, and so on as just normal characters, until it hits the closing single quote (`'`).\n\nThis level gives you this scenario.\nCan you bypass it?\n\n----\n**HINT:**\nKeep in mind that there will be a `'` character right at the end of whatever you inject.\nIn the shell, all quotes must be matched with a partner, or the command is invalid.\nMake sure to craft your injection so that the resulting command is valid!\n","required":true},{"item_type":"challenge","id":"cmdi-env","name":"CMDi 4","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Calling shell commands to carry out work, or \"shelling out\" as it is often termed, is dangerous.\nAny part of a shell command is potentially injectible!\nIn this level, we'll practice injecting into a slightly different part of a slightly different command.\n","required":true},{"item_type":"challenge","id":"cmdi-touch-blind","name":"CMDi 5","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Programs tend to shell out to do complex internal computation.\nThis means that you might not always get sent the resulting output, and you will need to do your attack _blind_.\nTry it in this level: without the output of your injected command, get the flag!\n","required":true},{"item_type":"challenge","id":"cmdi-ls-filter","name":"CMDi 6","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Sometimes, developers try very hard to filter out potentially dangerous characters.\nThe success in this challenge is almost perfect, but not quite...\nYou'll be stumped for a while, but will laugh at its familiarity when you figure out the solution!\n","required":true},{"item_type":"challenge","id":"auth-bypass-param","name":"Authentication Bypass 1","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Of course, web applications can have security vulnerabilities that have nothing to do with the shell.\nA common type of vulnerability is an _Authentication Bypass_, where an attacker can bypass the typical authentication logic of an application and log in without knowing the necessary user credentials.\n\nThis level challenges you to explore one such scenario.\nThis specific scenario arises because, again, of a gap between what the developer expects (that the URL parameters set by the application will only be set by the application itself) and the reality (that attackers can craft HTTP requests to their hearts content).\n\nThis level assumes a passing familiarity with SQL, which you can develop in the [SQL Playground](/fundamentals/sql-playground).\nSQL will become incredibly relevant later, but for now, it is an incidental part of the challenge.\n\nAnyways, go and bypass this authentication to log in as the `admin` user and get the flag!\n","required":true},{"item_type":"challenge","id":"auth-bypass-cookie","name":"Authentication Bypass 2","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Authentication bypasses are not always so trivial.\nSometimes, the logic of the application might look correct, but again, the gap between what the developer expects to be true and what will actually be true rears its ugly head.\nGive this level a try, and remember: _you_ control the requests, including all the HTTP headers sent!\n","required":true},{"item_type":"challenge","id":"sqli-pin","name":"SQLi 1","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"$2b","required":true},{"item_type":"challenge","id":"sqli-password","name":"SQLi 2","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"The previous level's SQL injection was quite simple to pull off and still have a valid SQL query.\nThis was, in part, because your injection happened at the very end of the query.\nIn this level, however, your injection happens partway through, and there is (a bit) more of the SQL query afterwards.\nThis complicates matters, because the query must remain valid despite your injection.\n","required":true},{"item_type":"challenge","id":"sqli-union","name":"SQLi 3","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"If you recall, your command injection exploits typically caused _additional_ commands to be executed.\nSo far, your SQL injections have simply modified the conditions of existing SQL queries.\nHowever, similar to how the shell has ways to chain commands (e.g., `;`, `|`, etc), some SQL queries can be chained as well!\n\nAn attacker's ability to chain SQL queries has extremely powerful potential.\nFor example, it allows the attacker to query completely unintended tables or completely unintended fields in tables, and leads to the types of massive data disclosures that you read about on the news.\n\nThis level will require you to figure out how to chain SQL queries in order to leak data.\nGood luck!\n","required":true},{"item_type":"challenge","id":"sqli-tablename","name":"SQLi 4","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"So far, the database structure has been known to you (e.g., the name of the `users` table), allowing you to knowingly craft your queries.\nAs a developer, you might be tempted to prevent this by, say, randomizing your table names, so that an attacker can't specify them to query data that they are not supposed to.\nUnfortunately, this is not the slam dunk that you might think it is.\n\nDatabases are complex and much too clever for their own good.\nFor example, almost all modern databases keep the database layout specification itself _in a table_.\nAttackers can query this table to get the table names, field names, and whatever other information they might need!\n\nIn this level, the developers have randomized the name of the (previously known as) `users` table.\nFind it, and find the flag!\n","required":true},{"item_type":"challenge","id":"sqli-blind","name":"SQLi 5","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"SQL injection happen in all sorts of places in an application and, like command injections, sometimes the result of the query is not sent back to you.\nWith command injections, this case is easier: the commandline is so powerful that you can do a lot of things even blindly.\nWith SQL injections, this is sometimes not the case.\nFor example, unlike some other databases, the SQLite database used in this module cannot access the filesystem, execute commands, and so on.\n\nSo, if the application does not show you the data resulting from your SQL injection, how do you actually leak the data?\nSometimes, even if the actual data is not shown, you can recover one bit!\nIf the result of a query can make the application act two different ways (say, redirecting to an \"Authentication Success\" page versus an \"Authentication Failure\" page), then an attacker can carefully craft yes/no questions that they can get answers to.\n\nThis challenge gives you exactly this scenario.\nCan you leak the flag?\n","required":true},{"item_type":"resource","id":"resource-19","name":null,"type":"header","content":"Cross Site Scripting","video":null,"playlist":null,"slides":null,"expandable":null,"description":null,"required":null},{"item_type":"resource","id":"resource-20","name":"Tooling Documentation","type":"markdown","content":"- [python -m http.server](https://docs.python.org/library/http.server.html)\n- [JavaScript Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch)\n","video":null,"playlist":null,"slides":null,"expandable":true,"description":null,"required":null},{"item_type":"challenge","id":"xss-stored-html","name":"XSS 1","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"$2c","required":true},{"item_type":"challenge","id":"xss-stored-alert","name":"XSS 2","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"$2d","required":true},{"item_type":"challenge","id":"xss-reflected","name":"XSS 3","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"$2e","required":true},{"item_type":"challenge","id":"xss-context","name":"XSS 4","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Like with SQL injection and command injection, sometimes your XSS occurs in the middle of some non-optimal context.\nIn SQL, you have dealt with injecting into the middle of quotes.\nIn XSS, you often inject into, for example, a textarea, as in this challenge.\nNormally, text in a textarea is just, well, text that'll show up in a textbox on the page.\nCan you bust out of this context and `alert(\"PWNED\")`?\n\nAs before, the `/challenge/victim` of this challenge takes a URL argument on the commandline, and it will visit that URL.\n","required":true},{"item_type":"challenge","id":"xss-rf-get","name":"XSS 5","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"$2f","required":true},{"item_type":"challenge","id":"xss-rf-post","name":"XSS 6","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Once an attacker has code execution inside a victim's browser, they can do a lot of things.\nYou've made a `GET` request in your previous attack, but typically, it's the `POST` requests that will change application state.\nThis challenge ratchets up the realism: the `/publish` now needs a `POST` request.\nLuckily, `fetch` supports this!\n\nGo figure out how to `POST`, and get the flag.\n","required":true},{"item_type":"challenge","id":"xss-exfil-cookie","name":"XSS 7","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Depending on the attacker's goals, what they might actually be after is the victim's entire account.\nFor example, attackers might use XSS to exfiltrate victim authentication data and then use this data to take over the victim's account.\n\nAuthentication data is often stored via browser cookies, such as what happened in `Authentication Bypass 2` (but, typically, much more secure).\nIf an attacker can leak these cookies, the result can be disastrous for the victim.\n\nThis level stores the authentication data for the logged in user in a cookie.\nYou must use XSS to leak this cookie so that you can, in turn, use it in a request to impersonate the `admin` user.\nThis exfiltration will happen over HTTP to a server that you run, and everything you need is available via JavaScript's `fetch()` and its ability to access (some) site cookies.\n\n----\n**HINT:**\nBy \"server that you run\", we really mean that listening on a port with `nc` will be sufficient.\nLook at the `-l` and `-v` options to `nc`.\n","required":true},{"item_type":"resource","id":"resource-28","name":null,"type":"header","content":"Cross-Site Request Forgery","video":null,"playlist":null,"slides":null,"expandable":null,"description":null,"required":null},{"item_type":"resource","id":"resource-29","name":"Web Security: Same-Origin Policy","type":"lecture","content":null,"video":"b1NOCHm4t_s","playlist":"PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg","slides":"1KkiR8B_9xQilW_yq6W9FZ6xBN78V0S1aH1XvQfufYIk","expandable":null,"description":null,"required":null},{"item_type":"challenge","id":"csrf-get","name":"CSRF 1","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"$30","required":true},{"item_type":"challenge","id":"csrf-post","name":"CSRF 2","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Recall that requests that originate from JavaScript run into the Same-Origin Policy, which slightly complicated our CSRF in the previous level.\nYou figured out how to make a `GET` request without JavaScript.\nCan you do the same for `POST`?\n\nRecall that a typical `POST` request is a result of either a JavaScript-invoked request (no good for SOP) or an HTML form submission.\nYou'll need to do the latter.\nOf course, the `/challenge/victim` won't click the `Submit` button for you --- you'll have to figure out how to do that yourself (HINT: JavaScript can click that button; the request will still count as originating from the form!).\n\nGo `POST`-CSRF to the flag!\n","required":true},{"item_type":"challenge","id":"csrf-reflected-alert","name":"CSRF 3","type":null,"content":null,"video":null,"playlist":null,"slides":null,"expandable":null,"description":"Let's start putting a few things together...\nA CSRF can lead to many things, including other injections!\nUse the CSRF in this level to trigger a XSS and invoke an `alert(\"PWNED\")` somewhere in `http://challenge.localhost`!\n\n----\n**HINT:**\nYou will likely want to use JavaScript on your `http://hacker.localhost:1337` page to send a `GET` request with `` in a string (the URL parameter).\nThis string `` will actually be parsed by your browser as the closing tag of your page's actual `` in a string (the URL parameter).\nThis string `` will actually be parsed by your browser as the closing tag of your page's actual `

Binary Exploitation

Corrupting Memory

Writing Shellcode

Using Shellcode