Bad Santa's Hacking Adventure: Escape Room Edition!


This is a special Bad Santa Challenge bypassing various authentication flaws that I have seen in the wild during my career testing applications. This was built not only to teach you hacking techniques but also to further your skills professionally. There are no flags and no prize for completing the levels. This is purely a learning experience.

The CTF has eight challenges:

1. Bypassing Weak Cookie Session Management
2. Brute force bypass with a known user name
3. Brute force bypass of common user names and passwords
4. Authentication bypass using session fixation
5. Decoding passwords
6. Cracking passwords
7. Authentication bypass
8. Referrer Authentication bypass
9. Bonus Level!


Professionalism

Remediation
Simply being able to hack something won't get you a job, and typically won't get you the respect you need to advance your career. Your value as a security assurance professional comes from your ability to effectively communicate how to remediate ("fix") the vulnerability, how to harden the weaknesses and how to objectively assess and communicate the risks. This CTF will focus not just on the exploit, but on the reason we were able to exploit the vulnerability.

Communication
How you describe your work can often be as important as how you did your work. In this CTF, we will "Totally pwn this site," "Hack passwords," "Bypass authentication," and "Demonstrate how to exploit 'CWE-287: Improper Authentication'." All of these effectively mean the same thing, but have very different connotations in how you are perceived professionally. We will emphasize terminology and language that conveys professionalism to help get you in the habit of communicating professionally.

Tools
Important!
Be sure to download the OWASP ZAP web pentesting tool. It is a free, open source tool that runs on any platform. You do not need to know how to use it; just have it installed and we will walk through everything you need to know.
You will also need to save the password list and the user name list to your system.

Ready? Let's Go!