Whitehat Wargame websecurity challenges
Walkthrough of some Web security challenges that are present at Whitehat wargame
Note: It is the walkthrough of challenge that is present not at the above link.
It is not a CTF
WebSecurity Challenge Web001
Visiting the URL mentioned.
So the flag is on web page itself. Lets check the view source.
The flag was in the view source as shown above.
WebSecurity Challenge Web002
Visiting the URL.
So nothing on this page.
Lets check the view source.
Search engines are guided by robots file.
Checking out for robots.txt file.
There was one entry.
Visiting the URL gave me the flag as shown below.
WebSecurity Challenges Web003
Checking out view source:
Tried to login with username as test and password as test.
1)The user name test goes in the request.
2)The error on the page says that you are not admin.
So I refreshed the page and replaced test with admin as shown below:
Send the request.
And I got the Flag.
WebSecurity Challenges Web004
Quite a tricky challenge
Visiting the URL shows a password page.
There was also a script embed in the page. This challenge was all about decoding the script.
Encoding type is "6 character encoding jsfuck" It took lot of struggle to know about it and execute.
Executing the script gave the password.
Entering the password gave the flag.
WebSecurity Challenges Web005
Login page. I can think of 3 ways to bypass login page.
1) Sql injection.
2) Parameter tampering.
3) Session fixation
Starting with some SQL injection payloads. I used many custom made payload and available fuzzers to solve it.
I used the following to get the Flag
Submitted the request and got the flag.