Introduction

A wargame is a strategy game, also called a conflict simulation. TRY2HACK is a website providing a wargame aimed at the domain of information security. It has plenty of levels, each with a login page or program containing security holes waiting for you to hack. Here, I chose to use Google Chrome and Firefox to play this wargame, since the developer consoles of these two browsers have many functionalities, such as Elements, Console, Sources, Network, Timeline, Profiles, Resources, and Audits.

Level 1

Press the START button on the right of the menu, and a password input is shown. I randomly typed in some nonsense words, such as qwer, and an incorrect-password message was shown. The page was then redirected to the Disney website. How humorous the author of this webpage is.

There may be some security holes hiding in the source code. Right-click on the input and choose Inspect. From the Elements tab, we can see that a JavaScript function, Try, is called on the click event of the button labelled "click here to continue". Searching this file for the script tag where the JavaScript is declared, I found it several lines above. Expand this tag and the JavaScript appears.

Viewing the following code inside the script tag, we may observe that the function Try, called on the click event of the button, simply compares its input parameter with a string. If the condition is not met, an alert message is shown and the webpage is redirected to Disney.

<!--
  function Try(passwd) {
    if (passwd == "*****") {
      alert("Alright! On to level 2...");
      location.href = "level2-xfdgnh.xhtml";
    }
    else {
      alert("The password is incorrect. Please don't try again.");
      location.href = "http://www.disney.com/";
    }
  }
//-->

Enter the string that the JavaScript compares against, and the success message appears.

Conclusion

The techniques needed in this level are
  1. HTML
  2. JavaScript
This level is relatively easy. Only a few steps are necessary to pass it, but there is still a possibility that a programmer would accidentally write the input check inside the HTML code. Validation of the user's input should always be done on the server side, and sensitive data should be kept from being revealed.
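
The server-side counterpart of the Try function, as an added example that is not code from TRY2HACK or from the original post: the page sent to the browser carries neither the comparison string nor the next level's address, and the check runs in Node.js against a salted hash. The sample password, the `/level1` form action, the `/level2-placeholder.html` path and the function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample secret, used here only to derive the stored hash.
// A real server would keep just SALT and STORED_HASH, never the plaintext.
const SAMPLE_PASSWORD = 'constructed-sample-password';
const SALT = crypto.randomBytes(16);
const STORED_HASH = crypto.scryptSync(SAMPLE_PASSWORD, SALT, 32);
const NEXT_LEVEL = '/level2-placeholder.html'; // hypothetical path

// The page sent to the browser: a plain form, no comparison string, no next URL.
function renderLoginPage() {
  return '<form method="post" action="/level1">' +
         '<input type="password" name="passwd">' +
         '<button type="submit">click here to continue</button></form>';
}

// Runs on the server only. Hashes the submission and compares in constant time.
function verifyPassword(submitted) {
  if (typeof submitted !== 'string' || submitted.length > 128) return false;
  const candidate = crypto.scryptSync(submitted, SALT, 32);
  return crypto.timingSafeEqual(candidate, STORED_HASH);
}

// Hypothetical handler for the parsed POST body; the next level's location
// is disclosed only after the server-side check succeeds.
function handleLogin(form) {
  if (form && verifyPassword(form.passwd)) {
    return { status: 302, location: NEXT_LEVEL };
  }
  return { status: 401, body: 'The password is incorrect.' };
}
```

Inspecting the element or reading the script tag now shows only the form, because everything needed to pass the check stays on the server.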
