
New OWASP Challenge

Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Looks good.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Got them all. How's everybody doing?


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    dlofnep wrote: »
    Got them all. How's everybody doing?

    Should number three load another page when you hit XSS me?
    I've tried the usual ways of making an alert box appear, submitted as plain text and encoded in various ways, but the page just sits there :confused: like nothing at all happens when you push the button.

    Number 2 was easy. I had a quick look at 1 but haven't got it yet.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Redshift wrote: »
    Should number three load another page when you hit XSS me?
    I've tried the usual ways of making an alert box appear, submitted as plain text and encoded in various ways, but the page just sits there :confused: like nothing at all happens when you push the button.

    Number 2 was easy. I had a quick look at 1 but haven't got it yet.

    It's a bit of a silly challenge to be honest. I was stuck on that one. Challenge one is a bit badly described also.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Redshift wrote: »
    Should number three load another page when you hit XSS me?

    Yes, it will confirm the challenge is complete after the alert box opens. It's actually straightforward. Try not to think too hard.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    dlofnep wrote: »
    Yes, it will confirm the challenge is complete after the alert box opens. It's actually straightforward. Try not to think too hard.

    Can I keep testing this with alert(1) and then change it, or does every attempt have to include "Appsec2011 Rocks!"?

    In other words, can I get an alert without "Appsec2011 Rocks!" in the post?

    *edit

    The site still has http://www.appseceu.org/?s=900913 %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%41%70%70%73%65%63%32%30%31%31%20%52%6F%63%6B%73%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    It has to contain that exact string for you to pass the challenge.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    Can I keep testing this with alert(1) and then change it, or does every attempt have to include "Appsec2011 Rocks!"?

    In other words, can I get an alert without "Appsec2011 Rocks!" in the post?

    Keep using Appsec2011 Rocks! as the challenge is a bit silly.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Just did it. It's not an XSS,
    it's an exact string that will only work.


  • Closed Accounts Posts: 3 hacknoob


    Any hints for challenge #1?
    I'm stuck :( I tried different methods like injection, view source, etc. but no luck.
    Any hints?

    Cheers!


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    I started on and gave up after challenge 3 when I realised the task wasn't giving true server responses.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    hacknoob wrote: »
    Any hints for challenge #1?
    I'm stuck :( I tried different methods like injection, view source, etc. but no luck.
    Any hints?

    Cheers!

    No injection involved. I might suggest that you view the source again, very carefully :)


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    I'm stuck too. I found the file with the list of emails, but what do I do with it?
    The instructions are sloppy at best :(


  • Closed Accounts Posts: 3 hacknoob


    ...but how did you get past the login form? Is it related to those hidden input texts in the source? :cool:


  • Closed Accounts Posts: 3 hacknoob


    Never mind. Got it figured out! :rolleyes:


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Redshift wrote: »
    I'm stuck too. I found the file with the list of emails, but what do I do with it?
    The instructions are sloppy at best :(

    They didn't explain it properly. I had the same problem.

    Basically, you need to e-mail one of the people on that list. Send an e-mail with anything in the message body to the address of the person in question. If you read the challenge description, you should be able to figure out who to e-mail.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    dlofnep wrote: »
    They didn't explain it properly. I had the same problem.

    Basically, you need to e-mail one of the people on that list. Send an e-mail with anything in the message body to the address of the person in question. If you read the challenge description, you should be able to figure out who to e-mail.

    Got it. Thanks;)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    The second round of challenges is now up :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Btw, a follow-on from the XSS challenge. Once again, it's not real-world XSS :(


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Got it :) Took about 40 attempts from my XSS sheet. :\

    Have all of the challenges done except 7, which I see what I have to do.. Shouldn't take long.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    Cool, got three of them done. Challenge 7 has me scratching the head :/
    Will have another look tomorrow. Pity about the XSS :( Is it just string matching as opposed to an actual XSS? I don't really see the point if that's the case.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I'm pretty sure it's just string matching. I still haven't passed 7, but I'm pretty sure I'm doing the right thing. Just unsure as to why it's not working. Anyone who passes 7, let me know - as I want to ask a question to make sure I've the right solution.
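    The posts above conclude that the "XSS me" challenge only compares the submitted value against one fixed string rather than reflecting it into the page. The following is an added illustration, not code from the challenge site or from any poster: it decodes the percent-encoded value 900913 pasted earlier in the thread, shows how an exact-match check behaves (my reconstruction of what the posters infer the challenge does), and contrasts it with the defensive answer to reflected input, HTML-escaping at the output context. The search-page wrapper markup is a made-up example.

```python
import html
from urllib.parse import unquote

# The decoded form of the percent-encoded value quoted in the thread.
EXPECTED_STRING = '<script>alert("Appsec2011 Rocks!");</script>'

# Percent-encoded query value as it appeared in the thread (the "s=" parameter).
ENCODED_FROM_THREAD = (
    "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%41%70%70%73%65%63"
    "%32%30%31%31%20%52%6F%63%6B%73%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E"
)


def decode_query_value(raw: str) -> str:
    """Undo URL percent-encoding exactly as a web server would before use."""
    return unquote(raw)


def challenge_style_check(submitted: str) -> bool:
    """Reconstruction of the posters' inference: pass only on an exact string match.

    This is a grading rule, not a security control. Nothing is rendered, so it
    says nothing about whether the input would actually execute in a browser.
    """
    return submitted == EXPECTED_STRING


def render_search_results(query: str) -> str:
    """Defensive rendering of reflected input: escape for the HTML text context.

    html.escape(quote=True) turns < > & " ' into entities, so whatever the
    query contains is displayed as text and never parsed as markup or script.
    The surrounding <p> wrapper is a constructed example page fragment.
    """
    return f"<p>Search results for: {html.escape(query, quote=True)}</p>"


def contains_active_markup(rendered_html: str) -> bool:
    """Crude self-check used by the example: does the output still contain a raw tag?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    decoded = decode_query_value(ENCODED_FROM_THREAD)
    print("decoded value:      ", decoded)
    print("exact-match 'pass': ", challenge_style_check(decoded))
    # A single extra space is enough to fail the grader even though the text is
    # otherwise identical; this is why posters call it string matching, not XSS.
    print("with extra space:   ", challenge_style_check(decoded + " "))
    print("escaped rendering:  ", render_search_results(decoded))
```

Run stand-alone it prints the decoded string, the pass/fail of the exact-match rule, and the escaped rendering, in which the decoded value appears as inert text.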


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    How's everybody doing?


  • Closed Accounts Posts: 1 wylix


    I'm starting to give it a try, but I'm stuck at level 1.
    Any hint for me?

    Thanks

