New OWASP Challenge

dlofnep · 21-04-2011 4:39pm #1

Challenge running over the course of a few weeks.

Details here: http://www.appseceu.org/?p=542

Challenge website here: http://www.hackademic.eu

Best of luck!

h57xiucj2z946q · 21-04-2011 7:08pm

Looks good.

dlofnep · 22-04-2011 3:37pm

Got them all. How's everybody doing?

Redshift · 22-04-2011 3:57pm

dlofnep wrote: »

Got them all. How's everybody doing?

Should number three load another page when you hit XSS me?
I've tried the usual ways of making and alert box appear submitted as plain text and encoded in various ways but the page just sits there

like nothing at all happens when you push the button

Number 2 was easy, I had a quick look at 1 but haven't got it yet

h57xiucj2z946q · 22-04-2011 5:04pm

Redshift wrote: »

Should number three load another page when you hit XSS me?
I've tried the usual ways of making and alert box appear submitted as plain text and encoded in various ways but the page just sits there like nothing at all happens when you push the button

Number 2 was easy, I had a quick look at 1 but haven't got it yet

Its a bit of a silly challenge to be honest. I was stuck on that one. Challenge one is a bit badly described also.

dlofnep · 22-04-2011 5:53pm

Redshift wrote: »

Should number three load another page when you hit XSS me?

Yes, it will confirm the challenge is compete after the alert box opens. It's actually straight forward. Try not to think too hard.

23-04-2011 11:23pm

dlofnep wrote: »

Yes, it will confirm the challenge is compete after the alert box opens. It's actually straight forward. Try not to think too hard.

Can I keep testing this with alert(1) and then change it, or does every attempt have to include "Appsec2011 Rocks!".

In other words can I get an alert without "Appsec2011 Rocks!" in the post ?

*edit

The site still has http://www.appseceu.org/?s=900913 %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%41%70%70%73%65%63%32%30%31%31%20%52%6F%63%6B%73%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E

dlofnep · 24-04-2011 12:04am

It has to contain that exact string for you to pass the challenge.

h57xiucj2z946q · 24-04-2011 12:09am

900913 wrote: »

Can I keep testing this with alert(1) and then change it, or does every attempt have to include "Appsec2011 Rocks!".

In other words can I get an alert without "Appsec2011 Rocks!" in the post ?

Keep using Appsec2011 Rocks! as the challenge is a bit silly.

24-04-2011 12:18am

Just did it, It's not an XSS,

It's an excat string, that will only work

hacknoob · 26-04-2011 9:24pm

Any hints for challenge # 1 ?
I'm stuck

I tried different methods like injection, view source, etc but no luck
Any hints?

Cheers!

26-04-2011 10:39pm

I started on and gave up after challenge 3 when I realised the task wasn't giving true server responses.

dlofnep · 26-04-2011 11:11pm

hacknoob wrote: »

Any hints for challenge # 1 ?
I'm stuck I tried different methods like injection, view source, etc but no luck
Any hints?

Cheers!

No injection involved. I might suggest that you view the source again, very carefully

Redshift · 26-04-2011 11:24pm

I'm stuck too, I found the file with the list of emails but What do I do with it?
the instructions are sloppy at best

hacknoob · 26-04-2011 11:55pm

..but how did you get past the login form? Is it related to those hidden input texts in the source?:cool:

hacknoob · 27-04-2011 12:06am

nevermind. Got it figured out! :rolleyes:

dlofnep · 27-04-2011 12:44pm

Redshift wrote: »

I'm stuck too, I found the file with the list of emails but What do I do with it?
the instructions are sloppy at best

They didn't explain it properly. I had the same problem.

Basically, you need to e-mail one of the people on that list. Send an e-mail with anything in the message body to the address of the person in question. If you read the challenge description, you should be able to figure out to who to e-mail.

Redshift · 27-04-2011 7:08pm

dlofnep wrote: »

They didn't explain it properly. I had the same problem.

Basically, you need to e-mail one of the people on that list. Send an e-mail with anything in the message body to the address of the person in question. If you read the challenge description, you should be able to figure out to who to e-mail.

Got it. Thanks;)

dlofnep · 28-04-2011 7:48pm

Second round of challenges are now up

dlofnep · 28-04-2011 8:03pm

Btw, a follow on from the XSS challenge. Once again, it's not real world XSS

dlofnep · 28-04-2011 8:36pm

Got it

Took about 40 attempts from my XSS sheet. $:\$

Have all of the challenges done except 7, which I see what I have to do.. Shouldn't take long.

Redshift · 29-04-2011 12:03am

Cool, got three of them done, challenge 7 has me scratching the head

will have another look tomorrow. Pity about the XSS:( is it just string matching as opposed to an actual XSS? I dont really see the point if thats the case.

dlofnep · 29-04-2011 10:34am

I'm pretty sure it's just string matching. I still haven't passed 7, but I'm pretty sure I'm doing the right thing. Just unsure as to why it's not working. Anyone who passes 7, let me know - as I want to ask a question to make sure I've the right solution.

dlofnep · 30-04-2011 4:15pm

How's everybody doing?

wylix · 09-05-2011 1:33pm

im starting to give it a try, but it stuck me at level 1
any hint for me?

thx

New OWASP Challenge

Comments