Monday, May 10, 2010

Web Security Challenge 3

Another challenge on "Encoding attacks for Web applications".



Description:
Many web sites do not use SSL encryption for their web application (including login pages). You can easily extract or manipulate data during the communication between the client and the server.

Objective:
This challenge is a simple challenge. You are required to extract the "password" from the simulated user login and verify the capture password by logging in with it. For this challenge, You will learn and understand on how to capture web communication between the client and the server. This will be the fundamental for further challenges on code injection.

Environment:
The challenge was created with simple HTML and PHP.
The URL: Email me if you interested

Rules:
* Do not extract the password from the source code. You are suppose to extract it from the communication.
* It is a code challenge, extract the data not crack the server.

Technical resources:
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
- Some readup on HTTP and Request methods

http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- WebScarab, a good tool by OWASP

http://www.parosproxy.org/
- Another good web security tools

- Previously did a video on extracting user's credential on unsecured website
http://werew01f.blogspot.com/2009/05/how-secure-is-your-forum-login.html

Feel free to provide comments on this challenge.

No comments: