Fun Web Hacking Challenges

Recently I found some online web application challenges that have been a lot of fun. The first one is hosted by Portcullis Security and covers several great, general web application vulnerabilities. Hosted at challenge.pentesting.ninja, it's open to the public and is a good set of web app vulns for those looking to play around and learn. In essence it includes input validation, SQL injection, local file inclusion, hash length extension and PHP object injection challenges. Ironically, the site is also vulnerable to such issues as session fixation and cross-site scripting in the name field. I'm not going to release any write-ups or solutions as Portcullis is still using this platform for evaluating candidates. All that said, I highly recommend it for those looking for web application practice.


Speaking of cross-site scripting, the next challenge site was released by Google to help promote XSS education and their bug bounty program. xss-game.appspot.com is a great primer on XSS as far as difficulty goes, giving appropriate hints and really educating the player along the way. If you need help there are write-ups online, as the game has been out for a while.



Finally, while not necessarily security related, one of my favorite web application games is also hackable. Wayward Beta is a free online game that runs entirely on client-side HTML5 and JavaScript. The game is also available as a native executable that was built down from a Node.js application. Wayward has a rich wiki, tons of mods, and a large Reddit community. It's essentially a survival game and can get pretty difficult at times. By far the easiest way to mess with the game is to start by viewing the source; searching for a few functions quickly reveals some nice hacks. Simply issue the following commands in the JavaScript console.

Fix hunger: player.hunger = 100;
Fix thirst: player.thirst = 100;
Up a specific skill to 100: player.skillGain("tactics", 100, false);
Spawn a monster: spawnMonster("fireelemental", player.x + 1, player.y);


Now that sure makes things interesting :) Enjoy the games, all!