“Victory For Raging Inferno”

Charithra Kariyawasam
4 min read · Oct 10, 2017


Where To Start?

If you are new to HackThisSite challenges, I highly recommend that you follow this link and read the introductory article that precedes this one. In that article, I have provided an introduction to both hacking and the HackThisSite website. It is better if you have a high-level understanding of the things we are about to discuss.
The following article provides a walkthrough that will help you understand the learning outcomes of this challenge. This article contains the walkthrough for Realistic challenge number 1. I have provided a link to this challenge at the bottom of this article.

Introduction

The challenge presents a website that ranks competing bands according to the votes cast by their fans. According to the requester, I have to manipulate the web page so that the voting results change and the website shows the requester's band at the top of the ranking list. So the task is to find a way to manipulate the website's voting system in favour of the requester.

Step By Step Guide.

The following section provides a way to solve the challenge. The required knowledge and the learning outcomes are given later. It is better if you try this challenge yourself before going through this article and the forums provided by the website.

1) Click the link given in the question window.

2) Check the website that needs to be hacked.

Once we are on the site we can see that the requester's band is at the bottom, but we have to put it at the top. To do that we have to identify how the voting system works, so we check the source code of the page.

3) Go to the source of the above web page.

In the source code we can see that the form data is submitted using a “GET” request. This means that we can see the parameters being sent, which gives us a chance to edit the request and change it into a vote that moves the “Raging Inferno” band to the top.

4) Manipulating the source code.

We can see that the vote uses the value attribute of the option tag in the source code. So let's change one of the option values to 100000.

Then select the changed value in the drop-down and click the vote button on the page.

Victory For Raging Inferno…!

Prevention Of The Security Threat.

We changed the input to a different value, but the server did not detect this. To prevent this kind of security threat, the server must always validate the inputs sent by forms. This is especially important for GET requests, because the parameters being sent are visible in the URL and an attacker can edit them.

Learning Outcome.

  • If the inputs from a web page are not validated, attackers have an opportunity to manipulate them and change the behaviour of the web page.
  • If form data is sent via a GET request, an attacker can manipulate the parameters to change the data being sent.
  • Data received from a form must be validated in the backend.
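As an added example (not code from the challenge or from the original post), here is the kind of server-side check the Prevention section calls for, in Python: it parses the submitted query string, accepts only a known band and a vote within the drop-down's range, and discards everything else. The parameter names `band` and `vote`, the band list and the 1..5 vote range are assumptions, since the real form's names are not given on the page.

```python
from urllib.parse import parse_qs

# Assumed names: the real HackThisSite form's parameter names are not on the
# page, so "band" and "vote" are placeholders. The band list is constructed.
ALLOWED_BANDS = {"Raging Inferno", "Band A", "Band B"}
ALLOWED_VOTES = range(1, 6)  # assumption: the drop-down offers 1..5


def validate_vote(query_string, allowed_bands=ALLOWED_BANDS,
                  allowed_votes=ALLOWED_VOTES):
    """Server-side check of one vote request.

    Returns (True, (band, vote)) when the request is acceptable, otherwise
    (False, reason). Nothing the browser sent is trusted: the option values
    in the HTML can be edited freely by the user, so the allowed set lives
    here, on the server, not in the page.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    bands = params.get("band", [])
    votes = params.get("vote", [])
    if len(bands) != 1 or len(votes) != 1:
        return False, "band and vote must each appear exactly once"
    band, raw_vote = bands[0], votes[0]
    if band not in allowed_bands:
        return False, f"unknown band {band!r}"
    # ASCII digits only: rejects '', '-1', '1e5', '5.0' and Unicode digits.
    if not (raw_vote.isascii() and raw_vote.isdigit()):
        return False, f"vote must be a whole number, got {raw_vote!r}"
    vote = int(raw_vote)
    if vote not in allowed_votes:
        return False, (f"vote {vote} outside "
                       f"{allowed_votes.start}-{allowed_votes.stop - 1}")
    return True, (band, vote)


def tally(query_strings):
    """Apply only the valid votes; return the totals and the rejected requests."""
    totals = {b: 0 for b in ALLOWED_BANDS}
    rejected = []
    for qs in query_strings:
        ok, detail = validate_vote(qs)
        if ok:
            band, vote = detail
            totals[band] += vote
        else:
            rejected.append((qs, detail))
    return totals, rejected
```

The same check belongs in front of a POST form as well: moving the parameters out of the URL does not stop anyone from editing them.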

Now What?

This concludes the challenge. I recommend that you go back to the challenge and do it again with the knowledge gained from this article. If you encounter things you do not know, it would be wise to learn them to a reasonable extent and use them. If you develop that kind of discipline, you will increase your knowledge about “everything” at an alarming speed. Good luck!

Link to the challenge

https://www.hackthissite.org/playlevel/1/
