Web hacking challenges

Find the flags on the websites! Here we present you many web hacking challenges that you can use to practice. On each site a flag is hidden somewhere. A flag is a special string in the following format: UiO-Hacking-Arena{Here's_the_flag}. All of our challenges are running in a separated sandboxed enviroment. You can try and practice web hacking with our examples.

Difficulty levels:

Information Disclosure

Information disclosure is a type of vulnerability that can be used to obtain unintended information from a website.

Information disclosure exercise 1. http://palpatine.hackingarena.com:801 Solution	Information disclosure exercise 2. http://palpatine.hackingarena.com:809 Solution
Information disclosure exercise 3. http://palpatine.hackingarena.com:818 Solution	Information disclosure exercise 4. http://palpatine.hackingarena.com:819 Solution
Information disclosure exercise 5. http://palpatine.hackingarena.com:805 Solution	Information disclosure exercise 6. http://palpatine.hackingarena.com:820 Solution

Default settings

If the website contains default settings then the attacker can use it to achieve the aim. The following exercises contain default settings.

Default settings exercise 1. http://jabba.hackingarena.com:801 video solution

Default settings exercise 2. http://jabba.hackingarena.com:802 video solution

Client side validation bypass

Client side 1. http://palpatine.hackingarena.com:804 video solution	Client side 2. http://palpatine.hackingarena.com:806 video solution
Client side 3. http://palpatine.hackingarena.com:810 video solution	Client side 4. http://jabba.hackingarena.com:812 video solution

Brute forcing

Brute force exercise 1. http://palpatine.hackingarena.com:803 video solution	Brute force exercise 2. http://palpatine.hackingarena.com:807 video solution
Brute force exercise 3. http://palpatine.hackingarena.com:808 video solution

Parameter tampering

Parameter tampering 1. http://palpatine.hackingarena.com:802 video solution	Parameter tampering 2. http://palpatine.hackingarena.com:811 video solution
Parameter tampering 3. http://palpatine.hackingarena.com:812 video solution

Session fixation

Session fixation 1. http://jabba.hackingarena.com:803 video solution	Session fixation 2. http://palpatine.hackingarena.com:813 video solution
Session fixation 3. http://jabba.hackingarena.com:804 video solution	Session fixation 4. http://jabba.hackingarena.com:810 video solution

Cross site scripting

XSS 1. http://jabba.hackingarena.com:816 video solution

XSS 2. http://jabba.hackingarena.com:817 video solution

Cross site request forgery

soon available

Clickjacking

soon available

Sql injection

Sql injection 1. http://jabba.hackingarena.com:805 video solution	Sql injection 2. http://jabba.hackingarena.com:806 video solution
Sql injection 3. http://jabba.hackingarena.com:807 video solution	Sql injection 4. http://jabba.hackingarena.com:808 video solution
Beatles fanpage 1. http://yoda.hackingarena.com:805	Beatles fanpage 2. http://yoda.hackingarena.com:802
Super safe site http://yoda.hackingarena.com:806 Challenge created by Beckyntosh

Xpath injection

Xpath injection exercise 1. http://palpatine.hackingarena.com:815 video solution

Xpath injection exercise 2. http://jabba.hackingarena.com:809 video solution

Server side template injection

soon available

File inclusion

File inclusion exercise 1. http://palpatine.hackingarena.com:816 video solution	File inclusion exercise 2. http://sidious.hackingarena.com:803 video solution
File inclusion exercise 3. http://jabba.hackingarena.com:811 video solution

Crypto with web

Crypto with web 1. http://jabba.hackingarena.com:814 video solution

Crypto with web 2. http://jabba.hackingarena.com:815 video solution

Unsecure file upload

soon available

Challenges without category

Challenge 1. http://palpatine.hackingarena.com:805	Challenge 2. http://palpatine.hackingarena.com:820