Web - Server

Discover the mechanisms, protocols and technologies used on the Internet and learn to abuse them!

These challenges are designed to train users on HTML, HTTP and other server-side mechanisms. The following series of challenges will cultivate a better understanding of techniques such as the basic workings of multiple authentication mechanisms, handling form data, the inner workings of web applications, etc.

Prerequisites:
- Understand HTML.
- Understand the HTTP protocol.
- Ability to manipulate a web browser.

 65 Challenges

Results Name Validations Number of points Difficulty Author Note Solution
pas_valide Backup file 17% 33798 15 g0uZ 7
pas_valide CRLF 10% 18790 20 g0uZ 7
pas_valide Command injection - Filter bypass 3% 4144 30 sambecks 6
pas_valide Directory traversal 11% 21606 25 g0uZ 3
pas_valide File upload - Double extensions 11% 21149 20 g0uZ 9
pas_valide File upload - MIME type 9% 16558 20 g0uZ 10
pas_valide File upload - Null byte 8% 14982 25 g0uZ 4
pas_valide File upload - ZIP 3% 5445 30 ghozt 3
pas_valide GraphQL 1% 107 40 CanardMandarin 1
pas_valide HTML - Source code 49% 97581 5 g0uZ 3
pas_valide HTTP - Cookies 14% 26582 20 g0uZ 7
pas_valide HTTP - Directory indexing 24% 46756 15 g0uZ 7
pas_valide HTTP - Headers 16% 31931 15 Arod 9
pas_valide HTTP - Improper redirect 13% 24905 15 Arod 10
pas_valide HTTP - Open redirect 19% 36977 10 Swissky 10
pas_valide HTTP - POST 13% 25009 15 Th1b4ud 10
pas_valide HTTP - User-agent 25% 48795 10 g0uZ 10
pas_valide HTTP - Verb tampering 15% 28120 15 g0uZ 10
pas_valide Insecure Code Management 3% 5129 20 Swissky 6
pas_valide Install files 14% 27914 15 g0uZ 3
pas_valide JSON Web Token (JWT) - Introduction 3% 5702 20 Kn0wledge 5
pas_valide JSON Web Token (JWT) - Public key 1% 1587 30 Jrmbt 4
pas_valide JSON Web Token (JWT) - Weak secret 3% 4011 25 Jrmbt 6
pas_valide JWT - Revoked token 1% 1122 25 ArnC 6
pas_valide Java - Server-side Template Injection 4% 6261 30 righettod 4
pas_valide Java - Spring Boot 1% 1435 40 dvor4x 2
pas_valide LDAP injection - Authentication 4% 6464 35 g0uZ 8
pas_valide LDAP injection - Blind 1% 1984 55 g0uZ 2
pas_valide Local File Inclusion 9% 16515 30 g0uZ 4
pas_valide Local File Inclusion - Double encoding 5% 8062 30 zM_ 3
pas_valide Local File Inclusion - Wrappers 2% 2006 40 sambecks 4
pas_valide NoSQL injection - Authentication 3% 4927 35 mastho 8
pas_valide NoSQL injection - Blind 1% 1838 45 ghozt 5
pas_valide PHP - Command injection 18% 35172 10 sambecks 10
pas_valide PHP - Eval 1% 1820 40 chmod 9
pas_valide PHP - Filters 7% 12974 25 g0uZ 3
pas_valide PHP - Loose Comparison 3% 4288 30 ghozt 4
pas_valide PHP - Path Truncation 2% 3670 35 Geluchat 4
pas_valide PHP - Remote Xdebug 1% 419 25 mayfly 2
pas_valide PHP - Serialization 3% 4499 35 Arod 2
pas_valide PHP - Unserialize overflow 1% 273 40 mayfly 2
pas_valide PHP - assert() 5% 8953 25 Birdy42 9
pas_valide PHP - preg_replace() 4% 6091 30 sambecks 4
pas_valide PHP - register globals 6% 10714 25 g0uZ 1
pas_valide PHP - type juggling 3% 5923 30 vic 4
pas_valide Remote File Inclusion 4% 7194 30 g0uZ 8
pas_valide SQL Injection - Routed 2% 2690 35 soka 5
pas_valide SQL Truncation 3% 4025 35 Geluchat 2
pas_valide SQL injection - Authentication 13% 24929 30 g0uZ 11
pas_valide SQL injection - Authentication - GBK 3% 5469 30 dvor4x 3
pas_valide SQL injection - Blind 3% 4521 50 g0uZ 5
pas_valide SQL injection - Error 3% 4279 40 sambecks 4
pas_valide SQL injection - File reading 2% 3279 40 Arod 3
pas_valide SQL injection - Filter bypass 1% 1390 80 sambecks 5
pas_valide SQL injection - Insert 1% 1775 40 sambecks 3
pas_valide SQL injection - Numeric 5% 8396 35 g0uZ 6
pas_valide SQL injection - String 6% 11517 30 g0uZ 8
pas_valide SQL injection - Time based 2% 3104 45 ycam 4
pas_valide Server Side Request Forgery 1% 773 50 sambecks 7
pas_valide Weak password 34% 66841 10 g0uZ 7
pas_valide XML External Entity 2% 3094 35 sambecks 2
pas_valide XPath injection - Authentication 3% 4643 35 g0uZ 6
pas_valide XPath injection - Blind 1% 1385 75 g0uZ 4
pas_valide XPath injection - String 2% 2638 40 g0uZ 5
pas_valide XSLT - Code execution 2% 2163 30 ghozt 5

Challenge Results

Username Challenge Lang Date
Nesta0   HTTP - Verb tampering 30 November 2020 at 13:54
Bastos   PHP - assert() 30 November 2020 at 13:53
sonbinrob   File upload - Null byte 30 November 2020 at 13:53
Quadratrate   HTML - Source code 30 November 2020 at 13:51
Nesta0   HTTP - Headers 30 November 2020 at 13:50
Gustavo   HTTP - Open redirect 30 November 2020 at 13:49
SonSeKai   HTML - Source code 30 November 2020 at 13:48
62Nono56   Weak password 30 November 2020 at 13:36
Nesta0   HTTP - Directory indexing 30 November 2020 at 13:35
chrsow   Java - Spring Boot 30 November 2020 at 13:34