Domain: hackthissite.org
Stories and comments across the archive that link to hackthissite.org.
Comments · 13
-
An oldie but goodie
HackThisSite has been around since 2003. Its missions are old, but it's one of many good starting points. They're updating their challenges, too
.. eventually. -
Re:64-bit computers DO NOT solve this problem
-
Meet my friends Greasemonkey, TamperData, and SQLI
In order to understand security, you must first understand how to hack or abuse a website. I recommend spending at least a week as a hacker. Here are some things to get your started:
1. Install Firefox or Chrome, I like Firefox for webdev.
2. Install GreaseMonkey https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/
3. Install TamperData https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
4. Learn about backend resource management and data validation, specifically SQL Injection. http://hackthissite.org/ is a great place to start
5. On your backend database ENCRYPT all sensitive data, names, account #s, social security, birth-dates. I like to encrypt all the fields then use an off-by-one Fibonacci encoding for numeric fields, so even if you are hacked/decrypted, this is still one more layer of encoding. So many fools do not encrypt their database field data and get owned by SQL-injection attacks or sever compromise. The list is long and distinguished.
6. Lastly, if you are running standard open-source packages test your site for cross-scripting vulnerabilities.
7. Web server lockdown depends on your server and platform Apache, IIS, Windows, Linux... but LOCK IT DOWN!
Also, don't do obvious things like put sql connect userid/passwords in your backend scripts especially if you are running a VM on a shared hosting server. Close down all unused ports/services on your server. Never trust the frontend firewall especially if it says CISCO on the front. Run tripwire. Run MRTG with Big Brother and monitor your traffic/activity and always keep an eye out for anomalies. Keep an eye on your logs and do daily backups.
There are hordes of hackers around the world looking to build backdoors into your site, especially if you have bandwidth and storage. Too many folks (including the new cloud guys like Amazon) have no baseline for activity on their system, get hacked, and are clueless.. maybe that is too harsh, I will say mostly clueless but getting better at responding.
If you need further help, I am available as an extremely expensive consultant, but I am slammed with work at the moment. Good Luck and remember the Internet is an extremely dangerous place. -
Learn to break them
Software engineering is fairly similar to structural engineering. Just as an architect does not truly understand how to create an indestructible building without first learning how buildings are destroyed, you can't possibly hope to create a secure software system without understanding how software is broken.
If you are serious about securing your software (without having a security expert on hand), you need to spend some time *breaking* software. http://www.hackthissite.org/ has some fairly good tutorials, but you're also going to need to learn about buffer overruns, binary magic (such as never-ending zip files and over-sized jpegs), sql injection, malformed packets, firewalling, fail2ban, encryption (certificates at the very least), intranet isolation, air-gapping, client-securing, hardware securing (disabling USB ports), etc.
Basically, there is a reason security experts spend so much time in school and charge so much per hour. If this project is already in the blue-print stage and has a deadline, you should be looking to hire a security expert at the planning stage and at least a few audit stages along the lines. If this is more of a pet-project, it could be a very good way to get yourself motivated to learn these subjects.
-
This isn't the 'first elite hacker ranking system'
because first off, you wouldn't call it "elite." Also, ever heard of Hack This Site?
-
HackThisSite
I had fun messing around on the site. If you're interested in this sort of thing, HackThisSite.org has about a dozen similar "Realistic Missions" as well as forums and many other types of security-related challenges.
-
Re:Well, for starters...
-
Re:All you need is a science MMORPG
I actually am hoping for such a game to eventually exist. And if nobody makes it I might do it but I don't have the skills...
Look at websites like http://www.hackthissite.org/ where you basically learn many things. When you find the solution to a problem, you are awarded points. This pushes you to learn more and achieve more.
Instead of having HTML, javascript, programming, etc challenges, why not make something like that for general science?
Make learning FUN!
Also, I'd LOVE games to learn languages like http://www.tbns.net/knuckles/.
Again: MAKE. LEARNING. FUN!
-
"Hacking" exercises...
I am a systems administrator at www.hackthissite.org (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.
Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless of other topics--all through personal experience with the "missions" on the site.
I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion. -
There are sites that permit hack attempts
http://www.hackthissite.org/
or google for "hack my server"
p.s. didn't RTFA. -
HackThisSite.org?
So, I guess HTS will have to update some of their hacking challenges.
-
Re:Yes and NoAn acquaintance of mine discovered some PHP vulnerabilities in my school's CS website. It was your usual $include from a GET variable crap. Horrible coding. So he published his results, not to the webmaster, whose email address is available on the website, not to the faculty, but to the CS Undergrad mailing list. He also mentioned his website, HackThisSite.org, which had recently been made an ACM project. As a result, he was kicked out of the ACM chapter and of the College of Engineering. He remains a student of the university, but he ruined his choice of major...
I have to support the decision made by the administrative folks. Pointing out vulnerabilities and how to fix them is one thing. Pointing them out and showing how to exploit them to a large, relatively untrusted population is quite another. I mean, I ran his POC code that showed a directory listing... I imagine others did the same. I also imagine others probably wrote their own code and ran that. He had www access to the server.
I'm all for finding vulnerabilities. I think if he had handled it better, he would have been touted as almost a hero and not some malicious kid. But he didn't.
-
Re:Yes and NoAn acquaintance of mine discovered some PHP vulnerabilities in my school's CS website. It was your usual $include from a GET variable crap. Horrible coding. So he published his results, not to the webmaster, whose email address is available on the website, not to the faculty, but to the CS Undergrad mailing list. He also mentioned his website, HackThisSite.org, which had recently been made an ACM project. As a result, he was kicked out of the ACM chapter and of the College of Engineering. He remains a student of the university, but he ruined his choice of major...
I have to support the decision made by the administrative folks. Pointing out vulnerabilities and how to fix them is one thing. Pointing them out and showing how to exploit them to a large, relatively untrusted population is quite another. I mean, I ran his POC code that showed a directory listing... I imagine others did the same. I also imagine others probably wrote their own code and ran that. He had www access to the server.
I'm all for finding vulnerabilities. I think if he had handled it better, he would have been touted as almost a hero and not some malicious kid. But he didn't.