My idea for a web hacking training ground
Okay, so I'm beginning to get ideas of a possibly much better method of teaching/practicing hacking techniques.
Basically, in my opinion, missions like those found on common hacking sites don't really do justice for properly teaching technique. They just accept a single attack string, the user is like 'alright, mission beaten!' then they move on without learning much. Too much simulation.
I was just thinking, maybe something like this would be a better idea (im just going to talk about xss/sql inject but this could be applied to anything):
XSS
So there is a guestbook (input field, submit button, and all previous entries)
Above this, there is a drop down <options> menu, with different filter types. Lets just take some common PHP functions for example strip_tags() and htmlentities().
You choose one of the filter types you are going to try to penetrate, and enter your injection.
The page then outputs the HTML input and output, so the user can see exactly how the filter changed the input and output. Personally i believe this would promote learning.
SQL inject Next, for teaching SQL injection technique, there would be a very similar setup (and a real, not simulated SQL engine). An input field, a dropdown menu of different sql injection filtering techniques, and fields showing the input, filtered input, and output.
This way the user could see the exact query that was being submitted, how the filter affected it, and what the resulting set of values was.
there would not be points involved, just goals with checkmarks and hints.
would anybody be interested in using this/ helping code it/ providing input? other opinions? (especially from Zephyr, flame_1221, lloh, skunkfoot)
Awesome. Once we get a few more people on board we could really get this thing into action.
Then we have to ask ourselves:
What would the site be called (or maybe a new section of hbh or something?)
How would we host it (freehostia.com is pretty awesome. thats what im thinkin with free php,sql,database space)
Should there be a login, or just cookies to track progress.
[offtopic] ahh see, i disagree. Ninjas are great at killing and being sneaky and stuff, but they do this because they are told. pirates travel the seas with the free spirit and belong to no nation. they do what they want. the pirates are free people. bein a pirate is all about the spirit of it all.[/offtopic]
Okay, that sounds good.
Well have to talk to Cheese, or maybe a section on DMZ and talk to R0me0.
Maybe it would work by,
well let me say something else first. wouldnt it be more logical to group missions by attack type? i think it would be a lot more constructive if there was an 'xss' category rather than 'basic' and 'realistic' categories.
anyways, i think it would be the best if there was an xss category, and you had to sequentially penetrate different filters. if you penetrated them all, you get an 'xss master' badge on your profile, but no points or something.
or possibly there are no points and no awards at all, it is just for your own personal benefit. under the 'training ground' section of the site. i dont know i just think learning is so inhibited by the simulated challenges. like people learn so much by guessing and checking and getting feedback.
yeah. Like a section for XSS with different levels of challenges. (Like the basic challenges, only with XSS for all the challenges with varying degrees of difficulty)
Also, I was just thinking, we can't just change everything about HBH. Maybe it would be better, but that's not our decision. :P
Oh, and DarkMindZ already has a web wars thing going on. They're not really focusing on challenges right now. (the web wars should prove more educational than challenges anyway)
Skunkfoot wrote: Also, I was just thinking, we can't just change everything about HBH. Maybe it would be better, but that's not our decision. :P this is true, but frustrating.
Skunkfoot wrote: Oh, and DarkMindZ already has a web wars thing going on. They're not really focusing on challenges right now. (the web wars should prove more educational than challenges anyway)
ah i see. not sure if i like the idea tho. on the one hand, the individuals involved will learn loads. but on the other hand, it makes it much more difficult for less devoted and less involved individuals to learn anything at all. maybe if teams wrote articles about how the attack was executed, and they left the servers up for others to try after the web war was over?
Yeah, an XSS section would be a really cool idea.
maybe something along the lines of.
level 1:
no filter. try to get <script>alert(1)</script> thru. just copy and paste.
level 2:
quote striping filter in place. try to get <script>alert('hello')</script> thru. solve by A) javascript CharCode ascii B)convert from hex C) convert from base 64
level 3:
maybe there is an example, where you enter a username, and it is presented in the title at <title>Welcome, $username</title>
you solve by breaking out of the <title> tag, to inject an alert('xss') tag.
etc, etc im sure we could come up with tons of ideas that would really have users learn what they are doing.
[edit] and heres a good example of an SQL engine http://www.w3schools.com/sql/trysql.asp that is something along the lines of what i was thinking [/edit]
A XSS testing area like this already exists.
An unfiltered SQL injection area like this would be damn fun but still dangerous, and if it had filters or restricted permissions etc it wouldn't be very useful :|
Skunkfoot wrote: EDIT: oh, and by the way, pirates < ninjas in almost every way. (short of sailing ability)
Well, pirates steal software. Ninjas just kinda, sit there.
;)
[ontopic] I suppose I could help, although, based on that previous link, it does seem to be a concept that's been previously visited.
Also, do you plan to actually bypass the php functions such as strip_tags() and htmlentities(), or just demonstrate how they filter? Because, you're going to have one hell of a time trying to get around them.
The SQL injection one sounds a lot more promising, but can you really simulate EVERY type of filtering?
There will always be some left by the wayside.
Ah thanks for the feedback.
@uber0n: ah thanks for the link i will enjoy that :D and although it has been done, most users are not going to find that link, and will not learn very much. i think hbh should link to that. Anyways, I see where you are coming from.
What if i set up a site with a basic registration/login system, but SQL injections running rampant. Then every 24 hours or so, the database would revert to a default to restore all the damage that has been done. Any opinions on this?
@spyware: thanks for the confidence and support :happy:
@lloh: i meant a strip quote function, not strip tags my bad. And both, demonstrate strip_tags() and htmlentities(), but also have addslashes() and magic quotes and things that will have more possible vulnerabilities.
@DigitalFire, thanks for the sarcastic comments without providing any information or serious reply to my post :happy:
Alright, fine. let me redo that.
@spyware: okay, so im not the book of all nor do i contain every attackā¦ :right: anyways, although it may have been done on every degree/level, it has not been done on every degree/level in our community. personally i have never encountered anything of the sort during my experience on hbh or hts. i was suggesting that it would be beneficial for our members. And please expand on "your process of thinking is flawed". Im not trying to fight, just get feedback.
@DigitalFire Its a good idea, I created something similar (but not the same) as this when I ran my own website (learn2hack.net). I had a couple XSS "challenges" and I was working on an SQL area (unfortunately I had to stop as my grades plummeted as I stopped doing any work on anything but this). Personally I had the XSS stored within text files (which was a major mistake to start off with) and had several different pages each one with a different level of security. But this idea of having a drop down menu with the possible levels of security is something I hadn't thought of nor have I seen anywhere that does this, so it would be interesting to see how well this would work. My SQL area (which never got released unfortunately), used a collection of I think it was 50 databases, each with its own user (which could only access that database) and stored the details within a separate database. Then the if a user wanted to access the SQL area it would look for a free database then assign that database to the user (until they logged out or was idle for 10 minutes) then the user could perform basically all the SQL commands they wanted on the database. Once the database was finished with a script was run which deleted all the data/tables from the database and then created a default set of tables and inserted a default amount of data. The idea with the SQL area was to have that as a basis and then use that system with a variety of different front ends, with varying levels of security on it.
I dont know whether that information would have been of any use, but either way I would be interested to see how this "training ground" works out
Satal :)
@satal: very cool, i wish the site was still up :happy:
interesting idea of multiple databases, where a user 'rents' one for a little while, then once they are done it is reset so the next user can access it. this would take more resources tho.
what about this: one database, which all users have access to. the only restriction is that users cannot access the basic user table which contains user/pass of everybody (so you dont have to re-register after somebody drops it).
to make things more fun, there should also be an admin table, news tables, and shit like that.
this way people can add their usernames to the admin table to gain access, remove other people (king of the hill style?), add/delete news, try to extract passwords from the admin table to login as the one and only super administrator. just lots of random things like that going on to practice SQL injection.
and users would have access to the source (of at least some pages, of the easier tasks) so that they can see the exact query and learn how to interpret/exploit code.
How do you learn XSS you ask me? With a HTMLsandbox and the internet.
SQL? Study SQL, run MySQL and MSSQL, but whatever you do, DON'T TEACH PEOPLE PREFABRICATED STUFF! Actually learn WHY and HOW, not just WHAT they have to inject.
That is why I think your process of thinking is flawed, you still think in minor objectives, in small victories. I think in binary, either you know it (1), or you don't (0).
Yes I believe that it was pretty resource intensive, BUT I have had a thought since then (was going to make another one, to help teach the people on my course SQL as our lecturers can't even perform INSERT queries, even with a piece of paper with the code on it). but anyway because the number of database's would be well in excess of 50 for something like you're planning, you would be looking at easily double that, which would cause problems between you and your hosting company :P
But what I thought about is that it is possible to connect to MySQL database's which are on a different server to where the script is, so if you take my idea from above and then add a host field to the database then have the database connected to from your server while the database they're connecting to is on some free web space thing. Personally I found that the there was a problem when I tried to implement this. The database's weren't allowing the connection, so I'm guessing the free host that I was trying to use had their database set up so you couldn't connect to it from anything but their server.
what about this: one database, which all users have access to. the only restriction is that users cannot access the basic user table which contains user/pass of everybody (so you don't have to re-register after somebody drops it). Personally if you have the ability to have more than one database then I would have the user/pass for the users in a separate database which the user which is being used for the other database has no rights (better safe than sorry)
remove other people (king of the hill style?) Personally I'm not keen on this idea, as it would be really annoying for noobs who're trying to learn to finally gain access and then have their access removed.
Also one of the problems with having only one database which everyone accesses is that we all know you will get one ponce who has to ruin it for everyone else and will sit there dropping all the tables, when each user has access only to their database then they can drop all the tables in their database all they want without ruining it for everyone else
to make things more fun, there should also be an admin table, news tables, and shit like that. Yeah well it would be important to have the database able to support the front end that you will supply the end users to try and hack.
Also another benefit of having several database's is that when creating the database you dont have to worry about things like XSS as much as when the user views a database they're viewing their own rather than one someone else has had access. This would alsom mean that you would be able to have different levels of security for XSS.
Basically you could probably create entire sites each one with different levels of security on all parts of it (although you would have to make sure that there are no PHP Injection as that could cause a couple problems)
Anyway Im gona shut up now as I have an exam in 30 minutes and im not even dressed yet.
If you decide that you would like to go down the route of having several databases, I can give you some source code which I had done for my version (the one for the people on my course, not L2H as that was lost nearly two years ago :P) its not perfect but it would give you a chance to see how I did it
[EDIT] Wow that was a block of text, sorry if thats put you off reading that, although if you didn't bother reading that then im sure you're not reading this :D [/EDIT]