Web hacking challenges


Find the flags on the websites! Here we present many web hacking challenges that you can use for practice. On each site a flag is hidden somewhere. A flag is a special string in the following format: UiO-Hacking-Arena{Here's_the_flag}. All of our challenges run in a separate sandboxed environment. You can try out and practice web hacking with our examples.

Information Disclosure


Information disclosure is a type of vulnerability that can be used to obtain unintended information from a website.

Information disclosure exercise 1.

http://palpatine.hackingarena.no:801
video solution
Information disclosure exercise 2.

http://palpatine.hackingarena.no:809
video solution
Information disclosure exercise 3.

http://palpatine.hackingarena.no:818
video solution
Information disclosure exercise 4.

http://palpatine.hackingarena.no:819
video solution
Information disclosure exercise 5.

http://palpatine.hackingarena.no:805
video solution
Information disclosure exercise 6.

http://palpatine.hackingarena.no:820
video solution

Default settings


If a website is left with default settings, an attacker can use them to achieve their aim. The following exercises contain default settings.

Default settings exercise 1.

http://jabba.hackingarena.no:801
video solution
Default settings exercise 2.

http://jabba.hackingarena.no:802
video solution

Client side validation bypass


Client side 1.

http://palpatine.hackingarena.no:804
video solution
Client side 2.

http://palpatine.hackingarena.no:806
video solution
Client side 3.

http://palpatine.hackingarena.no:810
video solution
Client side 4.

http://jabba.hackingarena.no:812
video solution

Brute forcing


Brute force exercise 1.

http://palpatine.hackingarena.no:803
video solution
Brute force exercise 2.

http://palpatine.hackingarena.no:807
video solution
Brute force exercise 3.

http://palpatine.hackingarena.no:808
video solution

Parameter tampering


Parameter tampering 1.

http://palpatine.hackingarena.no:802
video solution
Parameter tampering 2.

http://palpatine.hackingarena.no:811
video solution
Parameter tampering 3.

http://palpatine.hackingarena.no:812
video solution

Session fixation


Session fixation 1.

http://jabba.hackingarena.no:803
video solution
Session fixation 2.

http://palpatine.hackingarena.no:813
video solution
Session fixation 3.

http://jabba.hackingarena.no:804
video solution
Session fixation 4.

http://jabba.hackingarena.no:810
video solution

Cross site scripting


XSS 1.

http://jabba.hackingarena.no:816
video solution
XSS 2.

http://jabba.hackingarena.no:816
video solution

Cross site request forgery


soon available

Clickjacking


soon available

SQL injection


SQL injection 1.

http://jabba.hackingarena.no:805
video solution
SQL injection 2.

http://jabba.hackingarena.no:806
video solution
SQL injection 3.

http://jabba.hackingarena.no:807
video solution
SQL injection 4.

http://jabba.hackingarena.no:808
video solution

XPath injection


XPath injection exercise 1.

http://palpatine.hackingarena.no:815
video solution
XPath injection exercise 2.

http://jabba.hackingarena.no:809
video solution

Server side template injection


soon available

File inclusion


File inclusion exercise 1.

http://palpatine.hackingarena.no:816
video solution
File inclusion exercise 2.

http://sidious.hackingarena.no:803
video solution
File inclusion exercise 3.

http://jabba.hackingarena.no:811
video solution

Crypto with web


Crypto with web 1.

http://jabba.hackingarena.no:814
video solution
Crypto with web 2.

http://jabba.hackingarena.no:815
video solution

Insecure file upload


soon available

Miscellaneous


put method
Name | Category | Level of difficulty | Task description | Link | Hints | Solution steps | Detailed solution | Solution video
Darth Vader's costume | Web | Easy | description | Darth Vader's costume | hints | steps | detailed | video
Handball private | Web | Easy | description | Handball private | hints | steps | detailed | video
Death Star dashboard | Web | Easy | description | Death Star dashboard | hints | steps | detailed | video