Web hacking challenges


Find the flags on the websites! Here we present you many web hacking challenges that you can use to practice. On each site a flag is hidden somewhere. A flag is a special string in the following format: UiO-Hacking-Arena{Here's_the_flag}. All of our challenges are running in a separated sandboxed enviroment. You can try and practice web hacking with our examples.

Difficulty levels:

Information Disclosure


Information disclosure is a type of vulnerability that can be used to obtain unintended information from a website.

Information disclosure exercise 1.

http://palpatine.hackingarena.no:801
Solution
Information disclosure exercise 2.

http://palpatine.hackingarena.no:809
Solution
Information disclosure exercise 3.

http://palpatine.hackingarena.no:818
Solution
Information disclosure exercise 4.

http://palpatine.hackingarena.no:819
Solution
Information disclosure exercise 5.

http://palpatine.hackingarena.no:805
Solution
Information disclosure exercise 6.

http://palpatine.hackingarena.no:820
Solution

Default settings


If the website contains default settings then the attacker can use it to achieve the aim. The following exercises contain default settings.

Default settings exercise 1.

http://jabba.hackingarena.no:801
video solution
Default settings exercise 2.

http://jabba.hackingarena.no:802
video solution

Client side validation bypass


Client side 1.

http://palpatine.hackingarena.no:804
video solution
Client side 2.

http://palpatine.hackingarena.no:806
video solution
Client side 3.

http://palpatine.hackingarena.no:810
video solution
Client side 4.

http://jabba.hackingarena.no:812
video solution

Brute forcing


Brute force exercise 1.

http://palpatine.hackingarena.no:803
video solution
Brute force exercise 2.

http://palpatine.hackingarena.no:807
video solution
Brute force exercise 3.

http://palpatine.hackingarena.no:808
video solution

Parameter tampering


Parameter tampering 1.

http://palpatine.hackingarena.no:802
video solution
Parameter tampering 2.

http://palpatine.hackingarena.no:811
video solution
Parameter tampering 3.

http://palpatine.hackingarena.no:812
video solution

Session fixation


Session fixation 1.

http://jabba.hackingarena.no:803
video solution
Session fixation 2.

http://palpatine.hackingarena.no:813
video solution
Session fixation 3.

http://jabba.hackingarena.no:804
video solution
Session fixation 4.

http://jabba.hackingarena.no:810
video solution

Cross site scripting


XSS 1.

http://jabba.hackingarena.no:816
video solution
XSS 2.

http://jabba.hackingarena.no:817
video solution

Cross site request forgery


soon available

Clickjacking


soon available

Sql injection


Sql injection 1.

http://jabba.hackingarena.no:805
video solution
Sql injection 2.

http://jabba.hackingarena.no:806
video solution
Sql injection 3.

http://jabba.hackingarena.no:807
video solution
Sql injection 4.

http://jabba.hackingarena.no:808
video solution

Xpath injection


Xpath injection exercise 1.

http://palpatine.hackingarena.no:815
video solution
Xpath injection exercise 2.

http://jabba.hackingarena.no:809
video solution

Server side template injection


soon available

File inclusion


File inclusion exercise 1.

http://palpatine.hackingarena.no:816
video solution
File inclusion exercise 2.

http://sidious.hackingarena.no:803
video solution
File inclusion exercise 3.

http://jabba.hackingarena.no:811
video solution

Crypto with web


Crypto with web 1.

http://jabba.hackingarena.no:814
video solution
Crypto with web 2.

http://jabba.hackingarena.no:815
video solution

Unsecure file upload


soon available

Challenges without category


Challenge 1.

http://palpatine.hackingarena.no:805
Challenge 2.

http://palpatine.hackingarena.no:820