Hack This Site: Basic Web Challenges – Level 2


Hello and welcome to my series of posts on Web Application security. As part of that journey, we are exploring Hack This Site. Hack This Site is a website that allows you to test out your web application security skills by taking on various challenges. If you haven’t already done so, go and check my post on Level 1.

So after logging in to Hack This Site and navigating to the basic challenges and selecting level 2, you should see the following image.

Hack This Site Basic Level 2

It says “Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…”

So what this means is that there is no password file to check the user-submitted password against. One would hope that this would mean an automatic failure. Unfortunately not: if you enter nothing and it is compared to nothing, the comparison is going to succeed.

Hack This Site Web Challenge Level 2 Password Submission System

As there is no password file, there is no password to check against, so submitting the form with an empty password will be authenticated.

Congratulations, you have just completed level 2.

This challenge may seem a bit silly, but you would be surprised at how often simple things are overlooked in authentication mechanisms and access control restrictions. When testing a web application, always go through and test with no username and password, with default credentials, and with commonly used credentials.
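The fail-open behaviour described above, next to a fail-closed version, as an added example that is not the challenge's actual script (which the page does not show). The function names, file names and sample password are assumptions constructed for illustration.

```python
import hmac
import os
import tempfile


def load_password_fail_open(path):
    """Vulnerable pattern: a missing file silently becomes an empty password."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return ""  # error swallowed; caller cannot tell "missing" from "empty"


def check_fail_open(path, submitted):
    # "" == "" is True, so an empty submission is accepted when the file is absent.
    return submitted == load_password_fail_open(path)


def check_fail_closed(path, submitted):
    """Hardened form: any problem loading the secret denies access."""
    try:
        with open(path, encoding="utf-8") as fh:
            expected = fh.read().strip()
    except OSError:
        return False  # missing or unreadable file: deny
    if not expected or not submitted:
        return False  # never authenticate against, or with, an empty value
    # Constant-time comparison of the two byte strings.
    return hmac.compare_digest(submitted.encode(), expected.encode())


def demo():
    """Run both checks against a missing and a present file (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "password.txt")  # hypothetical name, never created
        present = os.path.join(tmp, "present.txt")
        with open(present, "w", encoding="utf-8") as fh:
            fh.write("correct horse\n")  # constructed sample password
        return {
            "open_missing_empty": check_fail_open(missing, ""),
            "closed_missing_empty": check_fail_closed(missing, ""),
            "closed_present_good": check_fail_closed(present, "correct horse"),
            "closed_present_bad": check_fail_closed(present, "guess"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened check still reads a plaintext file only to stay close to the scenario in the challenge text; a real system would store a salted password hash instead.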