Hello and welcome to my series of posts on Web Application security. As part of that journey we are exploring Hack This Site. Hack This Site is a website that allows you to test out your web application security skill by taking on various challenges. If you haven’t already done so, go and check my post on Level 1.
So after logging in to Hack This Site and navigating to the basic challenges and selecting level 2, you should see the following image.
It says “Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…”
So what this means is that there is no password file to check the user submitted password against. One would hope that this would mean it was an automatic failure. Unfortunately not, if you are entering nothing, and comparing it to nothing then it’s going to be correct.
So, As there is no password file, there is no password to check so submitting the form with an empty password will be authenticated.
This challenge may seem a bit silly but you would be surprised at how often simple things are overlooked with authentication mechanics and access control restrictions. When testing a web application, always go through and test without usernames and passwords, default credentials and commonly used credentials.