Hack This Site: Basic Web Challenges – Level 2

Hack This Site Basic 2

Hello world and welcome to haxez. Today we are going to be looking at the basic web challenge level 2 on Hack This Site. Hack This Site is a website that allows you to test your web application security skills by taking on various challenges. If you haven’t already done so, go and check out my post on Level 1.

After logging in to Hack This Site, navigate to the basic challenges and select level 2. You should see the following image. These challenges are fairly simple and should only require a basic knowledge of web application security testing. The first challenge only required you to view the page source of the application to solve it. This challenge is no different.

Hack This Site Basic Level 2

It says “Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…”

Solving HTS Basic 2

So what this means is that there is no password file to check the user-submitted password against. One would hope that this would mean an automatic failure. Unfortunately not: if you enter nothing and it is compared to nothing, the comparison is going to succeed.

So, as there is no password file, there is no password to check, and submitting the form with an empty password will be authenticated.

Congratulations, you have just completed level 2.
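The fail-open comparison described above, next to a version that fails closed, as an added example that is not part of the original post or the challenge's own code. Python and the file name `password.txt` are assumptions standing in for the server-side script, which the challenge does not show.

```python
import hmac
import os
import tempfile

def load_password_vulnerable(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return ""  # fail-open: the load error is swallowed, a missing file becomes ""

def check_vulnerable(path, submitted):
    # "" == "" is True, so an empty submission passes when the file is absent.
    return submitted == load_password_vulnerable(path)

class PasswordStoreError(Exception):
    """The stored secret could not be loaded or is empty."""

def load_password_hardened(path):
    try:
        with open(path, encoding="utf-8") as fh:
            secret = fh.read().strip()
    except OSError as exc:
        raise PasswordStoreError(f"cannot read {path}") from exc
    if not secret:
        raise PasswordStoreError(f"{path} is empty")
    return secret

def check_hardened(path, submitted):
    # Fail closed: an empty submission or an unreadable/empty store denies access.
    if not submitted:
        return False
    try:
        secret = load_password_hardened(path)
    except PasswordStoreError:
        return False
    return hmac.compare_digest(submitted.encode(), secret.encode())  # constant-time

def demo():
    """Run both checks on constructed data: a missing file and a present one."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "password.txt")  # assumed name, never created
        present = os.path.join(tmp, "present.txt")
        with open(present, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret\n")
        return {"vuln_missing_empty": check_vulnerable(missing, ""),
                "hard_missing_empty": check_hardened(missing, ""),
                "hard_present_right": check_hardened(present, "constructed-secret"),
                "hard_present_wrong": check_hardened(present, "guess")}
```

Calling `demo()` returns a dictionary showing that only the vulnerable check accepts an empty password when the file is missing.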

This challenge may seem a bit silly, but you would be surprised at how often simple things are overlooked in authentication mechanisms and access control restrictions. When testing a web application, always go through and test without usernames and passwords, with default credentials and with commonly used credentials. Anyway, that's all for this post. I hope it helped you solve it and move on to the next one.