A quick lesson in server-side web security

The Natas wargames teach the basics of server-side web security. The game consists of 34 levels; the objective of each one is to find the password required to open the next level.

I came across them via a comment on a great post on the Wordfence blog about hacking a WordPress botnet, and I found each level to be a good, practical lesson in why you shouldn’t do some of the stupid things people tell you not to do. However, they’re not always straightforward and involve a bit of digging around. A knowledge of common server directory names and structures helps too!

I’ve started listing the skills/tools required for each level below; each entry also serves as a clue to how the password for the next level can be found. I’ll add more as I get round to completing them.

Level 0 and 1 – understand HTML source code

Level 2 – understand HTML source code and server file structure

Level 3 – how to instruct search engine robots

Level 4 – how to modify HTTP requests and responses. A tool like Tamper Data for Firefox is useful.

Level 5 – how to modify cookies; Tamper Data is again useful

Level 6 – understand PHP code and file structure

Level 7 – understand file structure and how pages can be loaded through parameters passed to index.php

Level 8 – understand PHP code and read the documentation

Level 9 – understand the importance of validating input, and how UNIX commands get executed from PHP

Level 10 – how the “grep” command can be made to output an entire file

Level 11 –

Level 12 –

Level 13 –

Level 14 –

Level 15 –

Level 16 –

Level 17 –

Level 18 –

Level 19 –

Level 20 –

Level 22 –

Level 23 –

Level 24 –

Level 25 –

Level 26 –

Level 27 –

Level 28 –

Level 29 –

Level 30 –

Level 31 –

Level 32 –

Level 33 –
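The lesson behind Levels 9 and 10 is what happens when user input is pasted into a shell command. The following is an added example written for this post, not code from the Natas game itself: a deliberately unsafe search function, a hardened one that allowlists the input and quotes it, and a version that avoids the shell entirely. The dictionary file, its contents and the function names are all constructed for the demonstration.

```php
<?php
// Added example (not from the Natas game or this post): three ways to
// implement a "search the dictionary" feature, from worst to best.

// UNSAFE: the search term is concatenated straight into the command line, so
// any shell metacharacters in $needle become part of the command. Kept here
// only to show the shape of the bug; never deploy this.
function search_unsafe(string $needle, string $dictionary): string
{
    return (string) shell_exec("grep -i " . $needle . " " . $dictionary);
}

// HARDENED: reject anything that is not a plain word, then quote it anyway.
function search_safe(string $needle, string $dictionary): string
{
    // Allowlist the input shape. A pattern such as "." or an empty string,
    // which would make grep match every line, is rejected along with
    // quotes, semicolons, pipes and the rest.
    if (!preg_match('/^[A-Za-z0-9-]{1,64}$/', $needle)) {
        throw new InvalidArgumentException('search term must be alphanumeric');
    }
    // Defence in depth: escapeshellarg() wraps the value in single quotes and
    // escapes embedded quotes, and "--" stops grep reading it as an option.
    $cmd = 'grep -i -- ' . escapeshellarg($needle) . ' ' . escapeshellarg($dictionary);
    return (string) shell_exec($cmd);
}

// BEST: no shell at all. PHP can read the file and filter lines itself, so
// there is no command line for the input to break out of.
function search_noshell(string $needle, string $dictionary): array
{
    if ($needle === '') {
        return [];
    }
    $matches = [];
    $lines = file($dictionary, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {
        if (stripos($line, $needle) !== false) {
            $matches[] = $line;
        }
    }
    return $matches;
}

// Constructed sample dictionary for the demo (a temporary file).
$dict = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($dict, "apple\nbanana\ncherry\nshell\n");

echo "noshell: " . implode(',', search_noshell('an', $dict)) . "\n";   // banana
echo "safe:    " . trim(search_safe('cherry', $dict)) . "\n";          // cherry

try {
    search_safe('.', $dict);       // rejected by the allowlist
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

unlink($dict);
```

The order of defences matters: the allowlist decides what input is acceptable at all, quoting protects against mistakes in that decision, and removing the shell removes the whole class of bug. When the feature genuinely needs an external program, prefer `proc_open()` with an argument array or `escapeshellarg()` on every argument over string concatenation.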

Posted in PHP