4

I would like to try my hand at hacking -- that is, exploiting various website vulnerabilities. Not for any illegal purpose mind you, but so I can have a better understanding and appreciation of these exploits while writing my own web software.

I seem to recall that there was a community that hosted a bunch of demo websites, and you had to find and exploit certain vulnerabilities with each one. I can't remember what it is called but this is the sort of thing I am looking for -- I have read a tonne of little XSS and CSRF examples but have yet to find a real-life hands-on example of one.

Does anyone know of such a place, where I can be given an example page and look for security holes? I would really rather not try this with actual websites, I don't want to break any laws.

fixer1234
Carson Myers
  • I remember a similar site but can't seem to find it anymore. Regardless, **superuser is for computer hardware and software only. This is not within the scope defined by the faq (http://superuser.com/faq).** – Josh K Mar 23 '10 at 21:40
  • 3
    How is this not about software? It's a learning exercise to strengthen my understanding about software (particularly web applications) security holes. Really it's about programming but the answers to my question don't involve code, so it doesn't belong on SO. Next best is here – Carson Myers Mar 23 '10 at 21:43
  • No, next best is somewhere else. superuser **as defined by the FAQ** is about hardware and software. This is not about *coding* software, or helping that in any way. – Josh K Mar 23 '10 at 21:59
  • 1
    Serverfault would be a better place to ask this question. But phrase it as "I need to test for vulnerabilities on my server" – Mark Henderson Mar 23 '10 at 22:10
  • 1
    I considered it, but this isn't really about the server aspect of security as much as it is the software, and it's not "how do I program defensively against vulnerabilities," so it's not SO, it's more "how do I learn about software vulnerabilities hands on," which sort of screams SU to me, as far as the trilogy goes – Carson Myers Mar 23 '10 at 22:14
  • 5
    I support the Carson Myers first comment here, and I do believe it falls in perfect place here on SuperUser.com. Then again I'm analyzing the question and not being a fundamentalist when it comes to comparing it with the FAQ... – Urda Mar 23 '10 at 22:52
  • @Urda: I'm not being fundamentalist. See http://meta.stackexchange.com/questions/43639/off-topic-questions-on-super-user-some-give-and-take-closed – Josh K Mar 24 '10 at 00:13
  • Also, please don't sully the good name of hackers by conflating them with crackers. http://www.catb.org/~esr/faqs/hacker-howto.html – bignose Mar 24 '10 at 00:56
  • @bignose: hahaha, sadly, it's a bit late for that. :-/ – quack quixote Mar 24 '10 at 01:00
  • I think the distinction between hackers and crackers is fuzzy and inconsistent. Everybody just uses them interchangeably anyways. – Carson Myers Mar 24 '10 at 01:27
  • They're wrong, then :-) – bignose Mar 24 '10 at 04:58

3 Answers

6

HackThisSite is a great place to practice the basics of web hacking.

Dentrasi
2

http://www.hak5.org/ There are a lot of useful hacking tutorials on that site. Very good!

jburke
1

I can recommend Semtex and I think it is a good match for what you want to do.

From the abstract:

This network is a legal environment where you can learn coding/hacking techniques without destroying anything. You have to solve Semtex 0 to get a username/password for login. Once logged in, you have to make your way from one level to the next, each one containing a small security hole/feature that has been installed for you. Your mission is to find out how to exploit the weakness and to cause interesting behaviour :)

Rules? Well, you can do anything you want on this box, code, hack, learn, ... it's all there for gaining knowledge.

Peter Mortensen