A Vulnerable Website

This website is a purposefully vulnerable web application aimed to introduce core concepts of ethical hacking. Disclaimer!

Here by mistake? Head back to my main site! Otherwise, keep scrolling.

Check out who all has pwned this web app: /pwned.

Landon's Intro to Ethical Hacking

Throughout this demo, you will be introduced to some core concepts of ethical hacking.

Web exploitation, cryptography, reverse engineering.

There will be 5 flags hidden throughout. Find them all and submit to /submit.

Inspired by zeyu2001.

Web Exploitation

The Basics

Websites use the hypertext transfer protocol (HTTP) to transfer data. This data consist of hypertext markup language (HTML), cascading style sheets (CSS), and javascript ( JS). A web browser, such as Firefox or Chrome, will first send a request to a web server. If the request is valid and the content exists, the server will respond by sending the browser the HTML, CSS, and JS, which your browser will then render.

Cookies, Response Codes, and Headers

There is more to HTTP than just sending HTML, CSS, and JS. Cookies are small pieces of data that are stored on your computer. They are used to store information about you, such as your session and other preferences. Cookies are sent to the server with every request, and the server can use this information to customize your experience. Response codes are numbers that are sent back to the browser to indicate the status of the request. The most common response codes are 200, which means the request was successful, and 404, which means the content was not found. Headers are pieces of information that are sent with every request. They contain information about the request, such as the browser and OS (also known as a " user agent"), the IP address of the client, and other information used to identify the request.

Client-Side vs Server-Side

The content your browser renders is known as client-side code. This code is visible to you, and can be modified by you. Server-side code is the underlying code of the web application, and is not visible by your browser. This code is used to process requests and to determine what content to send back to the client. Server-side code is usually written in a server-side scripting language, such as PHP, Python, or Javascript. Web Exploitation relies on exploiting the server-side code to gain access to sensitive information, such as user data, or to gain access to the server itself.
Responsive image


Remember, client-side code is visible to you. Most browsers support viewing the page source. It's known as "Inspect", "Inspect Element", or "View Page Source". Try to take a look around at the source of this page and see if you can find any flags. Make sure to analyze all three: HTML, CSS, and JS.