Web 101
Date: 2021-10-06
Difficulty: Beginner
Delivered By: All
Overview
In this session, we will introduce basic website security concepts, allowing you to get to grips with how our sessions are run. In particular, we'll look at:
- Learning how to explore and edit a rendered webpage with Inspect Element
- Viewing and running code on the JavaScript console
- Using a proxy to intercept and edit HTTP request/response headers
- Encoding and decoding data
- Bypassing authentication and session management mechanisms
Once we've explained a few of these concepts, you can attempt some web-based challenges which SUCSS has created. If you finish early, you are encouraged to take on either Bandit or Natas, either alone or in a group - all flags from those CTFs are accepted in our flag tracker! Compete against others to see who can come out on top; there's prizes on offer at the end of the year.
We'll look at more advanced web security later in the semester in our Web 102 session.
Basic Web Introduction
Webpages are written using the Hypertext Markup Language (HTML), Cascading Style Sheets (CSS) and JavaScript (JS). These are sent to your computer using the Hypertext Transfer Protocol (HTTP), and rendered by your browser using an engine such as WebKit, Gecko or Blink.
Prerequesites
To take part in Web 101, all you need is a browser with the ability to Inspect Element (i.e. any modern browser). You'll also want to install Burp Suite for use in later challenges. We have a brief guide on how to use Burp Suite with Firefox here.
Don't worry if you've never used either tool before! We'll give a brief demo if people need it.
You'll want an awareness of Base64 for later challenges.
Session Link
You can attempt Web 101 by navigating to http://intro.sucss.org!
Please note this is not a HTTPS link, so if you recieve an SSL/TLS or 403 error, make sure to check that your browser of choice did not change the URL by accident.
Uninformed brute forcing using tools such as Hydra is not allowed.