Web 101

Date: 2023-10-04

Difficulty: Beginner

Delivered By: Skyler Mansfield & Will Pearman

Overview

In this session, we will introduce basic website security concepts, allowing you to get to grips with how our sessions are run. In particular, we'll look at:

  • Learning how to explore and edit a rendered webpage with Inspect Element
  • Viewing and running code on the JavaScript console
  • Using a proxy to intercept and edit HTTP request/response headers
  • Encoding and decoding data
  • Bypassing authentication and session management mechanisms

Once we've explained a few of these concepts, you can attempt some web-based challenges which SUCSS has created. If you finish early, you are encouraged to take on either Bandit or Natas, either alone or in a group - all flags from those CTFs are accepted in our flag tracker! Compete against others to see who can come out on top; there's prizes on offer at the end of the year.

Basic Web Introduction

Webpages are written using the Hypertext Markup Language (HTML), Cascading Style Sheets (CSS) and JavaScript (JS). These are sent to your computer using the Hypertext Transfer Protocol (HTTP), and rendered by your browser using an engine such as WebKit, Gecko or Blink.

image

Prerequesites

To take part in Web 101, all you need is a browser with the ability to Inspect Element (i.e. any modern browser). You'll also want to install Burp Suite for use in later challenges. We have a brief guide on how to use Burp Suite with Firefox here.

Don't worry if you've never used either tool before! We'll give a brief demo if people need it.

You'll want an awareness of Base64 for later challenges.

Session Link

The link to the session is https://web101.sucss.org/

Brute forcing passwords using tools such as Hydra is not allowed.