We usually see computer security as actions to protect our infrastructures and applications from attacks by others. But in a lot of cases, security is as much about protecting your users' privacy as about protecting yourself.
Today we’ll talk about client-side security, i.e. the security of a web page.
Disclaimer: Yesterday's rules about submitting root-me flags to the CTF platform still stand.
0 - Primer about client-side authentication
The three following exercises are pretty much identical to this first challenge, but the author of the application tries to hide the behavior of the code.
1 - Protect your users
Let’s start with a few challenges about XSS:
Disclaimer: For every one of these challenges, since there are no flags to get, the flag will be handed to you by your helpers when you provide a screenshot of the solved exercise, along with a short explanation of what was needed to solve the challenge.
The last XSS exercise we will do is a practical case where you will effectively have to steal someone else's data.
2 - And now for something pretty similar
To end the first part of the day, let’s talk about CSRF, cross-site request forgery.
This time you want to abuse the victim's browser to act on the website itself, not to steal credentials.