HTS Basic Web 3: Hidden Fields are Not That Hidden
Ok, so in the third basic web mission, our old friend Network Security Sam remembered to upload the password file. As usual, though, he forgot something essential. Let’s look at the source:
Ooh, he’s got a hidden field in there. Those are always exciting, mainly because of a common misconception. Many uneducated (or learning) webmasters seem to believe that hidden fields are impossible to find. This is certainly not the case. They are just that — hidden. Anyone could find them (and possibly change them), if they just took some time. A form’s hidden fields are revealed in the source code. Here is a field that Naive Network Security Sam hoped to remain hidden:
Anyone can figure out what this field is for. Yep, that’s right: the password file. Now we’ll just check the content of the password file, and after that, we’ll have the password. All you need to do is go to www.hackthissite.org/missions/basic/3/password.txt and copy the content. Just enter that password, and you shall be granted access to the fourth mission.
Now you might ask, how could Sam prevent this? There are three simple ways:
- Hide the content of password.php. Password.php could assign the password to a variable, and then be require()ed from the main password-checking script.
- Hard-code the filename. This way, the user cannot intervene.
- Hard-code the password. Though less manageable, this is perhaps even better, since there could otherwise be problems if the password file could not be read for some reason.
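The first two fixes in the list above, sketched in PHP next to the pattern the mission appears to use. This is an added example, not code from Hack This Site or from the original post; the original handler is not shown on the page, so the field name `file`, the path `private/secret.php`, the variable `$password` and both function names are assumptions.

```php
<?php
// Added example. All names here (file, secret.php, $password, check_*) are
// hypothetical; the mission's real server-side script is not on the page.

// --- Weak pattern (assumed) ------------------------------------------------
// The form carries <input type="hidden" name="file" value="password.txt">
// and the handler trusts that client-supplied name. The file is plain text
// inside the web root, so the web server also hands it out on request.
function check_weak(array $post, string $webroot): bool
{
    $path = $webroot . '/' . ($post['file'] ?? '');   // path chosen by the client
    $expected = trim((string) @file_get_contents($path));
    return $expected !== '' && ($post['password'] ?? '') === $expected;
}

// --- Hardened pattern ------------------------------------------------------
// Fix 1: the secret sits in a .php file that only assigns a variable, e.g.
//            $password = '...';
//        Requested over HTTP it is executed, not displayed, and prints nothing.
// Fix 2: the filename is a server-side constant. No form field names it, so
//        there is nothing for the client to read or change.
// Keeping the file outside the web root is an extra assumption of this sketch.
const SECRET_FILE = __DIR__ . '/../private/secret.php';

function check_hardened(array $post): bool
{
    require SECRET_FILE;               // defines $password in this function's scope
    $expected = $password ?? null;
    $given    = $post['password'] ?? null;

    // hash_equals() needs two strings and compares them in constant time.
    return is_string($expected) && $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}
```

With the hardened handler the form needs only the visible password input; the hidden field can be dropped from the markup entirely.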

[...] In the fourth basic web mission, Network Security Sam apparently hasn’t learnt anything from his prior mistake. In the third basic web mission, we extracted information from hidden form fields and thereby found out the name of a password file. The procedure is essentially the same in this mission. As usual, check the source code first. These snippets have been formatted for easier reading: [...]
Pingback by Timblog » HTS Basic Web 4: Alter the Hidden Fields — July 19, 2006 @ 12:26 pm
i do not get anything on this i really need to get a picture walkthrough!! P.S. sorry im a noob hacker
Comment by mintik — August 1, 2006 @ 3:17 am
mintik: I’d love to help. Can you specify which part you do not understand? This is a summary:
Comment by Tim Johansson — August 1, 2006 @ 10:57 am
explain why its Note that the URL is http://www.hackthissite.org/missions/basic/4/password.php.
instead of 3
Comment by littleone — October 6, 2006 @ 12:10 am
Littleone: Good question. It is because we are entering mission 4, and the Hack This Site team decided to put the form in the mission 4-directory instead of the mission 3 one. It could just as well have been in the third directory.
Comment by Tim — October 6, 2006 @ 5:28 am
where can i get the password how do i open the file
Comment by jhon jhonsen — November 3, 2006 @ 8:28 pm
“Jhon Jhonsen”: You can simply access the password file through your web browser.
Comment by Tim — November 3, 2006 @ 9:15 pm
AAAAAA
Comment by Anonymous — November 17, 2006 @ 3:24 am
thats bullshit it dnt work it says Error: u need to be authed
Comment by BOO — December 10, 2006 @ 5:53 pm
BOO: Then I am afraid that you are stupid.
Comment by Tim — December 10, 2006 @ 6:56 pm
the password file in the source is a .txt not a .php
could that be why i am experiencing difficulties?
Comment by Sam — December 15, 2006 @ 1:52 pm
nevermind
Comment by Sam — December 15, 2006 @ 1:59 pm
Why isn’t the address:
http://www.hackthissite.org/missions/basic/4/index.php
Because the source says that the url is = /missions/basic/4/index.php
Not: /missions/basic/4/password.php
Comment by Crusader — January 3, 2007 @ 6:07 am
hi how do i open the password.txt file?
Comment by Sewell — February 1, 2007 @ 6:59 pm
ya nd people also say dat u haw 2 change da domain but how and y do i have to change it?????
Comment by lammer — February 9, 2007 @ 3:22 pm
Crusader: It’s the filename in the hidden form-field, not the filename of the current page.
lammer: You don’t have to change any domain. Just follow the instructions in the post.
Comment by Tim — February 9, 2007 @ 4:52 pm
thank you omg! i’ve been trying to do this mission for an hour and its that easy wow…. im mental thx alot =[)
Comment by Trying -.- — February 21, 2007 @ 8:52 pm
ya i this help i totally understand but im afraid that when i check the page source this was not there
i even did a search for the word hidden and the only thing in the source was the paypal stuff so im figuring that there was something wrong with mine and my source was fricked
Comment by Anonymous — February 24, 2007 @ 8:25 pm
….atlast!! i did it! ne how still m nt sure how i did .. ya anks;) 4 da hint it nearly turned spoon feeding….. but actully whats really da basic??
Comment by Wig_hack — March 4, 2007 @ 10:02 pm
Wig_hack, glad you did it. The thing with these missions isn’t really that they’re easy to solve—it’s that you should only use a single technique in all of them. That’s why they could be seen as basic or tutorials.
Comment by Tim — March 5, 2007 @ 6:35 am
Simply whats the password
Comment by james — March 14, 2007 @ 12:02 am
James, the password is different for different users. Also, what would be the point of me giving it away without you learning anything? Like someone said: Don’t learn to hack; hack to learn.
Comment by Tim — March 14, 2007 @ 5:20 am
I Solved mission three but would like further explanation on your answer.
<form action="/missions/basic/4/index.php" method="post">
Comment by New Guy — March 22, 2007 @ 12:54 am
New Guy: Please state what you want clarified, since I think it already is well explained.
Comment by Tim — March 22, 2007 @ 5:12 am
Umm its not working for me, i really dont know what to do…
So far i have saved the webpage and looked at it on notepad.
I am looking at
problems than that.
password:
I dont know if im looking in the wrong area or not, but please help me.
A walk through would be fantastic!
Thankyou, and sorry for my noobish-ness.
Comment by Noob Hacker — April 8, 2007 @ 8:04 am
Noob Hacker: You should look for the line where there is a hidden input field:
<input type="hidden"
Comment by Tim — April 9, 2007 @ 6:26 pm
what do i do with the
Comment by Streams — April 11, 2007 @ 3:41 am
srr… what do i do with the do i do with the
Comment by Streams — April 11, 2007 @ 3:44 am
Streams, please be a little more descriptive.
Comment by Tim — April 11, 2007 @ 3:38 pm
oh man, I’m sorry i forgot that that doesn’t work, my bad. Okay, so the input type “hidden”(i didn’t put it in the code form cause thats what i did the last 2 times) where do i put that so i can see the file thats hidden? thanks, sorry for the other 2 post. If you can, you can delete them if you want.
Comment by streams — April 11, 2007 @ 8:55 pm
nevermind, i found it out. Thanks for the help from the answers you gave to all the others. sorry, or the other post
Comment by streams — April 11, 2007 @ 9:03 pm
Streams: No problem :) You’re welcome.
Comment by Tim — April 11, 2007 @ 9:46 pm
ya uh hi…i did numbers 1, 2, and 4…i understand them now..1 and 2 were easy..and im thinkin that i have to save the source page and change something like i did in basic 4.
do i save the source page and change “hidden” to..wat?
Comment by jon hanna — April 12, 2007 @ 2:14 am
wait i find the password file- password.php
then i go to it- http://www.hackthissite.org/missions/basic/4/password.php.
then it should give me it?
cuz when i do that
it just says that the site is not on the server
sorry if im causing confusion
Comment by jon hanna — April 12, 2007 @ 2:23 am
Jon Hanna: Change it to, for example, “text”. This way, you will be able to edit it.
Comment by Tim — April 12, 2007 @ 5:39 am
oh i get it. you have to type in password.txt then it gives you the password by itself then you go back and type it in.
Comment by new at hacking — April 21, 2007 @ 11:24 pm
help
Comment by Anonymous — April 22, 2007 @ 7:52 am
guys i’m sorry,but i’m also new, could you guys please explain in detail how to view the file?..i’ve sourced it and changed it from password.txt to password.php, then from there wut do i do?
Comment by xxRYaNxx — April 24, 2007 @ 6:28 pm
xxRYaNxx, just read the password.php file. It contains the password.
Comment by Tim — April 24, 2007 @ 8:27 pm
i am stuck i copy the source and i change txt into php but what do i do next. How to i read the password???
Comment by jean — May 7, 2007 @ 2:53 am
Jean. You do not have to save the file; just read it. The password-file.
Comment by Tim — May 7, 2007 @ 7:43 am
men maybe it s easy and a very stupid question but how to u read it all i see is
Comment by jean — May 8, 2007 @ 11:46 pm
Jean, if you are using Firefox, you can press Ctrl+U to bring up the source code.
Comment by Tim — May 9, 2007 @ 6:31 am
dude i know how to get access to the source. i saw the hidden file what i don t understand is that part. Now we’ll just check the content of the password file. how do you check it?
Comment by jean — May 9, 2007 @ 10:14 pm
Jean: The password file is on the server. If the filename is password.php, then the URL is http://www.hackthissite.org/missions/basic/4/password.php.
Comment by Tim — May 9, 2007 @ 10:59 pm
finally u help me :) lool thx i did it easily
Comment by jean — May 10, 2007 @ 2:23 am
That’s good, Jean..
Comment by Tim — May 10, 2007 @ 4:49 am
okay first off… wow people be understandable.. i’m surprised this guy hasn’t yelled at all of you to stfu and leave comments he can understand… and now to the point.. thanks for the help, i still had to look at some comments to fully get it, but still. you made it possible!
Comment by Musica — May 22, 2007 @ 9:50 pm
Musica: You’re welcome :)
Comment by Tim — May 22, 2007 @ 11:20 pm
when i go to “www.hackthissite.org/missions/basic/4/password.php”
it says url not found
Comment by swordfight — May 23, 2007 @ 1:23 am
swordfight: You are right, they seem to have changed the mission a little. The password file is now in /missions/basic/3/password.txt. I changed the original post to reflect that. Good luck.
Comment by Tim — May 23, 2007 @ 2:57 am
Man…bless u..i’ve been trying for 2 weeks…atlast i got it thnx to u…i felt so stupid when i realized my mistake..:P..
thnx once again…
Comment by Rishi — July 26, 2007 @ 9:21 am
Wow now i got it!! HAHAH THX!
Comment by Aaron — August 5, 2007 @ 6:11 am
Programming Tutorials…
I couldn’t understand some parts of this article, but it sounds interesting…
Trackback by Programming Tutorials — October 11, 2007 @ 5:11 pm
im still having trouble every time i put in the url it says server not found
Comment by shorty707 — October 19, 2007 @ 1:59 am
i really need help, i got to the missions page and do view source, then what do i do to find the password, i am sorry but i really don’t understand
Comment by samantha — October 29, 2007 @ 12:34 am
im really confused. can some1 help me plz
Comment by mike — November 8, 2007 @ 8:41 pm
im confused
:s
Comment by mike — November 8, 2007 @ 8:50 pm
DONE IT :)
Comment by mike — November 8, 2007 @ 9:01 pm
note: the file was stored as a php file for me, thus I needed to enter /password.php instead of /password.txt
hmm
Comment by asdfa — November 11, 2007 @ 4:46 am
I have been doing this mission forever now and i still can’t get it. I know what to do its that i can’t seem to find the address where the pass is found. I have already tried a few but they keep coming up error. IT would be nice if there were pictured walk throughs. That what i am trying to find so plz point me in the right direction.
Comment by nooby — November 23, 2007 @ 1:03 pm
SOooo, on all of the links you gave me, my browser cannot find the link provided. In my source code, its also saved as password.php, not txt. any help?
Comment by raoul — November 27, 2007 @ 1:30 am
actually, just solved it… but..
why was the like it gave me
/missions/basic/3/index.php
and not
/missions/basic/3/
Comment by raoul — November 27, 2007 @ 1:37 am
ok i get to the this page http://www.hackthissite.org/missions/basic/3/password.txt
and see the info but i don’t get what im supposed to copy
Comment by bently1020 — January 2, 2008 @ 12:27 am
alright, i have entered the URL code and went to the page it led to. but all that the page says is a random quote (it always changes) that insults my very poor hacking ability, and underneath “The requested URL /missions/basic/4/password.text was not found on this server. ” Please, can you tell me what to do next?
I know i am too young to be trying out this hacking thing, but i am so fascinated by it all! Thank you for your help.
Comment by Jess — March 6, 2008 @ 12:36 am
NM!!!!! i got it. all i had to do was put a different ending onto the URL
Comment by Jess — March 6, 2008 @ 12:50 am
The URL is http://www.hackthissite.org/missions/basic/lvl/3password.php
for the password.
Comment by Ryan — April 3, 2008 @ 7:35 pm
its php now they are changing their site to pluginplay 1.1 and then eventually pluginplay2.0 sorry for the inconvenience
Comment by nick — April 8, 2008 @ 4:50 am
ive looked at all these comments and i still can’t do the 3rd basic mission!!! can someone help me!!!! i have no idea what to do
I have the source opened in notepad and have done ctrl-f and typed in ‘password’ and this is all i can find!!!
<
what do i do?!!?
Comment by leigham — July 13, 2008 @ 12:50 am
<form action="/missions/basic/3/index.php" method="post">
Comment by leigham — July 13, 2008 @ 1:03 am