
We covered practical hidden-form-field manipulation (the page files it under HTML forms injection; it is also known as parameter tampering) using Burp Suite to solve Challenge 10 in the free OWASP Hackademic lab.

Objective: My goal was to access the administrative panel of a website to obtain a serial number. This serial number, along with a username and password, was apparently needed to join a hacker group.

Initial Attempt: The website initially presented a straightforward password input field.

Source Code Inspection: By viewing the page's source code, I discovered a hidden input field. The field was named "let me in" and its value was "false." Hidden fields are sent with the form just like visible ones, so whatever the server does with this value, the client decides what is submitted.

Hypothesis: I hypothesized that “let me in” was indeed the correct password, but it wasn’t working because its associated value was set to “false.”

Manipulation Strategy: My plan was to change the value of this hidden field from “false” to “true” and then attempt to log in using “let me in” as the password.

Execution with Burp Suite (Implied): No terminal commands were typed, but the video showed actions characteristic of a web proxy such as Burp Suite. The proxy's "Intercept is on" setting was visible, meaning requests were being held for editing before reaching the server. I entered the password "let me in" and submitted the form. In the intercepted POST request, I changed the hidden field's value from "false" to "true" (the video called it "fill," most likely a typo for "true") and forwarded the modified request. Because the edit is made in the request body rather than in the browser, any client-side check on the field's original value is irrelevant.

Success and Serial Number Retrieval: The server's response contained a URL-encoded string. I copied this string and decoded it with a URL decoder (an online tool or Burp's Decoder tab both work). The decoded text contained the required serial number.

Completing the Challenge: The serial number was then used in an email message to join the hacker group. Sending the email resulted in a “congratulations” message, indicating that the challenge was passed.

Core Concept: The challenge hinged on tampering with a hidden HTML form field, not on JavaScript: the server trusted a client-supplied value ("let me in" set to "true") when deciding whether to accept the login. Hidden fields, cookies and any other client-side state are fully under the user's control, so an authorization decision based on them is a bypass waiting to happen; the decision must come from state the server holds itself.
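To make the procedure above and the core concept concrete, here is an added Python example (not code from the page, the video or the Hackademic project). It extracts hidden fields from a constructed login page modelled on the description, builds the same POST body the browser would send, applies the "false" to "true" edit that was made in Burp's Intercept view, runs it against a constructed vulnerable server routine that trusts the flag, URL-decodes the result, and contrasts it with a hardened routine that ignores the client-supplied field. The HTML, the serial value and the server password are all made up for the example.

```python
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed login form modelled on the challenge description; this is
# not the real Hackademic HTML.
LOGIN_PAGE = """
<html><body>
<form method="post" action="/login">
  <input type="password" name="password">
  <input type="hidden" name="let me in" value="false">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed secret the simulated server hands out on success.
SECRET_SERIAL = "serial number 1234-ABCD (demo)"

# Constructed server-side password; the real challenge's is not on this page.
SERVER_PASSWORD = "correct-horse-battery-staple"


class HiddenFieldParser(HTMLParser):
    """Collect every <input type="hidden"> as name -> value."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if attr.get("type", "").lower() == "hidden" and attr.get("name"):
            self.hidden[attr["name"]] = attr.get("value") or ""


def extract_hidden_fields(html):
    """The 'view source and look for hidden inputs' step, automated."""
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.hidden


def build_form_body(password, hidden_fields, overrides=None):
    """Build the URL-encoded POST body the browser would send. `overrides`
    is the edit made to the intercepted request in the proxy."""
    fields = dict(hidden_fields)
    fields.update(overrides or {})
    fields["password"] = password
    return urlencode(fields)


def parse_form_body(body):
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_login(body):
    """Simulated server logic that trusts the client-supplied flag. Anyone
    who can edit the request can set it to "true" and get the secret."""
    form = parse_form_body(body)
    if form.get("let me in") == "true":
        return "OK " + quote("serial=" + SECRET_SERIAL)
    return "Access denied"


def hardened_login(body):
    """Simulated server logic that ignores client state and decides only
    from a server-held secret, compared in constant time."""
    form = parse_form_body(body)
    supplied = form.get("password", "")
    if hmac.compare_digest(supplied.encode(), SERVER_PASSWORD.encode()):
        return "OK " + quote("serial=" + SECRET_SERIAL)
    return "Access denied"


def decode_serial(response):
    """The 'copy the URL-encoded string and decode it' step."""
    if not response.startswith("OK "):
        return None
    return unquote(response[3:])


if __name__ == "__main__":
    hidden = extract_hidden_fields(LOGIN_PAGE)
    honest = build_form_body("let me in", hidden)
    tampered = build_form_body("let me in", hidden, {"let me in": "true"})
    print("hidden fields :", hidden)
    print("honest        :", vulnerable_login(honest))
    print("tampered      :", vulnerable_login(tampered))
    print("decoded       :", decode_serial(vulnerable_login(tampered)))
    print("hardened      :", hardened_login(tampered))
```

The honest submission is refused, the tampered one is accepted and its encoded payload decodes to the serial, and the hardened routine refuses the tampered body because it never reads the hidden field at all; that last property is the fix the challenge is teaching.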

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
