Popular bug bounty platform HackerOne is know to help the community in learning new skills and helping beginners get started. They already have Hacker101 where one can learn about security for free. Recently HackerOne tied up with cyber security training company HackEDU and offered five sandbox environment modeled after popular security bugs reported through their platform.
Its a very good step by them as most of the time when we are learning we don’t get something like this and always trying things in live websites is a risk.
All the five hackboxes that they developed is very interactive and they guide you throughout.
Here are the five hackboxes
1. Worm Clickjacking in Twitter
This hackbox replicate a wormable clickjacking attack via playcards which was reported in May 2018 to twitter. You can access it here.
2. XXE flaw in Semrush
This attack challenges users to reproduce XML external Entity that could be exploited to at read arbitrary files from a server. This flaw was reported to SEMrush in March 2018. You can access it here.
3. Command Injection attack in Imgur
The third hackbox is for trying to get control of a server by using command injection attack. The real vulnerability was discovered in Imgur and reported in April 2017.
4. SQL Injection Grabtaxi
This flaw is about about a SQL injection that was discovered in Grabtaxi back in November 2017.
5. XSS in HackerOne
The final hackbox is about a Cross site scripting issue in a third party component used by hackerone to manage contact forms which was disclosed in August 2017.
The main purpose of these demos is to provide a safe and legal way to practice real case hacking techniques and best part is that it comes with explanations on how each bugs works and also they guide the uses in exploiting it.
