Replicate Real world Security Vulnerabilities with HackerOne Sandboxes for free - Hackatrick - Technology With Security

8 December 2018

Replicate Real world Security Vulnerabilities with HackerOne Sandboxes for free

Popular bug bounty platform HackerOne is known for helping the community learn new skills and for helping beginners get started. They already have Hacker101, where anyone can learn about security for free. Recently HackerOne tied up with cybersecurity training company HackEDU and offered five sandbox environments modeled after popular security bugs reported through their platform.

It's a very good step by them: most of the time, when we are learning, we don't get something like this, and trying things out on live websites is always a risk.

All five hackboxes they developed are very interactive and guide you throughout.

Here are the five hackboxes:

1. Wormable Clickjacking in Twitter

This hackbox replicates a wormable clickjacking attack via playcards, which was reported to Twitter in May 2018. You can access it here.

2. XXE flaw in Semrush

This hackbox challenges users to reproduce an XML External Entity (XXE) injection that could be exploited to read arbitrary files from the server. This flaw was reported to SEMrush in March 2018. You can access it here.
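As an added, defender-side illustration of the XXE bug class behind the Semrush hackbox (this is example code written for this post, not HackEDU's sandbox or SEMrush's code), the block below builds a constructed XML document whose DTD declares an external entity pointing at a local file, shows that a parser configured to resolve external general entities hands the file's contents back as document text, and then shows a hardened entry point that rejects any untrusted document carrying a DTD and keeps external entity resolution disabled. The file path, secret value and element names are all made up for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collect every character-data chunk the SAX parser reports."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def build_xxe_document(secret_path):
    # Constructed sample input: a DOCTYPE that declares an external general
    # entity whose system identifier points at a file on the parsing host.
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY ext SYSTEM "file://{secret_path}">\n'
        "]>\n"
        "<data>&ext;</data>\n"
    ).encode()


def parse_with_external_entities(xml_bytes):
    # Weak configuration: the parser is explicitly told to fetch and expand
    # external general entities, so &ext; is replaced by the file's contents.
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_untrusted(xml_bytes):
    # Hardened entry point: untrusted XML never needs a DTD, so refuse one
    # outright, and leave external entity resolution off (the xml.sax default)
    # as defence in depth in case the check is ever bypassed.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD declarations are not accepted from untrusted input")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Return (text leaked by the weak parser, whether the hardened parser refused)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a sensitive file on the server.
        secret_path = os.path.join(workdir, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("s3cret-config-value")
        doc = build_xxe_document(secret_path)
        leaked = parse_with_external_entities(doc)
        try:
            parse_untrusted(doc)
            rejected = False
        except ValueError:
            rejected = True
        return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("weak parser returned:", leaked)
    print("hardened parser rejected document:", rejected)
```

The lexical DOCTYPE check runs before the parser ever sees the bytes, which is the property a reviewer should look for in a fix: the decision not to process DTDs should not depend on a parser feature flag that a later library upgrade or a different code path might flip back on.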

3. Command Injection attack in Imgur

The third hackbox walks through taking control of a server with a command injection attack. The real vulnerability was discovered in Imgur and reported in April 2017.

4. SQL Injection Grabtaxi

This hackbox is about a SQL injection that was discovered in Grabtaxi back in November 2017.

5. XSS in HackerOne

The final hackbox is about a cross-site scripting issue in a third-party component used by HackerOne to manage contact forms, which was disclosed in August 2017.

The main purpose of these demos is to provide a safe and legal way to practice real-world hacking techniques. The best part is that each one comes with an explanation of how the bug works and guides the user through exploiting it.