My First WISP Hacking Event

September 21, 2021

I recently attended an event hosted by Women in Security and Privacy (WISP). WISP is an organization that aims to support women in the privacy and security fields.

I should start this out by saying the hosts were explicitly clear not to try any of these tricks on any site except the Shadow Bank test site created for this purpose.

WISP was hosting a free event called "Remote Cyber Ranges: Hacking Shadow Bank" aimed at beginners learning about hacking and the different vulnerabilities a website can have. Starting with introductions via Zoom, we were required to register on CMD+CTRL to spin up an instance of a fake site (Shadow Bank) to practice hacking it. The instance of the site was for each participant to find all the vulnerabilities the site held. Whenever we found a vulnerability, a dropdown showed with a booming voice indicating we earned points for our discovery (the voice made me jump the first time).

At the start of this event, we were given a short slideshow of some things to keep in mind to be a successful hacker:

  • Complete knowledge (What is the purpose of the site?)
  • Good imagination (With the knowledge, what can I use the site to do to my advantage?)
  • Observant (Analyze all the pages available. Developer tools were also used to analyze the page's code.)
  • Good memory
  • An evil streak (With this being a site to practice hacking on, we had permission to really do whatever we could to break it.)

Along with these points, the CMD+CTRL site had an extensive cheat sheet for anyone new to hacking (like me). You could also use points to get more detailed hints on the site.

During the 4-hour event there were small walkthroughs by hosts to give tips if there were some vulnerabilities most of us were having trouble detecting. The first tip was to look in the code comments in devtools for test credentials that shouldn't have been there. This helped many of us get started (including me).

Once I got in, things started to get moving. I learned about Insecure Direct Object References (IDOR), which is when a user can access unauthorized pages by using what is currently accessible to them. For example, changing URLs to manipulate queries to view other people's bank account pages. Just because the person wasn't given the URL doesn't mean they cannot get to it through trial and error. There need to be authorization checks to keep this from happening. Finding this, I was able to transfer money from one account to another when I knew another bank account number.

I used Cross-Site Scripting (XSS) attacks to inject HTML or JavaScript into the page through search bars or input boxes. This can be done when the site doesn't correctly encode the data.

A common example is just displaying an alert() between script tags.

<script> alert(1); </script>

This worked in one area, but I tried this on another page and it didn't work.

So I tried another trick to circumvent this if the page filtered out script tags.

<img src="javascript:alert('xss')" />

Another way to break the site was using SQL queries (known as SQL injection), which would attack the data stores. Whenever I caused an error message to display on the page, it would say a query could not process what I entered into an input, textbox, or URL parameters. The mistake here was that the error message displayed the exact query used. This isn't something that should be given out to the user. I haven't used SQL since college, but some of the syntax came back to me.

SELECT [column] FROM [table] WHERE [condition] OR 1=1

This was a common pattern because 1=1 is always true, so the query will return all the data.
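The two server-side mistakes described above (the query built from user input with a leaky error message, and the missing authorization check on account pages) can be seen next to their fixes in this added example. It is not code from the event or from Shadow Bank; the table, the function names and the sample accounts are all made up for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: three accounts owned by two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1001, "alice", 500), (1002, "bob", 900), (1003, "bob", 40)])
    return conn

def lookup_vulnerable(conn, account_id):
    # Weak form: user input is concatenated into the SQL text, there is no
    # ownership check, and a failure echoes the full query back to the user.
    query = f"SELECT id, owner, balance FROM accounts WHERE id = {account_id}"
    try:
        return {"rows": conn.execute(query).fetchall()}
    except sqlite3.Error as exc:
        return {"error": f"Could not process query: {query} ({exc})"}

def lookup_hardened(conn, session_user, account_id):
    # Hardened form: the input must be an integer, it is bound as a parameter
    # (never parsed as SQL), and the row must belong to the logged-in user.
    try:
        account_id = int(account_id)
    except (TypeError, ValueError):
        return {"error": "Invalid account number."}
    try:
        rows = conn.execute(
            "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
            (account_id, session_user)).fetchall()
    except sqlite3.Error:
        # Log details server-side; the user sees only a generic message.
        return {"error": "Something went wrong."}
    if not rows:
        return {"error": "Account not found."}  # same answer for missing or not yours
    return {"rows": rows}

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1001 OR 1=1"))        # every account comes back
    print(lookup_vulnerable(db, "abc"))                # error text leaks the query
    print(lookup_hardened(db, "alice", "1001 OR 1=1")) # rejected before any SQL runs
    print(lookup_hardened(db, "alice", "1002"))        # bob's account: refused
    print(lookup_hardened(db, "alice", "1001"))        # alice's own account
```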

A big vulnerability was to inspect the website's framework to find any information about its vulnerabilities online. Since the framework itself was for the test site, there was a blog post meant for us to search out to complete this one.

A few smaller bugs to find were searching for elements that had display: none; on them and removing this. With the element visible, I was able to use a hidden form when I didn't have the authorization to.

I really enjoyed this event. I wanted to attend because the security and privacy field was hard to learn more about for a complete beginner. There's really no other opportunity to think like a hacker and see if I could exploit a site myself. It seems there's only a small percentage of people in this field that are women and I only hope that more women try events like this one to see if a career in security and privacy is for them.