About
This website contains people's public confessions as well as a place to privately share our inner secrets
Login
Please login to see people's confessions.
Guidance
This exercise is about testing the URL to find potential defects.
To start with, try logging into the application using the pre-populated "TestUser" account.
From there, explore a little and take note of the URLs in your address bar. Consider what you can change.
Here's some handy information about the test site and the implementation:
- All pages will end in '.php'.
- If you get a page wrong, the 404 error behaviour is a really ugly standard error page.
- Should the application try to access a user that doesn't exist, it will redirect you to this page.
- There's no DB so don't waste your time with SQL injection!
- Everything gets reset when you click Log Out.
Challenges
Here are some challenges that you might want to try:
- Can you view the secret for another user?
- Can you find the magic button for deleting all data?
- What is Rich's deep dark testing secret?
- What is the password for TestUser?
- Can you identify which version of FakeServer is powering this site?
- Can you perform an XSS attack? (note: it won't persist)
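The guidance above ("take note of the URLs in your address bar" and "consider what you can change") and the first challenge (viewing another user's secret) both point at the same defect class: a page that picks which record to show from a URL parameter instead of from the authenticated session. The following PHP is an added illustration, not the test site's own code, showing that pattern beside its fix. The in-memory $users array, the session layout, and the login.php / index.php redirect targets are assumptions made for the example; the site only states that pages end in ".php" and that there is no database.

```php
<?php
// Added example, not the training site's code. The user store, session
// layout and redirect targets below are assumptions for illustration.
session_start();

// Constructed sample data standing in for whatever the site really uses
// (the page says there is no DB).
$users = [
    'TestUser'  => ['secret' => 'constructed sample secret for TestUser'],
    'OtherUser' => ['secret' => 'constructed sample secret for OtherUser'],
];

// Vulnerable pattern: the record shown is chosen entirely by a query
// parameter, so any logged-in user can name any other user in the URL.
function secret_for_requested_user(array $users, array $query): ?string
{
    $name = $query['user'] ?? '';
    return $users[$name]['secret'] ?? null;
}

// Hardened pattern: the record is bound to the authenticated session and
// nothing in the URL influences which user's data is returned.
function secret_for_session_user(array $users, array $session): ?string
{
    if (empty($session['user']) || !isset($users[$session['user']])) {
        return null; // not logged in, or the session names a missing user
    }
    return $users[$session['user']]['secret'];
}

// Request handling (assumed redirect targets; adjust to the real site).
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}

$secret = secret_for_session_user($users, $_SESSION);
if ($secret === null) {
    header('Location: index.php'); // the "user doesn't exist" redirect
    exit;
}

// Output encoding is what keeps a secret containing markup from becoming
// the reflected XSS the last challenge asks about.
echo 'Your secret: ' . htmlspecialchars($secret, ENT_QUOTES, 'UTF-8');
```

With the vulnerable helper, the only authorization is "is anyone logged in", which is why editing the address bar is enough to read someone else's record; with the session-bound helper, the same URL edit changes nothing, and the missing-user case still lands on the redirect the guidance describes.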