
Antisyphon Cyber Range: Merry May Madness!

Part 1 of OAuth problem series

These days you'll find "Login with Google," "Login with Facebook," or "Login with $provider" buttons on plenty of sites. In order to power this feature, client sites communicate with authorization/resource servers (i.e. Google, Facebook, etc.) according to RFC 6749, which defines the OAuth 2.0 standard. We've created two sites for you to poke at: a Client Site and our own Authorization & Resource Server. As it turns out, OAuth is somewhat hard to do right. Many major sites have messed this up... For this problem, all you need to do is send the admin a link to click via the Contact form on the Client Site. Your goal will be to steal the admin's authorization code (basically you trick them into clicking a link, and when they click through the "Authorize" button, you get the code instead of the Client Site). For now, just steal the code. In a later problem, you'll have to utilize this stolen code to essentially take over the admin's account :)
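The challenge above hinges on an authorization server handing the authorization code to a redirect target that the client never registered. The block below is an added example, not code from the Cyber Range's own Authorization Server, showing the server-side checks that close that hole: exact-match validation of `redirect_uri` against the registered list (RFC 6749 §3.1.2.2), a short-lived single-use code bound to the client and redirect URI that received it, and a re-check of both at token redemption (RFC 6749 §4.1.3). The client registry, client ID, and URIs are constructed for the example.

```python
import secrets
import time

# Constructed client registry for this example; a real server would load
# this from its database. Only exact, pre-registered redirect URIs are allowed.
REGISTERED_CLIENTS = {
    "client-site": {
        "redirect_uris": {"https://client.example/oauth/callback"},
    },
}

# In-memory store of issued codes: code -> binding record.
ISSUED_CODES = {}


class AuthorizationError(Exception):
    """Raised when an authorization or token request fails validation."""


def validate_redirect_uri(client_id, redirect_uri):
    """Return redirect_uri only if it exactly matches one registered for client_id.

    Exact string comparison is deliberate: prefix, wildcard or "same host"
    matching is what lets a crafted link redirect the code elsewhere.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise AuthorizationError("unknown client_id")
    if redirect_uri not in client["redirect_uris"]:
        # Per RFC 6749 the server must NOT redirect here; it shows an error instead.
        raise AuthorizationError("redirect_uri is not registered for this client")
    return redirect_uri


def issue_authorization_code(client_id, redirect_uri, user_id, ttl_seconds=60):
    """Called after the user clicks "Authorize": mint a code bound to this request."""
    uri = validate_redirect_uri(client_id, redirect_uri)
    code = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": uri,
        "user_id": user_id,
        "expires_at": time.time() + ttl_seconds,
        "used": False,
    }
    return code


def redeem_authorization_code(code, client_id, redirect_uri):
    """Token endpoint: exchange a code for the user it authorizes, exactly once.

    The redirect_uri presented here must equal the one the code was issued to,
    so a code delivered to the wrong place cannot be cashed in by the real client
    (or vice versa).
    """
    record = ISSUED_CODES.get(code)
    if record is None:
        raise AuthorizationError("invalid code")
    if record["used"]:
        raise AuthorizationError("code already used")
    if time.time() > record["expires_at"]:
        raise AuthorizationError("code expired")
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        raise AuthorizationError("code was not issued to this client/redirect_uri")
    record["used"] = True
    return record["user_id"]


if __name__ == "__main__":
    good = "https://client.example/oauth/callback"
    code = issue_authorization_code("client-site", good, user_id="admin")
    print("user for code:", redeem_authorization_code(code, "client-site", good))
    for bad in ("https://client.example/oauth/callback/extra",
                "https://client.example.evil.test/oauth/callback"):
        try:
            issue_authorization_code("client-site", bad, user_id="admin")
        except AuthorizationError as exc:
            print("rejected", bad, "->", exc)
```

Note that the validation happens before any redirect is issued: when `redirect_uri` fails the check the server renders an error page rather than bouncing the browser anywhere, since the whole point is that the server never trusts a redirect target supplied in the link.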

Hey everybody!

Isn’t May a merry month? And for our first release of challenges for May, we have four webapp challenges that range in difficulty from fairly basic to OMG! Looks like a good time to make sure your copy of Burp Suite is up to date. 😉

For screenshots and descriptions of this week’s additions, see below.

Good luck and have fun!
The Cyber Range Team

P.S. If you’re not already signed up for the BHIS Antisyphon Cyber Range, the following page has screenshots, info, and, of course, a link where you can sign up and join in the fun:

https://www.antisyphontraining.com/cyber-range/