Howdy folks, I was pondering on my abilities to “hack” (as they say) and so I gave this website a shot. Took some time to work on the missions, discovered it to be relatively easy until I came up to the Captcha 1 mission (still haven’t completed). I was wondering how I could figure it out, so I wrote a Python script to handle it for me. As I was doing my typical recon and whipping up something that could be used to my benefit, I discovered my code was useless unless I was requesting the web page as an authenticated user. So, from there my curiosity was sparked - I knew then that I faced a much bigger challenge than originally anticipated.
I was doing some intercepting in Burp Suite and discovered that the data being sent to/from the DTW website was pretty simple - a few cookies to save your session, and a few params to send with each request. From there, I built a few functions around logging into accounts, submitting missions, etc. I got a bit sidetracked and expanded it into something much bigger now. I like to call this little project the “DefendTheWeb API (and beyond) Controller”, with the API part being inspired by DTW’s very own API system that allows you to see some basic information on the site (and requires an API token). I wrote some code (don’t think I finished it 100%) that can do essentially the same as the built-in API system can do, such as extract profile information.
The whole point behind where it stemmed off into is the fact that the developers (I assume @flabbyrabbit) missed crucial fundamental aspects of webapp security, such as rate limiting, data tokenization, forcing HSTS, etc. I think this is a great website and it does have lots of useful information available - I just like playing around to see what’s possible and make the unexpected happen. I’ve made the project open-source on GitHub for anybody that would like to review the code and see how everything works so maybe you too can make your own version for another website, such as Telegram.
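As an added example (not code from the post, the author's tool, or DefendTheWeb), here is what the three controls named above look like in a minimal Python request filter on the server side: a per-session sliding-window rate limiter, per-session form tokens (my reading of "data tokenization"), and an HSTS header. The key, window length, request limit and the `handle_submission` shape are assumptions for illustration.

```python
# Added example: the three missing controls as a tiny server-side request filter.
import hmac, hashlib, secrets, time
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)   # server-side signing key (assumed; keep out of the client)
WINDOW_SECONDS = 60                # sliding window length (assumed)
MAX_REQUESTS = 20                  # requests allowed per session per window (assumed)

_hits = defaultdict(deque)         # session id -> timestamps of recent requests

def rate_limited(session_id, now=None):
    """Sliding-window limiter keyed on the session cookie value.
    Returns True when the session has exhausted its budget for the window."""
    now = time.time() if now is None else now
    q = _hits[session_id]
    while q and now - q[0] >= WINDOW_SECONDS:   # drop timestamps outside the window
        q.popleft()
    if len(q) >= MAX_REQUESTS:
        return True
    q.append(now)
    return False

def issue_token(session_id):
    """Per-session form token: random nonce plus an HMAC binding it to the session."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_token(session_id, token):
    """Accept only a token minted for this exact session (constant-time compare)."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def security_headers():
    """HSTS: browsers that have seen this refuse plain-HTTP connections for a year."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

def handle_submission(session_id, form, now=None):
    """HTTP status for a mission-submission request: 429 when rate limited,
    403 when the form token does not belong to the session, else 200."""
    if rate_limited(session_id, now):
        return 429
    if not verify_token(session_id, form.get("token", "")):
        return 403
    return 200
```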
I hope you all enjoyed this and can appreciate my work behind it; please don’t abuse the tool as it was released for educational purposes only. Have a great day everybody and don’t forget to h4ckth3pl4n3t :)