HackerOne has announced that it makes available to hackers that want to test and hone their skills a set of five sandbox environments modeled after popular security bugs reported through its platform.
The sandboxes are the result of a partnership with the cybersecurity training company HackEDU (https://hackedu.io) and expand the Hacker101 online hacker training program offered for free by the vulnerability coordination and bug bounty platform.
The five hackboxes have been developed by HackEDU and are part of the platform's interactive coursework.
All of them include a mockup of the vulnerable application and a proxy tool for intercepting and manipulating web requests.
One of the test environments from HackerOne and HackEDU replicate a wormable clickjacking attack via player cards, reported to Twitter in May 2018. You can access it here.
Another one, available here, challenges hackers to reproduce XML External Entity (XXE) glitch that could be exploited to at least read arbitrary files from a server. The bug was reported to SEMrush in March 2018.
The third hackbox is for trying to get control of a server by using a command injection attack. The real vulnerability was discovered in Imgur and reported in April 2017.
A flaw in a website operated by Grabtaxi was used to create a testing ground for an SQL injection attack. The company received a report in November 2017.
Last on the list is a sandbox that replicates a cross-site scripting (XSS) issue in a third-party component used by HackerOne to manage contact forms. The bug was disclosed in August 2017.
The obvious purpose of these demos is educational, and to provide a safe and legal way to practice real-world hacking techniques. They come with explanations on how each bug works and they guide the user through finding and exploiting the vulnerability.
"Hacking is a highly sought-after skill, but it is not always clear how to get started or advance to the next level. This is why we started Hacker101,” said Cody Brocious, HackerOne security researcher and Head of Hacker Education.