⚡ Module 03 · Intermediate

Web Vulnerabilities

✨ PAN'S RULE: If it's not chaotic, it's not magic! ✨

Let's peek behind the curtain of the web and find the secret spells and hidden doors that hackers use. It's time to become a digital magician!

πŸ›‘οΈ WHITE HAT OATH: A true hacker protects the realm. Never test, scan, or attack networks you do not own. Never search for, track, or post personal information about real people. We build shields, not weapons!
πŸ’‰

Injection Attacks (Dark Arts Spellcasting 101)

Imagine a website is a magic castle. The comment box is a scroll where you can write messages for everyone to see. But what if, instead of a message like "Cool castle!", you wrote a *mischievous spell*? 📜✨

If the castle's magic shield isn't strong enough, it might read your spell and accidentally cast it for every visitor! That's an "Injection Attack": you're injecting your own magic where it doesn't belong. The most common type is called Cross-Site Scripting (XSS).

📺 PwnFunction, "Cross-Site Scripting (XSS) Explained": an animated look at how XSS works under the hood.

⚡ Security Check: Input Sanitization

How do web developers prevent Injection Attacks (Dark Arts Spellcasting 101) like XSS?

By installing stronger firewalls on their servers.
By strictly defining ("sanitizing") user inputs before using them.

🧪 The Sanitization Sandbox

Let's see sanitization in action! Try typing a "spell" like <p>Hello World!</p> into the box below. A good website will show you the literal text, not a formatted paragraph. Now try a trickier one: <script>alert('Hacked!')</script>. See how it just displays the text instead of running it? That's the shield at work!


πŸ•΅οΈβ€β™‚οΈ Secret Decoder Mission

Hackers often look for secrets hidden in a website's code. Let's practice finding them! Use your browser's developer tools to find the hidden flags.

LEVEL 1: The Hidden Comment

A secret message is hidden in the code for the box below. Can you find it?

  1. Hover your mouse over the black terminal box below.
  2. Right-click and choose "Inspect". A window with lots of code will pop up!
  3. Look for the line highlighted in blue. Can you find the secret flag hidden inside a comment <!-- like this -->? It's your prize!

LEVEL 2: The Secret Attribute

Nice work! Now for a trickier one. This time, the flag isn't in a comment. Use the Inspector to examine the element below and look closely at its "attributes" (like style="...") to find the one holding the secret data.

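The two hiding places in Levels 1 and 2 (an HTML comment and an element attribute) are exactly where real developers accidentally leave secrets before a page ships. Here is an added example, not part of the lesson's own terminal boxes, of a tiny "secret decoder" that scans a page's HTML for both. The sample page and the FLAG{...} format are constructed for the demo; a real check would run it over your own site's pages before publishing.

```javascript
// Added example (not the lesson's code): scan HTML for the two hiding places
// the levels describe, HTML comments and element attributes, and report
// anything that looks like a flag. The sample page below is constructed.

const SAMPLE_PAGE = `
<div class="terminal">
  <!-- FLAG{constructed-comment-flag} -->
  <p>decoding... please wait...</p>
  <span style="color:green" data-secret="FLAG{constructed-attribute-flag}">terminal simulator online...</span>
</div>`;

// Return the trimmed body of every HTML comment (Level 1's hiding place).
function findComments(html) {
  const out = [];
  const re = /<!--([\s\S]*?)-->/g;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1].trim());
  return out;
}

// Return {tag, name, value} for every quoted attribute on every start tag
// (Level 2's hiding place). Comments and closing tags are skipped because a
// tag name must begin with a letter.
function findAttributes(html) {
  const out = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>]+(?:="[^"]*"|='[^']*')?)*)\s*\/?>/g;
  const attrRe = /([^\s=]+)=(?:"([^"]*)"|'([^']*)')/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    let a;
    attrRe.lastIndex = 0; // reuse the global regex safely for each tag
    while ((a = attrRe.exec(t[2])) !== null) {
      out.push({ tag: t[1].toLowerCase(), name: a[1], value: a[2] ?? a[3] });
    }
  }
  return out;
}

// Report every flag-like string, saying where it was hiding.
// The FLAG{...} pattern is an assumption for this demo.
function findFlags(html, pattern = /FLAG\{[^}]*\}/) {
  const hits = [];
  for (const c of findComments(html)) {
    const m = c.match(pattern);
    if (m) hits.push({ where: 'comment', value: m[0] });
  }
  for (const a of findAttributes(html)) {
    const m = a.value.match(pattern);
    if (m) hits.push({ where: `attribute ${a.name} on <${a.tag}>`, value: m[0] });
  }
  return hits;
}

// Stand-alone run: print what the decoder finds in the sample page.
console.log(findFlags(SAMPLE_PAGE));
```

The same idea, with a pattern for API keys or passwords instead of FLAG{...}, is what a pre-publish secret scan does: anything the browser can download, a visitor can read with "Inspect", so comments and attributes are never a safe place for secrets.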

LEVEL 3: The Final Boss - Live XSS!

πŸ›‘οΈ Safety Check: This is a safe simulation! We've built this box so you can see how an XSS attack works without any real danger. Never, ever try this on a website you don't own.

The blog below has a vulnerability! If you post a normal comment, it just appears. But if you can figure out the right HTML "spell", you can make an alert box pop up. Try to get an alert that says "You found the vulnerability!".
Hint: The tag is <img> and the event is onerror.

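To show what separates the Sanitization Sandbox (which shows your spell as text) from the Level 3 blog (which casts it), here is an added example, not the code behind either box, of the two ways a comment can be rendered. The vulnerable renderer pastes the raw comment into the page markup; the hardened one escapes the five characters HTML treats as markup first. The sample comments are constructed, and the tag-counting check is a stand-in for what a browser would actually build from the markup.

```javascript
// Added example (not the lesson's sandbox code): vulnerable vs. hardened
// comment rendering, and a check that counts how many elements each produces.

// Escape the characters an HTML parser treats as markup. This is the shield
// the sandbox calls "sanitizing" the input, applied for the HTML text context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the comment is concatenated straight into the page markup,
// so any tag inside it becomes a real element the browser will act on.
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: the comment is escaped first, so the browser shows the text.
// (In a real page, setting element.textContent = comment does the same job
// without building markup by hand.)
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Count the element start tags in rendered markup. One comment should only
// ever produce its single <li> wrapper; anything more leaked in from the user.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample comments, ending with the Level 3 <img>/onerror spell.
const SAMPLE_COMMENTS = [
  'Cool castle!',
  '<p>Hello World!</p>',
  "<script>alert('Hacked!')</script>",
  '<img src="x" onerror="alert(\'You found the vulnerability!\')">',
];

// Render every comment both ways and report how many tags each produced.
function compareRenderers(comments = SAMPLE_COMMENTS) {
  return comments.map((c) => ({
    comment: c,
    vulnerableTags: countTags(renderCommentVulnerable(c)),
    safeTags: countTags(renderCommentSafe(c)),
  }));
}

// Stand-alone run: the vulnerable column grows for every "spell", the safe
// column stays at 1 for all of them.
console.table(compareRenderers());
```

Escaping is context-specific: this table covers text between tags, which is where a blog comment lands. A value placed inside an attribute, a URL, or a script block needs its own encoding rules, which is why real projects use a templating library that escapes by default instead of hand-built strings.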

📚 Learn More

You've just scratched the surface of web security. Ready to go deeper? These are the real tools and resources professionals use.

πŸ‘¨β€πŸ‘©β€πŸ‘§ Parent Corner

The resources above, like OWASP and TryHackMe, are used by professionals in the cybersecurity industry. They are fantastic for learning, but we recommend exploring them alongside your child. It's a great way to learn together and discuss the importance of ethical hackingβ€”using these skills for good!