Posts: 4192 Location: Joined: 14.04.07 Rank: God Warn Level: 90
Posted on 13-12-07 08:31
How do you learn XSS, you ask me? With an HTML sandbox and the internet.
SQL? Study SQL, run MySQL and MSSQL, but whatever you do, DON'T TEACH PEOPLE PREFABRICATED STUFF! Actually learn WHY and HOW, not just WHAT they have to inject.
That is why I think your process of thinking is flawed: you still think in minor objectives, in small victories. I think in binary: either you know it (1), or you don't (0).
"The chowner of property." - Zeph
"Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term." - Carl Sagan
"Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?" - Ebert
RE: My idea for a web hacking training ground
Posts: Location: Joined: 01.01.70 Rank: Guest
Posted on 13-12-07 10:57
Yes I believe that it was pretty resource intensive, BUT I have had a thought since then (was going to make another one, to help teach the people on my course SQL as our lecturers can't even perform INSERT queries, even with a piece of paper with the code on it).
But anyway, because the number of databases would be well in excess of 50 for something like you're planning, you would be looking at easily double that, which would cause problems between you and your hosting company.
But what I thought about is that it is possible to connect to MySQL databases which are on a different server to where the script is, so if you take my idea from above and then add a host field to the database then have the database connected to from your server while the database they're connecting to is on some free web space thing.
Personally I found that there was a problem when I tried to implement this. The databases weren't allowing the connection, so I'm guessing the free host that I was trying to use had their database set up so you couldn't connect to it from anything but their server.
What about this: one database, which all users have access to. The only restriction is that users cannot access the basic user table which contains user/pass of everybody (so you don't have to re-register after somebody drops it).
Personally, if you have the ability to have more than one database, then I would have the user/pass for the users in a separate database to which the user which is being used for the other database has no rights (better safe than sorry).
remove other people (king of the hill style?)
Personally I'm not keen on this idea, as it would be really annoying for noobs who're trying to learn to finally gain access and then have their access removed.
Also, one of the problems with having only one database which everyone accesses is that we all know you will get one ponce who has to ruin it for everyone else and will sit there dropping all the tables. When each user has access only to their database, then they can drop all the tables in their database all they want without ruining it for everyone else.
to make things more fun, there should also be an admin table, news tables, and shit like that.
Yeah well it would be important to have the database able to support the front end that you will supply the end users to try and hack.
Also, another benefit of having several databases is that when creating the database you don't have to worry about things like XSS as much, as when the user views a database they're viewing their own rather than one someone else has had access to.
This would also mean that you would be able to have different levels of security for XSS.
Basically you could probably create entire sites, each one with different levels of security on all parts of it (although you would have to make sure that there are no PHP Injection as that could cause a couple problems).
Anyway, I'm gonna shut up now as I have an exam in 30 minutes and I'm not even dressed yet.
If you decide that you would like to go down the route of having several databases, I can give you some source code which I had done for my version (the one for the people on my course, not L2H, as that was lost nearly two years ago). It's not perfect, but it would give you a chance to see how I did it.
Wow, that was a block of text, sorry if that's put you off reading that, although if you didn't bother reading that then I'm sure you're not reading this.
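The layout discussed in the post above (credentials in a separate database, one sandbox database per trainee, a host field recording where each sandbox lives) can be sketched in MySQL as follows. This is an added example, not code from the thread or from the poster's own project; every database, table and account name and every password is a constructed placeholder.

```sql
-- All names and secrets below are constructed for illustration.
-- The per-account limits use MySQL 5.7+ CREATE USER syntax.

-- 1. Credentials live in their own database, next to a map of where
--    each trainee's sandbox is hosted.
CREATE DATABASE training_auth;
CREATE TABLE training_auth.users (
    id        INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    username  VARCHAR(32)  NOT NULL UNIQUE,
    pass_hash VARCHAR(255) NOT NULL
);
CREATE TABLE training_auth.sandboxes (
    user_id INT UNSIGNED NOT NULL PRIMARY KEY,
    db_host VARCHAR(255) NOT NULL DEFAULT 'localhost',  -- the "host field"
    db_name VARCHAR(64)  NOT NULL,
    FOREIGN KEY (user_id) REFERENCES training_auth.users (id)
);

-- 2. Only the registration and login code connects with this account.
CREATE USER 'site_auth'@'localhost' IDENTIFIED BY 'placeholder-secret-1';
GRANT SELECT, INSERT, UPDATE ON training_auth.* TO 'site_auth'@'localhost';

-- 3. One database and one account per trainee. The deliberately
--    vulnerable pages connect as this account, so dropped tables are
--    confined to sandbox_alice and the account holds nothing on
--    training_auth. The limits keep one trainee from exhausting the host.
CREATE DATABASE sandbox_alice;
CREATE USER 'sb_alice'@'localhost' IDENTIFIED BY 'placeholder-secret-2'
    WITH MAX_USER_CONNECTIONS 5 MAX_QUERIES_PER_HOUR 2000;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP
    ON sandbox_alice.* TO 'sb_alice'@'localhost';

-- 4. Check, as an administrator: every row returned should name
--    sandbox_alice and none should name training_auth.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''sb_alice''@''localhost''';
```

Because the sandbox account keeps CREATE on its own database, a trainee who drops everything can be reset by re-running the seed script for that one database without touching the credentials.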