Solved CSE 543: Pwn Them All Assignment


Purpose
The purpose of this assignment is to test your understanding of common web vulnerabilities and
guide you to exploit common web vulnerabilities in a controlled environment. You will learn how to
perform black-box security audits of small websites without having access to their source code, as well
as develop exploits for the vulnerabilities that you find during security audits.
Objectives
Learners will be able to:
● Read HTML and JavaScript code that is necessary to perform black-box security audit of web
applications.
● Perform black-box security audit of small web applications.
● Develop exploits for common web vulnerabilities.
● Test and improve exploits so that they will work against the vulnerable target.
Technology Requirements
Each vulnerable website is hosted in the pwn.college virtual environment. You will need a browser
(Chrome, Firefox, or Microsoft Edge), an HTTP request sender (e.g., curl), and Burp Suite.
Throughout this assignment, we will only need the “Proxy” feature in Burp Suite. The course team will
demonstrate how to set up and use the “Proxy” feature in Burp Suite.
Assignment Description and Directions
Technology Setup Reminder
If you have not already joined the course’s pwn.college, please review the setup directions in Module
0: Welcome and Start Here of your course to properly gain access and start your work.
CSE 543
Pwn Them All Assignment 1
Accessing the Environment
1. Navigate to https://pwn.college.
2. Click “Login” in the upper right corner of the screen and enter your account credentials.
a. Click “Forgot your password?” if you have trouble logging in.
3. Navigate to “Dojos”, second option from the left at the top of the screen.
4. Under “Courses”, select “CSE 543 – Session X Year”.
5. Under “Modules”, select “Pwn Them All Assignment”.
6. Under “Challenges”, click on a level, read the details, and then click “Start” when you are
ready to work.
a. Optional: use “Practice” to help you work through the level with assistance.
Assignment Directions
For this assignment, you will “hack” into a series of web applications: find vulnerabilities in each
website, develop exploits for the vulnerabilities that you find, launch your exploits, and get flags!
All web challenges are in each pwn.college challenge environment. Your goal is to exploit each level,
find the secret message (which can be a password, a message, a note, a post, or the bank account
login credentials of an important user), and submit the flag to the pwn.college website. While we
suggest that you work on these levels one after another, you can work on these levels in an arbitrary
order.
To make your life easier, the instructor will disclose the intended vulnerability of each level. However,
remember that there can definitely be unintended vulnerabilities. It is acceptable if you exploit a level
by exploiting unintended vulnerabilities!
Submission Directions for Assignment Deliverables
You are given an unlimited number of attempts to submit your best work. The number of attempts is
given to anticipate any submission errors you may have in regards to properly submitting your best
work within the deadline (e.g., accidentally submitting the wrong paper). It is not meant for you to
receive multiple rounds of feedback and then one (1) final submission. Only your most recent
submission will be assessed.
You must complete your Pwn Them All Assignment deliverables in pwn.college and then submit the
deliverables in its submission space in the course. Carefully review submission directions
outlined in the overview document in order to correctly earn credit for your work. Learners may not
email or use other means to submit any assignment or project for review, including feedback and
grading.
The Pwn Them All Assignment includes one (1) deliverable:
● Report: A report.txt file which must be in plaintext.
○ Your report.txt file must contain your name, ID number, and a short description of how
you broke each level.
○ Your description does not need to be long, but it must be understandable by the
instructor.
○ If you fail to include this information, or if your report.txt is not in the correct format, then
you will not receive credit for breaking that level.
Making File Submissions in Canvas
Before submitting, confirm that your deliverables follow the requirements for the project, and then
submit your work in the designated submission space in the course. Your submission will be reviewed
by the course team before finalizing your assignment grade.
1. In your course, go to Submission: Pwn Them All Assignment.
2. Click Start Assignment.
3. Click Choose File.
4. Locate and select one (1) deliverable file from your device.
5. If needed, click +Add Another File and repeat Steps 3 and 4 until all deliverables are added.
6. Select the agreement and then click Submit Assignment.
7. (If needed and allowed) To resubmit files:
a. Return to the Canvas submission space, click New Attempt, and repeat the process
from Step 3.
Evaluation
Your submission will be automatically graded in the challenge environment. As you complete each
challenge, you will receive a score in pwn.college. Scores will automatically populate to the course
after completion or after the due date passes. You will earn the maximum number of points for the
corresponding assignment in Canvas if you earn 100% on the challenge in pwn.college. Please refer
to the Grade Breakdown in the syllabus PDF and the assignment submission space in Canvas so you
know how many points each assignment is worth.
Your deliverables will be reviewed by the course team before finalizing your assignment grade. No
credit will be given for missing or incorrect submissions.
Review the course syllabus for details regarding late penalties.
● Each passing level will earn 12.5%.
● There are 8 levels in all to complete.
● Partial credit will not be granted for this assignment.