rootme_http-response-splitting/report/chapters/introduction.tex

2020-11-13 09:42:04 +01:00
\phantomsection
\addcontentsline{toc}{section}{Introduction}
\section*{Introduction}
\label{sec:introduction}
This document reports our resolution of the \gls{http} Response Splitting challenge \citep{website:challenge}, proposed by the \textit{Root-Me} online platform\footnote{\url{https://www.root-me.org/}}.
It covers everything related to solving the challenge, including our reasoning, the problems we encountered, and the definition of the attack together with its exploitation.
We start by discovering the initial conditions of the challenge, then carry out a technology check in order to find initial leads. After that, we decide on an attack direction and finally execute it. We close this report with some mitigation techniques that a sysadmin could use to avoid such attacks.
Having organized a \gls{ctf} this year at the High-school of Engineering of Fribourg, I did not try a smaller challenge before the real one.
\phantomsection
\addcontentsline{toc}{subsection}{Context}
\subsection*{Context}
\label{subsec:Context}
This report is the result of a practical work requested for the \textit{Ethical Hacking} course, which is given in the HES-SO MSE curriculum. The purpose of a \gls{ctf} challenge is to exploit or defend a vulnerability in a machine. A \textit{flag}, which is often a string of characters, must be found in order to complete the challenge.
Such an exercise is useful for the Ethical Hacking course because it allows students to apply the theoretical topics studied.
\phantomsection
\addcontentsline{toc}{subsection}{Goal of the challenge}
\subsection*{Goal of the challenge}
\label{subsec:goal}
There is just one goal for this challenge: we have to obtain administrator access to the exposed website. This would prove to the developers that their website is not as secure as they think!