Saying that its secured by people wiser than you, is not a good start. Remember that they have to think about every security flaw and you just have to find the one they missed.
Yeah, yeah, I heard that already, however I meant that generally those security flaws are pretty advanced and pretty valuable on the Internet once they are found.
But on topic: the site is http://18.104.22.168/
and the clue I found is dead link, that goes to http://22.214.171.124/crowdsourcing/tyg ... cz/report/
. Plenty of informations there I think. I also found the admin panel (standard http://126.96.36.199/admin/
) and version of server program (http://188.8.131.52/index.html
). I think abous using nmap to get some more info at the moment. I may also try to crack into server itselt (remote exploit?), because it's all on my Department's machines and I have their blessing on every test that's necessary. So which information I should consider most useful?
Edit: Ow, sorry, I forgot about the message in source code. I will write to a person responsible for giving me that task and i hope that the propoer line will appear in site's source about next week (today and tommorow are holydays in PL). But other thing is that I don't want you to break in for me - I want to do it by myself (at least I have to learn it if I really want to do some serious pentesting in future), I would be grateful for piece of advice about starting.
Edit: Ok, the entry in site's source (informing about approval to pentesting for Marcin Jekot - that's me) should appear tommorow or the day after. Will anybody help with getting into it? I also was informed that debugging was turned off - fortunetely, I downloaded the site with output before that, so informations from it are still avaliable.
-- Wed Nov 07, 2012 5:35 pm --
Okay, I want to announce that the comment in source appeared - line 9 on main page. Debugging was also turned off, but I downloaded the site with results before - if anybody want to help I may provide some details on configuration. Anyone will help me a bit to start?
I have also read about some flaws in django from those slides: http://www.levigross.com/post/877653676 ... -and-rails
but not sure how to exploit them...