Your last commit broke all the .md links in the general README file. Can you please revert that change, for simplicity? 👍

Links are giving a 404 because of the missing .md extension.
Example:
https://github.com/Hacker0x01/hacker101/blob/master/sessions/clickjacking
It should be:
https://github.com/Hacker0x01/hacker101/blob/master/sessions/clickjacking.md

xss was easy, but i cant solve the others.
where can i see solution/hints?

When i try this coursework : https://levels-a.hacker101.com/levels/0/

i know there is have csrf bug because i didn't see any prevention for csrf like token or something but i donno if i already solve it in correct way

and, i got the reflected xss in the amount parameter that can be send using get/post request : https://levels-a.hacker101.com/levels/0/?to=1&amount=%22%3E%3Cimg%20src=x%20/%3E
but there is no clue or something that indicate i solve the problem

also for the idor i think we could manipulate the id on parameter to but i confuse what the goal is from the idor, there must be something that indicate we got the vulnerability it will help new comers to learn the idea.

https://levels-a.hacker101.com/static/report0.txt is pointing to Affected Assets: http://h101levels.appspot.com/levels/0.

The description and contents list the order of topics as "SQL injection (, blind SQLi) , directory traversal, and command injection" but the order covered in the video is "directory traversal, command injection, SQL injection, blind SQLi". Changing the order of the description and contents to be inline with the video order will help users understand the concepts and search within the video for specific sections.

First who wants to join takes the permission of other like the admin and me to admit in hackerone as a new member.

I'd appreciate if you could upload the slides somewhere, so I can read at my own pace.

Thanks!

Video player must have options like full screens and action buttons etc will be really help full

I can't access https://www.hackerone.com/hacker101

Need to decide on a license for the videos, course materials, etc.

It would be great if you would open source the coursework, so you can review the code, add suggestions and host it locally. The site where the coursework is hosted, is every slow - throttled?

1. Add SSRF
   How to Detect And its Exploitation With A DEMO Lab.

2. Add rce, subdomain takeover

Thanks for looking at these suggestions.

I was watching the introduction video and when I finished, I wanted to go to the next video but I couldn't because there wasn't "next video" button. So a next video button would be appropriate.
Great website though

The SQL injection video suggests that ORM's completely mitigate sql injection. This statement should probably be modified as in it's current form the information is misleading.

Error while running 'bundle install' in directory.

Originally posted by @hackgod512 in #76 (comment)

I have made a lot effort to try to visit youtube but failed.

I wonder that will you please provide urls for these videos that i can download and learn them.

Best wishes.

The video is not playing properly

Yeah

There is no solutions to course work.

I have some suggestions and requests that have come through to the Support team:

1. For people that do not have access to the internet, all the time make some of the content available offline or downloadable.

2. Upload the following videos:
   Vulnerabilities Directory Traversal
   https://github.com/Hacker0x01/hacker101/blob/master/vulnerabilities/directory_traversal.md

Vulnerabilities Padding Oracle
https://github.com/Hacker0x01/hacker101/blob/master/vulnerabilities/padding_oracle.md

Vulnerabilities Reflected Cross-Site Scripting (XSS)
https://github.com/Hacker0x01/hacker101/blob/master/vulnerabilities/reflected_xss.md

Vulnerabilities Stored Cross-Site Scripting (XSS)
https://github.com/Hacker0x01/hacker101/blob/master/vulnerabilities/stored_xss.md

Vulnerabilities Stream Cipher Key Reuse
https://github.com/Hacker0x01/hacker101/blob/master/vulnerabilities/stream_reuse.md

3. Add a section about recon and basic methodology for recon.

4. Add a section for resource material for reading.

Bb

Hi and thank you for all you share here!! thats a lot of work and you make it well!!!

We can read the coursework will be deprecated on the 1st October in favor of the CTF but can you release the source code in this github for those who want to make them locally, or just want to review the code for trainning our skill in code analysis??
Thanks

Web hacking has an invalid URL at line caaf944#diff-e91595e36e5cb525639dc041dd5fff53c2b0efc7ecff4c8431f4909af61d83b9R25 made by commit caaf944 which right now says:

https://github.com/Hacker0x01/hacker101/blob/master/'playlists/web_hacking

Instead of:

https://github.com/Hacker0x01/hacker101/blob/master/playlists/web_hacking

The current repository description is identical to the name of the repository, this is not very informative when parsing the json reply from a repository search using the github api. I would recommend adding a short meaningful description, for example: "a free class for web security" .

what‘s the problem

All the videos under sessions are displaying the code for an embedded youtube video, could just have a link to clean up?
Or something like this: https://stackoverflow.com/questions/11804820/embed-a-youtube-video

Is this the same request as #32 ?

Last login: Tue Jan 21 03:35:09 UTC 2020 on pts/2
Linux kali 3.18.31-fly-g22c0ebd-27271-geae3ddb #2 SMP PREEMPT Tue Jul 3 15:03:38 CST 2018 aarch64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[root@kali][]
#cd hacker101
[root@kali][/hacker101]
#ls
404.html README.md assets resourceGen.py update_bootstrap.sh
CNAME _config.yml discord.html resources videos.md
Gemfile _includes favicon.ico resources.md
Gemfile.lock _layouts index.md resources.res
LICENSE _sass playlists sessions
[root@kali][~/hacker101]
#bundle exec jekyll serve
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /usr/share/rubygems-integration/all/specifications/erubis-2.7.0.gemspec:16.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /usr/share/rubygems-integration/2.5.0/specifications/thin-1.7.2.gemspec:22.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /usr/share/rubygems-integration/2.5.0/specifications/msgpack-1.1.0.gemspec:19.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /usr/share/rubygems-integration/2.5.0/specifications/eventmachine-1.0.7.gemspec:21.
Configuration file: /root/hacker101/_config.yml
Source: /root/hacker101
Destination: /root/hacker101/_site
Incremental build: disabled. Enable with --incremental
Generating...
WARNING: The text-hide() mixin has been deprecated as of v4.1.0. It will be removed entirely in v5.
on line 10 of /root/hacker101/_sass/bootstrap/mixins/_text-hide.scss, in `text-hide'
from line 57 of /root/hacker101/_sass/bootstrap/utilities/_text.scss
from line 14 of /root/hacker101/_sass/bootstrap/_utilities.scss
from line 41 of /root/hacker101/_sass/bootstrap/bootstrap.scss
from line 2 of an unknown file

Conversion error: Jekyll::Converters::Scss encountered an error while converting 'assets/css/style.scss':
Invalid US-ASCII character "\xE2" on line 5
jekyll 3.7.4 | Error: Invalid US-ASCII character "\xE2" on line 5
[][root@kali][~/hacker101]

In this application, there are a lot problems:

1. The sender can send unlimited amount of funds to bank account.
2. The bank account number is not verified.
3. No proper authentication mechanisms.

These issues can be solved by:

1. Running a balance checking script to verify the availability of funds.
2. Verifying the bank account number to which the amount is to be sent.
3. A fund transfer is a sensitive part of any bank operation. It must be approved by the sender. Appropriate measures such as authentication via OTP, security Q&A can be taken.

https://github.com/Hacker0x01/hacker101/blob/master/sessions/introduction.md im not sure if this is deliberate

On the video "File Upload Bugs" the slide titled "Separate Domains" on minute 2:30 says: "...files uploaded by users should be hosted on a separate domain." However, the narrator specifies "...should NOT be hosted..."

Thought you should know :)

.

I'd like to suggest changing the Coursework style to be on CTF formats which allows players to achieve something by making real world exploitation for the discovered vulnerabilities.

Hi again xD
I start looking the videos and for practicing i look in to coursework but i dont really understand the logic or the link between videos and exercises. It will be better for noobs like me to know something like before level0 it is better to look Videos x,y and z. And give how many vuln we can exploit, i saw a hint in level0 but i dont remember if there is this info.
I dont know if you understand what i want to say lol
However thanks

Add this under vulnerabilities.

At about 03:10-ish, the final bullet point states:

EVER USE ECB

That should be:

NEVER USE ECB

Add this topic in injection criteria.

need more example thanks

The mother explains her sons name is ... Robert'); DROP TABLE Students;--
The 3 slides later, the Example PHP's sql statement reads students with a lower case.
The very next slide indicates that Bobby's name inside the query would result "SELECT age, grade, teacher from students WHERE (name='Robert'); DROP TABLE Students;--') "

I believe this sql would not do anything unless there exists both a Students and students table

Hi! Thanks for this content!

I just noticed that the "sign up now" link in the "get started" section of this page: https://ctf.hacker101.com/howtoplay points to stay on that page (/howtoplay), instead of pointing to the "sign up now" page.

Hope this helps!

???????

you are swallowing the words,,it not clear thought
thankyou