Basic URL Manipulation and Encoding
In this step, you will learn how to use Hackbar for URL manipulation and encoding/decoding operations, which are fundamental skills for security testing.
Launching a Test Website
For practice purposes, we will set up a simple test website. Open a new terminal and run:
mkdir -p ~/project/test-website
cd ~/project/test-website
Now create a basic HTML file with a simple form:
cat > index.html << EOF
<!DOCTYPE html>
<html>
<head>
<title>Test Website</title>
</head>
<body>
<h1>Login Form</h1>
<form action="login.php" method="GET">
<label for="username">Username:</label>
<input type="text" id="username" name="username"><br><br>
<label for="password">Password:</label>
<input type="password" id="password" name="password"><br><br>
<input type="submit" value="Login">
</form>
</body>
</html>
EOF
Let's start a simple HTTP server to host this page:
python3 -m http.server 8080
You should see output indicating the server is running on port 8080:
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Accessing the Test Website
Open a new Firefox window (leave the server running in the terminal) and navigate to:
http://localhost:8080
You should see a simple login form with username and password fields.
Using Hackbar to Manipulate URLs
Now let's use Hackbar to manipulate the URL:
- Click on the Hackbar icon to open the Hackbar panel.
- Click on the "Load URL" button to load the current URL into Hackbar.
- You should see http://localhost:8080 in the URL field of Hackbar.
- Try modifying the URL by adding a path, for example:
  - Change it to http://localhost:8080/index.html
  - Click "Execute" to send the request
- Fill in the login form with test credentials (e.g., username: "admin", password: "password") and click the Login button.
- Observe the URL in the address bar. Because the form uses the GET method, the field values are appended to the URL, and it should look something like:
  http://localhost:8080/login.php?username=admin&password=password
- The page will likely show a "Not Found" error because login.php doesn't exist, but we're interested in the URL structure.
- Open Hackbar again and click "Load URL" to load this new URL.
URL Parameter Manipulation
Security testing often involves manipulating URL parameters:
- In Hackbar, locate the URL field containing the login URL.
- Try changing the username parameter:
  - Change username=admin to username=admin'
  - Click "Execute" to send the request
This simple change adds a single quote character, which is a common technique for testing SQL injection vulnerabilities.
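To see what the single-quote test is actually probing, here is an added Python example (it is not from the tutorial or the Hackbar project) that performs the same parameter edit programmatically and then runs the resulting value against a constructed in-memory SQLite table twice: once through SQL built by string concatenation and once through a parameterised query. The function names (set_query_param, probe, etc.), the table and its single row are this example's own assumptions, standing in for the login.php backend the tutorial does not provide.

```python
"""Added example (not part of the original tutorial): reproduce the Hackbar
parameter edit in Python and show why a stray single quote matters.
Uses only the standard library; the users table is constructed here."""
import sqlite3
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The URL the tutorial's GET form produces (constructed to match the page).
LOGIN_URL = "http://localhost:8080/login.php?username=admin&password=password"


def set_query_param(url: str, key: str, value: str) -> str:
    """Return `url` with query parameter `key` set to `value`.
    Other parameters are kept in order; the new value is percent-encoded
    the way a browser would send it (a ' becomes %27)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params = [(k, value if k == key else v) for k, v in params]
    if key not in dict(params):
        params.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(params)))


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a login backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'password')")
    return conn


def unsafe_lookup(conn: sqlite3.Connection, username: str):
    """Builds SQL by string concatenation: the single quote from the
    tutorial's test breaks the statement, which is what the probe detects."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn: sqlite3.Connection, username: str):
    """Parameterised query: the quote is plain data, the statement is unchanged."""
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def probe(username: str) -> dict:
    """Run both lookups against the constructed database and report
    whether the input changed the query's behaviour."""
    conn = make_db()
    result = {"safe": safe_lookup(conn, username)}
    try:
        result["unsafe"] = unsafe_lookup(conn, username)
        result["unsafe_error"] = None
    except sqlite3.OperationalError as exc:
        # A syntax error here means the input was interpreted as SQL, not data.
        result["unsafe"] = None
        result["unsafe_error"] = str(exc)
    return result


if __name__ == "__main__":
    print(set_query_param(LOGIN_URL, "username", "admin'"))
    print(probe("admin"))
    print(probe("admin'"))
```

With the plain value both lookups return the admin row; with the trailing quote the parameterised query simply finds nothing, while the concatenated one fails with a syntax error. That difference in behaviour is the signal the Hackbar test looks for, and the parameterised form is the fix.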
Encoding and Decoding with Hackbar
Hackbar offers various encoding/decoding options:
- In Hackbar, click on the "Encoding" menu to see available options.
- Try URL encoding:
  - Type some text with special characters in the URL field, such as test space & special
  - Select the text you want to encode
  - From the "Encoding" menu, select "URL encode"
  - The selected text will be converted to URL-encoded format
- Try Base64 encoding:
  - Type some text in the URL field, such as hackbar test
  - Select the text you want to encode
  - From the "Encoding" menu, select "Base64 encode"
  - The selected text will be converted to Base64 format
- Try decoding:
  - Select the encoded text
  - From the "Encoding" menu, select the appropriate decoding option (URL decode or Base64 decode)
  - The text will be converted back to its original format
These encoding/decoding functions are essential when testing web applications for security vulnerabilities, as they allow you to manipulate data in various formats.
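The same transformations Hackbar's Encoding menu performs can be reproduced with Python's standard library, which is useful for checking what the extension produced or for handling values that have been encoded more than once. The following is an added example, not code from the tutorial or from Hackbar; it uses the tutorial's two sample strings and its function names (url_encode, decode_layers, etc.) are this example's own.

```python
"""Added example (not part of the original tutorial): URL and Base64
encode/decode as done from Hackbar's Encoding menu, using only the
Python standard library on the tutorial's sample strings."""
import base64
from urllib.parse import quote, unquote

SAMPLE_URL_TEXT = "test space & special"   # sample string from the tutorial
SAMPLE_B64_TEXT = "hackbar test"           # sample string from the tutorial


def url_encode(text: str) -> str:
    """Percent-encode every reserved character; safe='' also encodes '/'."""
    return quote(text, safe="")


def url_decode(text: str) -> str:
    """Reverse percent-encoding (one layer only)."""
    return unquote(text)


def base64_encode(text: str) -> str:
    """UTF-8 encode the text, then Base64 encode the bytes."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def base64_decode(text: str) -> str:
    """Strict decode: characters outside the Base64 alphabet raise
    binascii.Error instead of being silently dropped."""
    return base64.b64decode(text, validate=True).decode("utf-8")


def decode_layers(text: str, max_depth: int = 5) -> list:
    """Peel repeated URL encoding until the text stops changing and return
    every intermediate form. Handy when a value arrives double-encoded
    (e.g. %2527 -> %27 -> '), which a single URL decode would miss."""
    layers = [text]
    for _ in range(max_depth):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    enc = url_encode(SAMPLE_URL_TEXT)
    print(enc, "->", url_decode(enc))
    b64 = base64_encode(SAMPLE_B64_TEXT)
    print(b64, "->", base64_decode(b64))
    print(decode_layers("%2527"))
```

Note that URL decoding is not idempotent: decoding an already-decoded value can change it again if the text still contains percent sequences, which is why decode_layers records every stage rather than decoding blindly once.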
Stopping the Test Server
When you have completed this step, return to the terminal where the Python HTTP server is running and press Ctrl+C to stop it.