Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat, but with a plot and a focus on realism & difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.


Play the online demo

The first two levels can be played online here. Since this is kindly being hosted by SourceForge, there are a couple of common-sense rules: Start at wraithmail and log in with algo:smurf
If you just want an SQLi challenge, see if you can extract usernames & passwords from the second level

Download & install instructions

If you can't edit the hosts file for some reason, you can use the 'Override hostname resolution' option in Burp Proxy instead
Troubleshooting the installation:

The scene

You play a professional blackhat hacker hired to track down another hacker by any means possible. Start by checking your email on wraithmail, and see how far down the rabbit hole you can get. The key websites in this game are http://wraithmail:8080, http://cloaknet:8080, http://gghb:8080 and http://hub71:8080, so if you don't feel like tracking down your target you may hack them in any order. Each website will be properly introduced through the plot.

Changes in 1.2 (2016 edition!)

Changes since 1.0

Changes since the beta


Client Attack Simulation with HtmlUnit

This means you can exploit CSRF and XSS on hapless in-game users by sending them malicious messages. Since messages can contain JavaScript, there is no need to socially engineer them into clicking a link. This is easily the best technical innovation of hackxor, and it was pretty easy to code, so I've posted some details about how to implement it yourself at skeletonscribe
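As an added illustration of the simulated-user idea (not hackxor's own code), here is a minimal HtmlUnit "victim" that logs in to wraithmail as algo:smurf, opens the inbox with JavaScript enabled, and refuses any request to a host outside the game. The login form and field names (`username`, `password`, `submit`) and the `LAB_HOSTS` allow-list are assumptions; the real page's names go there.

```java
import com.gargoylesoftware.htmlunit.BrowserVersion;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.WebRequest;
import com.gargoylesoftware.htmlunit.WebResponse;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.util.WebConnectionWrapper;
import java.io.IOException;
import java.util.Set;

/** Headless in-game user: logs in, reads the inbox, and executes whatever script the messages carry. */
public class SimulatedUser {
    // Assumption: only these in-game hosts may ever be contacted by the simulated user.
    private static final Set<String> LAB_HOSTS = Set.of("wraithmail", "cloaknet", "gghb", "hub71");

    public static void main(String[] args) throws IOException {
        try (WebClient client = new WebClient(BrowserVersion.CHROME)) {
            client.getOptions().setJavaScriptEnabled(true);            // message payloads must actually run
            client.getOptions().setCssEnabled(false);                  // layout is irrelevant, skip the cost
            client.getOptions().setThrowExceptionOnScriptError(false); // a broken payload must not kill the bot
            client.getOptions().setTimeout(5_000);

            // Network guard: a script in a message must not turn the victim into a proxy to the outside world.
            client.setWebConnection(new WebConnectionWrapper(client) {
                @Override
                public WebResponse getResponse(WebRequest request) throws IOException {
                    String host = request.getUrl().getHost();
                    if (!LAB_HOSTS.contains(host)) {
                        throw new IOException("blocked request to non-lab host: " + host);
                    }
                    return super.getResponse(request);
                }
            });

            HtmlPage login = client.getPage("http://wraithmail:8080/");
            HtmlForm form = login.getForms().get(0);                  // assumed: first form is the login form
            form.getInputByName("username").setValueAttribute("algo");
            form.getInputByName("password").setValueAttribute("smurf");
            HtmlPage inbox = form.getInputByName("submit").click();

            // Give message scripts (the player's CSRF/XSS payloads) time to finish before the session ends.
            client.waitForBackgroundJavaScript(3_000);
            System.out.println("Inbox title: " + inbox.getTitleText());
        }
    }
}
```

Run it on a schedule (or after each message is delivered) so every sent message gets "read" by a browser that really executes it; the host allow-list is what keeps that browser inside the lab.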


