
HackThisSite — Basic Mission 1

ducky
2026-05-18

HackThisSite — Basic Mission 1: The Idiot Test

Target

https://www.hackthissite.org/missions/basic/1/

Difficulty

⭐ — Beginner



Reconnaissance

The page presents a password input field and a submit button. The hint on the page reads:

"If you have no idea what to do, you must learn HTML."

This is a direct hint: the password is embedded in the page's HTML source.


Exploitation

Step 1 — View Page Source

Right-click anywhere on the page and select View Page Source, or use the keyboard shortcut:

  • Chrome/Firefox (Linux/Windows): Ctrl + U
  • Mac: Cmd + Option + U

Step 2 — Search for the Password

In the source, look for the <form> element or any <input> fields. You'll find something like:

or an unprotected value attribute inside a hidden <input> tag:

The password is stored in plaintext directly in the HTML — no obfuscation, no hashing.

Step 3 — Submit

Copy the value and paste it into the password field, then hit Submit.


Root Cause

The developer stored the password as a hardcoded value in the client-side HTML. The client receives the full source — including the password — before any interaction. There is no server-side validation of who should know the password; anyone who reads the source has it.


Key Takeaway

Never trust the client. Anything sent to the browser is readable by the user. Secrets — passwords, API keys, tokens — must never appear in client-side code or HTML.
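As an added example (not part of the original writeup or of HackThisSite's code), here is a pre-deploy check a developer could run over rendered pages to catch the mistake described above. It goes beyond the hidden `<input>` case in the text by also flagging HTML comments; the keyword list, the `csrf_token` allowlist entry and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Text that suggests a credential (constructed list; tune for your code base).
SECRET_HINT = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)
# Per-request values that are meant to be in the page (assumed field name).
ALLOWED_NAMES = {"csrf_token"}

# Constructed sample page; every value is a placeholder.
SAMPLE = """<html><body>
<!-- the password is EXAMPLE-ONLY -->
<form method="post">
  <input type="hidden" name="admin_password" value="EXAMPLE-ONLY">
  <input type="hidden" name="csrf_token" value="f3a9">
  <input type="password" name="password">
  <input type="submit" value="submit">
</form>
</body></html>"""

class SecretLeakAuditor(HTMLParser):
    """Collects (kind, line, detail) findings for secrets shipped in HTML."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Comments reach every visitor along with the markup.
        if SECRET_HINT.search(data):
            self.findings.append(("comment", self.getpos()[0], data.strip()))

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name, kind = a.get("name", ""), a.get("type", "text").lower()
        # A pre-filled hidden or password field is readable in View Source.
        if kind in ("hidden", "password") and a.get("value") and name not in ALLOWED_NAMES:
            if kind == "password" or SECRET_HINT.search(name):
                self.findings.append(("input", self.getpos()[0], name))

def audit_html(html):
    """Return the findings for one rendered page."""
    auditor = SecretLeakAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```

The empty password field and the CSRF token are not reported: the first carries no value, and the second is a per-request value that belongs in the page.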


Tools Used

  • Browser (View Source / DevTools)
  • No special tools required
