In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 1)
[InDepth#18] Let's take a walk through the first half of my "Th1nk Lik3 a H4cker" talk from Laracon EU & US. We'll explore the vulnerabilities behind each challenge and what I was trying to teach.
![In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 1)](/content/images/size/w1200/image/fetch/w_2000,h_2000,c_fill,f_jpg,q_auto:good,fl_progressive:steep,g_auto/https-3a-2f-2fsubstack-post-media.s3.amazonaws.com-2fpublic-2fimages-2fc6ac25d9-83a4-4a29-b144-c4e5e09aad74_1277x704.jpg)
If you’ve seen one of my conference talks before, you’ll know that I love to do demos and practical talks, rather than talk off a bunch of slides. I find this the best medium for presenting security concepts, as it gives the audience a feel for the mentality of the hacker and how they approach exploiting each vulnerability.
When I started planning my Laracon EU talk, it was going to be my first in-person Laracon talk and I wanted to do something big and memorable, plus take advantage of having everyone in the same room as me. So I decided to go all-in and make the entire talk interactive!
I had one simple rule I had to follow: everything must be hackable via a phone browser. I wanted the audience to be able to fully participate with their phones, rather than relying on laptops. This requirement somewhat limited and shaped the challenges, but not in a bad way: it just meant I needed to consider JavaScript errors for the XSS challenge, and how to manipulate user input sent to the server.
Thus, Th1nk Lik3 a H4cker was created:
Let’s dive into the first challenge…
Challenge #1: Identify the correct password!
![](https://securinglaravel.com/content/images/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https-3a-2f-2fsubstack-post-media.s3.amazonaws.com-2fpublic-2fimages-2f2b630b63-f64c-4dcc-a8e9-05f7debf9d10_622x765.png)
The apparent purpose of this challenge is a simple guessing game to identify the “correct password”, while in reality it’s actually here for multiple purposes (and getting the correct password has nothing to do with guesswork):