The Hacker's Arsenal

Lesson 1: Your First Hack

No Lectures. Let's Hack.

Welcome to The Hacker's Arsenal. Most courses start with weeks of theory before you touch anything real. Not this one.

In the next 10 minutes, you're going to:

  1. Set up a vulnerable website on your computer
  2. Find a security flaw
  3. Exploit it
  4. Watch your attack execute

No prior experience needed. Let's go.

What You'll Need

  • Python (we'll check if you have it)
  • A web browser (Chrome, Firefox, whatever)
  • 10 minutes

That's it.

Step 1: Check If You Have Python

Open a terminal (or command prompt on Windows):

Mac/Linux: Open Terminal

Windows: Press Win + R, type cmd, press Enter

Type this and press Enter:

python3 --version

If you see something like Python 3.x.x, you're good. Skip to Step 2.

Don't have Python?

  • Mac: brew install python3
  • Windows: Download from python.org
  • Linux: sudo apt install python3

Step 2: Download the Vulnerable Website

We're going to run a simple website with a security flaw. Download the lab file:

HackMe Lab

A simple XSS-vulnerable search page

Run with: python3 hackme.py

Step 3: Run the Vulnerable Website

In your terminal, navigate to where you saved the file and run:

python3 hackme.py

You should see:

==================================================
  HACKME SERVER RUNNING
  Open http://localhost:8888 in your browser
==================================================

Open your browser and go to: http://localhost:8888

You should see a search page with a green "HackMe Search" title.

Step 4: Use the Site Normally

Type something in the search box. Try: hello

Click Search.

You should see: "You searched for: hello"

The website takes what you type and displays it back. Simple enough.

Step 5: Your First Attack

Now here's where it gets interesting.

Instead of searching for normal text, try searching for this:

<h1>HACKED!</h1>

What happens?

The page should now show a big "HACKED!" heading in the results area.

Wait... you just changed the website. How?

What Just Happened?

You discovered a vulnerability called Cross-Site Scripting (XSS).

Here's the breakdown:

  1. You typed <h1>HACKED!</h1> into the search box
  2. The website took your input and put it directly into the page
  3. Your browser saw <h1>HACKED!</h1> and rendered it as HTML
  4. The website displayed your heading, not just text

The website trusts your input and treats it as code instead of plain text. That's the vulnerability.

Step 6: Make It More Interesting

Let's do something cooler. Try searching for this:

<img src=x onerror="alert('You have been hacked!')">

What happens?

A popup box appears saying "You have been hacked!"

You just made the website execute JavaScript code that you wrote.

Step 7: The "Oh No" Moment

Still not impressed? Try this one:

<img src=x onerror="alert(document.cookie)">

This would show any cookies the site has. In a real attack, cookies often contain login sessions — meaning an attacker could steal your identity.

Now try this:

<style>body{background:red !important;}</style>

You just changed the entire page's appearance.

Why This Matters

"It's just a popup. Who cares?"

Here's what attackers actually do with XSS:

  1. Steal login sessions — Take over user accounts
  2. Capture keystrokes — Record everything typed, including passwords
  3. Redirect users — Send them to phishing pages
  4. Spread malware — Download malicious files
  5. Mine cryptocurrency — Use visitors' computers for profit

A simple "popup" vulnerability has led to breaches affecting millions of users.

The Fix (For Developers)

The vulnerable code does this:

# BAD: Directly inserting user input
results = f'You searched for: {query}'

The secure version does this:

import html

# GOOD: Escape special characters
results = f'You searched for: {html.escape(query)}'

The html.escape() function converts dangerous characters:

  • < becomes &lt;
  • > becomes &gt;
  • " becomes &quot;

So <script> becomes &lt;script&gt; — which displays as text, not code.
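
The fix above can be checked mechanically. The following is an added example, not part of the original lab file: it renders the lesson's own search inputs through both the vulnerable and the escaped pattern, then uses Python's html.parser to report which HTML elements each input manages to create. The function and class names are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Inputs taken from this lesson's steps, plus the benign search term.
LESSON_INPUTS = [
    "hello",
    "<h1>HACKED!</h1>",
    "<img src=x onerror=\"alert('You have been hacked!')\">",
    "<style>body{background:red !important;}</style>",
]

def render_vulnerable(query):
    # BAD: the lesson's vulnerable pattern, input interpolated as-is.
    return f"You searched for: {query}"

def render_escaped(query):
    # GOOD: the lesson's fix, input escaped before interpolation.
    # html.escape also converts & to &amp; and ' to &#x27; by default.
    return f"You searched for: {html.escape(query)}"

class _Collector(HTMLParser):
    """Records the elements and text a parser builds from a page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse(page):
    """Return (tags created, text displayed) for a rendered page."""
    c = _Collector()
    c.feed(page)
    c.close()  # flush any text the parser is still buffering
    return c.tags, "".join(c.text)

def audit(render):
    """Map each lesson input to the tags it managed to inject."""
    return {q: parse(render(q))[0] for q in LESSON_INPUTS}

if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable), ("escaped", render_escaped)]:
        for query, tags in audit(render).items():
            print(f"{name:10} {query[:30]!r:34} injected tags: {tags}")
```

Used as a regression check, the escaped renderer should report no injected tags for any input, while the text the user sees still matches exactly what they typed.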

What You Just Learned

Congratulations! You just:

  • Found your first vulnerability (Cross-Site Scripting)
  • Exploited it multiple ways
  • Understood why it's dangerous
  • Learned how developers should fix it

This is real hacking. The same fundamental technique — finding where user input isn't properly handled — leads to critical vulnerabilities in real applications every day.

Cleanup

Press Ctrl+C in your terminal to stop the server.

Delete hackme.py if you want.

What's Next?

In Lesson 2: How the Web Actually Works, we'll look under the hood at HTTP — the language browsers and servers speak. Understanding this is essential for finding vulnerabilities that aren't as obvious as this one.

But first, take a moment. You just hacked your first website.

Not bad for 10 minutes.