Server-side security war games: Part 0 has a series of “war games” – challenges that help you learn by doing. Natas is the webserver security series. Although there are walkthroughs already available, I am going to do my own series of posts. Some of the existing walkthroughs are overly complex, and none actually finished all the levels. The war games unfortunately don’t have anything explaining why the example vulnerabilities can be important in real-world scenarios. I’ll try to fill that void.

I’m going to post one every few days, beginning with levels zero and one today.

Level 0

To start off, visit and use the username “natas0” and password “natas0” to get started. The objective is to find the password for the next level. Once you have it, you can go to You’ll use the password “natas1” (see the pattern?) and the password you discovered to log in.

The first level requires you to be exposed to the webpage’s innards. Try right-clicking the webpage, and selecting “View source”. You’ll become familiar with this HTML code in the next several levels, if you aren’t already.

Well, you can see the next level’s password is in an HTML comment, so copy-and-paste it into document in notepad, and save the document. You don’t want to lose your place and have to start all the levels over again.

This level was easy, but it’s important to understand that web applications often leak information that can be useful to attachers. Typically, the administrator’s password isn’t in an HTML comment, but there are often clues about what the application is, what version is running, how it is configured, and so on.

The walkthrough for level 1 will be up later today.