'; CREATE TABLE `Capture the Flag`; -- Stripe CTF Web Edition coming next week' (stripe.com)
154 points by collision on Aug 16, 2012 | hide | past | favorite | 17 comments



Wow, I'm excited. Last time I got to the last level (well, next to last level) and hit a wall with my skill-sets and my available time to complete the challenge.

I like the idea of being on a team. So, let's get this started; I'm looking for a team! I'm an experienced C developer (work on and manage a transactional processing platform day-to-day) who works with MySQL+Memcache heavily. SQL injections, memory, buffer overflows and algorithms will be my strong points, while JavaScript/XSS attacks may be my shortcomings. Email is in my profile.


, it's often difficult to find a hands-on environment to interact with and fully exploit these vulnerabilities

Well, Google had a good introduction on web exploits, with a sandboxed environment for you to try it: http://google-gruyere.appspot.com/

A bit older, but good nonetheless: Hack this site[1]

[1] http://www.hackthissite.org/


The interesting fact about Hack This Site is that it was created and originally run by Jeremy Hammond, who was arrested in March for the Stratfor hacking after the FBI had turned 'sabu' to help track others down.


I've been trying to start a posse on Stack Overflow to stamp out the use of PHP's `mysql_query`, something that floods the MySQL tagged questions constantly. Use of this dangerous, deprecated feature is completely rampant in both questions and answers. It often shows up with zero SQL escaping, people just presume that an email address couldn't possibly have anything irregular in it.

Contests like this are a great idea to help promote safe coding practices.


Good news is, the old MySQL extension for PHP is being deprecated. Developers will have to move to MySQLi or PDO (which offer prepared statements as standard) to continue using MySQL.
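To make the point of the two comments above concrete, here is an added example (not code from the thread or from Stripe) contrasting the `mysql_query`-style string splice with a prepared statement. It uses Python's bundled `sqlite3` module as a stand-in for PHP/MySQL, since the parameter-binding idea is the same; the user rows, the two email addresses and the helper names are constructed for the example. The "irregular" address is a perfectly legal one containing an apostrophe, which is enough to break the spliced query, while the prepared statement handles it, and the payload from this thread's title, as plain data.

```python
import sqlite3

# Constructed sample rows. The apostrophe in the second address is legal in
# an email local part and is exactly the kind of input the comment warns about.
SAMPLE_USERS = [
    (1, "Ada", "ada@example.com"),
    (2, "Mike O'Brien", "o'brien@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def unsafe_sql(email: str) -> str:
    """The mysql_query pattern: caller-controlled text spliced straight into SQL."""
    return "SELECT id, name FROM users WHERE email = '" + email + "'"


def find_user_unsafe(db: sqlite3.Connection, email: str):
    """Runs the spliced query. Works on 'clean' input; any quote in the
    input changes the statement itself rather than the value compared."""
    return db.execute(unsafe_sql(email)).fetchone()


def find_user_safe(db: sqlite3.Connection, email: str):
    """Prepared statement (what MySQLi/PDO give you): the value is bound
    separately from the SQL text, so quotes in it are never parsed as SQL."""
    return db.execute("SELECT id, name FROM users WHERE email = ?", (email,)).fetchone()


def demo() -> dict:
    """Exercise both lookups on a plain address, an address with an
    apostrophe, and the payload from this thread's title; return the outcomes."""
    db = make_db()
    plain = "ada@example.com"
    odd = "o'brien@example.com"
    injected = "'; CREATE TABLE `Capture the Flag`; --"  # the title of this thread
    results = {}

    results["unsafe_plain"] = find_user_unsafe(db, plain)
    try:
        # 'o'brien@example.com' ends the string literal early: syntax error.
        find_user_unsafe(db, odd)
        results["unsafe_odd"] = "no error"
    except sqlite3.Error as exc:
        results["unsafe_odd"] = f"error: {exc}"
    # Shown as text only: the spliced statement now contains a second command.
    results["unsafe_injected_sql"] = unsafe_sql(injected)

    results["safe_plain"] = find_user_safe(db, plain)
    results["safe_odd"] = find_user_safe(db, odd)
    results["safe_injected"] = find_user_safe(db, injected)  # just a non-matching string
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bound-parameter form is the fix the second comment describes; escaping functions are the weaker alternative because every call site has to remember to use them, whereas a prepared statement cannot be forgotten on one argument out of five.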


Last time I finished everything short of writing the program to capture the flag after I realized how to do it. I guess I was tired after basically staying up all weekend glued to the keyboard with the other nuts on IRC/Campfire. Never actually took the last step, never sent Stripe my proof and never got my t-shirt. I have regretted my apathy ever since!!! Can't wait for this one!


It's awesome that they're doing this. Also, I doubt I'll participate, but my brain just registered "Stripe is a fun place that's smart about security", making me more likely to use them in the future or even want to work for them.

Companies, take note: providing fun and education to the community can boost your reputation.


Sounds like fun.

I would love to see one that used different DB back-ends at some point. I'm sure it would be interesting to see the other attacks we are not considering with the much more diversified stacks now in existence.


So what are the chances of someone who's never really dealt with web security capturing the flag? Last year's results don't make it seem too promising: 12k unique IPs -> 250 captures.


It's definitely not intended that beginners can easily finish, but we hope that everyone can get something out of it. We were actually fairly happy with the conversion rate from start to finish last time. If everybody finishes, it presumably means the later levels weren't hard or interesting enough.

We hope that people new to web security can solve the first few levels with some work and inspection, and the later levels with hints from others or a significant amount of research into the topics.

At the end of the day, the point of the exercise is to expose realistic vulnerabilities for fun and education. We try to make them similar to how they'd be in the wild.


I just want to say: Thank you for doing this. While I'm looking forward to doing this myself (always fun), I really appreciate you guys taking the time to do this for the impact it'll have on non-security folks. Anything that makes learning this stuff fun and interesting will be a very good thing for the development community.


Last time it was all low-level vulnerabilities, which require some work to exploit (I even struggled with a couple of them, and I've been working on that sort of thing for many, many years). This time around it's websec, which is considerably easier in most respects, and the main knowledge you need is pretty standard for any web developer. You just need to turn things around and look at it from the perspective of "what happens from input to output?"


Yes, the last one had some extremely hard problems. Can't wait for this one - I work on an ecommerce framework and this sorta stuff is way more applicable to what I do day to day.


Some of the websec exploits are quite tricky/involved, like blind SQL injection (https://www.owasp.org/index.php/Blind_SQL_Injection). Without tools like sqlmap you would need to write code in order to recover non-trivial amounts of data using blind SQL injection.


Capturing the flag isn't the goal of everyone who participates.

In the first Stripe CTF, I played for the first 3 levels, learned some things, then stopped. But I considered it a success for myself. I'm sure others did similar things.

Capturing the flag wasn't something most people could do in a short time, so having 250/12k even accomplish it I'd think was a rather high conversion rate.


Anyone have suggestions on where to study up?


This is a partial outline of an ebook I've been writing: https://gist.github.com/3366052

The things under Web Security are the relevant bits. You can read up on a lot of them at https://www.owasp.org/index.php/Main_Page and I'd recommend just googling them as well. More importantly, grab Burp proxy, install old (vulnerable) versions of web apps, and start playing around. You'll find XSS, SQLi, and plenty of other fun things in no time.

Also, my contact info is in my profile if you have other questions.



