Friday, February 09, 2007

Web Hacking contest at RSA (2007)

Security Innovations hosted their Interactive Testing Challenge, which was essentially a Web Hacking competition. The whole format and presentation style was very well done, impressive even, especially the finals with live commentary. SI set up a banking website with a bunch of vulnerabilities. Contestants had 30 minutes to find 5 flaws to qualify for the next round. RSnake and I happened to stumble across it while wandering the show floor, but unfortunately he had to bail for a flight 10 minutes in, so we only got through 3 vulnerabilities. There's always next year.

Big props go out to Jordan Wiens, contributing editor of Network Computing magazine, who won the whole thing! During an interview just before the final face-off I found out Jordan is no ordinary reporter. No no! He has a B.A. in Mathematics, is a well-versed Unix admin, and has some solid web application security chops to boot. Watch out when being interviewed by this guy, he knows this tech.

Jordan wins his shiny new GPS!

The big-multi-screen display so the audience could follow the action.

The contestants getting their instructions from the ref just before the final face-off

The announcer asking the contestants how they feel about the upcoming challenge.


Anonymous said...

SI always rocks at RSA. I love the ITC!

Anonymous said...

Is there any info on what they must do? Was it only web application? Or also portscanning? I clicked the link but cannot find info on the contest or what people were supposed to do, would be interesting to see.


Jeremiah Grossman said...

It was a lot like the other web hacking ladders you see online. Find the SQL Injection, XSS, or transfer money to your offshore account. No portscanning required, just a browser and a proxy.

Jordan said...

Thanks Jeremiah, I had a lot of fun. It was great to have a chance to meet you and chat about what you're up to. As I mentioned, I'm always excited when I can actually engage folks in interesting technical discussions instead of just marketing speak.

Especially thanks for not heckling me too much during the last round. ;-)

Jungsonn -- only webapp, and none of it was very hard. If the final round had come down to the third challenge (it was best 2 of 3) we would have been in for a much more interesting one--reversing some home-grown javascript "encryption"--but really, for the semis and finals all that was needed was knowledge of basic web vulns. Nothing super tricky, though there were some minor gotchas (the final challenge had a secured POST you couldn't tweak but it redirected to a GET that you could then change). Mostly it was about speed and being the first to find and exploit the vuln. Just about each match came down to the wire, so I was pretty lucky.
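The "secured POST that redirects to a GET you can change" gotcha Jordan mentions is worth seeing in code. The following is an added example written for this post, not code from the contest or from Security Innovations; the endpoint names, the 100-unit transfer limit, the account names and the balances are all made up for illustration. The vulnerable flow validates the POST form and then hands every validated value to the next step through the redirect URL, so whoever is sitting behind a proxy can edit the GET before following it. The fixed flow keeps the validated transfer server-side and puts only a one-shot opaque token in the redirect.

```python
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit, parse_qs
import secrets


@dataclass
class Response:
    status: int
    location: str = ""   # Location header on a redirect
    body: str = ""


def _query(url):
    """Flatten the query string of a URL into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class Bank:
    """Toy banking app with a per-transfer policy limit (hypothetical numbers)."""

    LIMIT = 100

    def __init__(self):
        self.balances = {"alice": 1000, "bob": 0, "offshore": 0}
        self.pending = {}  # token -> (user, to, amount); used by the fixed flow only

    def _validate(self, user, form):
        amount = int(form.get("amount", 0))
        to = form.get("to", "")
        if amount <= 0 or amount > self.LIMIT:
            return None, Response(400, body="amount exceeds policy")
        if to not in self.balances or to == user:
            return None, Response(400, body="bad destination")
        return (to, amount), None

    def _execute(self, user, to, amount):
        self.balances[user] -= amount
        self.balances[to] += amount
        return Response(200, body=f"moved {amount} to {to}")

    # --- vulnerable flow: the POST is checked, then redirects to a GET carrying the values ---
    def post_transfer_vulnerable(self, user, form):
        ok, err = self._validate(user, form)
        if err:
            return err
        to, amount = ok
        return Response(302, location="/confirm?" + urlencode({"to": to, "amount": amount}))

    def get_confirm_vulnerable(self, user, url):
        q = _query(url)                      # trusts whatever arrived in the URL
        return self._execute(user, q["to"], int(q["amount"]))

    # --- fixed flow: the redirect carries only an opaque token; values stay server-side ---
    def post_transfer_fixed(self, user, form):
        ok, err = self._validate(user, form)
        if err:
            return err
        token = secrets.token_urlsafe(16)
        self.pending[token] = (user, *ok)
        return Response(302, location="/confirm?" + urlencode({"t": token}))

    def get_confirm_fixed(self, user, url):
        q = _query(url)
        entry = self.pending.pop(q.get("t", ""), None)   # one-shot: a replay finds nothing
        if entry is None or entry[0] != user:
            return Response(400, body="no such pending transfer")
        _, to, amount = entry
        return self._execute(user, to, amount)


def demo_vulnerable():
    bank = Bank()
    r = bank.post_transfer_vulnerable("alice", {"to": "bob", "amount": "100"})
    # Intercept the 302 in the proxy and rewrite the GET before following it
    tampered = r.location.replace("to=bob", "to=offshore").replace("amount=100", "amount=1000")
    bank.get_confirm_vulnerable("alice", tampered)
    return bank.balances


def demo_fixed():
    bank = Bank()
    r = bank.post_transfer_fixed("alice", {"to": "bob", "amount": "100"})
    # Same tampering: the extra parameters are ignored, only the token decides
    tampered = r.location + "&to=offshore&amount=1000"
    bank.get_confirm_fixed("alice", tampered)
    replay = bank.get_confirm_fixed("alice", r.location)   # token already consumed
    return bank.balances, replay.status


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:", demo_fixed())
```

The point of the fix is not the token's randomness by itself but that nothing the client can edit on the GET side is used to decide what gets transferred; binding the token to the user and consuming it on first use also closes the replay that a bare lookup would leave open.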

Anonymous said...

Sounds nice. Yes, reversing some javascript encryption takes time; I don't know how much time you got? It's a pity I live on the other side of the globe, I surely would have come. So thanks for showing me an impression guys.


Anonymous said...

Man, I sure wish I had an invite to the WASC event at RSA this past week. I'll give Arian the benefit of the doubt, though:

curl -I

HTTP/1.1 200 OK
Server: Rapidsite/Apa/1.3.31 (Unix) FrontPage/ mod_ssl/2.8.17 OpenSSL/0.9.7c
Cache-Control: cache
Pragma: no-cache
X-Powered-By: PHP/4.4.4

Mat C.,
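Mat C.'s `curl -I` dump is a textbook version-disclosure check, so here is an added example (not from the comment thread) that does the same triage by hand: parse the raw response headers and pull out every product/version pair the server volunteers. The header text in the block is copied from the comment above; the host it was taken from is not named on the page, and the list of headers to inspect is my own choice.

```python
HEADER_DUMP = """\
HTTP/1.1 200 OK
Server: Rapidsite/Apa/1.3.31 (Unix) FrontPage/ mod_ssl/2.8.17 OpenSSL/0.9.7c
Cache-Control: cache
Pragma: no-cache
X-Powered-By: PHP/4.4.4
"""

# Headers that commonly carry software versions (assumed list, not from the page)
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_headers(dump):
    """Return (status_line, {lowercased-name: value}) from `curl -I` output."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    status, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def version_tokens(value):
    """Split 'mod_ssl/2.8.17 OpenSSL/0.9.7c' into {'mod_ssl': '2.8.17', ...}.

    Tokens without a slash ('(Unix)') are comments and skipped; a token whose
    version is empty ('FrontPage/') is kept with '' so the caller can decide.
    'Rapidsite/Apa/1.3.31' splits on the last slash, giving product
    'Rapidsite/Apa' and version '1.3.31'.
    """
    found = {}
    for tok in value.split():
        if "/" not in tok:
            continue
        product, version = tok.rsplit("/", 1)
        found[product] = version
    return found


def fingerprint(dump):
    """Product -> version for every version-bearing header in the dump."""
    _, headers = parse_headers(dump)
    disclosed = {}
    for name in VERSION_HEADERS:
        if name in headers:
            disclosed.update(version_tokens(headers[name]))
    return {k: v for k, v in disclosed.items() if v}   # drop versionless entries


if __name__ == "__main__":
    for product, version in fingerprint(HEADER_DUMP).items():
        print(f"{product} {version}")
```

Every pair this prints is a release you can look up; whether any of them is actually exploitable on that host is a separate question, which is exactly the "benefit of the doubt" the comment is about.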

Jeremiah Grossman said...

> Especially thanks for not heckling me too much during the last round. ;-)

AHAHAH, I was, you were just that "in the zone". :)

Jeremiah Grossman said...

Mat C. >

We did our best to advertise the event. Sorry you missed it. We'll be having another one at Black Hat USA though.

Anonymous said...

> Mat C.,
> I'll give Arian the benefit of the doubt, though

I don't need the benefit of anyone's doubt. Woohoo. Headers from a shared host.

So for the thinkin' man: there are actually four layers of vulns in my personal website software. They are try-catched and logged, and quite useful for learning from them. I've only gotten hosed from a real hack once. It is a really hard to find and exploit SQLi, and all you have is perms to write to comments tables, or drop a content table that nukes the site, but is non-volatile (the way I use it). So, whatever.

My site has been taken down a few times, but the reason is sorta funny: I've been benchmarking automation tools and had detailed session dumps enabled in addition to my custom logging, and the weakness was a DoS that filled my disk slice.

Using php/dirty code was a temporary experiment turned permanent because (1) most scanners can't find anything worth finding, (2) most human testers are lamer than I thought, and (3) availability isn't a requirement, and I'm one db restore away from happiness in the event of anything meaningful.

So, eh, have at it; that's one of the main reasons it's there.


Mark said...

Sup AE, stumbled on this, had to stop and give a shout.

Sounds like you guys are having fun out there!

I would love to have attended this, sounds very interesting.