Friday, February 09, 2007

Web Hacking contest at RSA (2007)

Security Innovations hosted their Interactive Testing Challenge, which essentially was a Web Hacking competition. The whole format and presentation style was very well done, impressive even, especially the finals with live commentary. SI set up a banking website with a bunch of vulnerabilities. Contestants had 30 minutes to find 5 flaws to qualify for the next round. RSnake and I happened to stumble across it while wandering the show floor, but unfortunately he had to bail for a flight 10 minutes in, so we only got through 3 vulnerabilities. There’s always next year.

Big props go out to Jordan Wiens, contributing editor of Network Computing magazine, who won the whole thing! During an interview just before the final face-off I found out Jordan is no ordinary reporter. No no! He has a B.A. in Mathematics, is a well-versed Unix admin, and has some solid web application security chops to boot. Watch out when being interviewed by this guy; he knows this tech.

Jordan wins his shiny new GPS!

The big-multi-screen display so the audience could follow the action.

The contestants getting their instructions from the ref just before the final face-off

The announcer asking the contestants how they feel about the upcoming challenge.


Anonymous said...

SI always rocks at RSA. I love the ITC!

Anonymous said...

Is there any info on what they must do? Was it only web application? Or also port scanning? I clicked the link but cannot find info on the contest or what people were supposed to do; it would be interesting to see.


Jeremiah Grossman said...

It was a lot like the other web hacking ladders you see online. Find the SQL Injection, XSS, or transfer money to your offshore account. No port scanning required, just a browser and a proxy.

Jordan said...

Thanks Jeremiah, I had a lot of fun. It was great to have a chance to meet you and chat about what you're up to. As I mentioned, I'm always excited when I can actually engage folks in interesting technical discussions instead of just marketing speak.

Especially thanks for not heckling me too much during the last round. ;-)

Jungsonn -- only webapp, and none of it was very hard. If the final round had come down to the third challenge (it was best 2 of 3) we would have been in for a much more interesting one--reversing some home-grown javascript "encryption"--but really, for the semis and finals all that was needed was knowledge of basic web vulns. Nothing super tricky, though there were some minor gotchas (the final challenge had a secured POST you couldn't tweak but it redirected to a GET that you could then change). Mostly it was about speed and being the first to find and exploit the vuln. Just about each match came down to the wire, so I was pretty lucky.

Anonymous said...

Sounds nice, yes reversing some javascript encryption takes time, don't know how much time you got? It's a pity I live on the other side of the globe, I surely would have come. So thanks for showing me an impression guys.


Jeremiah Grossman said...

> Especially thanks for not heckling me too much during the last round. ;-)

AHAHAH, I was, you were just that "in the zone". :)

Jeremiah Grossman said...

Mat C. >

We did our best to advertise the event. Sorry you missed it. We'll be having another one at Black Hat USA though.

Mark said...

Sup AE, stumbled on this, had to stop and give a shout.

Sounds like you guys are having fun out there!

I would love to have attended this, sounds very interesting.