Security Innovations hosted their Interactive Testing Challenge, which was essentially a web hacking competition. The whole format and presentation style was very well done, impressive even, especially the finals with live commentary. SI set up a banking website with a bunch of vulnerabilities. Contestants had 30 minutes to find 5 flaws to qualify for the next round. RSnake and I happened to stumble across it while wandering the show floor, but unfortunately he had to bail for a flight 10 minutes in, so we only got through 3 vulnerabilities. There's always next year.
Big props go out to Jordan Wiens, contributing editor of Network Computing magazine, who won the whole thing! During an interview just before the final face-off I found out Jordan is no ordinary reporter. No no! He has a B.A. in Mathematics, is a well-versed Unix admin, and has some solid web application security chops to boot. Watch out when being interviewed by this guy; he knows this tech.
Jordan wins his shiny new GPS!
The big-multi-screen display so the audience could follow the action.
The contestants getting their instructions from the ref just before the final face-off.
The announcer asking the contestants how they feel about the upcoming challenge.
SI always rocks at RSA. I love the ITC!
Is there any info on what they must do? Was it only web application? Or also portscanning? I clicked the link but cannot find info on the contest or what people were supposed to do; would be interesting to see.
It was a lot like the other web hacking ladders you see online. Find the SQL Injection, XSS, or transfer money to your offshore account. No portscanning required, just a browser and a proxy.
Thanks Jeremiah, I had a lot of fun. It was great to have a chance to meet you and chat about what you're up to. As I mentioned, I'm always excited when I can actually engage folks in interesting technical discussions instead of just marketing speak.
Especially thanks for not heckling me too much during the last round. ;-)
Man, I sure wish I had an invite to the WASC event at RSA this past week. I'll give Arian the benefit of the doubt, though:
curl -I www.anachronic.com
HTTP/1.1 200 OK
Server: Rapidsite/Apa/1.3.31 (Unix) FrontPage/18.104.22.1680 mod_ssl/2.8.17 OpenSSL/0.9.7c
Mat C., cracks.n.hax.com
> Especially thanks for not heckling me too much during the last round. ;-)
AHAHAH, I was, you were just that "in the zone". :)
Mat C. >
We did our best to advertise the event. Sorry you missed it. We'll be having another one at Black Hat USA though.
> Mat C., cracks.n.hax.com
> I'll give Arian the benefit of the doubt, though
I don't need the benefit of anyone's doubt. Woohoo. Headers from a shared host.
So for the thinkin' man: there are actually four layers of vulns in my personal website software. They are try-catched and logged, and quite useful for learning from them. I've only gotten hosed from a real hack once. It is a really hard to find and exploit SQLi, and all you have is perms to write to comments tables, or drop a content table that nukes the site, but is non-volatile (the way I use it). So, whatever.
My site has been taken down a few times, but the reason is sorta funny: I've been benchmarking automation tools and had detailed session dumps enabled in addition to my custom logging, and the weakness was a DoS that filled my disk slice.
Using php/dirty code was a temporary experiment turned permanent because (1) most scanners can't find anything worth finding, (2) most human testers are lamer than I thought, and (3) availability isn't a requirement, and I'm one db restore away from happiness in the event of anything meaningful.
So, eh, have at it; that's one of the main reasons it's there.
Sup AE, stumbled on this, had to stop and give a shout.
Sounds like you guys are having fun out there!
I would love to have attended this, sounds very interesting.