We ran two bouts last week. The first was a financial application, which was a little different because it had a social networking aspect. We weren't provided any usernames or passwords and couldn't self-register without a special code; as a result, the attack surface was limited. This meant we could still probably find the first XSS fast, but the high-severity issue probably wasn't going to be there. The domain was called out, fingers hit the keyboard, and we were off. Bill P. and I went immediately after XSS in the search fields, but struck out because of proper HTML encoding. Arian, who only sees filters as a challenge, busied himself with some crazy encoding attacks. The rest of the Operations Team were eagerly trying to take down the giants.
One, two minutes flew by with every avenue of attack closed off: input sanity checked, output encoded, custom error messages in use, and directory indexing disabled. Not one to be easily frustrated, I was nonetheless getting nervous, because only 3 minutes in the application real estate was already running out. Then, just like that, at ~3 minutes 30 seconds, Daniel Herrera (security engineer) scored an XSS victory with a simple form-based injection in the user registration form, something I had totally overlooked. Not wanting to be shut out completely, Bill P. and I found our own form-based XSS issues after 4 and 6 minutes respectively. Too little, too late. No high-severity issue was found after exhausting our options without valid accounts.
At ~15 minutes, Sarah Groark (Sr. Security Engineer) scored a very clever filter-bypass win using hex HTML entities:
I had tried decimal HTML entities earlier to beat the filter, but gave up on it because the filter was immediately wise to it. Adding insult to injury, Sarah took a few minutes break to get some water and a yogurt. Shortly afterwards, I was overheard saying, “I got beat by a girl!?”. To which Sarah replied, “That’s because girls rule!”, and under the circumstances I was in no position to debate the point.
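The decimal-versus-hex difference above is a canonicalization problem: a blacklist that decodes one entity form before checking and not the other is bypassed by the form it forgot. The following is an added illustration, not code from the original post or from the application under test; the filter, tag list and sample inputs are hypothetical and constructed here.

```python
import html
import re

# Constructed sample inputs: the same tag written plainly, with decimal
# entities, and with hex entities (the form that beat the filter in the post).
PLAIN = '<img src=x onerror=alert(1)>'
DECIMAL = '&#60;img src=x onerror=alert(1)&#62;'
HEX = '&#x3c;img src=x onerror=alert(1)&#x3e;'

# Hypothetical blacklist of tag names the application refuses to accept.
BLOCKED = re.compile(r'<\s*(img|input|script)\b', re.IGNORECASE)


def naive_filter(value: str) -> bool:
    """Return True if the input is accepted.

    This filter only knows how to decode decimal entities (&#NN;), so hex
    entities (&#xNN;) slip past it and are later decoded by the browser.
    """
    decoded = re.sub(r'&#(\d+);', lambda m: chr(int(m.group(1))), value)
    return BLOCKED.search(decoded) is None


def canonical_filter(value: str) -> bool:
    """Same blacklist, but applied after full canonicalization.

    html.unescape understands named, decimal and hex entities, so the
    encoding form the attacker chose no longer matters to the check.
    """
    decoded = html.unescape(value)
    return BLOCKED.search(decoded) is None


def render_safely(value: str) -> str:
    """Output encoding: the control that actually prevents the injection.

    Canonicalize first so the stored value is a single unambiguous form,
    then HTML-encode it for the page context. This holds regardless of
    whether any blacklist caught the payload on the way in.
    """
    return html.escape(html.unescape(value), quote=True)
```

The detection lesson is that a blacklist should only ever run on fully decoded input, and that output encoding, not the blacklist, is what stops the script from executing.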
Three minutes later, I did manage to complete my hack without using any encoding at all:
Decoded:

```
<* input type="image" src="http://aaaa/" onerror="x="'aler';x+="'t(\'Arian_i5_0wN3d!!1\')';eval(x);">
```
Clever? Sure. But not fast enough.
You win some, you lose some, I guess. Maybe all this press and presentation stuff is ruining my skills! ;) Hopefully InfoWorld won't take away my CTO award!