| Author |
Even MORE challenges!! |
Mr_Cheese
HBH Owner

Posts: 2468
Location: Brighton, UK
Joined: 30.11.04 Rank: God |
|
Yep, that's right, I've been thinking of including a whole new section of challenges on HBH!
Patching Challenges
The idea is simple: you are shown a snippet of website / application code, and then your job is to specify:
- Type of possible attack
- the line the exploitable code is on
- an example of how to patch it.
There will be many challenges in this area with a diverse amount of languages and exploits.
Here is an example:
CODE:
<?php
if(isset($_GET['username'])){
    echo "USERNAME: ". $_GET['username'] . "<br>";
    if($_GET['username'] == "admin"){
        echo "<hr><b>this user is an admin!!</b><br>";
    }
} else {
    echo "<h1>No username is defined</h1>";
}
?>
ANSWER:
Type of Exploit: Cross Site Scripting
Line that's exploitable: 3
Patched line:
echo "USERNAME: ". strip_tags($_GET['username']) . "<br>";
These answers will be automated just like the basic challenges, so of course we'll include various answers etc., i.e. type of attack: XSS / CSS / cross site scripting - they will all be allowed etc.
I figure this is a good idea seeing as we have an increasing amount of webmasters on this site; it's wise to know how to patch and what exploitable code looks like.
What are your thoughts?
Edited by Mr_Cheese on 01-04-06 12:44 |
|
| Author |
RE: Even MORE challenges!! |
the_flash
Banned
Posts: 1
Location: Bed - no joke
Joined: 25.05.06 Rank: Uber Elite Warn Level: 100
|
|
I think this would be cool - it would be more realistic than the realistic challenges themselves. Also this is an area where people struggle if their skills haven't left hellbound.
Previously the_flash. Ranked 11 - 17. Had account problems. |
|
| Author |
RE: Even MORE challenges!! |
god
Member

Posts: 349
Location: I bet you're too scared to look behind you..
Joined: 23.01.05 Rank: God |
|
Nice, nice, I like it. Is it gonna be all PHP or different languages??
|
|
| Author |
RE: Even MORE challenges!! |
Mr_Cheese
HBH Owner

Posts: 2468
Location: Brighton, UK
Joined: 30.11.04 Rank: God |
|
|
Mr_Cheese wrote:
There will be many challenges in this area with a diverse amount of languages and exploits.
|
|
| Author |
RE: Even MORE challenges!! |
The_Cell
Member

Posts: 306
Location: Belgium
Joined: 07.04.05 Rank: God |
|
I really like this idea. Can't wait to try or even contribute (if I get a good idea or so).
(I think it also adds up to the legal part of the site. You can't call patching and securing code illegal, can you?)

Made by Monster
Hacking is creativity. - The_Cell
|
|
| Author |
RE: Even MORE challenges!! |
BluMoose
Member

Posts: 415
Location: Never Never Land.
Joined: 16.09.05 Rank: HBH Guru Warn Level: 30
|
|
I like it. Should be worth a fair amount of points though, pretty tough seeing as the only way you can solve 'em is through good knowledge of the code. You can't google for it or anything, lol. And asking for help in the forums would be harder for these as well XD
... |
|
| Author |
RE: Even MORE challenges!! |
Setrop
Member

Posts: 142
Location: Are you a hot chick? no? than why would I tell you
Joined: 06.09.05 Rank: Hacker Level 2 |
|
I like the idea very much, but I'll need some tutorials/articles on it...
With my knowledge I won't get far, I suppose :s
Anyway, keep up the good work!

Noobs do not exist, unpatient pro's do...
Try not to get what you want, instead try to want what you get
  |
|
| Author |
RE: Even MORE challenges!! |
danbradster
Member
Posts: 24
Location: Australia
Joined: 31.01.06 Rank: Elite |
|
Uhhh, if you patched it with this:
echo "USERNAME: ". strip_tags($_GET['username']) . "<br>";
You could still inject a username into the address bar; to patch that hole, you would use POST instead of GET. :)
Am I correct? |
|
| Author |
RE: Even MORE challenges!! |
Mr_Cheese
HBH Owner

Posts: 2468
Location: Brighton, UK
Joined: 30.11.04 Rank: God |
|
Yes, you could still inject into the URL bar. But what's the point of injecting code into the URL bar if it doesn't do anything because the tags are stripped?
|
|
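The patched line discussed in this thread, set beside the challenge's original line 3 and an output-encoding variant, as an added example that is not part of the original posts. The function names and sample inputs are constructed for illustration, and the parameter array stands in for $_GET or $_POST so the same rendering step can be checked for either request method.

```php
<?php
// Added example: three ways of rendering the challenge's "USERNAME:" line.
// The render_* names and the sample inputs below are constructed.

function render_raw(array $params): string {
    // Line 3 of the challenge as posted: input reaches the page unmodified.
    return "USERNAME: " . $params['username'] . "<br>";
}

function render_strip_tags(array $params): string {
    // The thread's patched line: anything shaped like a tag is removed,
    // all other characters (including quotes) pass through unchanged.
    return "USERNAME: " . strip_tags($params['username']) . "<br>";
}

function render_encoded(array $params): string {
    // Output encoding: HTML metacharacters become entities, so the value
    // is displayed as typed, in element content or a quoted attribute.
    $safe = htmlspecialchars($params['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "USERNAME: " . $safe . "<br>";
}

// Constructed inputs. Each array plays the role of $_GET or $_POST; the
// render functions never see which request method delivered the value.
$samples = [
    'plain name'        => ['username' => 'admin'],
    'markup in name'    => ['username' => '<b>admin</b>'],
    'script element'    => ['username' => '<script>alert(1)</script>'],
    'legit "<" in name' => ['username' => 'a<b and c>d'],
    'quote characters'  => ['username' => 'O\'Brien "Bob"'],
];

foreach ($samples as $label => $params) {
    echo "== $label ==\n";
    echo "raw:        " . render_raw($params) . "\n";
    echo "strip_tags: " . render_strip_tags($params) . "\n";
    echo "encoded:    " . render_encoded($params) . "\n\n";
}
```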