They state that:
“The hardest part of writing secure code is learning to think like an attacker. For example, every programmer is told to watch out for SQL injections, but it’s hard to appreciate just how exploitable they are until you’ve written a SQL injection of your own.” – Stripe
It was a fascinating challenge and allowed us geeks to flex our brain muscles a bit, but I only managed to gain access to level 05 due to a combination of work commitments, being a new dad... and well, uh, not being good enough.
It featured a mixed bag of exploits and required a good working knowledge of the Linux shell, in-depth C programming and a bit of web programming.
After the competition drew to a close, the winners were congratulated and given T-shirts and a fantastic talking point for their next job interview, and soon full walkthroughs were available online.
If you want to take the challenge yourself, Stripe have made these old challenges available via direct download or torrent, which they are now using as a way to recruit potential employees – a fantastic idea, no?
Introducing Capture The Flag 2.0
Recently, the Stripe team announced the release of Capture the Flag 2.0 which has a focus on web security.
Not being one to shy away from a challenge, I’ve decided to give it a go and, as of writing, I’ve managed to gain access to level 7 of 8. It’s been a fantastic challenge so far and exposes the many ways that sites are vulnerable via a number of mock web applications. So far I’ve gone up against XSS, SQL injection and PHP session exploits, amongst others.
I don’t want to post any spoilers for the individual levels, so if you want to give it a go then get involved at the official site: https://stripe-ctf.com/
Interestingly, we here at Feabhas hope to introduce some new courses looking at both Hardening Linux and Security Essentials, so keep your eyes peeled for our new offerings. We’ll be following up this article with a post-mortem of the levels we’ve managed to crack and how best to remove these attack vectors.