In the first half of this year, the online payment company Stripe held a Capture the Flag competition as a way to draw attention to online security.
They state that:
“The hardest part of writing secure code is learning to think like an attacker. For example, every programmer is told to watch out for SQL injections, but it’s hard to appreciate just how exploitable they are until you’ve written a SQL injection of your own.” – Stripe
It was a fascinating challenge and allowed us geeks to flex our brain muscles a bit but I only managed to gain access to level 05 due to a combination of work commitments, being a new dad.. and well, uh, not being good enough.
It featured a mixed bag of exploits and required a good working knowledge of the Linux shell, in depth C programming and a bit of web programming.
After the competition drew to a close the winners were congratulated and given T-Shirts and a fantastic talking point for their next job interview and soon full walkthroughs were available online.
If you want to take the challenge yourself, Stripe have made these old challenges available via direct download or torrent which they are now using as a way to recruit potential employees – a fantastic idea no?
Introducing Capture The Flag 2.0
Recently, the Stripe team announced the release of Capture the Flag 2.0 which has a focus on web security.
Not being one to shy away from a challenge, I’ve decided to give it a go and, as of writing, I’ve managed to gain access to level 7 of 8 and it’s been a fantastic challenge so far and exposes the many ways that sites are vulnerable via a number of mock web applications. So far I’ve gone up against XSS, SQL injection, PHP session exploits amongst others.
I don’t want to post any spoilers so far for the individual levels so if you want to give it a go then get involved at the official site https://stripe-ctf.com/
Interestingly we here at Feabhas hope to introduce some new courses looking at both Hardening Linux and Security Essentials so keep your eyes peeled for our new offerings and we’ll be following up this article with a post-mortem of the levels we’ve managed to crack and how to best remove these attack vectors.
- Disassembling a Cortex-M raw binary file with Ghidra - December 20, 2022
- Using final in C++ to improve performance - November 14, 2022
- Understanding Arm Cortex-M Intel-Hex (ihex) files - October 12, 2022
Co-Founder and Director of Feabhas since 1995.
Niall has been designing and programming embedded systems for over 30 years. He has worked in different sectors, including aerospace, telecomms, government and banking.
His current interest lie in IoT Security and Agile for Embedded Systems.
Pingback: Sticky Bits » Blog Archive » Capture the Flag 2.0 – The After Party