Stripe CTF 2.0 – Web Security
I did Stripe’s Capture the Flag 2.0 this year, “a security contest where you can try your hand at discovering and exploiting vulnerabilities in mock web applications”.
It was a lot of fun. Some of the levels were quite challenging, and I had to figure out how to actually implement an exploit for a vulnerability that I’d only read about in passing before. Each level makes you both a) figure out what the vulnerability is, and b) actually exploit it. One thing the Stripe guys did a nice job at was spreading the challenges out across PHP, browser JavaScript, node.js, Python, and Ruby, so that developers from any one language wouldn’t have an advantage.
I did it during the week and spent a couple of hours per night on it. There was SQL injection, unrestricted uploads, XSS attacks, and more. One level, I found out later, I actually solved in a different way than was intended: I noticed that their client-side sessions/cookies weren’t actually secure, because an error debug page leaked their secret token. So I got to dig into some source code and learn a little Ruby.
The last level was definitely the trickiest. My source code solution is below. I got it running locally and it ran fairly quickly — I knew I had the correct solution. But that was only half the battle, since on production there was a lot more “jitter”. My first solution ran all night and never finished. So I made some tweaks, and eventually turned on HTTP Keep-Alives, which made a huge difference: my solution then ran in a much shorter time.
Finally, I captured the flag! I was the 202nd person to complete it. By the end only 978 of about 16,000 participants completed it at all, so I will gladly be wearing my free t-shirt!