Dave's Blog

Search
My timeline on Mastodon

Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

Level Issue Code Review Red Flags
0 Simple SQL injection No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API
1 extract($_GET); No input validation.
2 Arbitrary PHP execution No input validation. Allow file uploads. File permissions modification.
3 Advanced SQL injection Constructing SQL command strings instead of SQL API.
4 HTML injection, XSS and CSRF No encoding when constructing HTML. No CSRF counter measures. Passwords stored in plain text. Password displayed on site.
5 Pingback server doesn't need to opt-in n/a - By design protocol issue.
6 Script injection and XSS No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site.
7 Length extension attack Custom crypto code. Constructing SQL command string instead of SQL API.
8 Side channel attack Password handling code. Timing attack mitigation too clever.

More about each level in the future.

PermalinkCommentscode-review coding csrf html internet programming script security sql stripe technical web xss

When they went to the Moon, they received the same per diem...

2012 Aug 28, 4:38


When they went to the Moon, they received the same per diem compensation as they would have for being away from base in Bakersfield: eight dollars a day, before various deductions (like for accommodation, because the government was providing the bed in the spaceship).

theatlantic:

Apollo 11’s Astronauts Received an $8 Per Diem for the Mission to the Moon

The astronauts of Apollo 11: Intrepid explorers. Inspirational heroes. Government employees.

Read more. [Image: Reuters]

PermalinkCommentshumor space nasa moon government

SkullSecurity » Blog Archive » Stuffing Javascript into DNS names

2012 Aug 27, 4:25

dnsxss tool helps you inject via DNS

…what it does is, essentially, respond to DNS requests for CNAME, MX, TXT, and NS records with Javascript code. … how about SQL injection?

PermalinkCommentssecurity technical javascript dns sql

Web Security Contest - Stripe CTF

2012 Aug 27, 4:18

Stripe is running a web security capture the flag - a series of increasingly difficult web security exploit challenges. I've finished it and had a lot of fun. Working on a web browser I knew the theory of these various web based attacks, but this was my first chance to put theory into practice with:

  • No adverse consequences
  • Knowledge that there is a fun security exploit to find
  • Access to the server side source code

Here's a blog post on the CTF behind the scenes setup which has many impressive features including phantom users that can be XSS/CSRF'ed.

I'll have another post on my difficulties and answers for the CTF levels after the contest is over on Wed, but if you're looking for hints, try out the CTF chatroom or the level specific CTF chatroom.

PermalinkCommentscontest security technical

Say goodbye to these!

2012 Aug 24, 1:52




Say goodbye to these!

PermalinkCommentshumor politics arrested-development

Gangnam Style looks like he’s riding a horse but actually...

2012 Aug 24, 1:29


Gangnam Style looks like he’s riding a horse but actually its satire.

Also, the making of video: http://youtu.be/9HPiBJBCOq8

PermalinkCommentshumor music music-video video psy south-korea

IKEA's New Catalogs: Less Pine, More Pixels - WSJ.com

2012 Aug 24, 3:15

CGI for the IKEA catalog:

That couch catching your eye in the 2013 edition of IKEA’s new catalog may not be a couch at all. It is likely the entire living room was created by a graphic artist. In fact, much of the furniture and settings in the 324-page catalog are simply a collection of pixels and polygons arranged on a computer.

PermalinkComments3d photo graphics ikea

Alexandria 2.0: One Millionaire's Quest to Build the Biggest Library on Earth | Threat Level | Wired.com

2012 Aug 21, 7:00

Brief history and scope of the Internet Archive.

PermalinkCommentsinternet-archive history

Seized shirt! For the feds, it’s not enough to simply seize...

2012 Aug 17, 8:40


Seized shirt!

For the feds, it’s not enough to simply seize domain names without warning or due process—they want to make sure everyone knows the website operators were breaking the law, even if that has yet to be proven in court. That’s why every domain that gets seized ends up redirecting to one of these dramatic warning pages, replete with the eagle-emblazoned badges of the federal agencies involved.

PermalinkCommentshumor law ip fbi legal shirt tshirt

Alex takes a few steps

2012 Aug 16, 4:06
From: David Risney
Views: 75
0 ratings
Time: 00:43 More in People & Blogs
PermalinkCommentsvideo

MALK

2012 Aug 15, 1:41PermalinkCommentshumor simpsons malk vitamin-r submission

A New Species Discovered ... On Flickr (npr.org)

2012 Aug 11, 9:17

Winterton, a senior entomologist at the California Department of Food and Agriculture, has seen a lot of bugs. But he hadn’t seen this species before.

There’s no off switch when you’re the senior entomologist. If you’re browsing the web you find your way to Flickr photos of insects or start correcting Wikipedia articles on insects.

PermalinkCommentsflickr insect science photos

Zineth Release Trailer (by Russell Honor) This is a student...

2012 Aug 10, 2:24


Zineth Release Trailer (by Russell Honor)

This is a student game. Amazing design and music. A more abstract, massive and fast Jet Set Radio.

PermalinkCommentsgame video-game jet-set-radio free

Brainfuck beware: JavaScript is after you! | Patricio Palladino

2012 Aug 10, 10:18

“tl;dr I just made a tool to transform any javascript code into an equivalent sequence of ()[]{}!+ characters. You can try it here, or grab it from github or npm. Keep on reading if you want to know how it works.”

JavaScript has some crazy implicit casts.

PermalinkCommentstechnical humor programming javascript obfuscation

idrawnintendo: Game Jinn.

2012 Aug 8, 1:08


idrawnintendo:

Game Jinn.

PermalinkCommentshumor history illustration gif nes game-genie

Decrypt.py: Act like a decrypting hacker on tv (github.com)

2012 Aug 8, 3:34

A python script that d3crypt5 the input pipe’s ASCII content from ASCII garbage slowly into the correct output.

PermalinkCommentstechnical humor hack decrypt

(via HTTPSTER T-Shirt) Maybe for Eric?

2012 Aug 8, 3:14


(via HTTPSTER T-Shirt)

Maybe for Eric?

PermalinkCommentshumor tshirt shirt gift http technical

wired: jtotheizzoe: Meet Sarcastic Mars Rover, now on Twitter,...

2012 Aug 7, 5:57










wired:

jtotheizzoe:

Meet Sarcastic Mars Rover, now on Twitter, doing a science all over your everything.

Meet your new twitter friend.

PermalinkCommentshumor mars rover science

Alex walking via walker

2012 Aug 6, 4:44
From: David Risney
Views: 69
0 ratings
Time: 00:53 More in People & Blogs
PermalinkCommentsvideo

Nanex ~ 03-Aug-2012 ~ The Knightmare Explained

2012 Aug 6, 4:29

We believe Knight accidentally released the test software they used to verify that their market making software functioned properly, into NYSE’s live system.

I get chills breaking the build at work.  I can’t imagine how much worse it would feel to deploy your test suite and destroy the company you work for.

PermalinkCommentsmoney stock knight software trading technical
Older Entries Creative Commons License Some rights reserved.