Level 5 of the Stripe CTF revolved around a design issue in an OpenID like protocol.
def authenticated?(body)
body =~ /[^\w]AUTHENTICATED[^\w]*$/
end
...
if authenticated?(body)
session[:auth_user] = username
session[:auth_host] = host
return "Remote server responded with: #{body}." \
" Authenticated as #{username}@#{host}!"
This level is an implementation of a federated identity protocol. You give it an endpoint URI and a username and password, it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. This level only talks to stripe CTF servers so the first step is to upload a document to the level 2 server containing the text 'AUTHENTICATED' and we can now authenticate on a level 2 server. Notice that the level 5 server will dump out the content of the endpoint URI and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to
https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated
Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint
URI to authenticate as level 5.
https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a
Navigating
to that URI results in the level 5 server telling me I'm authenticated as level 2 and lists the text of the level 2 file 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint
URI means level 5 seeing 'AUTHENTICATED' coming back from a level 5 URI.
I didn't see any particular code review red flags, really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permisive and the protocol itself doesn't do enough. The protocol requires only a set piece of common literal text to be returned which makes it easy for a server to accidentally fall into authenticating. Having the endpoint URI have to return variable text based on the input would make it much harder for a server to accidentally authenticate.
Free Universal Construction Kit is a set of 3D models you can print on a 3D printer that allow you to connect Lego to Duplo to Lincoln Logs, etc.
‘to avoid getting taxed as “dolls,” rather than lower for “toys”’
On Monday in Germany we went to Marienplatz and wandered around the Christmas Market, some of the stores, had drinks in a little pub, visited the Toy Museum, and checked out an impressive looking church. We accidentally drew in some other tourists as we stood gaping at the Glockenspiel tower waiting for the little show to begin at the wrong hour. That night Megan and Oliver came by our hotel and took us out to a traditional Bavarian restaurant and brewery that had been brewing beer there for hundreds of years. It was fun although we may have kept Megan and Oliver out too late on a weeknight.
The next day we went to the Deutsches Museum the largest science and technology museum in the world. And indeed it is very large, six floors on a large grounds. I needed to better pace myself: I spent too much energy being interested in the engineering sections with steam engines, mining, aerospace etc. I was completely worn out by the time we got to physics, chemistry, etc. etc. and we didn't even look in the natural sciences section. Anyway, its very large. That night we ate with Jon at an Italian restaurant. During the meal two period dressed children came in and began singing then tried to shake down their captive audience in the restaurant asking for money. The man at the table next to us asked one of the children what charity the money was going towards, the child said they kept the money, and the man said never mind then and sent the child away.
Netflix has recommended three party movies over my time with Netflix and if you're OK with movies featuring sex, drugs, rock&roll (or techno) as almost the main character then I can recommend at least The Boys and Girls Guide to Getting Down.
24 Hour Party People is based on the true story of Tony Wilson, journalist, band manager, and club owner (not all at once) around the rise of punk and new wave in England. Like many true-story based movies it starts off strong and very interesting but gets very slow at the end like the writers got bored and just started copying the actual events. Unless you have some interest in the history of music in the 80s in Manchester I don't recommend this movie.
Human Traffic is fun and funny following a group of friends going out for a night of clubbing and partying. I had to get over seeing John Simm as not The Master from Doctor Who but rather as a partying youth. It felt like it was geared towards viewers who were on something like the totally odd techno musical interludes with the characters dancing for no apparent reason. Otherwise the movie was good.
The Boys and Girls Guide to Getting Down is done in the style of an old educational movie on the topic of clubbing and partying. It sounds like a premise that would get old but they do a good job. While demonstrating drinking and driving they have scientists push a mouse around in a toy convertible. Enough said. It was funny and I recommend it.
Cadbury jumps out of her toy box hitting the fireplace shovel, and does a few other cute things.
|
From: David Risney
Views: 76
1 ratings
|
|
Time: 00:44 | More in Pets & Animals |