My former co-workers at HP held the hacking challenge I mentioned last month.

> The challenge had both an internal HP and a public online component, with the purpose of teaching people about security by putting them through a series of challenges. Those challenges were based on real-world login examples, with participants trying to figure out how to break in by taking advantage of Web application security vulnerabilities.

> Wood said 446 individuals participated in the hacking challenge, of whom 52 percent were able to solve the first challenge, which was a JavaScript log-in that could be determined and bypassed by a researcher if they simply viewed the underlying HTML source code. "They viewed the source code and were able to understand the JavaScript," Wood said. "It gives you a good baseline of how many people understand what is on the Internet and how willing they are to explore a Web page beyond just looking at a page inside of a browser."
Well, that's disappointing. If I remember correctly, stage one was plain-text authentication done client-side in JavaScript!!! In fact, you didn't even need to read out the username/password, because it simply did a window.location-style redirect! The URL for stage two was right there!

> While more than half the participants could solve the JavaScript challenge, by the fifth level only 9 percent of the 446 participants made the cut. The fifth challenge involved a SQL injection vulnerability that participants needed to exploit. SQL injection attacks are among the most commonly found types of vulnerabilities. The Heartland Payment Systems security breach, which nabbed over 130 million credit cards, stemmed from a SQL injection. The challenges were not just theoretical scenarios. "Basically, the challenges were very distilled versions of examples we saw online," Wood said. The most difficult level of the HP hacking challenge was the hidden sixth level, which only two people were able to solve. Wood declined to detail the vulnerability, though he did hint at what it involved.
I seem to remember this version of the challenge having 13 levels. Matt must have trimmed it. Other stages were Java applets, Flash with unsalted SHA-1s, and other cool stuff. Cool stuff! I hope Matt hauls his butt up to Phreaknic or uses this at some other regional hacker con. These results show there is an obvious need for some schooling!