Wow, I'm excited. Last time I got to the last level (well, next-to-last level) and hit a wall with my skill set and the time I had available to complete the challenge.<p>I like the idea of being on a team. So, let's get this started; I'm looking for a team! I'm an experienced C developer (I work on and manage a transaction-processing platform day to day) who works with MySQL+Memcache heavily. SQL injection, memory, buffer overflows and algorithms will be my strong points, while JavaScript/XSS attacks may be my shortcomings. Email is in my profile.
<i>, it's often difficult to find a hands-on environment to interact with and fully exploit these vulnerabilities</i><p>Well, Google had a good introduction on web exploits, with a sandboxed environment for you to try it: <a href="http://google-gruyere.appspot.com/" rel="nofollow">http://google-gruyere.appspot.com/</a><p>A bit older, but good nonetheless: Hack this site[1]<p>[1] <a href="http://www.hackthissite.org/" rel="nofollow">http://www.hackthissite.org/</a>
I've been trying to start a posse on Stack Overflow to stamp out the use of PHP's `mysql_query`, something that floods the MySQL-tagged questions constantly. Use of this dangerous, deprecated feature is completely rampant in both questions and answers. It often shows up with zero SQL escaping; people just <i>presume</i> that an email address couldn't possibly have anything irregular in it.<p>Contests like this are a great idea to help promote safe coding practices.
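The flaw the comment above describes, as an added example that is not from the original thread: the same string-splicing anti-pattern as an unescaped `mysql_query` call, next to a parameterised query. It is written in Python against an in-memory SQLite database rather than PHP and MySQL so that it runs offline; the table, the rows and the function names are constructed for the illustration. The apostrophe case matters because `o'brien@example.com` is a valid address, so "nothing irregular" is already wrong before any attacker shows up.

```python
import sqlite3

# Constructed sample schema and data for the example.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)"
ROWS = [(1, "alice@example.com", 0), (2, "root@example.com", 1)]

# Constructed attacker input: closes the string literal and appends a tautology.
ATTACK = "x' OR '1'='1"


def make_db():
    """Fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, email):
    """Mirrors the mysql_query anti-pattern: the value is spliced into the SQL text."""
    sql = "SELECT id, email FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Placeholder binding: the value is sent separately and cannot alter the query."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def unsafe_breaks_on_apostrophe(conn):
    """A perfectly legitimate address with an apostrophe makes the unsafe query fail."""
    try:
        lookup_unsafe(conn, "o'brien@example.com")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe, attack input:", lookup_unsafe(db, ATTACK))   # every row leaks
    print("safe, attack input:  ", lookup_safe(db, ATTACK))     # no match
    print("unsafe, apostrophe:  ", unsafe_breaks_on_apostrophe(db))
    print("safe, apostrophe:    ", lookup_safe(db, "o'brien@example.com"))
```

With the attack string the spliced query becomes `WHERE email = 'x' OR '1'='1'` and returns both users, including the admin row; the bound version looks for that literal string and finds nothing. In PHP the equivalent fix is a prepared statement via PDO or mysqli, not escaping by hand.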
Last time I finished everything short of writing the program to capture the flag after I realized how to do it. I guess I was tired after basically staying up all weekend glued to the keyboard with the other nuts on IRC/Campfire. I never actually took the last step, never sent Stripe my proof and never got my T-shirt. I have regretted my apathy ever since!!!
Can't wait for this one!
It's awesome that they're doing this. Also, I doubt I'll participate, but my brain just registered "Stripe is a fun place that's smart about security", making me more likely to use them in the future or even want to work for them.<p>Companies, take note: providing fun and education to the community can boost your reputation.
Sounds like fun.<p>I would love to see one that used different DB back-ends at some point. I'm sure it would be interesting to see the other attacks we are not considering with the much more diversified stacks now in existence.
So what are the chances of someone who's never really dealt with web security capturing the flag? Last year's results don't make it seem too promising: 12k unique IPs -> 250 captures.