I just finished Stripe's security vulnerability contest, the Stripe CTF. This was a really fun exercise. (Note: if it's before Wednesday, Aug 26 2012, you still have time to do the Stripe CTF.)

Basically, Stripe set up 9 levels, each a standalone web server. Each level tested your ability to exploit a security vulnerability in that web server. It started out easy, with solutions taking a small amount of effort, but by levels 5 and 6 the time per solution had risen significantly. Eventually it came down to a complicated multi-step strategy in level 8 (level numbers were 0-based, naturally). You can read more about it in their blog post.

I’m a learning-by-doing sort of person. I had heard of cross-site request forgery and cross-site scripting before. I knew what SQL injection is. But getting hands-on experience in identifying vulnerabilities in source code and figuring out how you (the attacker) actually execute the attack, along with all the associated nuances, taught me a lot more about those vulnerabilities than anything else.

The vulnerabilities that I exploited during the competition were:

I’m now a much more security-aware coder, and I’ll write more secure web code in the future. Thank you Stripe! And I get a T-shirt! :D

I’ll write up my solutions after next Wednesday, when the competition ends.