Sunday 6 January 2008

Vulnerabilities in challenge sites

Many challenge sites are about internet security, and probably that's the most interesting part of them. Beginners refer to them as hacker games, and think that by joining them you'll become a very 1337 h4x0r. And of course the sites should be very secure, and the admins must be experts in computer security. Well, that is not always true.

Security is a complicated subject. Although the theory is relatively easy to grasp, in practice it is almost impossible to achieve absolute security. Many techniques, frameworks and tools have been created to make security easier to achieve, but since challenge sites have been around since the 90s, most of them are still built on old systems and do not employ the latest (and heavyweight) technology needed to build a secure system. And no matter how hard you try, it is still very easy to make human mistakes that lead to disasters.

Today I will give a brief review of vulnerabilities in challenge sites I have played, some of them minor, some of them serious enough to lead to total pwnage of the whole site.

The oldest vulnerability I know of was at Ma's Reversing. Being built on old technology, it used URL rewriting for session tracking: the session id was included in the URL as a GET variable. Normally this is only a serious problem on shared computers, as the session id is exposed in the browser history. But the site was also using an external visitor tracker, ExtremeTracking, which logged the HTTP Referer header of each visitor. The session id was thus exposed to the public, and Harlequin successfully used this to get access to another user's account.
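The leak above has a simple shape: whenever a page whose URL carries the session id loads a resource from a third party (a tracker image, a script, an outbound link), the browser sends that full URL as the Referer, so the third party's logs end up holding a valid session id. The following is an added example, not code from the original post or from any of the sites it mentions; it scans access-log lines in the common "combined" format for session-like parameters in either the request URL or the Referer, and offers a helper that strips such parameters from a URL before it is handed to anything external. The hostnames, session ids and log lines are constructed for the example, and the list of parameter names is an assumption to be extended with whatever a given application uses.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names that commonly carry a session identifier.
# Assumption: extend this with the names your own application uses.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sid", "sessionid", "session_id"}

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic):
SAMPLE_LOG = [
    # a normal hit: session kept in a cookie, nothing sensitive in any URL
    '203.0.113.5 - - [06/Jan/2008:10:00:01 +0000] "GET /challenges.php HTTP/1.1" '
    '200 512 "http://challenge.example/index.php" "Mozilla/5.0"',
    # URL-rewritten session: the id travels in the request and in the Referer
    '203.0.113.5 - - [06/Jan/2008:10:00:02 +0000] "GET /level1.php?PHPSESSID=abc123def456 HTTP/1.1" '
    '200 2048 "http://challenge.example/challenges.php?PHPSESSID=abc123def456" "Mozilla/5.0"',
    # what an external tracker would record: the Referer alone carries the id
    '203.0.113.5 - - [06/Jan/2008:10:00:03 +0000] "GET /tracker.gif HTTP/1.1" '
    '200 43 "http://challenge.example/level1.php?PHPSESSID=abc123def456" "Mozilla/5.0"',
]


def session_params_in(url):
    """Return the (sorted) names of session-like parameters in a URL's query string."""
    query = urlsplit(url).query
    found = {k for k, _ in parse_qsl(query, keep_blank_values=True)
             if k.lower() in SESSION_PARAMS}
    return sorted(found)


def find_leaks(log_lines):
    """Flag log entries that carry a session id in the request URL or the Referer.

    Each hit is a dict with the client ip and a 'where' mapping of
    'request' and/or 'referer' to the leaking parameter names.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        where = {}
        in_request = session_params_in(m.group("path"))
        if in_request:
            where["request"] = in_request
        referer = m.group("referer")
        in_referer = session_params_in(referer) if referer != "-" else []
        if in_referer:
            where["referer"] = in_referer
        if where:
            hits.append({"ip": m.group("ip"), "where": where})
    return hits


def strip_session_params(url):
    """Mitigation helper: drop session-like parameters from a URL so the
    remaining URL is safe to expose as a Referer or to pass to a third party."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        print(hit)
    print(strip_session_params(
        "http://challenge.example/level1.php?PHPSESSID=abc123def456&lang=en"))
```

Running the scanner over the sample lines flags the second and third entries. The real fix is to keep the session id out of the URL entirely (cookie-based sessions, which PHP supports by disabling URL rewriting); the stripping helper only limits the damage for URLs that must still be shared.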

Another challenge site that suffered from insecurity was HackQuest. In 2004, a hacker pwnzored skyflash's account by exploiting a bug in phpbb. And last year multiple XSS vulnerabilities were found and exploited in the wild (I myself was able to collect some cookies too :P). Not to mention the soft-hyphen bug found by rhican.

TheBlackSheep, one of the most popular sites, was not that secure either. In 2004 when the forum search feature was introduced, Erik got many PMs reporting about SQL injection bugs (one of which was mine :P). And recently, rhican found a way to read PMs between Inferno and alt3rn4tiv3 (how he did it is still a mystery :P). And there's an XSS bug in one of the challenges that put everyone in danger too.

But things could have gone worse than that. Electrica, a challenge site by Caesum, was vulnerable to SQL injection, although the owner had tried his best to filter everything. rhican had totally infiltrated the site, hijacked some famous accounts, and even published the injection that gave away the solutions to all the challenges. The worst thing a site owner could experience in his whole life.

Want more? I myself have found some XSS bugs at spy-games, DareYourMind, and even Project Euler. Another XSS bug at rankk was found and reported by rhican. And just a few days after I joined HellBoundHackers, my account got deleted by a hacker who even pwnzored the whole database.

So what's the lesson? Do not reuse the same password for multiple accounts - every security researcher would want to say that, but it's easier said than done. Anyway, just choose the software you find most suitable, and if none suits your needs, invent a solution for yourself :P

And before I forget to mention it, you should have a look at this cool challenge site for a quick laugh: pardio.net. It is probably the worst challenge site ever. There you can find every noob vulnerability, which could even give you the FTP password. cryptodoggy and I infiltrated this site a few years ago, but the site owner hasn't discovered it until now, and hasn't even changed the password either :D

1 comment:

Anonymous said...

Give darkmindz.com a try ;)