Title: Skillz Oct 07 Winning Entry - Technical
Post by: don on December 04, 2007, 03:37:53 PM
"Worst. Ethical. Hacker. Challenge. Ever."
Hacker Challenge Submission
Response by: Dan Roberts
Stolen customer records
At 19:03:58, the host 188.8.131.52 began harvesting customer information by calling the userreport.pl program with Lynx for each customer record specified by the uid parameter in the HTTP GET parameters. 71 requests were issued; 53 returned information (return code 200) and the remainder failed due to an internal server error (return code 500).
The uids are derived from pi (3.141592653589...), which I suppose one could call "less rational" since it is the best known irrational number. The first uid is 141592, the next is 653589, and so on. The attacker simply had to try these numbers in sequence until he ran out of valid uids. The internal server errors were caused by the invalid uids. The hacker may have guessed Comic Book Guy's numbering scheme, since he all but gave it away in his response to Troy McClure's comment about the broken random number generator.
(There was also another clue to this, CBG had a "one million digits of PI" Firefox tab open while viewing Lisa's winning score - Kevin)
Bill Gates a mutant
According to the log, the attacker came from 184.108.40.206.
How to fix it
1. Find a better way to produce uids. These should not be predictable, else this challenge demonstrates what can happen.
2. Implement game logic on the server side instead of placing it in the hands of the client, and never, ever trust user input.
3. Validate user input to avoid mischief such as the DOM-based XSS attack seen in the challenge.
Using the pass phrase "Frisky Dingo" with S-Tools (both clues left in the game comments), I was able to reveal the secret message inside gates2.gif:
Dear Comic Book Guy -
Your amateur coding skills, demonstrated by your buggy, non-secure web application, do not demonstrate the level of intellect we would expect from a member of the Springfield MENSA chapter. We met and voted to give you one last chance to remain in the club.
By finding this message, you have demonstrated some skills, and may remain a member. But remember, our Kung Fu is the Best.
Principal Skinner, Dr. Hibbert, Lisa Simpson, Professor Frink, Lindsey Naegle.
Congrats from all of us at EH-Net,
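Added example, written for this page and not part of Dan Roberts' submission or the challenge files: it reproduces the uid scheme the write-up describes (consecutive six-digit slices of pi's fractional digits), runs the enumeration signature over a few constructed Apache combined-format log lines, and shows the replacement for fix item 1, a uid drawn from the OS CSPRNG. The /cgi-bin/userreport.pl path, the timestamps, byte counts and user-agent strings in the sample log, the 500-slice lookup table and the flagging thresholds are all assumptions of mine; only the uid values 141592, 653589 and the host 188.8.131.52 come from the write-up.

```python
import re
import secrets
from collections import Counter
from urllib.parse import urlsplit, parse_qs

UID_LEN = 6


def pi_fraction_digits(n):
    """First n decimal digits of pi after the decimal point, as a string.
    Machin's formula, pi = 16*arctan(1/5) - 4*arctan(1/239), in fixed-point
    integer arithmetic; the guard digits absorb the series' truncation error."""
    guard = 10
    scale = 10 ** (n + guard)

    def arctan_inv(x):
        # arctan(1/x) = sum over k of (-1)^k / ((2k+1) * x^(2k+1)), times scale
        total = term = scale // x
        x2 = x * x
        k, sign = 1, -1
        while term:
            term //= x2
            total += sign * (term // (2 * k + 1))
            k, sign = k + 1, -sign
        return total

    pi_scaled = 16 * arctan_inv(5) - 4 * arctan_inv(239)
    return str(pi_scaled)[1:1 + n]          # drop the leading "3"


def pi_uids(count):
    """The uid scheme from the write-up: consecutive 6-digit slices of pi's
    fractional digits (141592, 653589, 793238, ...). Kept as strings so a
    slice that happens to start with 0 is not shortened."""
    digits = pi_fraction_digits(count * UID_LEN)
    return [digits[i:i + UID_LEN] for i in range(0, count * UID_LEN, UID_LEN)]


# Lookup table of the first 500 slices (my choice of depth; the write-up saw 71 tries).
PI_UID_SET = frozenset(pi_uids(500))

# Apache combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into fields; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["uid"] = parse_qs(url.query).get("uid", [None])[0]
    rec["status"] = int(rec["status"])
    return rec


def harvest_report(lines, script="userreport.pl"):
    """Per-host summary of requests to the uid-taking script.
    'sequential' counts requests, from the first, that follow the pi slices in
    order (the pattern in the write-up); 'in_pi' counts every uid that is some
    pi slice, so a scan that starts mid-sequence or shuffles still scores."""
    per_host = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(script) or rec["uid"] is None:
            continue
        h = per_host.setdefault(rec["host"], {"requests": 0, "status": Counter(), "uids": []})
        h["requests"] += 1
        h["status"][rec["status"]] += 1
        h["uids"].append(rec["uid"])
    for h in per_host.values():
        expected = pi_uids(len(h["uids"]))
        mismatches = [i for i, (got, exp) in enumerate(zip(h["uids"], expected)) if got != exp]
        h["sequential"] = mismatches[0] if mismatches else len(h["uids"])
        h["in_pi"] = sum(uid in PI_UID_SET for uid in h["uids"])
        h["status"] = dict(h["status"])
    return per_host


def flag_harvesters(report, min_requests=3, min_pi_fraction=0.8):
    """Hosts whose uid requests are mostly pi slices: the enumeration signature."""
    return sorted(host for host, h in report.items()
                  if h["requests"] >= min_requests
                  and h["in_pi"] / h["requests"] >= min_pi_fraction)


def unpredictable_uid():
    """Fix item 1: a uid from the OS CSPRNG instead of slices of a public constant."""
    return secrets.token_urlsafe(16)


# Constructed sample log, not from the challenge; path, sizes, agents and times are invented.
SAMPLE_LOG = """\
188.8.131.52 - - [07/Oct/2007:19:03:58 -0500] "GET /cgi-bin/userreport.pl?uid=141592 HTTP/1.0" 200 1874 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
188.8.131.52 - - [07/Oct/2007:19:04:01 -0500] "GET /cgi-bin/userreport.pl?uid=653589 HTTP/1.0" 200 1902 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
188.8.131.52 - - [07/Oct/2007:19:04:05 -0500] "GET /cgi-bin/userreport.pl?uid=793238 HTTP/1.0" 500 611 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
188.8.131.52 - - [07/Oct/2007:19:04:09 -0500] "GET /cgi-bin/userreport.pl?uid=462643 HTTP/1.0" 200 1855 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14"
10.0.0.7 - - [07/Oct/2007:19:05:30 -0500] "GET /cgi-bin/userreport.pl?uid=100042 HTTP/1.1" 200 1860 "http://example.test/" "Mozilla/5.0"
10.0.0.7 - - [07/Oct/2007:19:06:02 -0500] "GET /index.html HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = harvest_report(SAMPLE_LOG.splitlines())
    for host, h in report.items():
        print(host, h["requests"], h["status"], "sequential:", h["sequential"], "in_pi:", h["in_pi"])
    print("harvesters:", flag_harvesters(report), "| fresh uid:", unpredictable_uid())
```

Run against a real access log, the interesting number is `in_pi` rather than `sequential`: the write-up's attacker walked the slices in order, but a scanner that starts from a uid it learned elsewhere, or that parallelises the requests, still shows up as a host whose uids are almost all drawn from the table. Note that the 500 error per invalid uid is itself a signal the application hands out for free; a server that returned the same response for unknown and known uids would not have told the attacker when to stop.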