
Henceforth, All Job Applicants Must Hack Into Our Backend (Dev Challenge) - kessler
http://seatgeek.com/blog/hiring/henceforth-all-job-applicants-must-hack-into-our-backend
======
zg
Would be funny if somebody went overboard and actually rooted the box, deleted
the other entries and changed the site so the problem couldn't be solved (or
closed the competition).

Then I guess you'd have to give him the job by default :-)

~~~
notr00t
Always has to be a "him" right? Myopic macho nonsense, just like this company
that wants "hyper-motivated" applicants. Ridiculous, geek-macho, over-
caffeinated boys who speak first and (maybe) think later.

~~~
konad
Which pronoun should one use?

------
kapilkale
This is phenomenal. Makes the application process way more interesting. Hope
your quality of applicants goes through the roof.

------
johnswamps
I just completed it, it shouldn't take more than 15 minutes or so. There's no
real hacking involved, it's mostly just using a tool like firebug.

~~~
josegonzalez
I'm interested in seeing applications that submit themselves :)

------
jack7890
Regarding whether or not it's too easy...that's something we wondered about.
We decided we wanted a relatively straightforward initial screen rather than
a complex brainteaser.

So I would by no means liken this to the Greplin Challenge, but we're trying
to accomplish something different. We're hoping to eliminate the crappy
applicants so we can spend more time on the good ones.

~~~
temphn
Not a web developer, but a scientist who plays around with it a little bit.
Here is what I tried:

1) Viewed source. Didn't see any obvious comments.

2) Looked at .css files. Nothing obvious there, though there are styles for
form/etc classes and elements that aren't used in the page.

3) Tried creating some forms with input and label elements in the markup in
Firebug to see if CSS labeling on buttons showed anything. Just showed "Submit
Query".

4) Looked at session headers in Firebug/Safari and saw something along the
lines of

    
    
      < HTTP/1.1 403 Forbidden
      < Server: nginx
      < Date: Tue, 26 Oct 2010 09:10:58 GMT
      < Content-Type: text/html; charset=utf-8
      < Connection: keep-alive
      < Status: 403 Forbidden
      < X-Runtime: 0.001014
      < Content-Length: 1552
      < Set-Cookie:   sg.session=%7B%22csrf.token%22%3A%228KSf5VQhEB6DRoS0Z9PWW6ugXnH4e132LzBH8E76dE4%3D%22%7D; path=/
    

5) Noticed 'csrf.token' and googled to figure out it was a cross site request
forgery prevention token, which seems sort of related.

Tried to mess around with this in Python and sort of got somewhere with this

    
    
      >>> urllib.unquote("%7B%22csrf.token%22%3A%22R5wuQON8nVfha%2F7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D%22%7D")
      '{"csrf.token":"R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw="}'
    

Then tried re-encoding:

    
    
      >>> urllib.quote(eval(urllib.unquote("%7B%22csrf.token%22%3A%22R5wuQON8nVfha%2F7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D%22%7D")).values()[0])
      'R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D'
    

and then doing an HTTP POST with curl

    
    
      curl -v -d "csrf.token=R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D" apply.seatgeek.com
    

But no dice. Is this totally the wrong direction? Is this puzzle really that
obvious to any real web developer worthy of the name, and if so where did you
earn your spurs/what books/sites did you read?
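
Added example, not part of temphn's post or of SeatGeek's code: the cookie-decoding step from the comment above in Python 3, using `json.loads` instead of `eval` so that a server-supplied cookie is parsed strictly as data. The function names are illustrative; the cookie value is the one quoted in the response headers above.

```python
import base64
import json
from urllib.parse import quote, unquote

# Set-Cookie value copied from the response headers quoted in the post above.
SET_COOKIE = ("sg.session=%7B%22csrf.token%22%3A%228KSf5VQhEB6DRoS0Z9PWW6ugXnH4e132"
              "LzBH8E76dE4%3D%22%7D; path=/")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, raw_value, attributes)."""
    pair, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, raw = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.lower()] = val
    return name, raw, attributes


def decode_session(raw_value):
    """Percent-decode the cookie and parse it as JSON (data only, nothing is executed)."""
    session = json.loads(unquote(raw_value))
    if not isinstance(session, dict):
        raise ValueError("session cookie is not a JSON object")
    return session


def encode_session(session):
    """Re-serialise in the same compact, fully percent-encoded form the server sent."""
    return quote(json.dumps(session, separators=(",", ":")), safe="")


def token_length(session, key="csrf.token"):
    """Length in bytes of the base64-encoded token stored under `key`."""
    return len(base64.b64decode(session[key], validate=True))


if __name__ == "__main__":
    name, raw, attrs = parse_set_cookie(SET_COOKIE)
    session = decode_session(raw)
    print(name, attrs, session)
    print("token bytes:", token_length(session))
    print("round trip ok:", encode_session(session) == raw)
```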

~~~
Ixiaus
No worries, I'm certainly not "getting" the riddle myself. I tried md5sum'ing
the response body and base64 encoding it and replacing the cookie's csrf.token
value with that, which didn't work (I did notice, however, that the server is
accepting whatever you put in the cookie without re/over writing it).

I tried POSTing and PUTing with data values like "csrf=valuefromcookie" and
(this may seem stupid) "browser=seatgeek".

I hand crafted a request using cURL.

I also discovered their VHOST settings aren't quite right either because when
you POST to <https://apply.seatgeek.com> it takes you straight to the homepage
(instead of redirecting you to the <http://apply.seatgeek.com> page).

Either way, kudos to those that got it in 15 minutes - I wasted far too much
time chasing my tail on this one.

~~~
mcknz
Not so stupid. The error message is important.

~~~
Ixiaus
_face palm_

What's more annoying is I _did_ do it correctly the first time - I just
misspelled it! :-/

------
jayphelps
Waaay too easy...honestly, I'm not tooting my own horn.

But I guess it would keep the lazy applicant from applying.

EDIT: on second thought, maybe it is the right level. They aren't likely
looking for $100k+ hacker geniuses, just guys who can think outside the box
and know how to do basic digging and prevent your typical hack.

I retract my statement. Clever application process.

~~~
vinhboy
Damn, you guys are way smarter than me. Took me like 2 hours for the first
step. The rest was easier. I am not good at riddles I guess...

~~~
mcknz
Took me about that long for the first step, then did a facepalm once I
realized the solution. Was way overthinking that one, but it's like you either
know it or you don't -- if you know it you'll figure it out eventually.

------
atomon
Fun challenge. It took me about 10-15 minutes using curl.

I think it's the right level of difficulty: Difficult enough that you're able
to weed out a lot of really low quality applicants, but not so difficult that
you run the risk of excluding high quality applicants.

------
barrydahlberg
That was fun. Personally I wouldn't make it any harder as it would already
weed out a huge portion of the candidates I have interviewed in the past. I
would perhaps add something that required a little JavaScript or something
written though.

I wonder how many applications you get from people that don't actually want
the job.

------
pennig
Not too shabby. Was pretty trivial to do with Safari's developer tools,
actually.

I submitted this as my resume:
[http://www.russellheimlich.com/blog/wp-content/uploads/2007/...](http://www.russellheimlich.com/blog/wp-content/uploads/2007/10/im-in-ur-office-earnin-ur-salry.jpg)

~~~
sovande
Hmm, did you modify the session cookie? Because that is _not_ trivial with
Safari developer tools.

Edit: Removed potential spoilers.

~~~
revolvingcur
It's unfortunately not easy to do with Chrome either (with or without
extensions). I wound up downgrading to Firefox 3 from beta 4 to get back to
the more mature plug-ins that make this light work.

------
morganpyne
I quite enjoyed this :-) Reminds me of an online game that I played through
years ago which I'm having trouble digging references to now; hack your way
through successive levels, starting with really trivial things like default
passwords and working your way up through all the exploitation techniques
through to the more interesting ones (buffer overflows, off by 1 errors etc).

I was well hooked on the writings of Aleph1, Mudge and Rain Forest Puppy at
the time, and this game was an excellent tool for teaching developers about
vulnerabilities and thus how to defend against them. I know that the game
spawned a plethora of copy-cats later on of varying qualities - does anybody
happen to know the one I'm referring to?

~~~
harisenbon
I wonder if you're thinking of Uplink?
<http://en.wikipedia.org/wiki/Uplink_(video_game)>

I was completely addicted to that game in college. They also apparently have a
version on Steam now.

~~~
morganpyne
Thanks for the link, had not seen Uplink before. It's not what I was trying to
remember though. I'm basically talking about a website. On the first screen it
has a username and a password box. The password check is hardcoded into the JS
on the page and viewsource gives it to you. Completing it gets you to the next
stage. The next stage has no such info, but the password is easily guessable.
The one after can be beaten by a cookie modification, the one after that
involves injecting some variables into a server-side script etc etc... At each
stage it links you to articles which may be relevant to the task at hand; It's
like a step-by-step training to hacking websites, graded nicely in difficulty
from the trivial up to some reasonably difficult techniques at the higher
stages.

~~~
morganpyne
Answering my own question here, but curiosity got the better of me so I
trawled through my mail archives and found the site. It was
<http://quiz.ngsec.com/> and it's unfortunately offline now. Shame.

------
seanalltogether
Honestly they should not have made this announcement public, it should be a
private message to anyone submitting an application, otherwise random people
pick up the challenge and post the answers online.

------
shyknee
Great idea! I thought I had it figured out last night but the blank screen I
got when submitting kept bothering me. This morning I double checked the
requirements and saw if I got a blank screen I had not done it right.

I went back and got it figured out - I think the barrier to entry for this is
just right.

------
outsyder
Puzzles are always fun, thanks for sharing.

------
pseudonym
Interesting, but not difficult. I approve highly of the idea, though; perhaps
something with XSS next time?

