Securing Stripe's Capture the Flag - gdb
https://blog.gregbrockman.com/2012/08/system-design-stripe-capture-the-flag/

======
philfreo
Thanks for putting this together. Was very educational working through each
level (and felt great to capture the flag). Loved that it was spread out
across node.js/python/ruby/php/javascript.

Were any unexpected security vulnerabilities found (or patched mid-game by
you) in the overall infrastructure?

Not sure if this was intentionally left open-ended but for example in Level 6
I exploited a Ruby session/cookie bug to gain access to the target user,
before realizing that the easier way was just a simpler JavaScript XSS
vulnerability.

~~~
gdb
There were a few unintentional vulnerabilities in the levels. Only one
actually made the levels significantly easy enough that it was worth patching
-- namely, the session cookie bug you reference (it actually affected three
levels). There was also a bug in the CTF architecture where you could set your
user's URL to a javascript: URL. But to my knowledge no one has found
vulnerabilities in the rest of the infrastructure :).

~~~
ryan-c
I was one of the ones who went through those three levels with the session
cookie bug. How many people reported it? Do you have a problem with me posting
a write-up on the bug somewhere (now that it's fixed)?

~~~
gdb
We fixed it as soon as it was reported, and have probably gotten four or five
independent reports at this point. Feel free to post away!

------
obituary_latte
_heart attack_

Thought for a minute after seeing the headline maybe the CTF was closed... I'd
have thrown many (more) monitors out the window if I didn't get to finish lvl8
after spending so long on it...or at least ditch a few more monitors trying to
finish it.

------
ben1040
Thanks for the writeup - while going through the levels, I was wondering how
some of this stuff was set up from the game-master's perspective.

This was really fun to play, and I learned a thing or two (specifically the
manner in which you solve #7 was totally new to me).

Thanks for putting the CTF together!

------
zx2c4
Next time, use grsecurity & pax. No excuses not to. Kernel hardening that you
must absolutely have on a shared box.

<http://grsecurity.net/> <http://en.wikibooks.org/wiki/Grsecurity>
<http://en.wikipedia.org/wiki/Grsecurity> <http://en.wikipedia.org/wiki/PaX>

Grsec's RBAC isn't strictly necessary, but it's quite nice too.

------
copithod
The CTF was one of the more educationally useful things I've done in a while,
thanks!

------
fijter
You guys did an awesome job, great stuff to waste some evenings on. It's nice
to read about all these measures, especially since I've already noticed most
of them while capturing the flag :)

------
antsam
Really enjoyed the CTF, thanks for hosting it! Had to run my code twice to get
the last chunk on level 8, not sure why though... Was it jitter? Also, will
you be sending confirmation e-mails for the t-shirts?

~~~
gdb
I'll avoid posting spoilers here, but feel free to shoot me an email
(gdb@stripe.com) if you want to discuss more. We will indeed send out
confirmation emails for the shirts -- you'd be surprised by how many people
typo their addresses.

------
elliottcarlson
Awesome write up and awesome challenge - look forward to the next one!

------
bvdbijl
Great job on the CTF, had only minor issues with level 8 because of the
traffic (which made it more of a challenge) and I was wondering how you guys
did the XSS vulns, really nice job!

------
emilw
Greg, I'm sorry I can't comment on the original article; I don't have a FB
account.

What was the amount of traffic at peak times between level 2 and 8?

~~~
gdb
I don't have numbers on that. We did have level02-2 hitting load 100 at one
point, though. Also, from the first level08 server we put into the pool:

    root@leveleight2:~# ifconfig eth0 |tail -n 2
              RX bytes:8200746652 (8.2 GB)  TX bytes:27399989757 (27.3 GB)

~~~
emilw
Thank you

------
tlrobinson
Nice writeup. I loved the CTF. Need moar.

Seriously, what else is out there like this?

~~~
gdb
Glad you enjoyed :). We have a few places linked on <https://stripe-
ctf.com/about> (namely <http://google-gruyere.appspot.com/> and
<http://www.hackthissite.org/>).

------
Axsuul
Stripe CTF made me feel like I was in college again! It was a good feeling.

------
xPaw
CTF was lots of fun, but I never really bothered finishing the final level :(

~~~
antsam
There's still time (I think) and it's surprisingly easy once you realize what
you're supposed to do!

~~~
tvdw
"It's easy once you know the answer"

Well, of course it is...

------
jiggy2011
I haven't done this yet, is it still online? How difficult is it?

~~~
the_mitsuhiko
It's not that hard until level 8. At that point I got too lazy to actually
continue with it :)

------
zobzu
"we make CTF and recommend using chroot"

/facepalm

~~~
ab
While they're not great, chroots are much more powerful than most people give
them credit for. The trouble comes when people think you can keep a root user
contained in a chroot.

~~~
zobzu
Correct, and that makes them much less powerful than most people think :)