web application security lab

And We’re Off! Challenge 2 Underway

For those of you who are interested, the second challenge is underway. Click here to begin the challenge. Everything you need is under that directory, and even after the contest is finished you are still able to participate, for those of you who don’t like the pressure of doing something in a certain timeframe. The forum is open for people who want to chat about this while they work. For everyone else, good luck!

Update: And the results are in! Pretty amazing times for the first several winners, and I’ll have to post on our “special winner” Stefan who managed to actually hack the test. Congrats to everyone who won! A spoiler is now live for anyone who is completely stumped.

2:04:53: NoS (Sergey Novotarskiy)

2:06:51: Stefan Esser

2:17:50: AviD

2:20:31: Mario Heiderich

2:21:00: christ1an

3:13:14: kuza55

3:17:22: Jibbler

4:32:43: barbarianbob

5:58:31: David Lindsay

6:22:45: fidels

And since he asked so nicely to be mentioned, Jesper came in 11th with a time of 6:28:05. DoctorDan followed at 6:52:11.

23 Responses to “And We’re Off! Challenge 2 Underway”

  1. ... Says:

    wtf…. I don’t know English units of length… don’t understand the meaning of the question!!!!
    !! f**k!!

  2. RSnake Says:

    I suggest you look in the forums:,14714

  3. .mario Says:

    Very nice one ;) I am very much looking forward to round 3…

  4. ChosenOne Says:

    Congratulations to the first winners. I didn’t make it further than the “Sesame” yet - going to bed now :)

  5. christ1an Says:

    For the next round it would be cool if it was more web application security related.

  6. RSnake Says:

    I’m open to suggestions on what kinds of things you’d like to see. I’m wary about making the site exploitable directly, so anything I allowed you to do would have to be in the context of your own user only. Makes it tougher. But this did tie in a number of webappsec concepts. States, stupidly hard CAPTCHAs, cookie tampering, etc… You’re just so familiar with these concepts that it doesn’t seem like a stretch for you. Trust me, we have some interesting concepts up our sleeves for future versions. If anyone has interesting suggestions email me offline, and I may add some of it in, or parts of the ideas.

  7. Ronald Says:

    What isn’t there webappsec about it christ1an? I think it’s a cool one, and pretty much on the spot.

  8. christ1an Says:

    Well, it’s not even described as a webappsec challenge Ronald. However I’d wish some more relation to it.

    It is fun to play with if one is bored or needs some clothes for free. I can answer your question better after it’s finished.

  9. RSnake Says:

    Funny, we were actually thinking about moving away from webappsec only and bringing in some other concepts. We’ll have to buy a domain specifically for that to work, but I think it would be worth it if you all would like to try your hand at some completely different concepts.

  10. Ronald Says:

    That would be cool RSnake, have you thought about some really tough stuff? I mean really hard? stuff that takes a week or something, instead of 30-60 minutes ;)

    haha, still good stuff.

  11. RSnake Says:

    Well the stuff that takes weeks generally requires enumeration, iteration or tedious trial and error. I think most people would pull their hair out well before a week’s time. I dunno, I think I’ll slowly crank up the hardness scale until it’s more like a day’s time before we get all ten winners. Right now it’s still been 4 hours and 30 minutes and we still don’t have all ten winners. That means I cranked the hardness knob in the right direction. I also wanted to make sure people had something to play with. Last time there wasn’t enough interactivity. This time it’s got a lot more, but I’d like it to be even more over time. But I think there’s interesting ways to make it take longer without it being ultra-tedious. There’s a lot to web apps so there’s lots of techniques to build on.

  12. Ronald Says:

    Well, what about opening your telnet port? ;)

    Yes, indeed I really like this one. But, it does require control over certain “features” of the browser. I’m not sure everyone knows about this, but it’s a great learning curve. That’s for sure, I hit the last clue in under 40 minutes and a beer, it could have been found way faster with some reasoning though. It’s too late here, have to catch some sleep.

    Enjoy everyone! :)

  13. Chris Says:

    Hey RSnake — doesn’t the HTTP RFC specify that cookie names and values cannot contain whitespace, commas, or semi-colons, unless they are URL-encoded? That has always been my understanding. Only after you posted the spoiler did I realize that I was encoding the cookie properly, but the challenge expected it to be submitted in a non-compliant format! Any thoughts?

  14. RSnake Says:

    @Chris - yes but there are a number of things in both this test and the last one that aren’t exactly RFC compliant or normal. In the JavaScript source I said admin=”bobs your uncle” not “bobs%20your%20uncle”. ;) Some people also noted that some browsers didn’t encode the single quote in the URL. It totally depends on the browser you are using. I intentionally made the script as stupid as possible so I did exact string compares, rather than the proper decoding of URL encoded strings. I don’t think I’ll ever make the challenge completely RFC compliant though, because there’s lots of interesting things within the HTTP headers that aren’t compliant that can be used to fingerprint webservers for instance.

  15. Chris Says:

    @RSnake — It was just an observation, and you raise a valid point on the server fingerprinting. The main reason I brought up the notion of RFC compliance is that one of your motivations with the challenges (I think) is to help teach people about web application security. So while you might not go so far as to disallow the non-compliant versions of the cookie, I would probably try to handle basic things such as URL encoding since it’s easy to reproduce. Fun challenge though, and at the very least you’ve probably introduced some people to the idea of cookie poisoning.
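The mismatch Chris and RSnake discuss above, shown as an added example that is not part of the original post or the challenge's code: an exact string compare accepts only the literal cookie value, while a check that percent-decodes first accepts both the literal and the URL-encoded form. The function names, the `session` cookie and the sample headers are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed Cookie headers.
const EXPECTED = "bobs your uncle"; // cookie value quoted in the thread

// Split a Cookie request header into name -> raw value, without decoding.
function parseCookieHeader(header) {
  const pairs = new Map();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // skip fragments with no "="
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (!pairs.has(name)) pairs.set(name, value); // first occurrence wins
  }
  return pairs;
}

// Exact compare on the raw value, as the thread describes the challenge script.
function exactMatch(header) {
  return parseCookieHeader(header).get("admin") === EXPECTED;
}

// Percent-decode first, then compare; malformed escapes are rejected.
function decodedMatch(header) {
  const raw = parseCookieHeader(header).get("admin");
  if (raw === undefined) return false;
  try {
    return decodeURIComponent(raw) === EXPECTED;
  } catch (e) {
    return false; // decodeURIComponent throws URIError on a truncated escape
  }
}

// Constructed sample headers: literal, URL-encoded, and a broken escape.
const SAMPLES = {
  literal: "session=abc123; admin=bobs your uncle",
  encoded: "session=abc123; admin=bobs%20your%20uncle",
  malformed: "session=abc123; admin=bobs%2",
};

function compareAll() {
  const out = {};
  for (const [label, header] of Object.entries(SAMPLES)) {
    out[label] = { exact: exactMatch(header), decoded: decodedMatch(header) };
  }
  return out;
}

console.log(compareAll());
```
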

  16. Dhubh Says:

    I know the challenges are meant for people that know something about webappsec, but I was wondering if it was possible to get slightly more detailed spoilers for those of us without a clue, as a means of learning.

  17. Dhubh Says:

    I know the challenges are aimed at people that know webappsec, but is there any chance that slightly more detailed spoilers could be posted for people just starting out?

  18. Ronald Says:


    I think it’s important to have the right tools, it can make things easier. Firefox has good extensions which allow you to work from your browser instead of a terminal, netcat or telnet.

    A few I used:

    - Cookie editor
    - Tampter data
    - Firebug (most important)

    With Firebug all scripts become visible without even accessing them. Tampter data allows you to modify the request, and cookies also. I found the first two clues with these tools in under 5 minutes. Without them I’d probably be stuck on the first one.

    For me, these are really important tools in websecurity.

    Hope it helps ;)

  19. Ronald Says:

    Tamper data :D sorry I was typing with one hand and watching outside girls

  20. Dhubh Says:

    Thanks Ronald,

    I will mess around with them and see if I can make it any further.

    ps. Sorry for the double post, when I looked back a few hours later and didn’t see my 1st post I figured something messed up :)

  21. AviD Says:

    Hey, wassup with our prizes…?


  22. RSnake Says:

    I sent all the winners an email to give me their info, didn’t you get it? Check your spam bucket from a few days ago.

  23. AviD Says:

    Not in spam bucket either…. can you send me again?
    Can’t wait to get that t-shirt!!