Slashdot Mirror


Capturing the Flag, SQLi-Style

CowboyRobot writes "Penetration tester and long-time security professional Sumit 'Sid' Siddharth has developed a real-world SQL injection sandbox simulator, and invites the public for a capture the flag event later this month. 'The only way you can understand the true impact of vulnerabilities is by practicing exploitation. Even vulnerability identification goes hand-in-hand with exploitation,' says Siddharth. 'Sometimes identifying the vulnerability is really difficult, and it's only when you know advanced exploitation techniques that you can do so. We've also put together some really nice examples where identifying the vulnerability is really difficult, and we've asked people to find the needle in the haystack because that's how websites get compromised at the end of the day.'"

14 of 24 comments

  1. real world by Moblaster · · Score: 1

    Real world SQL injection usually ends badly. The last SQL injection that actually worked in real life was The Empire Strikes Back. So yes. I agree. SQL injection is usually a disaster.

  2. Pitifully... by cyberpocalypse · · Score: 1

    Either his site is being SQLi'd to death or he is being /.'d ctf.notsosecure.com no worky. Maybe he can come back and monetize this CTF to include: "How to run a webserver while being visitedDoS'd"

  3. relevant (xkcd) by Anonymous Coward · · Score: 1

    1. Re:relevant (xkcd) by wonkey_monkey · · Score: 1

      If you can't tell by the number alone, get out.

      --
      systemd is Roko's Basilisk.

  4. Requires Credit Card or Paypal by giantism_strikes · · Score: 1

    They are offering a free 30-day trial as long as you give them payment information. This is the same as all of the "Free Credit Reports" that require you to sign up with a credit card and cancel at the end of the free trial.

    1. Re: Requires Credit Card or Paypal by gl4ss · · Score: 1

      oh so it is "invites customers".

      aaadveeeeeert. I thought I clicked the checkbox for no adverts.

      --
      world was created 5 seconds before this post as it is.

  5. Who still writes SQL by hand? by NewWorldDan · · Score: 1

    While I do write some stored procedures, everything in the application is done through a data access layer like EntityFramework (we're a visual studio shop). Now, XSS attacks, escalation of privileges, and any number of other web based attacks are still a big deal. But SQL injection is the least of my worries. Is this different elsewhere?

    1. Re:Who still writes SQL by hand? by CastrTroy · · Score: 1

      While I think that object relational mappers are great for simple CRUD operations, I find they really start to break down once you want to do somewhat complex queries. They can get the job done, but the biggest problem I have with them is the readability of the resulting code. SQL is much more readable than the equivalent for more complex queries.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

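
      The parent comment and this reply frame the choice as "data access layer or hand-written SQL", but what actually keeps injection out is whether user input is bound as a parameter or pasted into the query text. The example below is added here and is not part of the thread; it uses Python's standard sqlite3 module as a stand-in for the data access layers mentioned (EntityFramework, PHP's abstraction layers), with a small constructed `users` table. It shows the concatenated query returning every row for a crafted name, the parameterized version of the same hand-written SQL returning nothing for that input, and a more complex hand-written query (pattern match plus aggregate, the kind an ORM makes awkward) that still binds its values cleanly.

```python
import sqlite3


def build_db():
    # Constructed in-memory table for the demonstration; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    # Hand-written SQL built by string concatenation: the caller's input
    # becomes part of the SQL text, so quotes in it change the query's meaning.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Same hand-written SQL, but the value travels as a bound parameter.
    # The driver never interpolates it into the statement, so it is only
    # ever compared as data; a quote inside it is just a character.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def count_in_role_with_prefix(conn, role, prefix):
    # A query an ORM tends to make unreadable (filter + LIKE + aggregate),
    # still written by hand and still fully parameterized with named binds.
    sql = """
        SELECT role, COUNT(*) AS n
        FROM users
        WHERE role = :role AND name LIKE :pattern
        GROUP BY role
    """
    # The wildcard is appended to the *value*, never to the SQL text.
    # (A '%' typed by the user widens the match but cannot alter the query;
    # that is a data-semantics question, separate from injection.)
    return conn.execute(sql, {"role": role, "pattern": prefix + "%"}).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # constructed input that closes the quoted literal
    print("concatenated, normal:   ", lookup_concatenated(db, "alice"))
    print("concatenated, crafted:  ", lookup_concatenated(db, crafted))
    print("parameterized, normal:  ", lookup_parameterized(db, "alice"))
    print("parameterized, crafted: ", lookup_parameterized(db, crafted))
    print("complex, parameterized: ", count_in_role_with_prefix(db, "user", "b"))
```

      The point for the "who still writes SQL by hand" question: writing SQL by hand is fine, and often more readable for complex queries, as long as every value goes through the driver's bind mechanism; the ORM's protection comes from the same mechanism, not from hiding the SQL.
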
    2. Re:Who still writes SQL by hand? by malacandrian · · Score: 1

      Even PHP has database abstraction these days.

    3. Re:Who still writes SQL by hand? by Garridan · · Score: 1

      Srsly. I type my SQL in through a keyboard. My handwriting and OCR do not play nicely together.

      obligatory

    4. Re:Who still writes SQL by hand? by OdinOdin_ · · Score: 1

      "these days" ? What era was the date it did not have this ? You mean the PHP ecosystem has opened its eyes to finally using some good methodology.

  6. First task by Anonymous Coward · · Score: 1

    First task: Bypass the SQLi Lab authentication and use the site without registration. :-)

  7. It's a trap! by fldsofglry · · Score: 1

    It's a trap! Don't do it...this is a honeypot set up by government organizations to catch criminals and bring them up on hacking related charges! http://www.youtube.com/watch?v=piVnArp9ZE0 -- Lord, I hope the sarcasm comes through.

  8. Another slashvertisement by dutchwhizzman · · Score: 1

    You can get plenty of free SQLi trainings and labs at sites like enigmagroup and hackthissite. OWASP has good training VM images available as well. This is a commercial lab where you have to pay to take the class and get access to the labs.

    --
    I was promised a flying car. Where is my flying car?