How was the first hackathon at The Standoff


At PHDays 9, for the first time, a hackathon for developers was held as part of The Standoff cyber battle. While defenders and attackers fought for control of the city for two days, the developers had to update applications that had been written and deployed in advance and keep them running smoothly under a barrage of attacks. Here is how it went.

Only non-commercial projects submitted by their own authors were accepted into the hackathon. We received applications from four projects, but only one was selected: bitaps (bitaps.com). The team does blockchain analytics for Bitcoin, Ethereum and other alternative cryptocurrencies, processes payments and develops a cryptocurrency wallet.

A few days before the start of the competition, the participants received remote access to the game infrastructure to install their application (it was placed in an unprotected segment). At The Standoff, the attackers, in addition to the infrastructure of the virtual city, had to attack the application and write bug bounty reports on the vulnerabilities they found. Once the organizers confirmed a reported bug, the developers could choose to fix it. For every confirmed vulnerability, the attacking team received a reward in publics (The Standoff game currency), and the development team was fined.

Under the terms of the competition, the organizers could also set the participants tasks to extend the application: the point was to implement new functionality without introducing mistakes that affect the security of the service. Developers were awarded precious publics for every minute the application ran correctly and for each improvement they implemented. Publics were deducted if a vulnerability was found in the project, and for every minute of downtime or incorrect operation of the application. Our robots monitored this closely: if they found a problem, we reported it to the bitaps team, giving them a chance to fix it. If it was not eliminated, it led to losses. Just like in real life!

On the first day of the competition, the attackers probed the service. By the end of the day, we had received only a few reports of minor vulnerabilities in the application, which the bitaps guys quickly fixed. Around 23:XNUMX, when the participants were starting to get bored, they received a proposal from us to improve the software. The task was not easy. On top of the payment processing already available in the application, they had to implement a service for transferring tokens between two wallets via a link. The sender of the payment (a user of the service) enters the amount on a special page and sets a password for the transfer. The system generates a unique link, which is sent to the payee. The recipient opens the link, enters the transfer password and specifies the wallet that should receive the amount.

Having received the task, the guys perked up, and by 4 o'clock in the morning the service for transferring tokens via a link was ready. The attackers did not take long: within a few hours they discovered a minor XSS vulnerability in the new service and reported it to us. We checked and confirmed it. The development team fixed it successfully.
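To make the two points above concrete (the link-based transfer flow the team had to build, and the XSS class of bug the attackers then found in it), here is an added example of how such a service can be structured. It is illustrative code written for this article, not bitaps code, and it uses a constructed in-memory ledger in place of real payment processing. The link token is the bearer secret, so it is generated with the `secrets` module; the transfer password is stored only as a salted PBKDF2 hash and compared in constant time; a link can be claimed once; and anything the user typed is HTML-escaped before it is echoed back, which is the mitigation for the kind of XSS reported during the hackathon.

```python
"""Link-based token transfer with a password, plus safe rendering of the
claim page. Illustrative example only; the ledger is an in-memory stand-in."""
import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # assumption: tuned for the demo, not a production value


@dataclass
class Transfer:
    sender: str
    amount: int
    salt: bytes
    pw_hash: bytes
    claimed: bool = False


@dataclass
class Ledger:
    """Constructed stand-in for the application's payment processing."""
    balances: dict = field(default_factory=dict)
    transfers: dict = field(default_factory=dict)  # link token -> Transfer


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the stored value is useless if the database leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_transfer(ledger: Ledger, sender: str, amount: int, password: str) -> str:
    """Debit the sender immediately and return the unguessable link token."""
    if amount <= 0 or ledger.balances.get(sender, 0) < amount:
        raise ValueError("bad amount or insufficient funds")
    ledger.balances[sender] -= amount
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: the link itself is a secret
    salt = secrets.token_bytes(16)
    ledger.transfers[token] = Transfer(sender, amount, salt, _hash_password(password, salt))
    return token


def claim_transfer(ledger: Ledger, token: str, password: str, recipient: str) -> bool:
    """Credit the recipient if the token exists, is unclaimed, and the password matches.
    Unknown token, used token and wrong password all fail the same way."""
    t = ledger.transfers.get(token)
    if t is None or t.claimed:
        return False
    if not hmac.compare_digest(t.pw_hash, _hash_password(password, t.salt)):
        return False
    t.claimed = True  # single use: a leaked link cannot be replayed
    ledger.balances[recipient] = ledger.balances.get(recipient, 0) + t.amount
    return True


def render_claim_page(recipient: str, amount: int) -> str:
    """Echo user input into HTML only after escaping it; interpolating the raw
    wallet string here is exactly the kind of bug that shows up as an XSS report."""
    return f"<p>{html.escape(recipient)} will receive {int(amount)} tokens.</p>"


if __name__ == "__main__":
    ledger = Ledger(balances={"alice": 100})
    link = create_transfer(ledger, "alice", 40, "correct horse")
    print("claim with wrong password:", claim_transfer(ledger, link, "guess", "bob"))
    print("claim with right password:", claim_transfer(ledger, link, "correct horse", "bob"))
    print("second claim on same link:", claim_transfer(ledger, link, "correct horse", "bob"))
    print(render_claim_page("<script>alert(1)</script>", 40))
```

In a real service the unclaimed amount would also need an expiry and refund path, and the link should only ever travel over HTTPS; the core of the design, though, is that the token is random and single-use, the password is never stored in clear, and nothing user-controlled reaches the page unescaped.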

On the second day, the hackers turned their attention to the office segment of the virtual city, so there were no more attacks on the application, and the developers could finally recover from a sleepless night.


At the end of the two-day competition, we awarded the bitaps project with commemorative prizes.

As the participants admitted after the game, the hackathon made it possible to test the strength of the application and confirm its high level of security. "Participation in a hackathon is a great chance to test your project for security and get an expert assessment of code quality. We are glad we managed to withstand the onslaught of the attackers," Alexey Karpov, a member of the bitaps development team, shared his impressions. "It was an unusual experience, as we had to refine the application under stress and against the clock. You need to write high-quality code, and at the same time there is a high risk of making a mistake. In such conditions, you start using all of your skills."

Next year we plan to host a hackathon again. Follow the news!

Source: habr.com