In 2014 I discovered a vulnerability on Yahoo's Login Protection seal that allowed for CSS injection. This information was saved to the browser and IP, persisting across login sessions on that computer. The protection seal feature has since been removed from the login page, but the feature still exists in your account preferences.
- CTF: CSAW 2015
- Challenge: Weebdate
- Category: Web
- Points: 500
Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate. Flag is md5($totpkey.$password) http://18.104.22.168/
Original Post: http://potatohatsecurity.tumblr.com/post/126411303994/defcon-23-badge-challenge
Brett, Jon, and I teamed up with Council of 9 and won this years badge challenge after having great success in the DEFCON 22 Badge Challenge. Over the last year we have studied a huge number of cryptographic methods and ancient languages to prepare for this. We also released our own crypto-challenge website for the community to follow along and have fun challenging themselves. With our new knowledge and a great team in tow we headed out to DEFCON.
Here is the entire adventure as we experienced it with all of the puzzles, their solutions, and the steps to solve them. Understand that this document contains MASSIVE spoilers so if you do not want to ruin it for yourself please stop reading now.
This is part two of a three part series on detecting traffic generated by the security tool Burp Suite. These methods are by no means exhaustive, but are simple tricks that can be used for detecting some of the malicious traffic on your web server.
Original Post: http://potatohatsecurity.tumblr.com/post/94565729529/defcon-22-badge-challenge-walkthrough
Brett, Jon, and I recently went to DEFCON and completed the Badge Challenge put together by 1o57. Here is the entire adventure as we experienced it with all of the puzzles, their solutions, and the steps to solve them. Understand that this document contains MASSIVE spoilers so if you do not want to ruin it for yourself please stop reading now.
I recently started to review the automated vulnerability scanner Burp Suite because of its widespread usage. The tool is used by many security bounty hunters, security professionals, and blackhat hackers for automated scanning and vulnerability detection. While I was using Burp, I was wondering to myself how easy it is for a server to detect that I am using this tool.