
The TechEd 2005 “Hacking Challenge” in retrospect

At SAP TechEd, Boston, I offered a “guided hacking tour” in the SDN clubhouse. The idea was to raise awareness among the participants regarding how easy it can be for an attacker to break into a web application if the developers don’t do their homework.

The setup was an online shop running on my VMware system with some serious security holes deliberately planted in the code.

Interested participants were confronted with 4 “hacking” goals to achieve:

  • Buy one of the items in the shop at a heavily discounted price: $1
  • Get as much credit card information out of the system as possible
  • Acquire another user’s logon credentials
  • Become Administrator of the shop

Practically all participants had no idea where or how to begin and started by playing around with the application. The idea was that everyone should try to break into the system as far as they could, but if someone got stuck, I’d give a hint.

This way all participants were in the position of an attacker rather than a developer and learned to look at applications with different eyes.
Telling people about security is one thing, but sitting right in front of a vulnerable system with a hidden back door just a few keystrokes away is another.
After seeing the vulnerabilities some people even recognized that their own applications had the same type of problem…

There was no prize to win, but still a lot of people came by and spent considerable time trying to break the application.
Everyone told me it was an eye-opener.
Everyone learned.
And most importantly: everyone had fun.

      7 Comments
      Former Member
      Hi Andreas,
      I can only remember my college days ;). Will such a "guided hacking tour" be available in Bangalore? I really missed your event in Boston!
      Best regards,
      Felix
      Former Member
      Blog Post Author
      Hi Felix,

      unfortunately this will not be available in Bangalore this year.

      Regards,
      Andreas

      Former Member
      Hi Andreas,
      any plans on letting the non-Boston-visitors know about your hands-on lesson?
      Any article/weblog planned? I'd love to read about that.

      Cheers,
      Max

      Former Member
      Blog Post Author
      Hi Max,

      well - I thought I had explained it in this blog... 🙂
      Anything in particular you'd like to know?

      Regards,
      Andreas

      Former Member
      Well, you mentioned the goals, but I think it would be interesting to see your ways of achieving them, as well as some of the places the participants got stuck - so as to share the practical experience of this lesson.
      Former Member
      Hi Andreas,
      I'll attend your presentation on Friday at the TU in Munich. (Hoping that it will be the same fun...)
      cu on Friday
      Jürgen
      Former Member
      Blog Post Author
      Hi Jürgen,

      Good to know that there will be at least one interested attendee in the audience... 😉

      The presentation on Friday is slightly different but nonetheless fun, I hope...

      Regards,
      Andreas