We set up a highly insecure Web shop that, in real life, would quickly have ruined the company running it.
Participants could first visit our “security training camp” to learn about the different types of attacks today’s Web applications are exposed to.
Everyone who felt up to the challenge could then enter the competition and try to solve as many of the following tasks as possible:
- Buy cheaper than the shop owner wants you to
- Access the file /tmp/stealme.txt
- Find the source code of the page ccdata.jsp
- Acquire another customer’s credit card data (for scientific reasons only)
- Become administrator
- Find an alternative way to become admin – just in case someone fixes the other bug
- Change the product list
- “Borrow” the login data of another user
A great many people visited and participated, including some who initially had no idea what Web application security actually means.
Our main goal was to raise awareness among participants by demonstrating “hands on” how easy it can be for an attacker to break into a Web application if the developers don’t do their homework.
Additionally, the “Security Corner” was meant to be fun for everyone who took part, and the lucky winner went home with a video iPod in his pocket. Well done, Igor!
But one participant didn’t have a good time at all: after reading through our training system he left TechEd and went to fix his bugs…