Website Hacking Challenge Varna – 2014

Posted by ethical-hacker | Tuesday December 16th, 2014 | News

On 14 Dec the hacking competition Web Hacking Challenge 2014 took place. The teams taking part in the competition had two tasks:

  • To gain access to one of the most commonly used website systems – WordPress.
  • To propose solutions for improving the security of one of the most commonly used online sales systems – OpenCart.

The competition began with a two-hour hacking lecture aimed at preparing those who are newer to the game.
Each team had an hour and a half to attack (task 1) and two hours to build up the defense (task 2).

The team with the most points, and therefore the winning team, is Lammers Inc:
Miroslav Koshutanski, Stanislav Madjarov, and Theodora Yanakieva.

The team successfully performed an XSS attack against the website’s administrators by taking advantage of a flaw in the WordPress core. At first the XSS attack looked harmless, but it was brilliantly executed and granted access over the whole website.

What makes their attack and success unique is that it is not traceable and that it takes advantage of a flaw in the core installation rather than a flaw in a module or a theme. WordPress is the most commonly used system among web designers; around 55% of websites are built on WordPress. The version used in the competition, 3.9.1, was released midway through 2014, which leaves a lot of questions regarding the security of hundreds of thousands of websites.

The team also successfully took advantage of a flaw in one of the WordPress modules and performed an “Arbitrary File Download” attack, which allowed them to download the system’s configuration file. The only nemesis of Lammers Inc was time: they could not get root access to the server.

Dimitar Mirchev, Todor Vachev and Iasen Ianchev’s team got the most points for defense (task 2). They offered many solutions for improving OpenCart’s security. The points they earned for defense were not enough to overtake Lammers Inc, who had a solid lead from the first, attacking part, so they finished in second place.

Third place went to Hristo Hristov and Jivko Kabaivanov. They provided excellent defense solutions and solved a lot of problems.

Thanks to:

Todor Donev, Zhana Yordanova and Venko Dobrev

The WordPress version used in the competition is 3.9.1.
The OpenCart version is 2.0.

You can find the archive with the software used in the competition here.
The password for the archive is: ethical-hacker.org
