Posted by ethical-hacker
| Tuesday December 16th, 2014 | News
On 14 Dec the hacking competition Web Hacking Challenge 2014 took place. Teams which took part in the competition had two tasks:
- To gain access to one of the most commonly used website systems – WordPress.
- To provide solutions to improve the security of one of the most commonly used online sales systems – OpenCart.
The competition began with a two-hour hacking lecture, aimed at preparing those who are newer to the game.
Each team had an hour and a half to attack (task 1) and two hours to build up the defense (task 2).
The team with the most points, and therefore the winning team, was Lammers Inc:
Miroslav Koshutanski, Stanislav Madjarov, and Theodora Yanakieva.
The team successfully performed an XSS attack against the website’s administrators by taking advantage of a flaw in WordPress core. At first, the XSS attack looked harmless, but it was brilliantly executed and granted access to the whole website.
What makes their attack and success unique is that it is not traceable and that it takes advantage of a flaw in the core installation rather than a flaw in a module or a theme. WordPress is the system most commonly used by web designers; around 55% of websites are built on WordPress. The version used in the competition, 3.9.1, was released midway through 2014, and that leaves a lot of questions regarding the security of hundreds of thousands of websites.
The team also successfully took advantage of a flaw in one of the WordPress modules and performed an “Arbitrary File Download” attack, which allowed them to download the system’s configuration file. The only nemesis of Lammers Inc was time: they couldn’t get root access to the server.
The team of Dimitar Mirchev, Todor Vachev and Iasen Ianchev got the most points for defense (task 2). They offered many solutions to improve OpenCart’s security. The points they earned for defense were not enough to overtake Lammers Inc, who had a solid lead from the first, attacking, part, so they finished in second place.
Third place went to Hristo Hristov and Jivko Kabaivanov. They provided excellent defense solutions and solved a lot of problems.
Todor Donev, Zhana Yordanova and Venko Dobrev
The WordPress version used in the competition was 3.9.1.
The OpenCart version was 2.0.
You can find an archive with the software used in the competition here.
The password for the archive is: ethical-hacker.org