What is the best way to detect security vulnerabilities in an application? Hackathons have proven to be a particularly useful collaborative event format. Experts from a wide range of specialist areas come together and together they track down possible vulnerabilities. The advantage: They look at problems from different angles in teams – and thus search for interdisciplinary solutions.
“Capture the Flag” event in Magdeburg
Within the framework of a hackathon, we invited in-house and external experts from the areas of IT security, software and hardware, administration, web development, consulting and testing to the Magdeburg branch. In strict compliance with Corona security measures, the participants were able to test their skills on the PHP/MySQL web application “Damn Vulnerable Web Application” (DVWA) – and in mutual exchange gained new insights into the security processes of web applications.
Identifying and exploiting security gaps
On Linux notebooks they tried out which security holes in a vulnerable application could be exploited. A particular challenge was that the training systems were not connected to the Internet. The few available tools had to be combined creatively: Software like netcat had to be extracted from the system to be attacked before it could be used. Elsewhere, scripts for carrying out the attacks had to be written first.
Gateway for attacks – supposedly secure web applications
The multidisciplinary teams did not let these multiple hurdles stop them – and gained access to the supposedly secure web application. Together, they bypassed poorly generated Cross-Site Request Forgery (CSRF) tokens, obtained Remote Code Executions (RCE), opened remote shells, and extracted data from the supposedly protected database.
In the course of the three-hour Capture the Flag event, participants were able to share their knowledge in a playful way – and above all, build up new knowledge.
Continuation of the “Capture the Flag” event series planned
Due to the extremely positive response from the participants, we will continue this series of workshops in the future – and thus continue to bring together experts from various fields who are enthusiastic about security and promote a lively exchange of ideas.