
There were a few unintentional vulnerabilities in the levels. Only one actually made the levels significantly easy enough that it was worth patching -- namely, the session cookie bug you reference (it actually affected three levels). There was also a bug in the CTF architecture where you could set your user's URL to a javascript: URL. But to my knowledge no one has found vulnerabilities in the rest of the infrastructure :).


And the ruby regex newline vulnerability that featured in one of the later XSS levels was also present in an earlier level, but wasn't necessary for the intended vector, so I wondered if it was an unintentional oversight, or left as an alternate exploit, or just a red herring? (being intentionally vague so as not to spoil it for anyone...)
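The Ruby regex newline behaviour referred to in the comment above, as an added example that is not from the thread or the CTF's own code: in Ruby, `^` and `$` anchor to line boundaries, so a validator built on them accepts a multi-line value whose first line passes, whereas `\A` and `\z` anchor to the whole string. The function and input names are assumptions.

```ruby
# Added example (not from the thread). Ruby's ^ and $ match at the start
# and end of any *line* within the string, not of the whole string, so a
# validator anchored with them is satisfied by the first line alone.

# Hypothetical "before" validator: reads as strict, but is line-anchored.
def valid_username_line_anchored?(s)
  !!(s =~ /^[a-z0-9_]{1,16}$/)
end

# Hardened validator: \A is absolute start, \z is absolute end (\Z would
# still tolerate a single trailing newline, so \z is the one to use).
def valid_username_whole_string?(s)
  !!(s =~ /\A[a-z0-9_]{1,16}\z/)
end

# Constructed inputs: a plain value and a multi-line value whose first
# line is well-formed but whose second line is not a username at all.
SAFE_INPUT = "alice"
MULTILINE  = "alice\n<script>x</script>"

# Runs both validators over both inputs and returns the outcomes.
def demo
  {
    line_anchored_safe:  valid_username_line_anchored?(SAFE_INPUT),   # true
    line_anchored_multi: valid_username_line_anchored?(MULTILINE),    # true: bypass
    whole_string_safe:   valid_username_whole_string?(SAFE_INPUT),    # true
    whole_string_multi:  valid_username_whole_string?(MULTILINE),     # false: rejected
  }
end

if __FILE__ == $0
  demo.each { |name, result| puts "#{name}: #{result}" }
end
```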


Actually, it wasn't supposed to be there in any of the levels :).


I was one of the ones who went through those three levels with the session cookie bug. How many people reported it? Do you have a problem with me posting a write-up on the bug somewhere (now that it's fixed)?


We fixed it as soon as it was reported, and have probably gotten four or five independent reports at this point. Feel free to post away!


I also used that bug for the three levels. At that time I was more concerned with catching up (I started late) and the thought of it being an unintentional bug never crossed my mind. Though hours later I thought it was a bit strange that all three levels had to be solved in a similar way.


I'd love to read a write-up of this bug if you get a chance.


There was the unintended XSS on level02 - granted, you could only XSS yourself, but by having a space in the filename you could inject whatever you wanted. :)
