This repository has been archived by the owner on May 1, 2022. It is now read-only.

write defensive challenges #69

Open
northdpole opened this issue Apr 27, 2014 · 15 comments

@northdpole
Collaborator

All of our challenges are in the mentality of "here's the application, break it". It would be nice to have challenges where the student is given a piece of broken code and is required to fix it.

@subhayanRM
Contributor

but that would be difficult to evaluate, unless peer review is an option.. but then again peer review works well only in strong peer groups. (it's like a prisoner's dilemma game .. you have 2 equilibria here)

@northdpole
Collaborator Author

We could start with very simple challenges, like: here's a piece of code which is SQLi-vulnerable, use the correct escaping function to fix it. And then we test either by running a piece of the code or by regex.

On 27/04/2014 10:03 PM, Subhayan Roy Moulick wrote:

> but that would be difficult to evaluate, unless peer review is an option.. but then again peer review works well only in strong peer groups. (it's like a prisoner's dilemma game .. you have 2 equilibria here)

@MisterIcy
Contributor

Or we can create an interpreter to parse JavaScript/Ruby/whatever language and get the output. While it's practically possible, it may do much more harm to someone, since the result might be valid, but the means (the way the solution is written) are trashy. Memory leaks, new holes, etc. might appear in the "correct" code. As @subhayanRM said, this requires peer review.

@gameFace22
Contributor

Can we add code which is vulnerable to buffer overflow and let fixing it be a challenge?!
Just a suggestion.
And why haven't there been any improvements in creating defensive challenges?

@northdpole
Collaborator Author

How would you test for buffer overflow without executing the code?

On 17.12.2014 18:35, Nishaanth Gunasekaran wrote:

> Can we add code which is vulnerable to buffer overflow and let fixing it be a challenge?!
> Just a suggestion.
> And why haven't there been any improvements in creating defensive challenges?

@gameFace22
Contributor

We could probably add a vulnerable file and ssh it. Access the file. Fix it and upload it again. We can have an option to download the file or better ssh and access the file.

@pchaigno
Collaborator

@gameFace22 It doesn't resolve the issue of checking for the correctness of the answer...

@gameFace22
Contributor

Oh, yes!
I never thought of that.

@northdpole
Collaborator Author

We need a sandbox for that, something where you are able to execute code without affecting the server. Luckily there's a team in OWCS working on it. Let's see what they come up with.

On 17.12.2014 20:29, Nishaanth Gunasekaran wrote:

> Oh, yes!
> I never thought of that.

@gameFace22
Contributor

Great! I will go search for more defensive challenges.

@northdpole
Collaborator Author

for sqli challenges in js
https://github.com/google/lovefield

@a0xnirudh
Collaborator

I believe we have a much better solution for this now using Docker ;). We already have a sample PHP challenge (dealing with XSS in the branch a0xnirudh/docker) which is intentionally vulnerable, and users should fix the code and submit it back to the interface, which then tells you if you have done a correct fix or not.

Since we are actually executing code, chances of false positives are much lower. Do test when any of you has some time and let me know. I will be adding more challenges and support for other web languages (only PHP support now) like Nodejs, ROR etc. in the near future.

Thanks !
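
The two grading approaches raised in this thread (regex on the submitted source versus actually running the fix), as an added example that is not code from this project or from any commenter. The challenge, the three submissions, the `lookup` interface and the grader function names are all hypothetical and constructed for illustration; it uses Python with an in-memory SQLite database rather than the PHP challenge mentioned above.

```python
import re
import sqlite3

# Constructed submissions for a hypothetical "fix the SQLi" challenge.
VULNERABLE = '''
def lookup(conn, name):
    return conn.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()
'''
FAKE_FIX = '''
def escape(s):
    return s  # named like a sanitizer, does nothing
def lookup(conn, name):
    return conn.execute("SELECT email FROM users WHERE name = '" + escape(name) + "'").fetchall()
'''
REAL_FIX = '''
def lookup(conn, name):
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
'''

def grade_by_regex(source):
    # Static check: passes anything that mentions an escaping call or a placeholder.
    return bool(re.search(r"escape\(|= \?", source))

def grade_by_execution(source):
    # Behavioural check. exec() of a real submission belongs inside a sandbox
    # (e.g. a container); it is called directly here only on constructed input.
    ns = {}
    exec(source, ns)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a@example.test"), ("o'brien", "o@example.test")])
    try:
        works = ns["lookup"](conn, "alice") == [("a@example.test",)]
        # A legitimate name containing a quote must still be found.
        quote_ok = ns["lookup"](conn, "o'brien") == [("o@example.test",)]
        # Tautology probe: a correct fix treats it as a literal name, so no rows.
        safe = ns["lookup"](conn, "nobody' OR '1'='1") == []
    except sqlite3.Error:
        return False  # the submission broke on legitimate or hostile input
    finally:
        conn.close()
    return works and quote_ok and safe

def grade_all():
    subs = {"vulnerable": VULNERABLE, "fake_fix": FAKE_FIX, "real_fix": REAL_FIX}
    return {k: (grade_by_regex(v), grade_by_execution(v)) for k, v in subs.items()}
```

`grade_all()` returns a `(regex, execution)` verdict per submission; the do-nothing `escape()` wrapper is accepted by the regex grader and rejected by the behavioural one.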

@northdpole
Collaborator Author

@a0xnirudh is right, we finally haz sandbox 💯 Challenge looks cool at first glance, I'll check it when I'm back behind a computer.

@RahulPratapSingh

@northdpole We can put vulnerable code for OWASP Top 10 like Injection (Header, SQLi, etc.), XSS, LFI, RFI, CSRF, etc.

@a0xnirudh
Collaborator

@RahulPratapSingh Yes, I will be working on the same this summer!

@northdpole I think we can close this issue now?

@a0xnirudh self-assigned this on Mar 16, 2016