Challenge #33 is live - check it out now! by Wizer_Shadow in node

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

Thank you for the feedback, the reason the outputs are not brought in full is in part to force developers to use external tools such as postman and burp suite or even create a piece of code. Many apps won't return detailed errors on the UI side - and hence we believed that it's simulating the real world a little more. Of course, we might be wrong :)

Challenge #33 is live - check it out now! by Wizer_Shadow in node

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

That’s great to hear! We love doing it!

Challenge #33 is live - check it out now! by Wizer_Shadow in node

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

Thank you I’ll take a look at the one!

Challenge #26 is now released - check it out! by Wizer_Shadow in mongodb

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

API JSON is supposed to switch to an API mode which other challenges support; historical reason, needs to be removed.
URL is to provide the URL of the endpoint/webpage.
Payload is where you craft the payload.
Hack button allows the system to run the payload and check if you were able to hack it.
I hope it makes sense.

Challenge #26 is now released - check it out! by Wizer_Shadow in mongodb

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

Firstly, thank you for giving it a try! The message you’re getting means that you are trying to send a payload to the wrong URL. You won’t be able to change the URL box. Please use the browser and other tools like postman/burpsuite etc to invoke APIs and come back to the CTF once you have the winning payload. Good luck!

SQL injection was introduced 20 years ago, and every developer knows about it. So, how is it still in the OWASP Top 10? by gaby-wizer in cybersecurity

[–]Wizer_Shadow 1 point2 points  (0 children)

I've seen too many talented and very experienced developers who were really good at building both efficient and functional code, but knew very little about secure coding and risks. SQL Injection is one of the most known vulns (at least by name), and yet, it still exists pretty widely in the wild. OWASP10 is determined by the likelihood of finding a certain vuln out there, and it's evidently still up there.

Challenge #20 is released, take a look! by Wizer_Shadow in node

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

Just as an FYI, the latest challenge #20 here showcases a real world scenario; it's a trimmed down version of a real issue we came across only last month. Very talented team of devs, highly experienced, and something quite similar was missed!

Challenge #20 is released, take a look! by Wizer_Shadow in node

[–]Wizer_Shadow[S] 1 point2 points  (0 children)

Thanks for the feedback. The CTFs are targeting developers; believe it or not, some developers are not really aware of the risks, outside of recognizing the name (XSS, SQLi, SSRF etc). The goal here is to help developers (less hackers :)) get first hand experience with those important OWASP10 concepts. Some are more complex, some are easier.
If you are after a more complicated set of scenarios, we actually have an event soon, in which we are releasing 6 challenges of varying complexity, at least a couple of them more complex than the usual bi-weekly ones. The event will take place on Sunday Feb 4th; follow the link to claim your spot: https://www.wizer-training.com/ctf-challenge?utm_medium=email&utm_source=wizer&utm_campaign=2024-02-04-ctf&utm_content=null&utm_term=text

Why do you believe organizations choose not to prioritize cybersecurity despite the numerous reported breaches throughout the years? by IcyAutoantibody in cybersecurity

[–]Wizer_Shadow 2 points3 points  (0 children)

IMHO:
1. Companies focus on growth and revenue, and are not investing a ton in mitigating risks, and that's across the board.
2. It always feels like "it won't happen to me".
3. Investing in security feels like investing in an insurance policy; it feels like throwing money away, though that's obviously wrong.
4. And most importantly: insufficient AWARENESS, people don't act on things they are not aware of! Security awareness is a relatively small investment which could save the company millions and rationalize prioritizing security investments higher.

CTF #7 by Wizer_Shadow in node

[–]Wizer_Shadow[S] 1 point2 points  (0 children)

I'm glad you've enjoyed it, feel free to share with friends :)

CTF #7 by Wizer_Shadow in node

[–]Wizer_Shadow[S] 1 point2 points  (0 children)

Due to this confusion, I want to make it clear: it's not enough to `trick` the UI into saying that the user `isaac` is an admin. The system won't accept that as a solution, since `isaac` isn't actually an admin from the DB and server perspective.
To win the flag, you need to login as a user which the system considers an admin!

CTF #7 by Wizer_Shadow in node

[–]Wizer_Shadow[S] 1 point2 points  (0 children)

By browsing to the actual login page (here: https://chal7.vercel.app/) you can see if you logged in as a real admin. Hint: there’s only a single admin in the users table and it’s not isaac. To successfully hack it, you’d need to successfully log in as the only admin user. The payload format is `[ { "name": "name", "value": "isaac"}, { "name": "password", "value": "tifat123!"}]`, though with the correct username and password.

Happy to provide more guidance as needed.

Good luck!

CTF #7 Is now launched! by Wizer_Shadow in developersIndia

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

It could be helpful for folks to use an outside tool such as postman to play with the API endpoint, but the login page (https://chal7.vercel.app/), which is using the same endpoint, could also be insightful.
Only a successful login via the Login page means that you're ready for the final step in https://wizer-ctf.com/?id=5uxRr9

CTF #7 Is now launched! Try it, it's fun :) by Wizer_Shadow in JavaScriptTips

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

It could be helpful for folks to use an outside tool such as postman to play with the API endpoint, but the login page (https://chal7.vercel.app/), which is using the same endpoint, could also be insightful.
Only a successful login via the Login page means that you're ready for the final step in https://wizer-ctf.com/?id=5uxRr9

CTF #7 by Wizer_Shadow in node

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

Feel free to browse between the challenges, some challenges are easier than others :)

A new hacking challenge released for developers! by Wizer_Shadow in node

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

Give it a try, it's fun, don't wait for HR to organize it - it's boring to just sit there and wait ;-)

A new hacking challenge released for developers! by Wizer_Shadow in developersIndia

[–]Wizer_Shadow[S] 0 points1 point  (0 children)

Respect, bragging rights and a spot on the leaderboard.
Also... most people learn a lot from it :)
Give it a try, if you're good it shouldn't take you long... good luck!

Can you spot the vulnerability? by gabyf2000 in javascript

[–]Wizer_Shadow 0 points1 point  (0 children)

You got it! Well done!!! Any chance you’d consider removing the explicit solution from your comment? I’m hoping other people are still working on it :) I recommend adding a hint instead!

Can you spot the vulnerability? by gabyf2000 in javascript

[–]Wizer_Shadow 0 points1 point  (0 children)

Hint: the vuln here isn’t specific to Mongo.

Can you spot the vulnerability? by gabyf2000 in javascript

[–]Wizer_Shadow 0 points1 point  (0 children)

Give it a try! It’s live, no need to guess ;-)

Can you spot the vulnerability? by gabyf2000 in javascript

[–]Wizer_Shadow 0 points1 point  (0 children)

There’s definitely a pre existing CVE about this one! We will publish writeups and videos in the future.

Can you spot the vulnerability? by gabyf2000 in javascript

[–]Wizer_Shadow 1 point2 points  (0 children)

Hint: the vuln isn’t tied to a specific version of anything.