CyberSeed 2017 - Application Security
2017 October 21

I recently competed at the 4th Cyberseed event at UConn in the application development competition. The challenge was to build a secure application according to specific specifications before the competition. Then the individual teams would attack each others apps in order to collect various flags placed in our apps. This year was the first for this particular event, and the challenge was to build a secure medical repository. The teams were then given the source for each others apps a couple of days before the event. This event was a lot of fun and lead to a lot of lessons about secure app development for me.

The lessons include how difficult it is to build to spec. It was fairly difficult parsing out all of the requirements from a doc, that was not fully clear, and allowed a vast number of holes in the specs. It included roles, but no details on an authentication flow. This lead to there being no passwords being loaded into the system, making it much more difficult to capture the flags, and lead to dependence in programming errors or left behind admin credentials.

Some the requirements include leaving behind some backdoors into the application. These backdoors include things like injection of an admin user, loading and dumping the database, and storage and retrieval of various files within the file system. These backdoors were kind of difficult to secure, I ended up placing as a script that was ran over ssh and secured with public key authentication. This was our downfall. We ended up with our app being misconfigured with the admin credentials being injected before the game data was loaded. We left behind the our injected credentials in the configuration file. This allowed the other teams to log into our app once they found the credentials in our source code dump.

The hardest part of the whole event was actually capturing the flags. It was exceptionally difficult, because all of the teams knew what they were doing and the event organizers closed the really stupid holes like the default ssh passwords. My team did not manage to capture any flags at this event, but we did come in 5th place, because I found a requirements conflict in the specification. This event was a lot of fun, and a lot of stress. I might consider doing this again in the future with a full team.

*****
Written by Henry J Schmale on 2017 October 21