As you know, Joomla is often accused of being insecure. Nearly always this accusation is wrong! Joomla itself is secure, but third-party components most of the time are not.
There are different reasons for this, but the most obvious one in my eyes is the fact that it is super easy to create an extension. And most of the time those extensions are created by people who don't have enough experience and ....

I don't want to be one of those 3rd party developers that end up blamed for security holes, that is why we've organized this small hacking competition at compojoom.com (more info here). The idea is pretty simple - if you find a way to hack compojoomComment (the former joomlaComment) you are going to win a prize. So far it has been great fun! Several people tried XSS attacks, a few SQL injections, and I have friends trying to crack the captcha with some brute force attacks. (Thank god we are still holding tight :D)

I know that some really clever people are visiting the ATAAW page and I really hope that you are going to try your skills against compojoomComment!

You can experiment here: http://hackme.compojoom.com/

If you want to have a look at our code you can always visit the repository:
frontend and backend


If you have any questions let me know!

Daniel


Tags: competition, compojoomComment, hacking, joomla

Comment by Amy Stephen on August 4, 2010 at 7:39pm
I gotta say, this is pretty darn brave. lol! Daniel - I hope you consider writing about this in the mag. It might make a nice article to be included in the security section. Pretty interesting.
Comment by Robert Vining on August 4, 2010 at 9:23pm
I agree... you are definitely raising the bar for 3PD and security! Great to see an initiative like this!
Comment by Parth Lawate on August 4, 2010 at 11:01pm
I think it's hacked already... It's redirecting after about 2 seconds to http://jeffchannell.com/
Comment by Parth Lawate on August 4, 2010 at 11:04pm
Well, I think not automatically... but if you click just about anywhere
Comment by Parth Lawate on August 4, 2010 at 11:14pm
It's not even on click... on hover only...
& this is what is causing it...
Comment by Jeff Channell on August 5, 2010 at 12:41am
Sorry about the xxx.com - I wasn't thinking about the url resolving. :/

Also sorry about actually blocking the whole page. Can someone over there delete all the entries from my IP (but don't block me, because I'm not done yet).
Comment by Daniel Dimitrov on August 5, 2010 at 2:07am
Hahaha! So here are all the hackers in the joomla community :) Nice work Jeff!
Get a few hours of sleep and you've been forwarded :D:D:D Let us see how to fix this.
Comment by Daniel Dimitrov on August 5, 2010 at 3:30am
Ok, I think that I clearly need more sleep :)
I think that you won't be able to make such XSS attacks anymore.
I was not checking the content of the link for malicious code and that was obviously a bad idea.
http://hackme.compojoom.com/#josc46

Jeff, you got yourself a 1 year SalvusAlerting subscription and perhaps 200€ if nobody else finds an additional security related bug :)
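One way to close the hole Daniel describes (the link field of a comment being stored and rendered without checks), as an added example in PHP that is not compojoomComment's own code: validate the submitted link against an allow-list of schemes before storing it, and escape it for the href attribute when rendering. The function names and rules are assumptions about how a comment form's "website" field could be handled.

```php
<?php
// Added example, not compojoomComment's own code; names and rules are assumptions.

/**
 * Return an absolute http(s) URL safe to store as a comment's link, or null
 * if the value should be dropped. An allow-list of schemes rules out
 * javascript: and data: links regardless of casing or padding.
 */
function sanitizeCommentLink(string $raw): ?string
{
    // Strip ASCII control characters: browsers skip them inside a scheme, so
    // "java\tscript:" would otherwise get past a naive prefix check.
    $url = preg_replace('/[\x00-\x1F\x7F]/', '', trim($raw));
    if ($url === '' || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null; // empty, relative, or not a syntactically valid URL
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/**
 * Render the link. ENT_QUOTES escaping is the second half of the fix: a
 * quote inside the URL can no longer close the href attribute and start an
 * event handler, which matches the hover-triggered behaviour reported in
 * the comments above.
 */
function renderCommentLink(string $raw, string $label): string
{
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    $safe = sanitizeCommentLink($raw);
    if ($safe === null) {
        return $text; // plain text is better than a dangerous link
    }
    $href = htmlspecialchars($safe, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow">' . $text . '</a>';
}

// Constructed inputs for a manual check; none of these come from the page.
var_dump(sanitizeCommentLink('http://example.com/page?a=1&b=2'));
var_dump(sanitizeCommentLink('JavaScript:alert(1)'));
echo renderCommentLink('http://example.com/" onmouseover="x', 'Jeff'), "\n";
```

The same sanitizer belongs on the reflected path too: anything echoed back from the request (the second bug Jeff reports below) needs the same escaping before it reaches the page.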
Comment by Jeff Channell on August 5, 2010 at 3:40am
Daniel - I found a reflective XSS too... reported to your support@ email!

There's 2!
Comment by Jeff Channell on August 5, 2010 at 4:18am
Ouch, sorry to post #3 here... I see it got deleted. ;)


© 2012   Created by Amy Stephen.
