Stripe Capture The Flag 2.0 - Problem 0
9/Sep 2012
Stripe just finished running a second “capture the flag” challenge. They ran a similar challenge this February and was more focused on system level. This time, it’s full-on web security.
In the next few posts, I’m going to discuss the problems in the challenge, how I solved them and what did I learn from from each challenge.
Problem 0
Here are the code for level 0:
So you have a node.js server script, with an HTML front-end. The front-end allows you to submit a web form which allows you to retrieve your stored secret but the secret to level 1 is also stored in the same database.
Reading the code, the query on line 34 jumps out at you:
var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
Even though I’m not too familiar with nodejs or its db API, the part where it concatenates user input with “.%” looks suspicious. ||
is the SQL operator for concatenation, and ‘%’ is the SQL wildcard that matches 0 or more characters of any kind. What if my user input is “%”?
VoilĂ ! That’s it! %.%
gives you all passwords with namespace that has a dot in the middle.
Conclusion
SQL-injection is a known security issue for a long time yet you’d be surprised how many sites are still subject to such exploits. The problem with level 0 code is exactly that: unsanitized user input is sent directly to the database for execution. So everytime a string concatenation is seen in a SQL statement, you have to ask yourself: is the ting being concatenated trustworthy? Use prepared statement or your database’s escape function wherever possible.