
Challenge Idea : Fun Factor?

Posted by Wixxerd
I have an idea for a challenge(s) where I provide the visitor with a TextArea, and a paragraph detailing tables available in a database. They have to submit a query that produces result sets based upon the criteria in the paragraph.

I don't think they'll wind up being high ranking (really hard) challenges, but was curious if anyone would find them fun? I could do variations..."You're attached to a MySQL database and need to return a result joining these tables, sorted blah blah, with only 5 results, etc."

Their submissions would run against the tables (after I cleaned up injection vectors) and then check their results. I could encapsulate their queries in tries so as to not produce fugly errors, and strip out all the drops, delete, sp calls, etc. when I clean it for injection.

What do you guys think? Worth it?
Posted by criple_ripper
It's definitely worth it.. I find it a very good idea!

Maybe some will not find it very fun to play with challenges like these but it will be very educational if the queries become more and more complex. And if I remember correctly I think there were a couple of challenges like these on some challenge site but I can't remember which one.

But as you already know it needs a very careful setup because there could be attack vectors that go beyond the challenge and could result in bringing down your site.. That's why many result in simulating solution queries, which I don't think would work in this case..
Posted by sabretooth
Quote from criple_ripper
Oct 21, 2012 - 15:06:40

But as you already know it needs a very careful setup because there could be attack vectors that go beyond the challenge and could result in bringing down your site.. That's why many result in simulating solution queries, which I don't think would work in this case..

As I think already nearly happened after talking to dloser.
The challenge was up briefly then taken down after it was deemed unsafe - Wixxerd: I suggest having challenges beta tested before putting them online, but be sure your testers are up to the job.
Without meaning to volunteer anyone, you need to be looking to the likes of dloser, tehron, criple_ripper and people of this calibre in order to get a thorough test done.
If you find time, head onto the irc (server: channel: #wechall) and ask around there; most of us are happy to help and we're available there a lot more than we are available here.

As you know, I too am happy to help out where I can (depending on my work situation), so drop me a line, and good luck with getting this fixed.

Last edited by sabretooth - Oct 21, 2012 - 15:14:41
Posted by Wixxerd
I've gotten a few really good suggestions already for securing it. (Don't worry, it was most definitely still in beta... along with several other play versions...) Definitely moving it to a different DB instance that doesn't have anything else on it... I don't want the focus of these "specific" ones to be injection, but I find it hard to believe it won't get tried... a lot.
Last edited by Wixxerd - Oct 21, 2012 - 15:58:11
Posted by space
Quote from sabretooth
Oct 21, 2012 - 15:13:14

Without meaning to volunteer anyone, you need to be looking to the likes of dloser, tehron, criple_ripper and people of this calibre in order to get a thorough test done.

You forgot kwisatz and jjk…
Contact only via c3BhY2VAd2VjaGFsbC5uZXQ= or PM...
Windows can be secure... but only if you don't use it
Posted by sabretooth
Quote from space
Oct 21, 2012 - 18:37:36

You forgot kwisatz and jjk…

Quote from sabretooth
Oct 21, 2012 - 15:13:14

and people of this calibre
