The game of capture the flag is a childhood staple. Each team hides a flag deep inside their base and mounts the best possible defense against an invading enemy team. The adult IT Security version of capture the flag is much the same game. Instead of the backyard, this game is played on web servers, and instead of dish towels, players are hunting for security loopholes. These adult versions of capture the flag serve as practice grounds for IT Security professionals and enthusiasts and are hosted by many different types of organizations around the world. Organizers set up servers that are meant to mimic real world applications with a wide gamut of security interfaces and protocols. You can expect to see challenges related to exploitation, cryptography, data forensics, and IP networking just to name a few. Points are awarded once a competitor obtains a special passphrase that is found in the challenge, behind a login screen or maybe hidden deep inside an encrypted file. For someone interested in IT security or white-hat hacking it is loads of fun. What I found, however, is there is also great value to be had by anyone who works in a developer role creating websites and applications for the real world.
I recently had the opportunity to compete in the CSAW CTF, which was put on by the NYU School of Engineering. I teamed up with a friend, Spencer Strausbaugh, who works directly in IT security auditing and specializes in data forensics. With no formal training in IT-Sec, I was going to have to lean heavily on Google and my web development experience to be of any help to our team. The 72 hour event kicked off on a Friday night. We bought more than a nerdy stereotype’s worth of energy drinks and hunkered down at our temporary battlestation in Spencer’s apartment for a long weekend of hacking. Spencer’s data forensics expertise carried us, and I set out with a “learn as I code” mentality to try and conquer some of the web and database challenges. As I researched each new challenge and tried to find a backdoor a recurring theme kept appearing. I knew how to create each of these log-in screens, database accesses, and API calls but I did not have an in depth knowledge of how the inherent security worked. All good developers debug but this was different than debugging this was intentionally breaking and I found that trying to break the code was the best way to learn how it all worked.
This thought is what leads me to suggest that all developers of every type should compete in at least one CTF event. The perspective that you gain from being on the proverbial “dark side” of the internet battle is immeasurable, and I know that since my first CTF event there has been a marked difference in my thought process while I code. I am much more wary of that random JS library that was suggested on Stack Overflow. It may easily fix my problem, but I now consider what loopholes it will leave open–especially given that I watched 3 different teams of undergraduate students all achieve perfect scores on the CSAW CTF with seemingly relative ease.