-
Notifications
You must be signed in to change notification settings - Fork 0
Types of challenges
This page is meant as a (temporary?) placeholder to track the various types of challenges, and how to address various concerns in implementation. By "types" of challenges, I mean less SQL injection/cross site scripting/timing attack and more in the "this runs locally as a binary on the user's machine", "this is done server side", "this is just a blob of data we pass to the user for processing."
For now this is mostly a placeholder list, I'm certainly not solid on any of the following terms/categories but they make sense for the time being. ~sam
This would be applications given to the user to run/exploit on their own machines, similar to the old-style application challenges. This is anything the user will have the full code of the challenge at their disposal, making hiding a token or function call useless. Off the top of my head, I don't have a good solution for this yet.
This would be things like handing out a crafted pcap with a plain-text http stream with a random password in it or a randomly generated password hash. In these cases, finding the data itself is the challenge and using a token should work as long as it's generated in a way that isn't easy to regex out of the container (unless that's the challenge?)
This is most of what the old-style challenges are. There's probably a lot of sub-categories here and each would have a different implementation, but these are likely to be easier or more conventional solutions since we've got more control over their execution/protection. We've also got a lot of (good and bad) examples from the old code base :P