AppSecUSA 2015 has ended
Friday, September 25 • 11:30am - 12:25pm
Game of Hacks: The Mother of All Honeypots


We created a “Game of Hacks” – a viral Web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot. During a 6-month timeframe, we witnessed each attack that came at this game, secured the app against it and studied how attackers adapted to the mitigation measures. The lessons learnt can be applied to any Web app introduced into the organization.

-----

How do hackers adjust, in real time, to the various hardening measures applied to a Web app? We set out to answer this question with an interactive Web app honeypot. For the honeypot, we created a viral Web-based gaming application; however, the lessons learnt apply to any Web application.

Aptly called “The Game of Hacks”, our gaming app was marketed as a tool to train developers to write secure code. The app presented users with a piece of vulnerable code and a set of multiple-choice questions from which the user had to pick the correct vulnerability – in the shortest possible time. Backed by a central database, the app kept a scoreboard of all players and displayed the top winners. Additionally, the app was built with crowd-sourcing capabilities, so users could contribute their own pieces of code and questions.

Our “Game of Hacks” quickly became a popular game, boasting more than 200K users within 2 weeks. Consequently, it also garnered the desired attention from hackers. We set out to analyze that attention over a planned 6-month period.

With the list of vulnerabilities in hand (and some that we added as we adapted to the threat landscape), we witnessed each attack that came at this game. Against each attack, we secured the app and studied the attackers’ next move. One by one, we crossed off the different attacks and had a live look at the way that attackers adapted to our mitigation measures.

We start this session with a brief introduction to “Game of Hacks” and the included vulnerabilities. We then proceed to simulate the actual honeypot activity in an interactive session similar to the actual cat-and-mouse game that we witnessed: for each vulnerability, we show how it was exploited, the corresponding security measure and how it was bypassed.

We examine vulnerabilities and attacks such as: A) Business logic attacks. Here, hackers tweaked the timer so that their scores – based on parameters such as time and accuracy – became unsurpassable. B) DDoS attacks through site scraping, where an external database was built to correctly answer each question automatically. C) Comment spam enabled by the crowd-sourcing of questions.
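The business logic attack in item A comes down to trusting a timer value that the client reports. As an added illustration (not code from the talk or from the Game of Hacks app), the following Python shows the vulnerable pattern beside a hardened one: the server records the question's start time inside an HMAC-protected token when it serves the question, computes elapsed time from that server-side timestamp at submission, and refuses edited or replayed tokens. The question bank, secret, scoring formula and time limit are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample data: a tiny question bank and a per-process secret.
# In a real deployment the secret comes from configuration, not source code.
SERVER_SECRET = secrets.token_bytes(32)
QUESTIONS = {"q1": "xss", "q2": "sqli"}  # question id -> correct answer (constructed)
MAX_POINTS = 1000
TIME_LIMIT_MS = 30_000  # answers slower than this earn nothing (constructed limit)

# Tokens already scored; stops a player resubmitting a fast answer repeatedly.
_CONSUMED: set = set()


def score_for(elapsed_ms: int, correct: bool) -> int:
    """Points decay linearly with elapsed time; wrong or late answers score zero."""
    if not correct or elapsed_ms < 0 or elapsed_ms > TIME_LIMIT_MS:
        return 0
    return MAX_POINTS - (elapsed_ms * MAX_POINTS) // TIME_LIMIT_MS


def submit_insecure(payload: dict) -> int:
    """Vulnerable pattern: the client reports its own timer reading.
    Everything in the request body is attacker-controlled, so a player can
    send elapsed_ms=0 and claim the maximum score on every question."""
    correct = QUESTIONS.get(payload["qid"]) == payload["answer"]
    return score_for(int(payload["elapsed_ms"]), correct)


def _sign(qid: str, issued_ms: int) -> str:
    """MAC over the question id and server-side start time."""
    msg = f"{qid}|{issued_ms}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_question(qid: str, now_ms: Optional[int] = None) -> str:
    """Hardened pattern, step 1: when the question is served, the server stamps
    the start time into a token it hands to the client. The client cannot
    change the stamp without invalidating the MAC."""
    issued_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return f"{qid}|{issued_ms}|{_sign(qid, issued_ms)}"


def submit_secure(token: str, answer: str, now_ms: Optional[int] = None) -> int:
    """Hardened pattern, step 2: elapsed time is derived from the server-issued
    timestamp. A forged or edited token fails the MAC check, and a token that
    has already been scored is rejected as a replay; both score zero."""
    try:
        qid, issued_str, mac = token.split("|")
        issued_ms = int(issued_str)
    except ValueError:
        return 0
    if not hmac.compare_digest(mac, _sign(qid, issued_ms)):
        return 0
    if token in _CONSUMED:
        return 0
    _CONSUMED.add(token)
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    elapsed_ms = now_ms - issued_ms
    return score_for(elapsed_ms, QUESTIONS.get(qid) == answer)


if __name__ == "__main__":
    honest = {"qid": "q1", "answer": "xss", "elapsed_ms": 15_000}
    cheat = {"qid": "q1", "answer": "xss", "elapsed_ms": 0}
    print("insecure, honest 15s answer:", submit_insecure(honest))
    print("insecure, client claims 0 ms:", submit_insecure(cheat))
    tok = issue_question("q1", now_ms=1_000_000)
    print("secure, 15s by server clock:", submit_secure(tok, "xss", now_ms=1_015_000))
    print("secure, replay of same token:", submit_secure(tok, "xss", now_ms=1_015_000))
```

The token here is a plain string so the mechanics are visible; a real app would keep the same idea (server-side start time, integrity-protected, single use) behind a session or a signed JWT-style token. The per-question time limit also bounds how long a scraped answer database has to respond, which is the defensive angle on item B.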

We close the session with a summary of the methods we used to strengthen our gaming honeypot and share our insights with attendees. It is our hope that attendees learn from these measures and apply them to any Web app being introduced in the enterprise.

Friday September 25, 2015 11:30am - 12:25pm PDT
Room B