Hall of Fame Consistency

PostPosted: Tue May 13, 2008 12:36 pm
by Nines
I think there should be a more consistent and reasonable point allocation for Hall of Fame entries.

"Stenoplasma : Found a way to abuse old unused code to login as any user with just his passhash and userid. Proof of concept gave him to get full administrator access on the site." - 25 Points

"leoj : Leoj found an XSS attack in the logic missions. Leoj was able to inject any HTML/JS he wanted." - 50 points

From what I can gather, the XSS that leoj found couldn't have been persistent, yet he got more HoF points than Stenoplasma, who could get admin access to the site.

Another example being Darkcoder and Stenoplasma finding the exact same sort of vulnerability but one was allocated 200 points, the other 250 (500/2 since he found the same thing twice)

Another being where Stenoplasma found two separate SQL injections, together worth 200 points, while Nauticulus found one worth 300.

Shouldn't there be a more consistent system for allocating points?

Re: Hall of Fame Consistency

PostPosted: Wed May 14, 2008 7:09 pm
by TheMindRapist
Nines9 wrote:I think there should be a more consistent and reasonable point allocation for Hall of Fame entries.

"Stenoplasma : Found a way to abuse old unused code to login as any user with just his passhash and userid. Proof of concept gave him to get full administrator access on the site." - 25 Points

"leoj : Leoj found an XSS attack in the logic missions. Leoj was able to inject any HTML/JS he wanted." - 50 points

From what I can gather, the XSS that leoj found couldn't have been persistent, yet he got more HoF points than Stenoplasma, who could get admin access to the site.

Another example being Darkcoder and Stenoplasma finding the exact same sort of vulnerability but one was allocated 200 points, the other 250 (500/2 since he found the same thing twice)

Another being where Stenoplasma found two separate SQL injections, together worth 200 points, while Nauticulus found one worth 300.

Shouldn't there be a more consistent system for allocating points?


I think the points partly depend on how much the person who finds them elaborates on how they could possibly be used. And for your first example, the code wasn't used, so it makes sense it would be less.

Re: Hall of Fame Consistency

PostPosted: Thu May 15, 2008 5:28 am
by Nines
TheMindRapist wrote:I think the points partly depend on how much the person who finds them elaborates on how they could possibly be used. And for your first example, the code wasn't used, so it makes sense it would be less.


Ah, my understanding was that the code was actually on the site (like some sort of "oldlogin.php") that'd been found and exploited. Still though... devs are well aware of the damage that an SQL injection vulnerability could cause; I wouldn't think they'd need ways of using it listed :/

Re: Hall of Fame Consistency

PostPosted: Sun May 18, 2008 3:38 pm
by TheMindRapist
Yeah, but the points aren't for the devs, they are for you, so you have to show that you actually understood what you found. Although I don't really know, I've never gotten HoF.

Re: Hall of Fame Consistency

PostPosted: Mon May 19, 2008 1:50 pm
by Nines
I've got one so far... Submitted an SQL Injection vulnerability yesterday that I think me and evinyatar should get in again for :D ... Not sure on the status of bug reports at the moment, not sure how long these things normally take.

Re: Hall of Fame Consistency

PostPosted: Sun Jun 08, 2008 3:08 pm
by djpitagora
Just wanted to remind people that realistic mission one is worth 20 points. Realistic 16 is worth 400. Realistic 3 is 50 points.

Taking that as a scale this hof hack is a little over changing a parameter in the url on realistic one. Something doesn't feel right....

Re: Hall of Fame Consistency

PostPosted: Sun Jun 08, 2008 5:40 pm
by Nines
Yeah, don't mean to be an asshole about it but:

  • Leoj found an XSS attack in the logic missions. Leoj was able to inject any HTML/JS he wanted. (50 points)
  • Nines9 and StenoPlasma found a CSRF vulnerability in the Forum BBCode that allowed them to make themselves site Administrators, log out users, flag comments, accept and delete IRC linked Nicknames, etc. (50 points)

Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent)

Not to mention that xenoix was added for exactly the same thing (But without proof of concept for administrator access) and got 400 points for it. :?

Re: Hall of Fame Consistency

PostPosted: Thu Jun 12, 2008 7:37 am
by comperr
The majority of it has to do with who adds it.
I tend to be very conservative with points. Some of the past devs were very liberal. Also, there is no way for devs to change the point values once they are up.

I will post this on the dev forums and try to come up with some clear guidelines.

Re: Hall of Fame Consistency

PostPosted: Thu Jun 12, 2008 8:42 am
by Rijnzael
Nines9 wrote:Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent)


I disagree. CSRF vulnerabilities aren't difficult to find in a site that doesn't have any sort of protection against them. I'd consider vulnerabilities which are harder to execute and find at a much higher tier than CSRF vulnerabilities.

Re: Hall of Fame Consistency

PostPosted: Thu Jun 12, 2008 12:12 pm
by Nines
Rijnzael wrote:
Nines9 wrote:Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent)


I disagree. CSRF vulnerabilities aren't difficult to find in a site that doesn't have any sort of protection against them. I'd consider vulnerabilities which are harder to execute and find at a much higher tier than CSRF vulnerabilities.


I was making a comparison just between those two entries. I wouldn't really class that XSS as a vulnerability since you can't actually use it. Injecting XSS into the logic missions would only display on the page that the person injecting it would see. I can't see any way (other than to use an external site and grab cookies through an iframe or something) that you could use it for any sort of access. :/

evinyatar and I found an XSS you could actually use for half the points. :/ I know this sounds like a bitchmoan, but surely there should be some sort of standard for it.