Hall of Fame Consistency

Hall of Fame Consistency

Post by Nines on Tue May 13, 2008 12:36 pm

I think there should be a more consistent and reasonable point allocation for Hall of Fame entries.

"Stenoplasma : Found a way to abuse old unused code to login as any user with just his passhash and userid. Proof of concept gave him full administrator access on the site." - 25 Points

"leoj : Leoj found an XSS attack in the logic missions. Leoj was able to inject any HTML/JS he wanted." - 50 points

From what I can gather, the XSS that leoj found couldn't have been persistent, yet he got more HoF points than Stenoplasma, who could get admin access to the site.

Another example: Darkcoder and Stenoplasma found the exact same sort of vulnerability, but one was allocated 200 points, the other 250 (500/2, since he found the same thing twice).

Another: Stenoplasma found two separate SQL injections, together worth 200 points, while Nauticulus found one worth 300.

Shouldn't there be a more consistent system for allocating points?


Re: Hall of Fame Consistency

Post by TheMindRapist on Wed May 14, 2008 7:09 pm

Nines9 wrote:I think there should be a more consistent and reasonable point allocation for Hall of Fame entries.

"Stenoplasma : Found a way to abuse old unused code to login as any user with just his passhash and userid. Proof of concept gave him full administrator access on the site." - 25 Points

"leoj : Leoj found an XSS attack in the logic missions. Leoj was able to inject any HTML/JS he wanted." - 50 points

From what I can gather, the XSS that leoj found couldn't have been persistent, yet he got more HoF points than Stenoplasma, who could get admin access to the site.

Another example: Darkcoder and Stenoplasma found the exact same sort of vulnerability, but one was allocated 200 points, the other 250 (500/2, since he found the same thing twice).

Another: Stenoplasma found two separate SQL injections, together worth 200 points, while Nauticulus found one worth 300.

Shouldn't there be a more consistent system for allocating points?


I think the points partly depend on how much the person who finds them elaborates on how they could possibly be used. And for your first example, the code wasn't used, so it makes sense it would be less.


Re: Hall of Fame Consistency

Post by Nines on Thu May 15, 2008 5:28 am

TheMindRapist wrote:I think the points partly depend on how much the person who finds them elaborates on how they could possibly be used. And for your first example, the code wasn't used, so it makes sense it would be less.


Ah, my understanding was that the code was actually on the site (like some sort of "oldlogin.php") that'd been found and exploited. Still though... devs are well aware of the damage that an SQL injection vulnerability could cause; I wouldn't think they'd need ways of using it listed :/


Re: Hall of Fame Consistency

Post by TheMindRapist on Sun May 18, 2008 3:38 pm

Yeah, but the points aren't for the devs, they are for you, so you have to show that you actually understood what you found. Although I don't really know, I've never gotten HoF.


Re: Hall of Fame Consistency

Post by Nines on Mon May 19, 2008 1:50 pm

I've got one so far... Submitted an SQL injection vulnerability yesterday that I think evinyatar and I should get in again for :D ... Not sure on the status of bug reports at the moment, or how long these things normally take.


Re: Hall of Fame Consistency

Post by djpitagora on Sun Jun 08, 2008 3:08 pm

Just wanted to remind people that Realistic mission 1 is worth 20 points. Realistic 16 is worth 400. Realistic 3 is 50 points.

Taking that as a scale, this HoF hack is a little over changing a parameter in the URL on Realistic 1. Something doesn't feel right...


Re: Hall of Fame Consistency

Post by Nines on Sun Jun 08, 2008 5:40 pm

Yeah, I don't mean to be an asshole about it, but:

  • Leoj found an XSS attack in the logic missions. Leoj was able to inject any HTML/JS he wanted. (50 points)
  • Nines9 and StenoPlasma found a CSRF vulnerability in the Forum BBCode that allowed them to make themselves site Administrators, log out users, flag comments, accept and delete IRC linked Nicknames, etc. (50 points)

Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent).

Not to mention that xenoix was added for exactly the same thing (But without proof of concept for administrator access) and got 400 points for it. :?


Re: Hall of Fame Consistency

Post by comperr on Thu Jun 12, 2008 7:37 am

The majority of it has to do with who adds it.
I tend to be very conservative with points. Some of the past devs were very liberal. Also, there is no way for devs to change the point values once they are up.

I will post this on the dev forums and try to come up with some clear guidelines.


Re: Hall of Fame Consistency

Post by Rijnzael on Thu Jun 12, 2008 8:42 am

Nines9 wrote:Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent).


I disagree. CSRF vulnerabilities aren't difficult to find in a site that doesn't have any sort of protection against them. I'd consider vulnerabilities which are harder to execute and find at a much higher tier than CSRF vulnerabilities.


Re: Hall of Fame Consistency

Post by Nines on Thu Jun 12, 2008 12:12 pm

Rijnzael wrote:
Nines9 wrote:Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent).


I disagree. CSRF vulnerabilities aren't difficult to find in a site that doesn't have any sort of protection against them. I'd consider vulnerabilities which are harder to execute and find at a much higher tier than CSRF vulnerabilities.


I was making a comparison just between those two entries. I wouldn't really class that XSS as a vulnerability, since you can't actually use it. Injecting XSS into the logic missions would only display on the page that the person injecting it would see. I can't see any way (other than to use an external site and grab cookies through an iframe or something) that you could use it for any sort of access. :/

evinyatar and I found an XSS you could actually use for half the points... :/ ... I know this sounds like a bitchmoan, but surely there should be some sort of standard for it.
