42 comments

[ 2.8 ms ] story [ 83.0 ms ] thread
(comment deleted)
Not too shabby. Was pretty trivial to do with Safari's developer tools, actually.

I submitted this as my resume: http://www.russellheimlich.com/blog/wp-content/uploads/2007/...

Hmm, did you modify the session cookie? Because that is _not_ trivial with Safari developer tools.

Edit: Removed potential spoilers.

It's unfortunately not easy to do with Chrome either (with or without extensions). I wound up downgrading to Firefox 3 from beta 4 to get back to the more mature plug-ins that make this light work.
Ha, I submitted my 'CV' as a (trivially) encrypted PDF. If I have to hack their site to apply, they have to hack my CV to read my application :-)
This is phenomenal. Makes the application process way more interesting. Hope your quality of applicants goes through the roof.
I just completed it, it shouldn't take more than 15 minutes or so. There's no real hacking involved, it's mostly just using a tool like firebug.
I'm interested in seeing applications that submit themselves :)
Fun challenge. It took me about 10-15 minutes using curl.

I think it's the right level of difficulty: Difficult enough that you're able to weed out a lot of really low quality applicants, but not so difficult that you run the risk of excluding high quality applicants.

Honestly they should not have made this announcement public, it should be a private message to anyone submitting an application, otherwise random people pick up the challenge and post the answers online.
Waaay too easy...honestly, I'm not tooting my own horn.

But I guess it would keep the lazy applicant from applying.

EDIT: on second thought, maybe it is the right level. They aren't likely looking for $100k+ hacker geniuses, just guys who can think outside the box and know how to do basic digging and prevent your typical hack.

I retract my statement. Clever application process.

it seems a bit on the easy side (only took me a few mins), but I like the idea. It was a fun challenge.
(comment deleted)
Damn, you guys are way smarter than me. Took me like 2 hours for the first step. The rest was easier. I am not good at riddles I guess...
The first step being actually accessing the back-end? That took me about 30 seconds, but I got bored as soon as I got there, mostly because I'm just taking a break from working on a personal project.

I actually applied with SeatGeek awhile back, and I guess my resume was tossed in the fluff pile. I sort of wish they'd had this at the time, since I'm sure I could figure it out based on the other replies in this thread. But fuck it, I've gotten a job since then with what seems like a pretty cool company, so I can't complain. :)

Took me about that long for the first step, then did a facepalm once I realized the solution. Was way overthinking that one, but it's like you either know it or you don't -- if you know it you'll figure it out eventually.
Regarding whether or not it's too easy...that's something we wondered about. We decided we wanted a relatively straightforward initial screen rather than an complex brainteaser.

So I would by no means liken this to the Greplin Challenge, but we're trying to accomplish something different. We're hoping to eliminate the crappy applicants so we can spend more time on the good ones.

After I initially overreacted about it's simplicity, I saw the point more clearly. In fact, the more I think about it the more I loved it. (from your business's standpoint)

Whenever I've been apart of interviewing candidates, ≈70% of the time was wasted on applicants who fluffed their resumé, got an interview, and were obviously not what they claimed to be. This would probably significantly reduce that overhead and at the same time attract people who enjoy coding vs. do it just to pay the bills.

That was roughly our thought process (I'm another seatgeeker btw). We wanted to come up with something that would be pretty quick to solve if you know what you're doing, but at the same time, demonstrates that you've got a pretty good understanding of a bunch of the moving parts of web development.
I interviewed with a pretty big company awhile back, and they told me that 50% of the people they talked to couldn't pass a basic phone screen - the technical portion of which basically consisted of making sure I knew what the modulo operator was, what it did, and some practical applications thereof.

How were y'all's percentages in that regard? How many applicants flat-out couldn't write code to save their life?

I think that you may have erred on the side of too easy. I have very little web development experience, but I was able to solve it in a few minutes. I didn't even use any developer tools.
Edit: I didn't realize that there was a second part. Maybe it wasn't too easy after all.
(comment deleted)
Not a web developer, but a scientist who plays around with it a little bit. Here is what I tried:

1) Viewed source. Didn't see any obvious comments.

2) Looked at .css files. Nothing obvious there, though there are styles for form/etc classes and elements that aren't used in the page.

3) Tried creating some forms with input and label elements in the markup in Firebug to see if CSS labeling on buttons showed anything. Just showed "Submit Query".

4) Looked at session headers in Firebug/Safari and saw something along the lines of

  < HTTP/1.1 403 Forbidden
  < Server: nginx
  < Date: Tue, 26 Oct 2010 09:10:58 GMT
  < Content-Type: text/html; charset=utf-8
  < Connection: keep-alive
  < Status: 403 Forbidden
  < X-Runtime: 0.001014
  < Content-Length: 1552
  < Set-Cookie:   sg.session=%7B%22csrf.token%22%3A%228KSf5VQhEB6DRoS0Z9PWW6ugXnH4e132LzBH8E76dE4%3D%22%7D; path=/
5) Noticed 'csrf.token' and googled to figure out it was a cross site request forgery prevention token, which seems sort of related.

Tried to mess around with this in Python and sort of got somewhere with this

  >>>urllib.unquote("%7B%22csrf.token%22%3A%22R5wuQON8nVfha%2F7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D%22%7D")
  '{"csrf.token":"R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw="}'
Then tried re-encoding:

  >>> urllib.quote(eval(urllib.unquote("%7B%22csrf.token%22%3A%22R5wuQON8nVfha%2F7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D%22%7D")).values()[0])
  'R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D'
and then doing an HTTP POST with curl

  curl -v -d "csrf.token=R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D" apply.seatgeek.com
But no dice. Is this totally the wrong direction? Is this puzzle really that obvious to any real web developer worthy of the name, and if so where did you earn your spurs/what books/sites did you read?
Not totally -- you're looking at the right things. As people have been saying there are kind of two parts to it. The first part has a lot more to do with the page content than the technical specifics.
No worries, I'm certainly not "getting" the riddle myself. I tried md5sum'ing the response body and base64 encoding it and replacing the cookie's csrf.token value with that, which didn't work (I did notice, however, that the server is accepting whatever you put in the cookie without re/over writing it).

I tried POSTing and PUTing with data values like "csrf=valuefromcookie" and (this may seem stupid) "browser=seatgeek".

I hand crafted a request using cURL.

I also discovered their VHOST settings aren't quite right either because when you POST to https://apply.seatgeek.com it takes you straight to the homepage (instead of redirecting you to the http://apply.seatgeek.com page).

Either way, kudos to those that got it in 15 minutes - I wasted far too much time chasing my tail on this one.

Not so stupid. The error message is important.
face palm

What's more annoying is I did do it correctly the first time - I just misspelled it! :-/

(comment deleted)
Interesting, but not difficult. I approve highly of the idea, though; perhaps something with XSS next time?
Would be funny if somebody went overboard and actually rooted the box, deleted the other entries and changed the site so the problem couldn't be solved (or closed the competition).

Then I guess you'd have to give him the job by default :-)

Always has to be a "him" right? Myopic macho nonsense, just like this company that wants "hyper-motivated" applicants. Ridiculous, geek-macho, over-caffeinated boys who speak first and (maybe) think later.
which pronoun should one use ?
That was fun. Personally I wouldn't make it any harder as it would already weed out a huge portion of the candidates I have interviewed in the past. I would perhaps add something that required a little JavaScript or something written though.

I wonder how many applications you get from people that don't actually want the job.

I quite enjoyed this :-) Reminds me of an online game that I played through years ago which I'm having trouble digging references to now; hack your way through successive levels, starting with really trivial things like default passwords and working your way up through all the exploitation techniques through to the more interesting ones (buffer overflows, off by 1 errors etc).

I was well hooked on the writings of Aleph1, Mudge and Rain Forest Puppy at the time, and this game was an excellent tool for teaching developers about vulnerabilities and thus how to defend against them. I know that the game spawned a plethora of copy-cats later on of varying qualitites - does anybody happen to know the one I'm referring to?

I wonder if you're thinking of Uplink? http://en.wikipedia.org/wiki/Uplink_(video_game)

I was completely addicted to that game in college. The also apparently have a version on steam now.

Thanks for the link, had not seen Uplink before. It's not what I was trying to remember though. I'm basically talking about a website. On the first screen it has a username and a password box. The password check is hardcoded into the JS on the page and viewsource gives it to you. Completing it gets you to the next stage. The next stage has no such info, but the password is easily guessable. The one after can be beaten by a cookie modification, the one after that involves injecting some variables into a server-side script etc etc... At each stage it links you to articles which may be relevant tothe task at hand; It's like a step-by-step training to hacking websites, graded nicely in difficulty from the trivial up to some reasonably difficult techniques at the higher stages.
Answering my own question here, but curiosity got the better of me so I trawled through my mail archives and found the site. It was http://quiz.ngsec.com/ and it's unfortunately offline now. Shame.
(comment deleted)
(comment deleted)
Great idea! I thought I had it figured out last night but the blank screen I got when submitting kept bothering me. This morning I double checked the requirements and saw if I got a blank screen I had not done it right.

I went back and got it figured out - I think the barrier to entry for this is just right.