55 comments

[ 4.2 ms ] story [ 108 ms ] thread
Very cool, but why doesn't it tell you what the correct answer is when you get it wrong?
I was wondering that too... With some sort of insight into the correct response, one might be able to learn rather than just be tested. A lot of fun regardless.
I like the idea. I feel like a few seconds are spent trying to figure out what language it's in, but maybe I'm just a dummy.
It is good as a game, not so good as a learning tool. There should be an option to go back and analyze things with time for some research
Play it on an iPhone. You can pause the timer by holding your finger on the iPhone's screen.

Yeah, it's cheating, but isn't that what it's all about?

I liked the one that was a C program that used argv[0] (or argv[1] - cant remember) as the connection string for an SQL database. Then the answer was SQL injection. I mean, sure, you can argue that's a flaw with the program, but it's also THE ONLY POSSIBLE USE for the program.

I got 5/5 on advanced, but I don't think that proves anything. For most of the questions my response would be "decomp your code better and use comments."

A little coloration and indentation would be great. Going through a chunk of 20 lines of unknown language in a couple seconds is already enough of a challenge especially for beginners, no need to add unreadability to it :P.
Fixing the indentation would also make the Python code readable. (For those who aren't aware, whitespace is significant in Python.)
How can I see the correct answers?
There's a big difference between having to select between four different kinds of vulnerabilities when given a piece of that you're told is insecure, and identifying them in the wild. This is more putting the square peg in the square hole than it is measuring the angles and being able to accurately identify the shape.
One of the questions that I got had an option that said "No vulnerabilities". I think having that option for every question with some solid code will let you find vulnerabilities more accurately.
I had hoped from the description this would be more like the latter, with vulnerabilities you had to exploit to advance to the next level. As a format, multiple choice quizzes are not that interesting.
Umm... have other people been able to spot the vulnerability but been unable to answer due to the answers not making very much sense?

Vuln hunting has its own vocab now :-(

Timer really put me off. I can solve these, I just need more time, having not used some of these languages in a while.

I'd rather the time counted up, losing points, instead of counting down until I'm told I fail.

After you answer a question, there should be an explanation of the right answer. I was able to guess through some that I had no idea what they actually were, and an explanation of why I did/didn't get it right will help a lot and actually help me identify vulnerable code.
Yeah. I have no CS background so I was hoping to learn something here. Nope.
Same here, I was able to guess through an answer which was "resource injection" by finding code 'PATH INFO' just made sense.
Yes! This is the first idea that occurred to me, show me why after each answer.
Like the idea (and infact I've submitted some code loosely based on an example I actually found in an application!), but yeah, the comments about needing more time because of having not used some of the languages applies here also. And yeah, an explanation of the right answer would help - especially if you haven't used the language (at all, or in a while).
You should aways have the answer "Non-exploitable code" for every question. For some questions, the lack of this answer makes it clear that there is a vulnerability, and the structure of the question makes it obvious which one of the answers is most likely (e.g., no SQL or methods dealing with SQL exclude all SQL based answers, a question with "sleep" is highly likely to be a DOS by Sleep, etc.)

I'm not a CS guy, but I was able to deduce a lot of the answers just from how the question was structured.

EDIT: The actual response in the app is "Non-exploitable code". Updated my comment to reflect this

Just ran through 4 of the "beginner" tests and almost none of the answers I ran across was "none exist." Not trying to prove or disprove your point but did find it odd.
Somewhat ironic that the high scores have already been hacked, though a little inevitable since the game is client side I guess.
Pretty easy, you can ace without knowing all the languages/APIs used, just follow the usual code smells.
Hmm, I saw duplicate questions in a single session.
Had to wonder if the "root" guy on the leaderboard actually hacked the game :)
Cool game. Would be great if it gave a quick summary of why it was a right answer and maybe some additional resources to learn more.
On beginner difficulty single player, I got the same question again and again. After the game ended, new game, still the same question.

IE11 FWIW.

Here's how to hack the hacking game. Pretty simple (in your console):

app.sendAnswer({answer: 1,time: -999999999999})

(I added the instructions on the leaderboard itself)

Crashing != hacking
(comment deleted)
On a related note, anyone else remembers http://try2hack.nl/? It was one of the first sites that got me into programming/hacking.
1. This is a vocabulary and syntax quiz, mostly.

2. The code is unreadable (formatting) on a phone after 1.5 Manhattans.

3. Anybody else read the title in Robert Pollard's voice?

I have no idea what most of those terms mean, no point in playing the quiz then
When you beat the advanced levels, and are looking for a real challenge, give http://escape.alf.nu a try. I didn't make it but it's the most difficult but still educational hacking challenge I've seen. Also, since it validates answers server-side these days, it isn't, itself, hackable.
I dare anyone to respond faster than my -1.7976931348623157e+308.

(Or is it -9007199254740991?)