I am proud to announce our second hacking challenge for the community! This is again an SQL Injection and Filter Evasion Challenge that includes the following updated defenses:
Target Demo Applications
We have setup ModSecurity to proxy to the following 5 commercial DAST scanner demo sites:
To successful execute SQLi against the scanning vendor demo websites and to try and evade the OWASP ModSecurity CRS.
ModSecurity Project Team Goals
To test out both our current SQLi Detection Rules and also some rulesets labeled as experimental. We need to field test these rules for accuracy and gauge their suitability for production use.
To successfully complete the challenge, participants must do the following:
- Identify a SQL Injection vector within one of the demo websites listed above.
- Successfully enumerate the following information about the database:
- DB Name(s) - provide request data.
- Table Name(s) - provide request data.
- Column Name(s) - provide request data.
- DB Account Name(s) - provide request data.
There is only 1 level to this challenge:
Filter Evasioni/Bypass (Status: OPEN)
Winners of this level will be anyone who is able to enumerate the data listed above for each demo app without triggering an Inbound ModSecurity Alert. If ModSecurity sees any inbound attacks or outbound application defects/info leakages, it will prepend a warning banner to the top of the page. Here is an example:
Your challenge is to try and evade the ModSecurity inbound filters while still enumerating the same data from above.
| ModSecurity Alert Message: |
CRS Anomaly Score Exceeded (score 43): SQL Injection Attack Detected via Libinjection
TX ID: OP2xvcCo8AoAADEnscQAAAAL
There is no limit to the number of winners of this level. All winners will be listed in the right hand column of this page.
There are some pages in the demo sites that utilize 302 Redirects and therefore don't display the ModSecurity alert data to the user. Before submitting your data, please review the raw HTTP response and/or validate your SQLi payloads against the CRS demo page. If your payload is caught by the CRS demo then this is not a valid bypass payload and there may be an issue with the proxy setup.
Please send challenge submissions to firstname.lastname@example.org. When submitting Level II data, please also include the
TX ID from the alert banner data so that we can confirm in the ModSecurity audit log if any other rules triggered.
All winners will receive an official ModSecurity t-shirt from Trustwave's Spiderlabs.