Security Contest #2

Insecure Web App

There are lots of insecure web applications floating around the web. You know the drill.

Your Challenge

Here's a little fake news site where users can submit articles and the admin can approve them to show up on the home page:

examplesite/home.php

The source code and database structure are here:

examplesite.tar.gz

Directory listing is also on for convenience:

examplesite/

The challenge is to get a JavaScript alert to open on the "home page" of the example site (home.php) for any visitor who comes to the site. The text in the alert box should be either your name or, if you're bashful, a hash of some string that you can later provide (along with the hash algorithm) so that we can verify you really were the person who put it on the home page.

What we'll do (that is, Justin, who's running this contest) is occasionally go to the page that lists unapproved items (unapproved_news.php) while logged in as the user "admin". We won't click the "approve this news item" link for any of the unapproved items, though.

I may add more detailed descriptions of the various pages later, but there's nothing you won't be able to see in the scripts you can download using the link above.

My hope is that this contest is harder than the last. Those who don't know where to start, feel free to ask questions.

Note: goatse.cx, etc., will get you disqualified =).

What you win

You win one book of your choice (out of two) from those donated to the UA Computer Security Club by No Starch Press!

You also get your name mentioned as the winner of the contest. We'll probably list the top three.

Note: If you have been a recent winner of a contest, you can still be acknowledged as the winner of this one, but you can't win the prize. We want to share the wealth, you see.

General Contest Notes

Please respect the contest server. It's not a DoS contest. If your solution involves making multiple requests or connections to the server, that's fine, but please do them sequentially unless your solution requires them to be concurrent (in which case, please be kind).

Pretty much, if you know something wasn't intended and you know it may negatively impact the server, don't do it.

The contest is intended for University of Arizona students and faculty. If you aren't from the UA, you are welcome to give it a try, but you won't be credited with winning the contest and non-UA IP addresses are subject to blocking if they are abusive.

Report Victories, Ask Questions

Send your victory reports and questions (and requests for hints) to contests -at- uacompsec.org.

Results

No winner yet.

Solution

Solutions will be made available after the contest has ended.


Added 2008-02-25 by Justin Samuel,
University of Arizona Computer Security Club.