Announcement
$100 prize for finding XSS vulnerabilities
by bbi5291 on Oct 03, 2010 - 5:49:06 am UTC
I am offering a $100 prize to the first person to discover an XSS vulnerability in the PEG Judge. Here's an example: if you discovered that submission details were not properly escaped, you might be able to manipulate your submission so that when an admin views your submission detail, some nasty JavaScript gets injected into the page which steals his cookie and gives you admin access.
On the other hand, if you're the first to find some non-XSS vulnerability, such as some server-side PHP function that only checks authentication in the front end and not the back end, that would allow you to perform some action you're not supposed to be able to do by sending custom POST variables, I'll pay you $50.
Note that if you actually implement this exploit and compromise security in a destructive way, you're not going to receive the prize. Also, this offer does not extend to the wiki or forum. Those just contain a lot of code that we don't understand.
I'm pretty sure the Judge is secure right now. However, I will be implementing the problem-setter and contest-setter features soon (in imitation of SPOJ); this of course will increase the probability of exposure to insecure user-generated content.