At PHDays 9, for the first time, a hackathon for developers was held as part of The Standoff cyber battle. While defenders and attackers fought for control of the city for two days, developers had to update pre-written and deployed applications and keep them running without interruption under a barrage of attacks. Here is what came of it.
Only non-commercial projects submitted by their authors were accepted into the hackathon. We received applications from four projects, but only one passed selection: bitaps (bitaps.com). The team analyzes the Bitcoin, Ethereum and other alternative cryptocurrency blockchains, performs payment processing and develops a cryptocurrency wallet.
A few days before the start of the competition, participants received remote access to the game infrastructure to install their application (it was placed in an unprotected segment). During The Standoff, the attackers, in addition to the infrastructure of the virtual city, had to attack the application and write bug bounty reports on the vulnerabilities they found. Once the organizers confirmed that the bugs were real, the developers could fix them at their discretion. For every confirmed vulnerability, the attacking team was rewarded in pubs (the game currency of The Standoff), and the development team was fined.
Also, under the rules of the competition, the organizers could give participants the task of extending the application: it was important to implement the new functionality without introducing errors that affect the security of the service. For each minute of correct operation of the application and for implementing the improvements, the developers were awarded precious pubs. If a vulnerability was found in the project, and for every minute of downtime or incorrect operation of the application, pubs were deducted. Our robots watched this closely: if they found a problem, we reported it to the bitaps team, giving them a chance to fix it. If it was not fixed, it led to losses. Just like in life!
On the first day of the competition, the attackers tested the service. By the end of the day, we had received only a few reports of minor vulnerabilities in the application, which the bitaps team promptly fixed. At around 23:00, when the participants were already starting to get bored, they received from us a request to extend the software. The task was not easy. On the basis of the payment processing in the application, they had to implement a service that would allow tokens to be transferred between two wallets via a link. The sender of the payment, a user of the service, must enter the amount on a special page and set a password for the transfer. The system must generate a unique link that is sent to the payee. The recipient opens the link, enters the password for the transfer and specifies the wallet that will receive the amount.
After receiving the assignment, the team perked up, and by 4 o'clock in the morning the service for transferring tokens via a link was ready. The attackers were not long in coming: within a few hours they discovered a minor XSS vulnerability in the new service and reported it to us. We checked and confirmed that it was present. The development team successfully fixed it.
On the second day, the hackers focused on the office segment of the virtual city, so there were no more attacks on the application, and the developers could finally rest after their sleepless nights.

Following the two-day competition, we awarded bitaps commemorative prizes.
As the participants admitted after the game, the hackathon allowed them to stress-test the application and confirm its high level of security.
“Participation in the hackathon is a great chance to test your project for security and get expertise in the quality of the code. We are pleased: we managed to resist the onslaught of the attackers,” shared bitaps team member Alexaps Karpov. “It was an unusual experience, since we had to modify the application in a stressful situation, for speed. You need to write quality code, and at the same time there is a high risk of making mistakes. In such conditions, you begin to use all your skills.”
Next year we plan to hold a hackathon again. Follow the news!