Attack and Defence Secure Coding Challenge

The Attack and Defence challenge is an innovative multiplayer secure coding challenge. Each player is assigned a fully containerised app and must first patch its security vulnerability. The SecDim platform then runs tests against the patch, deploys the app, and generates a unique URL for the player's app. Each player then enters a battle lobby where they can target other players' apps, either by accessing the deployed apps or by reviewing the other players' patch code. Players can access other players' source code and run, debug, and test other players' apps locally on their workstations or in the cloud-based Visual Studio Code.

When a player identifies a weakness in another player's app, they exploit it to obtain a flag as proof of successful exploitation and submit the flag to the SecDim platform to receive the hacking score. The player whose app was exploited is removed from the hacker lobby to work on a better patch before re-entering the challenge. As in a king-of-the-hill game, the player who remains in the battle the longest is the winner.

Quick Start

To try an Attack and Defence challenge:

1. Head to https://play.secdim.com and then Attack & Defence.
2. Select one of the available languages (e.g. Python).
3. Click on File.py.hth.
4. Watch the video tutorial.
5. Click on Play to start the challenge.
6. Click on Open In CDE to start a cloud-based Visual Studio Code.
7. Click on Ready to open a new tab where you access Visual Studio Code.
8. Follow the commands in the terminal:
   - To run the app: make run
   - To run usability tests: make test
9. Make changes to the source code to patch the app.
10. Run the usability tests to ensure they pass.
11. Push your code to kick off server-side testing (make push).
12. Go to the challenge page. After a minute, your app will be published, and you will enter the hacker lobby.
There are no security tests in Attack and Defence challenges.

While you are in the hacker lobby, you can target other players by accessing their published app or by cloning their git repository and reviewing their patch. To hack another player's app:

1. Select one player (e.g. alice) to target.
2. Copy their app URL.
3. Open a new tab and navigate to their app's URL.
4. Interact with the app and try to see whether you can read any other files. If you wonder where the flag is, navigate to the first tab and open Hints.
5. To hack the app, enter flag.log as the name and ../ as the subdirectory in a request to the /log endpoint:

   curl -X 'POST' \
     'https://<PLAYER_URL_HERE>/log' \
     -H 'accept: application/json' \
     -H 'Content-Type: application/json' \
     -d '{ "name": "flag.log", "subdir": "../" }'

6. Copy the flag: SecDim{….}.
7. Navigate to the first tab and enter the flag.

Congratulations! You have hacked Alice and gained a hacking score!

You can also view Alice's Git repository by clicking on View Source Code and copying their Git URL. You can clone this URL in your cloud-based Visual Studio Code or locally.

If someone hacks your app, you will lose your score and be removed from the battle page. You can then review your patch and re-enter the battle page.
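The /log request above works because the app builds a file path from the name and subdir fields and lets ../ walk out of the log directory. The containment check a patch for that endpoint needs, as an added example written for this page rather than the SecDim challenge app's own code; the log directory, the function names and the rejection of an empty name are assumptions:

```python
# Added example (not the SecDim challenge app's own code): the path-containment
# check a patch for the /log endpoint needs. The request fields "name" and
# "subdir" come from the page; LOG_ROOT, the function names and the rejection
# of an empty name are assumptions made for this example.
from pathlib import Path

LOG_ROOT = Path("/var/app/logs")  # assumed log directory, not from the page


def resolve_log_path(name: str, subdir: str, root: Path = LOG_ROOT) -> Path:
    """Return the file that (subdir, name) denotes inside root.

    Raises ValueError when the resolved path escapes root. Resolving the
    joined path first normalises ".." segments (e.g. subdir="../") and
    absolute components (Path("/a") / "/etc" becomes "/etc") before the
    containment check, so neither can point outside root.
    """
    root = root.resolve()
    candidate = (root / subdir / name).resolve()
    if candidate == root:
        raise ValueError("empty log name")
    # Path.relative_to raises ValueError when candidate is not under root.
    # Unlike a string prefix test it also rejects siblings such as
    # /var/app/logs2/x, which share the prefix but are not inside root.
    candidate.relative_to(root)
    return candidate


def handle_log_request(body: dict, root: Path = LOG_ROOT) -> tuple:
    """Decide a /log request body without touching disk: (status, detail).

    Returns 400 for any path that escapes root and 200 with the contained
    path otherwise. A real handler would open the returned path only after
    this check has passed.
    """
    name = str(body.get("name", ""))
    subdir = str(body.get("subdir", ""))
    try:
        path = resolve_log_path(name, subdir, root)
    except ValueError:
        return 400, "invalid log path"
    return 200, str(path)


if __name__ == "__main__":
    # Constructed request bodies: the traversal from the page and a benign one.
    print(handle_log_request({"name": "flag.log", "subdir": "../"}))
    print(handle_log_request({"name": "app.log", "subdir": "today"}))
```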