Web Bots - CTF Game

Goals:

- write secure software- kill bad bots-scrape nimbly

Tuesday, June 30, 15

More info on logos in previous slide

• LifeLock XSS: http://techcrunch.com/2015/06/30/vulnerability-in-security-service-lifelock-could-have-exposed-logins-and-passwords/

• Facebook doubles bug bounty: https://threatpost.com/facebook-to-double-bounty-payouts-for-ad-code-bugs/108863

• Apple CelebGate: http://appadvice.com/appnn/2014/09/apple-knew-of-icloud-vulnerabilities-that-led-to-celebgate-since-march-2014

• eBay xss password stealing bug https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/

• Google.com XSS vulnerabilities http://news.softpedia.com/news/Experts-Find-DOM-Based-XSS-Vulnerability-in-Google-com-305585.shtml

Scrapers

Python

Mechanize

Detection & Prevention

browser fingerprinting

Traffic patterns

captcha, recaptcha

Obfuscation (ajax, headers, etc.)

trap and sleep()

Web Bots CTF

AttackersYou manage to control a script that the defenders

have included on their website

A) Modify this script to steal a cookie or username / password data

B) Automate making it past the captcha

C) Scrape all the content from behind the login

D) Don’t take the server down!

DefendersPretend you missed the XSS vulnerability (or rely

on a compromised script for your website to function)...and secure everything else.

A) Make it a bit harder for bots to login

B) Set some traps, make sure you hide them!

C) Try to differentiate legitimate users from bots

D) Don’t let the server go down!

Web Bots - CTF Game

Documents

Transcript of Web Bots - CTF Game

CTF & Ketsana

What are bots? › › (PDF).pdf · 2020-01-17 · 48.2% Humans 28.9% Bad Bots 22.9% Good Bots 1.2% Monitoring Bots 2.9% Commercial Crawlers 6.6% Search Engine Bots 12.2% Feed Fetchers

Bots Not Cattle - GitHub Pagesjberkus.github.io/pdf_presos/bots_not_cattle_automacon.pdfnew bot rules 1. bots initialize themselves 2. bots know their own state 3. bots share their

CTF Bulletin

LNAI 7691 - Game Designers Training First Person Shooter Botsstaff.itee.uq.edu.au/marcusg/papers/mcpartland_gallagher_ai12.pdf · Game Designers Training First Person Shooter Bots

Chile CTF-IDB Concentrated Solar Power Project · Chile CTF-IDB Concentrated Solar Power Project p. 3 Name of Project or Program Chile CTF-IDB Concentrated Solar Power Project CTF

CTF Programme

Telegram bots

Bushido bots

CTF/TFC.8/4 Meeting of the CTF Trust Fund …...CTF/TFC.8/4 October 14, 2011 Meeting of the CTF Trust Fund Committee Washington, D.C. November 4, 2011 Agenda Item 4 CTF INVESTMENT

NGNP CTF Feasibility Recommendations R0-FINAL Documents/Westinghouse/HTGR Component Test...NGNP-CTF 20-CTF HTGR Component Test Facility (CTF) Recommendations 3 of 68 NGNP CTF Feasibility_Recommendations_R0-FINAL.doc

Bots: An introduction for developers - AgentNnamdi · Bots: An introduction for developers Bots are third-par ty applications that run inside Telegram. Users can interact with bots

CTF Workshop - University of Oulu · CTF (Capture the Flag) •Capture the Flag (CTF) is a computer security competition. •CTF are usually designed test and teach computer security

CTF - Customers' Testing FacilityCTF - Customers' Testing Facility CTF Assessment Report (CTF Stages 3 and 4) (Based on ISO/IEC 17025:2017) CTF name CTF address,

Museum Bots

Twitter Bots

Tug of War Battle Bots - TeachEngineering › content › nyu... · Battle Bots: The Tug of War Game •After design modifications, tug of war begins •Winner: The robot that wins

CTF Peroxisome

Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $

CTF Playing Rules & Bylaws - Canadian Tenpin Federation · All CTF rules and specifications shall be followed for all CTF adult and CTF Youth competitions (leagues and tournaments)