#HackWEEKDAY – Get Your Code On

REGISTRATION IS NOW CLOSED!

Why you should join HackWEEKDAY:

USD 1337 to be won!
Complimentary pass to HITBSecConf2011
Potential recruitment from the sponsors
Simply because it will be awesome!

Starts: 12th October 13:37 MYT
Ends: 13th October 13:37 MYT
Venue: HITB2011KUL @ InterContinental Kuala Lumpur
Agenda: DOWNLOAD

Inspired by the recently completed HackWeekend and GTUGKL hackathon, HackWEEKDAY is a 24-hour code off that runs alongside the 9th annual HITB Security Conference in Malaysia – Asia’s premier deep-knowledge network security event that routinely brings together some of the world’s leading security experts under one roof Kicking off at 13:37 on the 12th of October and ending a full 24-hours later on the 13th, we are inviting Asia Pacific coders from all walks of life to come together and work on open source security tools – Got an itch to write an 31337 Firefox plugin, new Maltego transforms or if you’re just a code junkie; we want you! You will get to hangout with HITB conference speakers and mingle around with the big names in security. It’s your chance to hack with the experts and learn from the best. Registration is completely FREE and we have space for approximately 75 developers whether in teams or individuals. Food, drinks and copious amounts of bandwidth will be provided; just bring your own laptop, plug in and get your hack on!

Objectives

  1. To promote secure coding practices
  2. Spark interest in security application development throughout the developer community. (developing web apps and developing security apps isn’t all that that different)
  3. Revive abandoned security projects and contribute back to the security community.
  4. Knowledge sharing directly from authoritative figures in the security community (HITB speakers and project owners)

Why Hack on a Weekday?

Accepted participants to HackWEEKDAY will also receive

  1. 1 x complimentary pass to HITBSecConf2011 – Malaysia’s Quad Track conference on the 12th & 13th of October
  2. Access to the HackWEEKDAY ‘arena’
  3. Food and drinks over the 24 hour period
  4. Wired access to #HITB2011KUL’s high-speed fiber
  5. A chance to show off your code / project in the HITB SIGINT lightning talk sessions on the 13th afternoon

Invited Developers

  1. Paul S. Ziegler (Independent Network Security Researcher)
  2. Jonathan Brossard (Founder / CEO, Toucan Systems)
  3. Jefrey Ong (Flexiroam)
  4. Meling Mudin (Founder, HackerspaceKL)
  5. Kaijern Lau (Founder, Xandora.net Project)
  6. Kamal Fariz (Rubyist / Founder, Fluent Space)
  7. Fadhil Luqman (DJ / Codelovr)
  8. Li Choong Tan (Flexiroam)
  9. doubleukay (OnApp M’sia / Lowyat.net)
  10. Dr. Whax (HITB.nl CTF Overlord 1.0)
  11. blasty (HITB.nl + fail0verflow)
  12. Arzumy MD (Founder, Codelovr)
  13. Arsyan Ismail (Orenscript IRC / Founder, Kawanster)
  14. Xanda (DontPhishMe / MyCERT)

Accepted Developers

  1. Thanh ‘RD’ Nguyen (VNSECURITY)
  2. Ahmad ‘sniffit’ Zulkarnain (HackerspaceKL)
  3. Suresh ‘networkg0d’ Ramasamy (evilb0x.org)
  4. Lim Cheng Soon (Netizens Media)
  5. Yin See Tan (Websmith ATP Sdn Bhd)
  6. Abdul Musawwir Islahuddin Jibril Abdullah (Madd Grizley)
  7. Raja Hafify Zaed
  8. Amir Haris Ahmad (Localhost)
  9. Fairuz Sulaiman (Syabas Sdn Bhd)
  10. Amir Khosro Amir Moghadami (Multimedia University)
  11. Esam Ali (UCTI APIIT)
  12. Huy Phan (Vithon.org)
  13. Khairul Amirin Ibrahim (TIME dotCom Bhd)
  14. Ardak Shaimerdenov (UCTI APIIT)
  15. Ghis Bakhour (Motionworks)
  16. Naing Tun Win (Raydar Research Sdn Bhd)

What are we hacking?

Mozilla Firefox Add-Ons

Firefox Add-ons let’s you add new features and/or change the way Firefox works. Among them are privacy and security add-ons that was written to help make end-users’ browsing experience much more secure. HackWEEKDAY gives you the chance to work on some of these excellent security add-ons;

a. DontPhishMe https://addons.mozilla.org/en-US/firefox/addon/dontphishme/

DontPhishMe is an addon to Firefox that alerts you if an online banking web page that you visit appears to be asking for your personal or financial information under false pretenses. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That’s why it’s important to browse safely with DontPhishMe. DontPhishMe will automatically warn you when you encounter a page that’s trying to trick you into disclosing personal information.

Tasks / Problems to be solved for HackWEEKDAY

i. Detecting/Fingerprinting phishing website that uses full images & CSS ii. Detecting/Fingerprinting phishing website that uses JavaScript obfuscation (i’ve got partial (but working) idea for this) iii. Auto generate ‘signature’ for current method

Disclaimer

1) Current code branch might not be released until new detection method implemented in v2 2) Can’t promise that the code/idea will be integrated in the code brunch. But any how, the idea is the most important thing 3) The code will be following the DontPhishMe license at any version of its release

b. SQL Inject Me https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/

SQL Injection vulnerabilites can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is Firefox Extension used to test for SQL Injection vulnerabilities.

Tasks / Problems to be solved for HackWEEKDAY i. Update for latest and greatest FF version

c. SQL Injection https://addons.mozilla.org/en-US/firefox/addon/sql-injection/

SQL Injection is an Upgrade from the old form free, it is a component to transform checkboxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page. It makes easier to test and identify SQL injection vulnerabilities in web pages.

Tasks / Problems to be solved for HackWEEKDAY i. Update for latest and greatest FF version

d. Access Me https://addons.mozilla.org/en-US/firefox/addon/access-me/

Access vulnerabilities in an application can allow an attacker to access resources without being authenticated. Access-Me is a Firefox extension used to test for Access vulnerabilities.

Tasks / Problems to be solved for HackWEEKDAY i. Update for latest and greatest FF version

e. XSS Me https://addons.mozilla.org/en-US/firefox/addon/xss-me/

Cross-Site Scripting (XSS) is a common flaw found in todays web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

Tasks / Problems to be solved for HackWEEKDAY i. Update for latest and greatest FF version ii. Bug fixes as per reviews on Add-ons page

f. Perspectives https://addons.mozilla.org/en-US/firefox/addon/perspectives/

Securely bypasses Firefox HTTPS security errors by verifying certificates using a collection of Network Notaries. See http://www.cs.cmu.edu/~perspectives/

Tasks / Problems to be solved for HackWEEKDAY i. Killing bugs in https://github.com/danwent/Perspectives/issues

g. Xpnd.it! short URL expander https://addons.mozilla.org/en-US/firefox/addon/xpndit-short-url-expander/

Automagicallly expand and analyze any tiny URL so to avoid clicking on potentially harmful, malicious links! It supports more than 500 services and it is very fast, thanks to local caching plus three layers of remote caching on the server-side.

Tasks / Problems to be solved for HackWEEKDAY i. Update for latest and greatest FF version ii. Bug fixes as per reviews on Add-ons page

h. POW — Plain Old Webserver https://addons.mozilla.org/en-US/firefox/addon/pow-plain-old-webserver/

Turn the web on its head with the Plain Old Webserver (POW), which adds a server to your browser.

Tasks / Problems to be solved for HackWEEKDAY i. Update for latest and greatest FF version

i. Google Site Indexer https://addons.mozilla.org/en-US/firefox/addon/google-site-indexer/

A Windows search program turned Firefox Extension, GSI Creates Site Maps based on Google queries. Useful for both Penetration Testing and Search Engine Optimization. GSI sends zero packets to the host making it anonymous.

Tasks / Problems to be solved for HackWEEKDAY i. Update for latest and greatest FF version

Basic Requirements for all Firefox Add-ons Development Language: i. JavaScript – a MUST know language ii. XUL – optional iii. Chrome API – optional

Additional apps i. Firefox + Greasemonkey + Firebug ii. Chrome (dev release) + Firebug iii. Firefox Addon SDK – optional iv. Any code editor with syntax highlighting v. Laptop with any OS that can run Firefox and Chrome

MEGATOOL

Got a great idea about a GUI-based security tool that could run on Linux, OSX and Windows? Show off your cross-platform GUI dev skillz at the HackWeekDay challenge.

Requirement Language: The cross-platform toolkit of your choice (Gecko, QT, WxWidgets but… not Java)

Purpose: Security tools should be visually appealing in order to be easily understood by clueless CISSP managers and modern-day security analysts. Bring us closer to hacking like in the movies and do the security community a favor by lowering the skills level required to work in the industry. Focus less on functionality and actual security value and more on visual effects, intuitive controls, coolness factor and attractiveness of the UI. Old school hackers complain that good security looks the same as bad security – prove them wrong by showing that lousy security can have great looks!

Maltego – Your Data, Your World

Maltego is a fantastic resource for intelligence, link analysis and looking at different relationships between data. It is currently used with a number of open sources of information (DNS, Websites, etc) to offer this functionality to penetration-testers, law enforcement and your average stalker joes. However Maltego can be extended to not only include the information sources that we provide, but *any* sources of information, from your internal databases to that paid-for image to geo-location web service or even an application such as Nmap that runs on your PC. For HackWEEKDAY we encourage people to come and learn/dev/hack with Maltego in order to extend it with their own sources of information. We will give a basic overview of how local transforms and TDS transforms work as well as be around to help with any questions. So bring your favourite coding language (yes, you can code in anything), a good idea and something you want to see in Maltego. We are hoping some great transforms come out of this and are definitely keen to give away some licenses for fantastic transforms. We’d also love to be able to add some of your transforms to the public repo’s (free and paid for Maltego clients will get them).

Requirements: a. Tools i. Maltego Commercial (we will give you a temporary license for HackWEEKDAY or you can use the free community edition) ii. Good ideas (if you don’t have any, leech/steal/ask – we have a few as well) b. Skills . Coding Skillz (any language will do, but preferably something that can run as a webapp/cgi)

Dilligence – Analytic DNS Engine

Dilligence is a project to develop domain name reputation system. The end goal of dilligence is to provide dynamic reputation score for domain names based on whether they are malicious or not. Several reputation functions are still being developed. They include generic classification based on DNS properties, and some machine learning algorithms. For HackWeekDay, this reputation function is available for the participants to solve: The author has semi-automatically classify various domains into several categories, such as domain names belonging to Facebook, Yahoo, Google, Amazon, Akamai, popular domains, malicious domains (based on public blacklist), and others. Based on the current classification, participants are expected to develop rules and codes to automatically classify new domains into the currently available groups. This code, once completed, will be part of the reputation functions for diligence. If anyone else is interested to develop the other reputation functions, we can discuss that during HackWeekDay.

Requirements: a. Skills i. Python ii. Pymongo iii. MongoDB – good to have, but not essential

Xandora.net Project

Xandora (http://xandora.net) is a sandbox and targeting for high volume suspicious file processing. xandora.net is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of xandora.net results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary. Problems to be solved for HackWEEKDAY After process Windows PE file (exe and dll), there will be around 20,000 till 30,000 URL dump from xandora. The problem to solve is to write script to process all the URLs from xandora. Code name: Will be announced during HackWEEKDAY 1. Usage of the code must be as simple as $ ./xandoraurlproject http://www.iwantthisurl.com/best.html

Script functionality

i. Random URL agent ii. Proxy enabled. (Autosearch for free proxy, update 2 times a day ?) iii. Follow redirect, eg. HTTP 302 iv. Extract all the link from the URL v. Download all the files from the link

File Analysis

Extract Windows PE, PDF, SWF and Javascript from URL Check for possible exploit from PDF, SWF & Javascript (Free & Public analysis tools)

Output result should include analysis of

i. Links from processed URL ii. Files downloaded from URL iii. Downloaded file preliminary analysis

Data Storage i. Store information into somewhere (Preferably MongoDB)

Requirement

1. Skillz

i. Ruby ii. Ruby Library net/http.rb iii. bash iv. SQL or NoSQL v. Adobe stuff/Javascript analysis tools

2. Notebook installed with *nix (VMs are fine)

Disclaimer 1. We do not promise code will be include/use in xandora project 2. Code might be an branch of xandora open source project

Questions? Email us: hackweekday@hackinthebox.org