Hackathons, who these days hasn’t heard of them? Although originating in the 90s, hackathons have quickly gained popularity and are now used by both developers and organizations to discover new opportunities for their software. For enterprises, these sorts of events can also lead to new insights and business opportunities. For developers, taking part in a hackathon also helps stimulate creativity as they are challenged to work together and learn new skills. Recently, our Senior Mendix Consultant Tom Sweegers and Chief Architect and Certified Mendix Expert Developer Rom van Arendonk took part in the annual Mendix Capture The Flag Event. Here are their learnings from this year’s event.
First things first, here is a rundown of everything you need to know about the Mendix Capture The Flag Event. To take part, you have to register as part of a team of at most five developers. For the event itself, the organizers have built four Mendix applications with security flaws deliberately left in them.
The goal of a Capture The Flag Event is to find as many of these flaws as possible. To do this, developers use back doors to sneak into the application and do things they normally wouldn’t be allowed to do, such as changing user accounts, looking at sensitive data, or requesting a larger refund than the billed amount (which was an actual example used in this year’s event). If you succeed, you will be shown codes, also known as ‘flags’, that were built into the application. These codes can then be entered into the scoreboard and you will be rewarded with points. If more people find and enter the same code, that code is worth fewer points. The team with the most points, not necessarily the most codes, wins the event.
Tom: “Being the first person in this hackathon to find the first flag was a nice bonus.”
For Tom, this year was his third year in a row taking part in the Mendix Capture The Flag Hackathon where the specific theme was trying to break code. In the previous years, he mainly focused on using some, as he calls it, ‘simple commands’ in the browser console. This year he decided to take a different approach. “During the previous years other developers often mentioned how tools like Burp (application security testing software) help when discovering security leaks, so for this hackathon, I wanted to delve into how it works”, Tom explains.
He further elaborates on how, at first, he didn’t understand the advantages of using a tool like Burp because he would still execute commands through the browser console, just like he did before. But soon Tom discovered why other developers recommended using tools. “Later on it became evident that it’s indeed a lot faster to use Burp once you are used to how it works. It becomes easier to adapt, resend, intercept, and change XAS requests while you are clicking a button and that’s very convenient.”
These Capture The Flag Events are not just a fun and competitive opportunity for Tom, he also sees them as a chance for professional growth. “With my knowledge of Burp and my hacking knowledge and skills that keep growing every year, this year marks the first time where I am actually very happy with the results of how many flags I found. And being the first person to find the first flag was a great bonus. It’s a reputation I am hoping to keep living up to next year!”
What does XAS do?
XAS handles the communication between the Mendix client and the runtime. It is a special API endpoint that Mendix uses to handle various actions, such as retrieving data or running microflows. When a user interacts with an application (for example by clicking a button), the client sends an XAS request to the server specifying which action to perform and which data to include. Because that request originates in the browser, it is exactly what a proxy like Burp can intercept and alter before it reaches the runtime, which is why the server must enforce its own checks rather than rely on what the client sends.
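To make the defensive side of this concrete, here is an added example (not Mendix’s XAS implementation and not code from the event) of a server-side handler that treats a client-originated action the way the post’s refund flag demands: the action, the invoice and the amount all come from the client, so the handler checks each against server-side state before doing anything. The `handle_request` function, the `Session` type, the `INVOICES` records and the role table are all assumptions constructed for this model.

```python
"""Server-side authorization for client-originated requests.

Added example, not Mendix's XAS code or the CTF's own code. The handler,
record store and request shapes are assumptions that model one point from
the post: whatever the client sends can be altered in transit, so every
check has to live on the server.
"""
from dataclasses import dataclass

# Constructed server-side records: the billed amount is what the server
# knows, never what the client claims.
INVOICES = {
    "INV-1": {"owner": "alice", "billed": 120.00, "refunded": 0.0},
    "INV-2": {"owner": "bob", "billed": 80.00, "refunded": 0.0},
}

# Which roles may perform which actions (assumed role table for this model).
ALLOWED_ACTIONS = {
    "customer": {"refund"},
    "admin": {"refund", "change_account"},
}


@dataclass
class Session:
    """Server-side session state; the client cannot edit this."""
    user: str
    role: str


def handle_request(session: Session, request: dict) -> dict:
    """Authorize and process one client-originated action.

    `request` mirrors the idea of an XAS-style message: the client names the
    action and supplies the data. Nothing in it is trusted until it has been
    checked against the session and the server's own records.
    """
    action = request.get("action")
    # Function-level authorization: is this action allowed for the role at all?
    if action not in ALLOWED_ACTIONS.get(session.role, set()):
        return {"ok": False, "error": "action not permitted for role"}

    if action == "refund":
        invoice = INVOICES.get(request.get("invoice"))
        if invoice is None:
            return {"ok": False, "error": "unknown invoice"}
        # Object-level authorization: customers may only touch their own invoices.
        if session.role != "admin" and invoice["owner"] != session.user:
            return {"ok": False, "error": "not the invoice owner"}
        amount = request.get("amount")
        if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
            return {"ok": False, "error": "invalid amount"}
        # Business-rule check against server-side data, not the client's figure.
        remaining = invoice["billed"] - invoice["refunded"]
        if amount > remaining:
            return {"ok": False, "error": "refund exceeds billed amount"}
        invoice["refunded"] += amount
        return {"ok": True, "refunded": amount}

    if action == "change_account":
        return {"ok": True, "changed": request.get("target")}

    return {"ok": False, "error": "unknown action"}


def demo() -> list:
    """Replay one legitimate request and three tampered variants (constructed)."""
    alice = Session(user="alice", role="customer")
    legit = {"action": "refund", "invoice": "INV-1", "amount": 50.0}
    inflated = {"action": "refund", "invoice": "INV-1", "amount": 500.0}  # amount edited in transit
    foreign = {"action": "refund", "invoice": "INV-2", "amount": 10.0}    # someone else's invoice
    escalated = {"action": "change_account", "target": "bob"}             # action outside the role
    return [handle_request(alice, r) for r in (legit, inflated, foreign, escalated)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The three rejected requests are the shapes the post describes: a figure larger than the billed amount, another user’s record, and an action the role never had. None of them can be stopped by hiding a button in the client, because the request is built and sent from the browser; only the server-side checks decide.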
Rom: “Trying to exploit the vulnerabilities in an application makes them a lot more concrete.”
Rom actually took part in the Mendix Capture The Flag hackathon for the first time this year. He joined the Enexis team, where he has been an architect and knows the ins and outs of their applications. “For our preparation, we made some minor changes to a free pen-test tool designed for Mendix applications, so we could use it for any application. This is a true blessing when you’re trying to hack a Mendix application: finding the first five flags was child’s play”, Rom elaborates.
Although this was his first Capture The Flag Event, Rom decided to focus on some of the more difficult challenges. For starters, he set his sights on cracking the One Time Password (OTP), and he succeeded after finding the vulnerability in the Java code. Exploiting it was a bit more complicated, but by adapting the Java code Rom managed to generate a valid OTP. His second challenge revolved around an authentication mechanism using JSON Web Tokens (JWT). Once he had figured out its vulnerabilities, it didn’t take Rom long to generate a valid JWT either.
Overall, the Capture The Flag hackathon provided Rom with quite a few new insights. “The good thing about this event was that even though I know as an architect that some constructions are vulnerable, I didn’t necessarily know how to exploit them. Now having had the chance to do exactly that has made these vulnerabilities a lot more concrete.”