Bugfix for PM / general note on defenses/exploits

Written on 08.11.2019 18:54 by Ben Stock

We have deployed a seemingly working fix today for the functionality checkers on the postMessage task. This was a race condition which only occurred in about 4/100 attempts, which made it incredibly hard to debug. Marius was nevertheless brave enough to slay that particular dragon. Should you still encounter an issue, please let us know via the Askbot. More generally speaking, please use the Askbot as much as possible. Otherwise, if three students have the same question, we (mostly Marius) have to reply to three individual requests. Hence, only send us an individual request if you are sure that your question would leak parts of the answer.

Apart from that, based on the questions we have received, I wanted to provide a couple of hints regarding the exercises. Before reaching out to us about your fixes breaking your application, please use your instance of Screecher yourself. This is best achieved with the developer tools open, as you'll see both JavaScript errors and failed requests in the console. Virtually all questions thus far could have been answered by yourselves by following these steps.

Additionally, there seemed to be a bit of confusion about what the crawler does when you submit a URL. This is specific to the task at hand, yet follows an easy pattern: set up the state correctly in the browser and then visit your link. That is, e.g., when the task is related to Screecher, our crawler will log in with the appropriate account to team0 and then visit your attacker URL. Hence, you can assume that the browser visiting your attacker page has valid authorization cookies for Your task is then to conduct the necessary attack and leak the secret to the feedback URL at the gameserver.

Furthermore, if you are receiving this email, yet plan to not do the exercises / drop the course, please let us know. This allows us to disable the VMs and conserve some resources.
