In the beginning of the summer the Belgian company PHPro held a cool hacking contest. The persons the could hack a special site that they had set up could win a prize. Yesterday they published an interesting article on how that site could be hacked. The site was also hacked in ways that the developers of the company did not anticipate.
Since this contest started out as an internal project, we've put a lot of focus on the flow on how to hack the website. It was just a little side project to inform our colleagues that some small mistakes can end up in a big catastrophe. By focussing on the flow of the hackme contest, we forgot to secure the application for malicious contestants. Off course, this was something that fired back to us on the first days of the competition. Here is a little write-up of the problems we've encountered and how we fixed them.