QuoccaBank Security Hall of Fame

This page is dedicated to students who found vulnerabilities in QuoccaBank infrastructure.

Information Leak by Evan (25/07/2020)

Evan found that some CTFProxy debug headers (containing an internal IP address and some non-sensitive infra auth information for his own account) are returned to regular users in favicon.ico responses. This was introduced yesterday in 74dbac when we added a "defaultfiles" feature to CTFProxy, which is used for adding a favicon to most of the QuoccaBank sites.

Specifically, this is because the "defaultfiles" routine calls the Write method on our own ResponseWriter struct without calling WriteHeader first. Our header-handling logic lives in our WriteHeader, so skipping it means net/http's own Write path calls the underlying WriteHeader implementation directly, and our logic never runs. In all other places we called WriteHeader first. To prevent similar issues from occurring again, instead of adding a WriteHeader call to the "defaultfiles" routine, we've updated our own ResponseWriter's Write method to check whether it needs to call our own WriteHeader first.

This is fixed in f6d576.
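The Write/WriteHeader bypass described in Evan's report, as an added example that is not CTFProxy's code: a minimal ResponseWriter wrapper in the pre-fix shape (stripping only in WriteHeader) beside one in the fixed shape (Write checks whether its own WriteHeader has run), both exercised through httptest.ResponseRecorder by a handler that, like "defaultfiles", only ever calls Write. The header names, the backend address and the token value are constructed for the example and are not the real debug headers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical names for headers the proxy must strip before a response leaves
// the edge. Constructed for this example; not CTFProxy's real header names.
const (
	debugBackendHeader = "X-Debug-Backend-Addr"
	debugAuthHeader    = "X-Debug-Infra-Auth"
)

// leakyWriter has the pre-fix shape: stripping happens only in WriteHeader.
// A caller that goes straight to Write never hits it, because net/http's Write
// calls the *underlying* WriteHeader(200) itself with the headers still present.
type leakyWriter struct {
	http.ResponseWriter
}

func (w *leakyWriter) WriteHeader(code int) {
	w.Header().Del(debugBackendHeader)
	w.Header().Del(debugAuthHeader)
	w.ResponseWriter.WriteHeader(code)
}

// fixedWriter records whether the header was sent and makes Write route
// through its own WriteHeader first, so the stripping runs on every path.
type fixedWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (w *fixedWriter) WriteHeader(code int) {
	if w.wroteHeader { // avoid net/http's "superfluous WriteHeader" on double call
		return
	}
	w.wroteHeader = true
	w.Header().Del(debugBackendHeader)
	w.Header().Del(debugAuthHeader)
	w.ResponseWriter.WriteHeader(code)
}

func (w *fixedWriter) Write(b []byte) (int, error) {
	if !w.wroteHeader {
		w.WriteHeader(http.StatusOK) // mirror net/http's implicit 200, via our logic
	}
	return w.ResponseWriter.Write(b)
}

// serveDefaultFile stands in for a "defaultfiles"-style routine: it writes a
// body without ever calling WriteHeader. The debug headers are set here to
// simulate upstream headers that must not reach the client (constructed values).
func serveDefaultFile(w http.ResponseWriter, body []byte) {
	w.Header().Set(debugBackendHeader, "10.0.0.1:8080")
	w.Header().Set(debugAuthHeader, "example-infra-token")
	w.Header().Set("Content-Type", "image/x-icon")
	w.Write(body)
}

// leakedHeaders runs serveDefaultFile through the given wrapper and returns the
// debug headers that reached the recorded response, plus the status code.
func leakedHeaders(wrap func(http.ResponseWriter) http.ResponseWriter) ([]string, int) {
	rec := httptest.NewRecorder()
	serveDefaultFile(wrap(rec), []byte("\x00\x00\x01\x00")) // constructed favicon stub
	res := rec.Result()
	var leaked []string
	for _, h := range []string{debugBackendHeader, debugAuthHeader} {
		if res.Header.Get(h) != "" {
			leaked = append(leaked, h)
		}
	}
	return leaked, res.StatusCode
}

func wrapLeaky(w http.ResponseWriter) http.ResponseWriter { return &leakyWriter{ResponseWriter: w} }
func wrapFixed(w http.ResponseWriter) http.ResponseWriter { return &fixedWriter{ResponseWriter: w} }

func main() {
	leaked, code := leakedHeaders(wrapLeaky)
	fmt.Printf("leaky wrapper: status=%d leaked=%v\n", code, leaked) // leaks both headers
	leaked, code = leakedHeaders(wrapFixed)
	fmt.Printf("fixed wrapper: status=%d leaked=%v\n", code, leaked) // leaks none
}
```

The recorder snapshots headers at the moment its WriteHeader runs, which is exactly what a real net/http connection does, so the leaky wrapper shows both debug headers and the fixed one shows none. A caveat when applying this pattern to a real proxy: a struct that embeds http.ResponseWriter still satisfies only the http.ResponseWriter interface, so http.Flusher and http.Hijacker support must be re-exposed explicitly if upstreams rely on streaming or WebSockets.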

Information Leak by Le Pham (24/06/2020)

Le Pham found an information leakage vulnerability in IsoDb, our in-house database proxy layer for DB replica isolation. Specifically, one of the backends IsoDb connects to is a MySQL instance that uses InnoDB with one metadata file per table. Even though DB permissions are already limited, by querying INFORMATION_SCHEMA.FILES Le was able to dump all database and table names (no actual table data is leaked). This is fixed by moving all InnoDB metadata to a shared tablespace.

Information Leak by @todo (10/06/2020)

@todo found an information leakage vulnerability in CTFProxy that leaks an internal stack trace for some of the QuoccaBank services (e.g., www, accounts, cookies) on a specific 404 error page. This was caused by a legacy function in CTFProxy going down a different code path in error handling. We fixed this by disabling that legacy function. No sensitive information is leaked.