At the Mozilla Marketplace work week in Portland last week, we did a security capture the flag. The idea was modeled on last years Stripe CTF which was done online. In each round a web application was stood up with a security hole and developers had to hack their win, getting the "flag". Often this is done competitively, but being Mozilla we didn't do that.
My goal was to focus on things that could be found and hacked within about 10 mins. In the Stripe case, many were designed to be much longer. That meant a few interesting challenges I wanted to get into, like MITM and replay attacks weren't really possible. So those got binned.
As it turns out we ended up starting this at 4pm and had less time than planned, so it was good the challenges weren't too hard as everyones brains were already fried by a full day.
The code and presentation is on github.
The first one was pretty easy and pretty much everyone got it, but things started to drop off a bit after that. Some were cracked in a matter of seconds. I did think it was awesome that our operations team got a bunch of them.
I'd like to do this again, but next time focusing on harder challenges and doing them over a longer time period. Maybe one day or so would give more time for complex problems.
Thanks to Rob Hudson for thinking of ideas and checking my answers. And thank you to everyone who participated, I learnt a lot writing it and I hope it was helpful and fun.