Modernizing SQL Injection CTF Challenges
06-28, 15:30–15:50 (America/Los_Angeles), Prime Dome

At Nautilus Institute, we built a system for running "Raw Water," a web-based SQL injection challenge for the DEF CON Capture The Flag qualifiers in 2023. The challenge gave each team a private, isolated, and persistent SQL instance to attack through a web application, and it was designed so that it could not be solved with the very generic "sqlmap" tool.

This talk touches on Vito's experience with web-based challenges as both a player and challenge author, SQL sandboxing techniques and how they affect game operations, mitigations for sqlmap, and potential future work.

As a member of Nautilus Institute, Legitimate Business Syndicate, and the Hack-A-Sat organizing teams, Vito has helped organize Capture The Flag contests enjoyed by thousands of players all over the world. Vito's work included building infrastructure for distributed software development, designing and building both cloud-based and on-site scoring systems for CTF, visual design and branding of competition materials, picking fonts, sourcing coffee and other beverages, and challenge development. Vito's favorite software weakness is CWE-666 and he literally unironically enjoys long walks on the beach.