
Henceforth, All Job Applicants Must Hack Into Our Backend (Dev Challenge)

49 points | kessler | 15 years ago | seatgeek.com

37 comments

[+] zg|15 years ago|reply
Would be funny if somebody went overboard and actually rooted the box, deleted the other entries and changed the site so the problem couldn't be solved (or closed the competition).

Then I guess you'd have to give him the job by default :-)

[+] notr00t|15 years ago|reply
Always has to be a "him" right? Myopic macho nonsense, just like this company that wants "hyper-motivated" applicants. Ridiculous, geek-macho, over-caffeinated boys who speak first and (maybe) think later.
[+] kapilkale|15 years ago|reply
This is phenomenal. Makes the application process way more interesting. Hope your quality of applicants goes through the roof.
[+] johnswamps|15 years ago|reply
I just completed it, it shouldn't take more than 15 minutes or so. There's no real hacking involved, it's mostly just using a tool like firebug.
[+] josegonzalez|15 years ago|reply
I'm interested in seeing applications that submit themselves :)
[+] jack7890|15 years ago|reply
Regarding whether or not it's too easy...that's something we wondered about. We decided we wanted a relatively straightforward initial screen rather than a complex brainteaser.

So I would by no means liken this to the Greplin Challenge, but we're trying to accomplish something different. We're hoping to eliminate the crappy applicants so we can spend more time on the good ones.

[+] jayphelps|15 years ago|reply
After I initially overreacted about its simplicity, I saw the point more clearly. In fact, the more I think about it the more I loved it. (from your business's standpoint)

Whenever I've been a part of interviewing candidates, ≈70% of the time was wasted on applicants who fluffed their resumé, got an interview, and were obviously not what they claimed to be. This would probably significantly reduce that overhead and at the same time attract people who enjoy coding vs. do it just to pay the bills.

[+] temphn|15 years ago|reply
Not a web developer, but a scientist who plays around with it a little bit. Here is what I tried:

1) Viewed source. Didn't see any obvious comments.

2) Looked at .css files. Nothing obvious there, though there are styles for form/etc classes and elements that aren't used in the page.

3) Tried creating some forms with input and label elements in the markup in Firebug to see if CSS labeling on buttons showed anything. Just showed "Submit Query".

4) Looked at session headers in Firebug/Safari and saw something along the lines of

  < HTTP/1.1 403 Forbidden
  < Server: nginx
  < Date: Tue, 26 Oct 2010 09:10:58 GMT
  < Content-Type: text/html; charset=utf-8
  < Connection: keep-alive
  < Status: 403 Forbidden
  < X-Runtime: 0.001014
  < Content-Length: 1552
  < Set-Cookie:   sg.session=%7B%22csrf.token%22%3A%228KSf5VQhEB6DRoS0Z9PWW6ugXnH4e132LzBH8E76dE4%3D%22%7D; path=/
5) Noticed 'csrf.token' and googled to figure out it was a cross site request forgery prevention token, which seems sort of related.

Tried to mess around with this in Python and sort of got somewhere with this

  >>> import urllib
  >>> urllib.unquote("%7B%22csrf.token%22%3A%22R5wuQON8nVfha%2F7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D%22%7D")
  '{"csrf.token":"R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw="}'
Then tried re-encoding:

  >>> urllib.quote(eval(urllib.unquote("%7B%22csrf.token%22%3A%22R5wuQON8nVfha%2F7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D%22%7D")).values()[0])
  'R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D'
and then doing an HTTP POST with curl

  curl -v -d "csrf.token=R5wuQON8nVfha/7WRCXTvVMo7rZzu41dFPOVZ2V0MMw%3D" apply.seatgeek.com
But no dice. Is this totally the wrong direction? Is this puzzle really that obvious to any real web developer worthy of the name, and if so where did you earn your spurs/what books/sites did you read?
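The cookie quoted above is URL-encoded JSON carrying a csrf.token, and the thread's Python snippet decodes it with urllib.unquote and eval. The added example below is not from this thread or from SeatGeek: it decodes a cookie of that shape with json.loads instead of eval, then shows the two server-side checks that make such a cookie safe to trust, an HMAC over the serialized session so client-side edits are detected, and a constant-time comparison of the form-submitted token against the one bound to the session. The cookie value, the secret and the function names are constructed for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed sample shaped like the Set-Cookie value quoted in the thread:
# URL-encoded JSON with a "csrf.token" field. The token value is made up.
RAW_COOKIE = "%7B%22csrf.token%22%3A%228KSf5VQhEB6DRoS0Z9PWW6ugXnH4e132LzBH8E76dE4%3D%22%7D"

# Hypothetical server-side secret; a real deployment loads it from config,
# never from source.
SERVER_SECRET = b"example-secret-do-not-use"


def parse_session(raw):
    """Decode the URL-encoded JSON session into a dict.

    This is what the thread's snippet did with urllib.unquote + eval, but
    json.loads parses the document without executing it.
    """
    return json.loads(unquote(raw))


def sign_session(session, secret=SERVER_SECRET):
    """Serialize the session back to the same URL-encoded JSON shape and append
    an HMAC-SHA256 tag, so an edit to the cookie on the client is detectable."""
    payload = quote(json.dumps(session, separators=(",", ":")), safe="")
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # The tag is lowercase hex, so the last "." always separates payload/tag
    # even though the payload itself contains "csrf.token".
    return f"{payload}.{tag}"


def verify_session(cookie, secret=SERVER_SECRET):
    """Return the session dict if the tag verifies, else None.

    An unsigned cookie (like RAW_COOKIE) or a modified payload both fail.
    """
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(unquote(payload))


def csrf_check(session, form_token):
    """Compare the token posted in the form body with the one bound to the
    session, in constant time, as a CSRF double-submit check."""
    return hmac.compare_digest(session.get("csrf.token", ""), form_token)


if __name__ == "__main__":
    session = parse_session(RAW_COOKIE)
    signed = sign_session(session)
    print("parsed :", session)
    print("signed :", signed)
    print("verify :", verify_session(signed) == session)
    print("tamper :", verify_session(signed.replace("8KSf", "XXXX")))
    print("csrf ok:", csrf_check(session, session["csrf.token"]))
```

The point for a defender is that a session cookie which is nothing but URL-encoded JSON is fully under the client's control; binding it to a server secret with an HMAC (or switching to an opaque server-side session id) is what makes the csrf.token inside it worth checking.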
[+] dwwoelfel|15 years ago|reply
I think that you may have erred on the side of too easy. I have very little web development experience, but I was able to solve it in a few minutes. I didn't even use any developer tools.
[+] jayphelps|15 years ago|reply
Waaay too easy...honestly, I'm not tooting my own horn.

But I guess it would keep the lazy applicant from applying.

EDIT: on second thought, maybe it is the right level. They aren't likely looking for $100k+ hacker geniuses, just guys who can think outside the box and know how to do basic digging and prevent your typical hack.

I retract my statement. Clever application process.

[+] vinhboy|15 years ago|reply
Damn, you guys are way smarter than me. Took me like 2 hours for the first step. The rest was easier. I am not good at riddles I guess...
[+] sibsibsib|15 years ago|reply
it seems a bit on the easy side (only took me a few mins), but I like the idea. It was a fun challenge.
[+] atomon|15 years ago|reply
Fun challenge. It took me about 10-15 minutes using curl.

I think it's the right level of difficulty: Difficult enough that you're able to weed out a lot of really low quality applicants, but not so difficult that you run the risk of excluding high quality applicants.

[+] barrydahlberg|15 years ago|reply
That was fun. Personally I wouldn't make it any harder as it would already weed out a huge portion of the candidates I have interviewed in the past. I would perhaps add something that required a little JavaScript or something written though.

I wonder how many applications you get from people that don't actually want the job.

[+] pennig|15 years ago|reply
Not too shabby. Was pretty trivial to do with Safari's developer tools, actually.

I submitted this as my resume: http://www.russellheimlich.com/blog/wp-content/uploads/2007/...

[+] morganpyne|15 years ago|reply
Ha, I submitted my 'CV' as a (trivially) encrypted PDF. If I have to hack their site to apply, they have to hack my CV to read my application :-)
[+] sovande|15 years ago|reply
Hmm, did you modify the session cookie? Because that is _not_ trivial with Safari developer tools.

Edit: Removed potential spoilers.

[+] morganpyne|15 years ago|reply
I quite enjoyed this :-) Reminds me of an online game that I played through years ago which I'm having trouble digging references to now; hack your way through successive levels, starting with really trivial things like default passwords and working your way up through all the exploitation techniques through to the more interesting ones (buffer overflows, off by 1 errors etc).

I was well hooked on the writings of Aleph1, Mudge and Rain Forest Puppy at the time, and this game was an excellent tool for teaching developers about vulnerabilities and thus how to defend against them. I know that the game spawned a plethora of copy-cats later on of varying qualities - does anybody happen to know the one I'm referring to?

[+] seanalltogether|15 years ago|reply
Honestly they should not have made this announcement public, it should be a private message to anyone submitting an application, otherwise random people pick up the challenge and post the answers online.
[+] shyknee|15 years ago|reply
Great idea! I thought I had it figured out last night but the blank screen I got when submitting kept bothering me. This morning I double checked the requirements and saw if I got a blank screen I had not done it right.

I went back and got it figured out - I think the barrier to entry for this is just right.

[+] outsyder|15 years ago|reply
Puzzles are always fun, thanks for sharing.
[+] pseudonym|15 years ago|reply
Interesting, but not difficult. I approve highly of the idea, though; perhaps something with XSS next time?