That sounds like a really fun gamification of an aspect of security research that maybe doesn't get much practical exploration.
I'm not sure, though, how the game would distinguish between vulnerable code pinging the endpoint, as opposed to a player simulating a successful attack by performing the ping themselves.
I feel like the attacker should be able to provide a link to a package on a software repo somewhere and the game should download the package and check for some unique "Player 123456 attacked this package" string.
This reminds me of a similar game someone created where they challenged people to add a certain string to any repo that the challenge creator maintained. An ingenious social engineer then pointed out that the rules of this game weren't in an easy to find place, so the challenge creator added a page to their blog, which was under version control... Game over. Unfortunately I can't remember any detail that would allow me to find a citation for this story.
> I'm not sure, though, how the game would distinguish between vulnerable code pinging the endpoint, as opposed to a player simulating a successful attack by performing the ping themselves.
Yup, you're definitely right. Every time it's pinged I have it download the github repo and then search for the string but your suggestion makes way more sense. If someone managed to get their ID into a popular package the repo would be downloaded & searched again and again and again. I was also playing around with it only using one repo so I hadn't really given any thought as to how it would know which repo to download if there were more than participating.
I'll dust it off, make some changes you've suggested and then put it on GitHub so @9dev (and anyone else) can take a look and tell me what else needs improvement.
I'm not sure, though, how the game would distinguish between vulnerable code pinging the endpoint, as opposed to a player simulating a successful attack by performing the ping themselves.
I feel like the attacker should be able to provide a link to a package on a software repo somewhere and the game should download the package and check for some unique "Player 123456 attacked this package" string.
This reminds me of a similar game someone created where they challenged people to add a certain string to any repo that the challenge creator maintained. An ingenious social engineer then pointed out that the rules of this game weren't in an easy to find place, so the challenge creator added a page to their blog, which was under version control... Game over. Unfortunately I can't remember any detail that would allow me to find a citation for this story.