At Zomato, our tech teams are always working towards creating innovative solutions and ensuring we have adequate security measures in place that uphold them. This commitment led us to recently organize an event, ‘Capture The Flag’ (CTF), that was aimed at teaching security concepts to our developers in a practical and fun way. Taking learnings from our internal security audits and our active bug bounty program, it became evident that for building robust applications, developers required a thorough grasp of frequently encountered security weaknesses and that is why we created Hackoween – a security hackathon.

Let’s take you on a journey of how we achieved making security learning all this practical and fun!

Crafting challenges for all

We had a lineup of 16 challenges with various sub-challenges that aimed to cater to different skill levels. Our goal was to make sure everyone, from beginners to CTF experts, had something valuable and challenging to tackle. Through this, we educated them on critical security concepts in an engaging, competitive manner, making learning interactive for all participants.

Let’s go through a few challenges that stood out in the entire 48 hour event, each inspired by security vulnerabilities found in our internal application security audits.

Race 2 Finale: The race condition

Objective: This challenge shed light on a common oversight — the reliance on rate limiting without the implementation of locks to prevent the execution of concurrent requests. Here, we invited participants to exploit the OTP rate limit via a race condition attack.

Vaccine good or bad: SQL injection challenge

Objective: The task was to exploit SQL injection vulnerability to extract the CTF flag. This challenge was a stark reminder of the persistent threat posed by SQL injection attacks, emphasizing the critical need for implementing secure coding practices via parameterized queries and thorough validation of all user inputs.

No such thing as free lunch: Price manipulation challenge

This challenge was about a common bug – parameter tampering within shopping carts.  Participants had to identify and manipulate payment amounts to pay only ₹1 for a ₹500 product, demonstrating the importance of server-side validation and not solely relying on the user input.

Also, to further enrich the CTF experience, we introduced a dedicated section for Open Source Intelligence (OSINT) challenges. These puzzles were focussed on the art of gathering information from publicly available sources and were designed to be engaging and fun. By balancing the technical challenges with the investigative nature of OSINT puzzles, we aimed to provide a holistic cybersecurity experience.

Let’s explore some of the challenges that were part of the CTF.

OSINT Aircraft Surveillance: This challenge required participants to use their detective skills to gather information from public sources. Similar challenges were inspired by a common OSINT technique for aircraft surveillance, wherein flight data is publicly accessible, allowing one to track metadata for a specific aircraft.

GEOINT: Under the OSINT category, geolocation challenges are like playing a strategic game  of “GeoGuessr”. The task at hand utilizes a prevalent GEOINT technique, requiring participants to deduce the geographic location from visual cues in an image. In the illustration below, The display of “HOSTINEC” and “SARIS” signs indicates a central european linguistic region. Further translating the word HOSTINEC would yield that it is the Czech word for hotel, guesthouse etc, narrowing the result down to Czech Republic. This technique is commonly used in various government agencies to track location.

How can you build your CTF challenge platform like ours?

To host this event, we built a Ruby on Rails web application, specifically tailored for managing the CTF challenges and flags. Inspired by the open-source platform CTFd, our system provided a seamless experience for participants, with features like score visibility control, user-team management and Single Sign-On (SSO) login.

In order to safely replicate SQL injection attacks, we used a read-only SQLite database to prevent accidental writes and confine injection vulnerabilities within a sandbox. Demonstrating the credential leak scenario securely, we leveraged canary tokens instead of real credentials. This mitigated the risk of actual token abuse while still providing a realistic and educational experience. We used separate infrastructure isolated from the production environment for provisioning resources and to safeguard against potential unknown exploitation.

Let’s take you through the exciting D-Day

As teams gathered at the venue, the event kicked off with a briefing about Hackoween – what it was, highlighting the significance of security and setting the stage for 48 hours of intensive learning. The initial session was important, aligning the entire tech team’s focus on seeing this event as a learning opportunity rather than just a hackathon to be won.

As the competition commenced, the atmosphere shifted to one of intense determination. The initial tasks were designed to introduce participants into the CTF mindset, teaching them to recognize and submit flags, a crucial skill in accumulating game points and advancing in the competition.

True to Zomato’s spirit of creating memorable experiences, participants were treated to a range of refreshments like red bulls and pizzas, to keep their energy levels high for the thrilling hacking sessions ahead.

Watch the excitement unfold with us

48 hours flew by as tech teams burned the midnight oil to tackle these challenges. With all 245 participants forming 65 dynamic teams, the event was nothing short of spectacular.

While several teams were racing closely towards the finish line, two teams surged ahead in the final stretch, tackling the toughest set of challenges to emerge victorious.

1st Place: Ginyu Force 🥇

• Team Members: Deepak Verma, Saurabh Sabharwal, Sameer Saxena, Girish Kumar, Ayush Chauhan
• Prize: Each member received an iPad Air

2nd Place: Mishra ji ki team 🥈

• Team Members: Aniket Suri, Aniket Verma, Ram Singla, Rajat Taya, Arpit Mishra
• Prize: Each member received a Kindle reader

All the teams that persevered until the end demonstrated an unwavering fighting spirit and a resolve to win. These teams were rewarded with Zomato credits, recognizing their dedication and contribution to the event’s success.

All the participating teams gained valuable learning, collaboration and experiences from the event. Here are some testimonials that capture the spirit and essence of this event.

“At Hackoween, I tackled puzzles, uncovered vulnerabilities, and pushed my limits. It wasn’t just an event; it was like a cybersecurity masterclass”

by Akshit Sehgal – Platform Services Team

“Participating in the Hackoween was an exciting journey from individual challenges to working together as a team, ultimately leading us to overnight leaderboard triumph. It felt like a thrilling night filled with learning and camaraderie.”

by Rajat Taya – Data Platform Team

“Participating in the Hackoween was an exciting and challenging journey, giving me a much needed break from my routine work. It provided an incredible opportunity to enhance my technical skills, which will undoubtedly benefit me in the future. The sense of accomplishment at the end was unparalleled, making this a valuable learning experience.”by  Deepak Verma – SRE Team 

What is next for us and for you?

Emerging Security Champions in the Industry: Our success with Hackoween has motivated us to continuously find innovative ways to educate our engineering team about security practices. Our goal is to empower developers with essential knowledge and skills, emphasizing that security is an integral part of our product ecosystem, and not just an add on.

Join us in our journey to becoming security champions

We are thrilled to invite everyone to participate in this challenge. You’ll have the opportunity to tackle the same challenges that our developers tackled and learn about practical security concepts in a fun and interactive way. Ready to take on the challenge?

Visit our CTF portal to register.

The team behind this all!

Events like Hackoween are just one of the many initiatives we pursue to ensure our team remains well informed, skilled, and passionate about security. It’s a continuous journey towards creating a safer digital environment for our customers and ourselves.

This philosophy is evident in the way we scout for talent, focusing on skill set and passion for security. We value the diversity of experiences and the fresh perspectives that individuals from different backgrounds can bring to the table.  If solving security problems at scale excites you, we would love to hear from you at infosechiring@zomato.com.

To learn more about our work in the cybersecurity space at Zomato, check out this blog.

Until then keep hacking 😊