Game of Hacks (gameofhacks.com)
139 points by lelf on Aug 4, 2014 | 53 comments



After you answer a question, there should be an explanation of the right answer. I was able to guess through some that I had no idea what they actually were, and an explanation of why I did/didn't get it right will help a lot and actually help me identify vulnerable code.


Yeah. I have no CS background so I was hoping to learn something here. Nope.


Same here, I was able to guess through an answer which was "resource injection" by finding code 'PATH INFO' just made sense.


Yes! This is the first idea that occurred to me, show me why after each answer.


A little coloration and indentation would be great. Going through a chunk of 20 lines of unknown language in a couple seconds is already enough of a challenge especially for beginners, no need to add unreadability to it :P.


Fixing the indentation would also make the Python code readable. (For those who aren't aware, whitespace is significant in Python.)


Play it on an iPhone. You can pause the timer by holding your finger on the iPhone's screen.

Yeah, it's cheating, but isn't that what it's all about?


Hacking the hack!


The best part of this game is the leaderboard:

7e+177 - maplesyrupguy

1e+73 - Game itself was harder than to hack it

1.3999999999999998e+26 - I learned at least one thing...

1.555555682012021e+24 - Tries to teach security, fails at security.

1.4e+22 - jon

1e+22 - idiots

123456789212345710000 - Ironically it's easy to hack a game about finding security bugs!

100100000000000000000 - did i do

70000000000000130000 - alex

2800000000000251000 - frankwins


Maybe that was the meta game.


alex here. After getting a question correct, you can submit the same POST request with the same answer, and a very large negative number for the time. I imagine they're just adding your newly calculated score (30?-time) to your session's previous score. A lesson in sanitising inputs!


Always been a huge fan of maplesyrupguy.


You should always have the answer "Non-exploitable code" for every question. For some questions, the lack of this answer makes it clear that there is a vulnerability, and the structure of the question makes it obvious which one of the answers is most likely (e.g., no SQL or methods dealing with SQL exclude all SQL based answers, a question with "sleep" is highly likely to be a DOS by Sleep, etc.)

I'm not a CS guy, but I was able to deduce a lot of the answers just from how the question was structured.

EDIT: The actual response in the app is "Non-exploitable code". Updated my comment to reflect this


Just ran through 4 of the "beginner" tests and almost none of the answers I ran across was "none exist." Not trying to prove or disprove your point but did find it odd.


I liked the one that was a C program that used argv[0] (or argv[1] - can't remember) as the connection string for an SQL database. Then the answer was SQL injection. I mean, sure, you can argue that's a flaw with the program, but it's also THE ONLY POSSIBLE USE for the program.

I got 5/5 on advanced, but I don't think that proves anything. For most of the questions my response would be "decomp your code better and use comments."


Timer really put me off. I can solve these, I just need more time, having not used some of these languages in a while.

I'd rather the time counted up, losing points, instead of counting down until I'm told I fail.


Very cool, but why doesn't it tell you what the correct answer is when you get it wrong?


I was wondering that too... With some sort of insight into the correct response, one might be able to learn rather than just be tested. A lot of fun regardless.


It is good as a game, not so good as a learning tool. There should be an option to go back and analyze things with time for some research


I like the idea. I feel like a few seconds are spent trying to figure out what language it's in, but maybe I'm just a dummy.


Here's how to hack the hacking game. Pretty simple (in your console):

app.sendAnswer({answer: 1,time: -999999999999})

(I added the instructions on the leaderboard itself)
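
The flaw described in the two comments above (a replayed POST with a client-supplied negative `time`, and the `app.sendAnswer` console call) shown beside a server-side fix, as an added example that is not the game's code or any commenter's. The handler names, session fields, 30-second limit and scoring rule are assumptions modelled on the guess in the thread.

```javascript
// Added example: all names and the scoring rule are assumptions, not the game's real code.
const TIME_LIMIT = 30; // seconds per question (assumed from "30?-time")

// Naive handler as guessed in the thread: trusts the client's time, allows replays.
function scoreNaive(session, req) {
  if (req.answer === session.correctAnswer) {
    session.score += TIME_LIMIT - req.time; // a huge negative time adds a huge score
  }
  return session.score;
}

// Hardened handler: the server measures elapsed time itself, validates the
// answer field, and marks the question answered so a replay scores nothing.
function scoreHardened(session, req, nowMs) {
  if (!Number.isInteger(req.answer) || req.answer < 0 || req.answer > 3) {
    return { ok: false, reason: "bad answer", score: session.score };
  }
  if (session.answered) {
    return { ok: false, reason: "replay", score: session.score };
  }
  session.answered = true; // one submission per question
  const elapsed = (nowMs - session.askedAtMs) / 1000; // server clock only; req.time is ignored
  if (elapsed > TIME_LIMIT) {
    return { ok: false, reason: "timeout", score: session.score };
  }
  if (req.answer === session.correctAnswer) {
    // Clamp so a single award always lies within [0, TIME_LIMIT].
    const award = Math.min(TIME_LIMIT, Math.max(0, TIME_LIMIT - elapsed));
    session.score += Math.round(award);
  }
  return { ok: true, score: session.score };
}

// Constructed sample: question asked at t=0, correct answer is option 1.
function demo() {
  const forged = { answer: 1, time: -999999999999 }; // payload quoted in the thread
  const a = { score: 0, correctAnswer: 1 };
  scoreNaive(a, forged);
  scoreNaive(a, forged); // the replay is accepted again
  const b = { score: 0, correctAnswer: 1, askedAtMs: 0, answered: false };
  const first = scoreHardened(b, forged, 10000); // answered 10 s after the question
  const second = scoreHardened(b, forged, 10000); // same request replayed
  return { naive: a.score, first, second };
}
```
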


Crashing != hacking


There's a big difference between having to select between four different kinds of vulnerabilities when given a piece of code that you're told is insecure, and identifying them in the wild. This is more putting the square peg in the square hole than it is measuring the angles and being able to accurately identify the shape.


One of the questions that I got had an option that said "No vulnerabilities". I think having that option for every question with some solid code will let you find vulnerabilities more accurately.


I had hoped from the description this would be more like the latter, with vulnerabilities you had to exploit to advance to the next level. As a format, multiple choice quizzes are not that interesting.


1. This is a vocabulary and syntax quiz, mostly.

2. The code is unreadable (formatting) on a phone after 1.5 Manhattans.

3. Anybody else read the title in Robert Pollard's voice?


> The code is unreadable (formatting) on a phone after 1.5 Manhattans.

I presume you mean http://en.wikipedia.org/wiki/Manhattan_(cocktail) ?


I have no idea what most of those terms mean, no point in playing the quiz then


Like the idea (and in fact I've submitted some code loosely based on an example I actually found in an application!), but yeah, the comments about needing more time because of having not used some of the languages apply here also. And yeah, an explanation of the right answer would help - especially if you haven't used the language (at all, or in a while).


This was mostly an exercise in reading grey on grey unindented code. It's a nice idea, but you need to make sure you're measuring the right thing.


Somewhat ironic that the high scores have already been hacked, though a little inevitable since the game is client side I guess.


Pretty easy, you can ace without knowing all the languages/APIs used, just follow the usual code smells.


How can I see the correct answers?


When you beat the advanced levels, and are looking for a real challenge, give http://escape.alf.nu a try. I didn't make it but it's the most difficult but still educational hacking challenge I've seen. Also, since it validates answers server-side these days, it isn't, itself, hackable.


Cool game. Would be great if it gave a quick summary of why it was a right answer and maybe some additional resources to learn more.


Very cool. Would be better if it says the correct answer when I get it wrong?


On a related note, anyone else remember http://try2hack.nl/? It was one of the first sites that got me into programming/hacking.


Heh, the ticking clock makes it feel like that scene from the movie "Swordfish".

(Also I found the advanced questions much easier than the beginner ones.)


On beginner difficulty single player, I got the same question again and again. After the game ended, new game, still the same question.

IE11 FWIW.


Nice idea, but I don't like the timer. Actually, I should hack the page to disable it...


Cool game! Are there any beginner friendly resources out there to learn more about this?


Selfish plug: www.hackthis.co.uk


Had to wonder if the "root" guy on the leaderboard actually hacked the game :)


I dare anyone to respond faster than my -1.7976931348623157e+308.

(Or is it -9007199254740991?)


I wish they wouldn't have called it Game of _Hacks_.


Reminds me a little of CloudAcademy.com and their tests.


This is similar to www.codebashing.com/sql_demo



The funny stuff was the totally hacked leader board :)


Hmm, I saw duplicate questions in a single session.


Explanation and correct answers needed for most questions, and there was one such lengthy question... too long, didn't read!!!


The leaderboards are the best.


Why is this not called game of pwns?



