by saagarjha 1428 days ago
CTF challenges typically do not involve zero days as their intended solution, due to time constraints. Often they will inject a vulnerability into e.g. Chromium by patching it in a way that might approximate a real bug, then hand you the patch so you save the weeks, months it takes to find stuff like this normally. So from there it becomes purely a test of being able to exploit the bug, although still your constraints are a bit different as you can be loud and only really need to succeed once when an actual state-level actor will want something better than that. But again, this is a result of time constraints.

This is true, though I need to add the missing phrase - "CTF challenges typically do not involve zero days" in real world software.

They do however strictly involve zero days in software created for the purpose of the CTF - that's basically what CTFs are about.

Fair enough, although I would argue that a zero day in a menu-based heap massaging challenge is not really all that interesting :P

Not saying it's interesting (in terms of a real world application), but it technically is an 0-day ;)