Hack.me – House of the rising Sandbox
Yesterday we’ve announced our craziest project ever. We’ll release it on October 9th.
(Why crazy? Subscribe to our RSS)
If you still don’t know about it, please check it out here.
Ever since the first time I envisioned a platform where vulnerable web applications could be created and shared much like you do with a Mobile App on the Apple Store, me and Domenico Quaranta (@domequaranta), creator of Coliseum, would relentlessly put down notes and ideas on how this platform should have looked like.
Putting vuln apps in a virtual machine was easy: we could do it in days.
With Rackspace and Amazon, spawning a new virtual machine is just a matter of seconds, however this was not the solution we were looking for.
We just can’t be happy with something good enough. It’s the curse of engineers. We seek for optimum.
We knew we needed a powerful yet reliable way to run code on the fly in a secure manner.
Scalable was also a key word: we wanted to create new case studies (vuln apps) easily and fast in order to provide our students with always new scenarios to play with.
You won’t do that with a virtual machine hosting your code.
It was early 2010 when we started working on the Coliseum Framework architecture.
Coliseum was born. Coliseum is responsible for the spawning of sandboxes at OS/filesystem, web server and database level. It’s a number of libraries that take care of the isolation of every vulnerable web app that runs on the platform.
There’s no virtual machines involved. Coliseum takes care of taking a web application source code, instanciating a sanbox and run it under a new subdomain on coliseumlab.net. In few seconds. Not minutes or hours.
This means that what you do against an instance will not affect other instances.
On top of this framework we had created our most advanced web application security labs (Coliseum Lab WAS 360) that trained thousands students worldwide.
Squaring the circle was to use the Coliseum core to allow EVERYBODY to create a vulnerable app and share it with others.
This was Hack.me.
First thought of as the “Community edition” of the coliseum, changed name when me and the Hack.me developer Giuseppe Trotta (@giutro) stumbled upon the domain name for sale “hack.me”. It’s love at first sight.
We acquired the domain name and decided to just call the project after its domain name: HACK.ME.
What better name in the end?
Project had to be social, open to anybody and meant to be the place where web application security researchers, instructors and students can hit to play web application security in practice.
I think we managed to do it. On October 9th you will appreciate the results of our hard (1 year) work.
In the meantime you can follow the project on Twitter @hackmeproject and subscribe to our RSS where I will disclose more details about the project soon.