Saxo Bank OpenAPI HackMe Contest
Who Are We
Saxo Bank is a Danish investment bank, founded in 1992, that specialises in online trading and investment. It operates as an online broker with a banking licence and does not offer traditional banking products.
We offer trading through our online platforms in Forex, stocks, CFDs, futures, funds, bonds and futures spreads.
Why Are We at Bornhack
Being a global player in the financial markets, we are naturally always looking for highly talented co-workers. Having a presence at BornHack, we believe we can showcase some of the cool technology we use, as well as let the classic hacker types play with an API having a more material impact, to either build something cool or surface flaws in our setup.
Contest Intro
The contest will run from Tuesday at 13:00 and will close twenty-four hours later. We will be in one of the workshop rooms for a couple of hours when the contest starts in case you need help registering for an account etc. If you need help during the contest, catch us on IRC: graffen, pewpie or Otto_Str0m.
To enter the contest, you must sign up on the participant roster, so we know who's in. Please reach out to one of the Saxo Bank people in person or on IRC to get your name on the list. When the contest starts, you need to create an access token for yourself through our developer portal:
- Navigate to https://developer.saxo and go through the following steps to sign up for a developer account
- Click on the burger menu top right and then select "Get 24 Hour Token"
- You should now be presented with a login dialog. On the right you will see a button with the text "Simulation account signup"
- Fill out the form. You do not need to provide any identifying information (unless you want to be war-dialled by our sales people) but you will need to at least provide an email address that can receive your initial password. You can use a disposable email address like guerrillamail.com or lortemail.dk for this purpose
- Check your email and use the provided password to log in to your new Saxo Bank Simulation account
You now have full access for 24 hours to the development portal and can start poking around. Have fun! If you're curious to try out our trading application you can use the information you have received to log in to SaxoTraderGO to try some trading, and to see how the application interacts with our API.
Tracks
There will be two "tracks":
- Security findings & API flaws
- Cool POCs using our API
During the contest, you must submit your entries/findings to one of the Saxo Bank representatives who will take a note of your name/handle and validate what you have found/built.
Winners of the contest in the two categories will be elected by the team of Saxo Bank representatives.
Points and Prizes
Points will be awarded for the following:
- Creativity: 25%
- Impact: 25%
- Design: 25%
- Simplicity: 25%
We will not award points for:
- 500-type error codes returned by the API. There are many places where the API could behave better by returning proper response codes - this is already known and being worked on. What we're looking for is for places where the API returns something unexpected and not just an error code.
- (D)DOS-type attacks - don't do this, please.
There will be great prizes for the winner of each of the two categories.
Rules of Engagement / Code of Conduct
TL;DR: Be excellent to each other.
Before entering your name (or handle) on the contest roster, please familiarise yourself with our interim Vulnerability Disclosure Policy.
The following are the general rules for the competition:
- Fresh code: To level the playing field, each participant must start out fresh. Please don't build on top of previous projects. It's OK to use open-source frameworks and tools, though.
- Code review: We might want to do a proper code review to validate your hack/project, either just before we judge, or immediately after.
- Team size: Single-human or teams of up to 3-4 humans are allowed. You may also add one cyborg, Furby, drone or Sphero.
- Submissions: We're doing this relatively ad-hoc. You may submit your hack/project in any way, shape or form of your choosing as long as we have a way of validating it.
- Demo your hack: Before judging, we will ask all participants to demo their hack. We won't accept slide decks (PowerPoint). Also, a partially complete hack is just fine, as long as you can prove your concept.
- Have fun: It's a HackMe contest! Use whatever languages, tools and hacks you have in your arsenal. Show us hardware, show us new concepts. Show us anything you'd like.
Examples of things that are OK:
- Signing up for a demo account and playing with the API through the developer portal
- Intercepting requests and responses from the developer portal or SaxoTraderGO using a debugging proxy like BurpSuite
- Fiddling with requests and responses using BurpSuite or the like, to see if you can provoke the API to do weird stuff
- Building an Arduino/ESP-based gadget that can talk to the API and do something fun based on market events
Examples of things that are NOT OK:
- DOS/DDOS attacks against our API. You will be playing around in our Simulation environment and this does not have a lot of protection or massive hardware specs.
- Deliberately breaking stuff "just for fun".
Schedule for Saxo Bank HackMe!
- Tuesday, Aug 21st, 2018, 13:00 (CEST) - Tuesday, Aug 21st, 2018, 15:00 (CEST) at Workshop Rooms