Universiteit Leiden


Chris Handy excels in hacking competition: ‘Everything we find helps us to secure research data better’

During the HALON hacking competition, 28 teams had one goal: to find as many vulnerabilities as possible in the systems of Dutch higher education institutions. Research software engineer Chris Handy participated on his own and ended up in second place in the category ‘Vulnerabilities found at the highest number of unique targets’.

Once a year, ICT cooperative SURF organises the HALON competition. Various Dutch educational institutions, including Radboud University, Naturalis Biodiversity Center and Utrecht University, make projects available for vulnerability testing in order to discover where their security can be improved. ‘Some hackers focus on critical weaknesses, such as highly confidential data that could be leaked. I cast my net a little wider to see how many minor vulnerabilities I could find.’

Giving away information

Handy, for example, looked for ways to impersonate a website administrator. ‘On many WordPress websites, you can access the administrator login screen by adding /admin to the URL,’ he explains. ‘When I tried to log in with the “admin” account, I often received an error message saying that I had entered the wrong password for this account. Then I knew I was one step closer: the admin account apparently existed, so I only had to find the password to get in. This problem can be prevented by not sending that information in the error message.’
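The fix described above, shown as an added illustration that is not part of the original article and is not WordPress code: a login handler whose failure message depends on whether the account exists, next to one that answers every failure identically, plus a check a site owner can run against their own handler. It goes slightly beyond the article by also doing the same hashing work for unknown usernames; all names, the account store and the password are constructed for the example.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256) used for every comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample data: one account, one fixed salt (real systems salt per user).
_SALT = b"constructed-salt"
USERS = {"admin": _hash("correct horse battery staple", _SALT)}
# Hash compared against when the username is unknown, so both paths do equal work.
_DUMMY = _hash("placeholder-never-a-real-password", _SALT)

GENERIC_ERROR = "Incorrect username or password."

def login_leaky(username: str, password: str):
    """Behaviour the article describes: the message reveals that the account exists."""
    if username not in USERS:
        return False, "Unknown username."
    if not hmac.compare_digest(USERS[username], _hash(password, _SALT)):
        return False, "Wrong password for this account."
    return True, "Welcome."

def login_uniform(username: str, password: str):
    """Hardened form: one message for every failure, same work on both paths."""
    stored = USERS.get(username, _DUMMY)
    candidate = _hash(password, _SALT)
    # The membership test keeps a match against the dummy hash from ever succeeding.
    ok = hmac.compare_digest(stored, candidate) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_ERROR)

def leaks_account_existence(login, known_user: str, unknown_user: str) -> bool:
    """Self-check: do failed logins answer differently for a real and a made-up user?"""
    return login(known_user, "wrong-password") != login(unknown_user, "wrong-password")

if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        leaks = leaks_account_existence(handler, "admin", "no-such-user")
        print(f"{handler.__name__}: leaks account existence = {leaks}")
```
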

Leiden University did not participate as a hacking target this year, but Handy can still put his findings to good use. ‘When researchers have data to process, they can come to me to have it realized in a website or database,’ Handy explains. ‘I use the security vulnerabilities I encounter during these competitions to help me check my own projects for similar issues.’

Back again next year

As far as Handy is concerned, he will definitely be participating in the competition again next year. ‘After this year’s success, I think we should be able to put together one or more teams to do even better.’ He also plans to submit some of his own project sites to the competition next year for vulnerability testing. ‘Everything people find will help me improve security.’
