Mercari Participates in SECCON 2023

Hello everyone! I am @Kahla from the Security Engineering Team.

Last year, Mercari joined SECCON as a silver sponsor to get more involved in and show our support for the local and global cybersecurity community. SECCON, with its focus on information security, hosts a variety of competitions, conferences, and workshops, including its renowned CTF (Capture the Flag) international hacking contest. This event serves as an incredible opportunity to connect with brilliant hackers from Japan and around the world.

The Mercari booth during SECCON 2023

During the two-day event, my colleagues @iso, @fedorov, and I had a blast engaging with fellow CTF players, students, and professionals eager to explore Mercari’s security projects. Our booth became a lively space where we not only shared our ongoing security initiatives, but had fun chatting with the vibrant cybersecurity community.

Typically, booths at cybersecurity events are held by vendors looking to bring awareness to and find new customers for their products. So why did we, as a C2C-focused company, choose to set up a booth at SECCON?

Our Goal

Our goal at SECCON was to get more involved in the cybersecurity community and promote our internal initiatives! This year, we organized a beginner-friendly CTF, titled MerCTF, that drew in 35 participants. The challenges, featuring five easy web tasks and one more challenging endeavor, were designed to be more of a learning experience. Kudos to the winners who tackled all the challenges during the event, showcasing their skills and earning well-deserved recognition.

MerCTF platform home page

Despite the year-end rush with internal evaluations and daily work commitments, we managed to build out our MerCTF platform in just four days. For technical readers, we utilized the CTFd open source platform with a fun, custom theme and concentrated on creating web security challenges. Each challenge provided participants with access to source code, eliminating guesswork and ensuring a comprehensive learning experience. From server-side to client-side challenges, the hardest one involved prototype pollution escalated to XSS, with the second part featuring an XSLeak, requiring participants to leak the flag by abusing hop-by-hop headers. Despite the time constraints, we were thrilled that the CTF ran seamlessly, leaving all participants satisfied and entertained.

MerCTF hard challenge description

The MerCTF winner’s post on X

In between engaging conversations with attendees and hard work our hacking endeavors, our teammate @fedorov picked up the demo badge from the reception and used CircuitPython to proudly display a “JOIN MERCARI” message and link to our careers website. It was noticed by one of the SECCON CTF authors and organizers, @ptr-yudai, who posted it on social media.

@ptr-yudai’s post on X

SECCON ‘23 was a fun and fulfilling experience for Mercari, and hopefully for all the participants and visitors, too. We are looking forward to meeting more talented people at future cybersecurity events.

Don’t forget to check our careers website if you are interested in joining our security team!