Update: The CTF has now ended. Thanks for playing! We'll have another follow-up post here soon.

The hardest part of writing secure code is learning to think like an attacker. For example, every programmer is told to watch out for SQL injections, but it's hard to appreciate just how exploitable they are until you've written a SQL injection of your own.

We built Stripe Capture the Flag, a security wargame inspired by SmashTheStack's IO, to help the community (as well our team!) practice identifying and exploiting common security problems.

After completing our CTF, you should have a greatly improved understanding of how attackers will try to break your code (and hopefully will have fun in the process!).

You can begin Stripe's CTF challenge by running ssh level01@ctf.stri.pe from your shell and entering the password e9gx26YEb2.

Your goal is to read the contents of /home/level02/.password. In /levels/level01, you'll find a setuid binary owned by level02 (as well as its source code) — you will probably find it useful.

Once you have the password, you can ssh in as level02. There are six levels in all; once you've logged in as level06 your goal is to read the password from /home/the-flag/.password.

If you've successfully captured the flag, let us know at ctf@stripe.com! We'll send a special-edition Stripe CTF T-shirt to anyone who successfully captures the flag. Include the following information in your email:

I'll be hanging out with Patrick at Zum Schneider tomorrow night. Come say hello for a drink on us.

We’ve known for a while that Stripe should have a status page. After joining Stripe a few weeks ago, I decided to fix this. The page is now live at https://status.stripe.com.

The vast majority of the time, everything is working happily, and a status page that simply shows an almost constant green light isn’t very useful. However, historical performance is also critical, especially for infrastructure that powers your payments.

Taking inspiration from things like the Amazon Web Services and Google App Engine status pages, we decided to make historical availability a central focus of the page.

We built color-coded charts that show 90-day availability in Stripe’s three core services: the site, the API, and Stripe.js. We also show the raw uptime figures, calculated over the same three-month period. To calculate the figures, we use Pingdom to monitor each service, effectively performing a complete API request in the case of the API.

The page is hosted entirely separately from Stripe’s primary infrastructure to ensure that status.stripe.com is available even if the rest of Stripe isn’t. And in the spirit of making what you measure, we’ll likely add performance data and error rates.

Check out the result! If you use Stripe, you may also want to follow the @StripeStatus Twitter account, which we update when we’re having problems.

After I launched my first paid product, the first thing I wanted to add was a feature that would play a cash register sound on our computer every time we got a sale. I was also terrified of adding any code to our production server so I never got around to it. Of course, the way fun but unimportant features like that should be written is by keeping the code as far away from your production server as possible. And with our new webhook system, that can be as far as you want.

Cash registers are fun, but there are far more practical reasons to use webhooks. Most commonly, users of our subscription billing features use webhooks to get notified when a customer's credit card gets charged for a subscription renewal. Webhooks make it easy to send the customer an email receipt (here's a simple sinatra example that does just that). This same system also lets you watch for customers who haven't paid their bill so you can take whatever action you need to, like reaching out to the customer or canceling their service.

Events and Webhooks

The webhook system is built on top of another new feature we just released, our events API. Events are now first class API objects in Stripe, and can be retrieved like our other API resources. Whenever something interesting happens (like a new charge succeeding or failing, a customer changing their subscription, or an invoice being created), Stripe creates an event. That event contains a type property, which tells you what kind of thing happened, and a data property that contains the specifics of what happened. The events API can be useful for more than just webhooks; you can use it to build your own internal news feed of Stripe activity, or to build and monitor your own analytics.

If events are the actual things that are happening, webhooks are us telling you that something happened. When you add a new URL to your webhook settings, Stripe will start sending an HTTP POST request to that URL on every event. And we now support having as many live and test URLs as you want, which means you can mix and match multiple different services to respond to Stripe events, which is a truly enabling tool. You can see a list of events in your dashboard, and each event's detail page shows a history of the related webhooks.

Out with the old and in with the new

Our old webhook system, which we're now calling legacy webhooks, had a few significant flaws that have now been resolved. Unlike before, webhooks are now retried once an hour for up to 3 days or until a 200 status code is returned. And now you can verify the authenticity of a webhook by retrieving the associated event object securely over our API.

Another important way that we've improved webhooks is by eliminating responses. Previously, Stripe would try to take some actions based on the response to invoice_ready webhooks. Unfortunately, this meant not having an opportunity for receiving any errors Stripe may generate when validating that response. Now, rather than listening for responses, Stripe explicitly waits for one hour after you receive all your invoice.created webhooks to give you an opportunity to make any needed changes before the invoice gets paid. Since updates are done with standard API calls, errors and request logs are easy to track.

Getting started

So, now that we've built it, you should start using it! You'll find a short tutorial on webhooks in our docs, and we've also prepared an upgrade guide for users migrating off legacy webhooks. (But don't worry, the old system will keep working until you do migrate.) The documentation includes all the available API methods and a complete list of event types.

Oh, I also cooked up a quick node.js example app to get you started on building your own cash register. Have fun!