How to apply for a nerdy job at Bandcamp

One of the jobs currently posted at Bandcamp is a “Senior Fraud/Risk Engineer”. To apply, you have to finish a small puzzle, to demonstrate your infosec basics. Note that if you have to read a blog post to figure it out, you almost certainly are not qualified for the job. (I’m not qualified for the job either, but I like puzzles.)

Spoilers abound, obviously…

The first hint is:

To apply, gather the crumbs (starting with your cookies).

You need to look at the cookies being sent to your browser. There’s a cookie, scoped to the /jobs/ page only, that contains the URL to the next page.

That page has a limerick, and a dozen or so entries from a Web request log. Some of the requests point to real pages, and tell you something about the musical tastes of Bandcamp’s infosec staff. Others point to pages that don’t make as much sense. Part of the limerick is in a foreign language (assuming English is your native language). WHOIS’ing the IPs shown will help you figure out which request is the suspicious one, and thus which page to visit next.

That page is the artist page of an avant-garde electronic artist, whose albums sound a lot like JavaScript. (Fortunately the album covers show the code.) This was the most annoying part of the puzzle for me, because I kept making little subtle errors re-typing the code. Anyway, put it in your browser’s JavaScript console, and it’ll tell you where to go next.

The next page urges you to collect your crumbs. There’s a bare HTTP POST request, missing several elements (all replaced with question marks). Put the pieces together, then POST it (I just used the bare openssl CLI tool; I suppose httpie would work too, but I’m new to that). The response you get tells you the last URL to visit. Go there, log in, and they reveal the email address to which you should send your resume and cover letter.
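The hand-built POST from that last step, as an added example that is not from the original post or from Bandcamp: a small shell function that assembles a complete HTTP/1.1 request with CRLF line endings and a byte-accurate Content-Length, ready to pipe into `openssl s_client`. The host, path, cookie and body are constructed placeholders, the form-encoded Content-Type is an assumption, and `build_post` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed placeholders: the puzzle's real host, path, cookie and body
# are not reproduced here.
HOST="example.invalid"
REQ_PATH="/placeholder/path"
COOKIE="crumb=PLACEHOLDER"
BODY="field=PLACEHOLDER"

# build_post HOST PATH COOKIE BODY  (hypothetical helper)
# Writes a complete HTTP/1.1 POST request to stdout.
build_post() {
    host=$1
    path=$2
    cookie=$3
    body=$4
    # Content-Length counts bytes of the body, not characters, and the body
    # carries no trailing newline. A wrong length makes the server hang
    # waiting for more data or cut the body short.
    len=$(printf '%s' "$body" | wc -c | tr -d ' ')
    # Every header line ends in CRLF; an empty CRLF line ends the headers.
    printf 'POST %s HTTP/1.1\r\n' "$path"
    # Host is mandatory in HTTP/1.1.
    printf 'Host: %s\r\n' "$host"
    printf 'Cookie: %s\r\n' "$cookie"
    # Assumption: the body is form-encoded. Use whatever the page specifies.
    printf 'Content-Type: application/x-www-form-urlencoded\r\n'
    printf 'Content-Length: %s\r\n' "$len"
    # Ask the server to close after responding so the client exits cleanly.
    printf 'Connection: close\r\n'
    printf '\r\n'
    printf '%s' "$body"
}

# Sending needs network access, so it is left commented out.
# -quiet suppresses the handshake dump and keeps the connection open after
# stdin reaches EOF, so the response is still printed.
# build_post "$HOST" "$REQ_PATH" "$COOKIE" "$BODY" |
#     openssl s_client -quiet -connect "$HOST:443" -servername "$HOST"
```

Running `build_post ... | od -c` before sending shows the `\r \n` pairs and the exact body bytes that will go on the wire.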
