Web Challenge

1st OWASP-TP Web Challenge Competition

This year’s Web Challenge is jointly hosted by OWASP (Open Web Application Security Project) and Temasek Polytechnic.

The details of the game are stated below:

Type of Game: Capture-the-Flag

Objective: To win, you have to obtain all 6 flags that are found inside an internal corporate network.

Game Flow: Players start off from the Competition network (by plugging their laptops into the cables that are available). The players will have only one possible route to gain access to the Internal Corporate network, which is through the DMZ network.

In the DMZ network, there will be certain vulnerabilities that reveal important information needed to gain access to the corporate network. However, as this is a Capture-the-Flag competition, players will have to find the flags that are in the corporate network.

For each flag that has been found, the player will have to notify the Game Master. The Game Master will have to take note of the validity of the flag and the time the flag was validated.

Rules & Regulations:

1) All players will have to register their name and laptop MAC addresses (for monitoring usage and traffic filtering).

2) Participants are strongly advised to bring their own laptops.

3) Penetration testing tools for web vulnerabilities are allowed during the Competition.

PLEASE DOWNLOAD THEM EARLIER AS AN INTERNET CONNECTION WILL NOT BE PROVIDED ON THE DAY OF THE COMPETITION. AN EXAMPLE OF A TOOL IS THE BACKTRACK 4 OPERATING SYSTEM (http://www.backtrack-linux.org/downloads/).

4) Attacking anything other than the attacking/defending node will result in disqualification.

5) Attacking or hindering other competitors in any way results in disqualification. This includes ARP spoofing of the attacking node or any other form of attack that suggests denial of service on the attacking/defending node, the router, or the network itself.

6) Any IP address seen inside the ARP table that is not linked to a registered MAC address will be disqualified.

7) IP addresses will be assigned to competitors by DHCP.

8) Players are not allowed to have any form of communication with others (e.g. competitors, friends, members of the public).

9) Players are required to report for the Briefing for all Competitors 15 minutes before the start of the OWASP-TP Web Challenge Competition.

10) Players are only allowed to bring in one laptop.

11) Results will be announced at the end of ABS Seminar 2011.

12) No form of collaboration will be allowed during the Competition.

Thank you for your cooperation!

Enjoy the Challenge!