[Owasp-board] Fwd: New idea: Web CTF

Dinis Cruz dinis at ddplus.net
Sun Jan 28 22:08:02 UTC 2007


FYI, we might have a warm-up WCF here in London.

---------- Forwarded message ----------
From: Dinis Cruz <dinis at ddplus.net>
Date: Jan 28, 2007 10:06 PM
Subject: Re: New idea: Web CTF
To: Sam Pickles <sam.pickles at gmail.com>

Great, this could be very interesting indeed.

On 1/28/07, Sam Pickles <sam.pickles at gmail.com> wrote:
>
> Dinis,
>
> That sounds really cool; count us in!
>
> Apparently there's a dinner function on the 25th, so maybe the
> afternoon/evening of the 24th April might be suitable?


Yes, that is a good date.

> Between myself and Ed Barlow, who presented last time, we can participate in
> the event and present any content as required.


OK, but this time around we do have some time to prepare this, so I really
want to do it well. The only issue is that I am so overworked at the
moment that I really need some help with the logistics.

For example, can you get a list of public emails from all major vendors of
Web Scanners, Web Firewalls and Code Scanners? I will want to CC them on the
first email invitation. Actually, if you (F5) have a good relationship with a
couple of them, it might be good to contact them directly just to make sure
that we have at least one full set of tests.

We will also need to make sure SiteGenerator is working 100% for this (and I
will want to add a couple more vulnerabilities), so can you get somebody from
your team to have a look at it?

(I know that I could do all this, but I am really busy at the moment.)

> We could also look to do some marketing for the event, maybe an email to our
> security contacts - from your perspective, would we be allowed to use the
> OWASP name in a marketing email?


Sure (I would like to see that email before it is sent, just in case), and
I will also send it to all OWASP mailing list subscribers since it is quite
an interesting event.

> As far as I know F5 is a corporate OWASP member so hopefully this wouldn't
> be a problem.
>
> regards, Sam


Finally, one more request: based on the idea described in my email, can you
start to think about how we are going to make it work (from an operational
point of view)?

Dinis

On 26/01/07, Dinis Cruz < dinis at ddplus.net> wrote:
> >
> > Hi Sam,
> >
> > Interested in organizing a warm-up event in London similar to the one
> > we will do for the OWASP conference in Italy?
> >
> > See below the email I just sent to the Italian guys about it; we could
> > organize a similar event in London for InfoSec (which is in April, while
> > the OWASP conference will be in May). The idea could be to get all pieces of
> > the puzzle working together:
> >
> >   - Site Generator providing the websites
> >   - WAF(s) protecting it
> >   - WSS (Web Security Scanners) attacking it
> >   - The SCS (Source Code Scanners) finding vulnerabilities
> >
> > you could even show your XSS capabilities :)
> >
> > Dinis Cruz
> > Chief OWASP Evangelist
> > http://www.owasp.org
> >
> > ---------- Forwarded message ----------
> > From: Dinis Cruz <dinis at ddplus.net>
> > Date: Jan 26, 2007 5:44 PM
> > Subject: Re: New idea: Web CTF
> > To: Matteo Meucci < matteo.meucci at gmail.com >
> > Cc: Jeff Williams <jeff.williams at owasp.org>, Andrew van Der Stock <vanderaj at greebo.net>,
> > Dave Wichers < dave.wichers at owasp.org>, Eoin <eoinkeary at gmail.com>
> >
> > Hi Matteo
> >
> > I really think that CTF is a great concept, and one that has tremendous
> > educational value.
> >
> > My main idea is based on using the OWASP Site Generator tool to build
> > the dynamic websites that will be tested (we can also add some code to
> > monitor what is going on).
> >
> > So the event that I would like to propose is the "Human, WAF, WSS and
> > SCS vs SiteGenerator" event.
> >
> >     - The idea is to allow the humans and vendors to show how they are
> > able to detect, mitigate and exploit web application vulnerabilities
> >
> >     - The way it would work is that we (Owasp community) would create a
> > series of SiteGenerator websites which:
> >
> >         - The Humans need to attack or defend
> >         - The WAF (Web Application Firewalls) would need to protect
> > (with a valid exploit being the bypassing of a WAF protection)
> >         - The WSS (Web Security Scanners) would have to exploit/detect
> > (using only the capabilities in their tools)
> >         - The SCS (Source Code Scanners) would have to identify
> >
> >     - All vulnerabilities would be documented through ORG (Owasp Site
> > Generator)
> >
> >     - We will define what is worth a point, and the team with the most
> > points wins
> >
> >     - For practical reasons, everybody would receive the websites to
> > protect & attack 2 weeks before the event (although we would not disclose
> > where all the vulnerabilities are :)  )
> >
> > If we can pull this off, this will be a great experience for everybody
> > (except maybe for the vendor whose product flops).
> >
> > The way I would view this first event in Italy is that it will be the
> > warm-up for the big event in San Francisco (can you imagine how big it can be
> > if Google promotes and supports it?)
> >
> > Dinis
> >
> >
> > On 1/26/07, Matteo Meucci < matteo.meucci at gmail.com> wrote:
> > >
> > > Hi,
> > > here in Italy we are thinking about a new project called "Web Capture
> > > The Flag".
> > > We really like the idea of creating a new version of the classical CTF
> > > challenge based only on web application vulnerabilities.
> > > The idea is to add this challenge to the OWASP Conference so we could
> > > have Speeches, Training and "Challenge" sessions.
> > >
> > > Questions:
> > > * Dave, do you think we can set up this idea for the next Conference
> > >   here in Italy? Does this make sense in an OWASP Conference?
> > > * We can create a new OWASP project about that, but the problem is
> > >   that it can't be open. Maybe we can release the project after the
> > >   conference and begin developing a new release.
> > >
> > > What do you think about that?
> > >
> > > Thanks,
> > > Mat
> > >