[Owasp-hackademic-challenges] Owasp-hackademic-challenges Digest, Vol 13, Issue 1

Nishaanth Gunasekeran nishaanthguna at gmail.com
Wed Feb 4 19:51:00 UTC 2015


And also since we will have our sandbox ready in a month or so, we would be
able to include code execution challenges also in Hackademic.
+We need to separate all the challenges based on category.

On Tue, Feb 3, 2015 at 5:30 PM, <
owasp-hackademic-challenges-request at lists.owasp.org> wrote:

> Message: 1
> Date: Mon, 2 Feb 2015 21:36:39 +0530
> From: Anirudh Anand <anirudhanand722 at gmail.com>
> To: owasp-hackademic-challenges at lists.owasp.org
> Subject: [Owasp-hackademic-challenges] GSoC project idea: Defensive
>         challenges (secure coding)
>
> Hello everyone,
>
> My name is Anirudh Anand and I am currently pursuing my 3rd year Bachelor's
> degree in computer science. I was going through the OWASP Hackademic
> project recently because I always love to create and crack problems (and
> hence I love CTFs). When I went through the current issues, I came across
> this: https://github.com/Hackademic/hackademic/issues/69
>
>
> I have personally gone through so many applications like DVWA, OWASP
> WebGoat, Google Gruyere, pentest lab exercises etc. to enhance my skills
> in appsec but one thing I have noticed (and sad about it) is that almost
> all of them focus on teaching how to attack a vulnerable application and
> how to exploit them. But none of them teaches the students *why such issues
> exist*, which *part of code results in this attack* and how to *securely
> code* applications so as to overcome such issues. Answers to these
> questions are what I am trying to complete with the project.
>
> For example:
>
> How about giving basic SQLi vulnerable code and telling the users to fix
> it? Then we can test it by trying to inject and if the database dumps
> unusual results, that means the fix is not correct (I haven't personally tried
> implementing this but I think it's possible. Please correct me if I am
> wrong.).
>
> If implementing the above idea is difficult, how about a small variety like
> this: http://www.gameofhacks.com ? The basic idea is to give them
> vulnerable code and tell them to identify which kind of issue exists within
> a particular type of code. Once he/she gives the correct answer, we can
> provide a much more detailed explanation on why it happens and how it can
> be tackled by secure coding (imho implementing this in order of difficulty
> will really help students learn the concepts). Similarly we can implement
> defensive challenges to a wide variety (covering the entire OWASP Top 10).
>
> The objective I have in mind is that secure coding must be taught to
> students along with techniques on how to attack them. We have too many
> applications out there which we can actually try attacking and trying to
> exploit the same. Also we have CTF competitions where we again attack the
> application and exploit them but do not fix them. I haven't seen any
> good application giving importance to secure coding and teaching students
> on how to code securely so that issues like XSS or SQLi can be prevented
> (which I think is a really important task).
>
> I am thinking of further ideas on how I can improve this so that it could
> be more beneficial for the students who use Hackademic for learning the
> concepts of appsec. It would be great to get feedback on this idea.
>
> Thanks,
> --
>
> Anirudh Anand
> bi0s at AMRITA
> www.securethelock.com
>
> *"Those who Say it cannot be done, should not interrupt the people doing
> it"*
>
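
The fix-then-test idea from the quoted proposal (hand out a SQLi-vulnerable lookup, then check a submitted fix by injecting and looking for unexpected rows), sketched as an added example that is not part of either e-mail or of Hackademic's code. It assumes Python with an in-memory SQLite database; the table, rows, probes and function names are all constructed for illustration.

```python
import sqlite3

# Constructed sample data; the schema and every name here are hypothetical.
ROWS = [("alice", "alice-note"), ("bob", "bob-note"), ("carol", "carol-note")]

# (input, rows a correct lookup must return). Injection-shaped inputs match
# no owner, so anything other than an empty result means the fix is wrong.
PROBES = [
    ("alice", [("alice-note",)]),                 # normal use still works
    ("nobody", []),
    ("x' OR '1'='1", []),                         # tautology
    ("x' UNION SELECT owner FROM notes --", []),  # extra SELECT
    ("o'brien", []),                              # harmless quote must not error
]

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)", ROWS)
    return db

def vulnerable_lookup(db, owner):
    # Challenge starting point: input is concatenated into the SQL text.
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def fixed_lookup(db, owner):
    # A correct submission: the value is bound, never parsed as SQL.
    return db.execute("SELECT body FROM notes WHERE owner = ?", (owner,)).fetchall()

def grade(lookup):
    """Run every probe against a fresh database; return the failed probes."""
    failures = []
    for value, expected in PROBES:
        db = fresh_db()
        try:
            got = lookup(db, value)
        except sqlite3.Error as exc:
            failures.append((value, "error: " + type(exc).__name__))
            continue
        finally:
            db.close()
        if got != expected:
            failures.append((value, "returned %d row(s), expected %d" % (len(got), len(expected))))
    return failures

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_lookup), ("fixed", fixed_lookup)):
        print(name, grade(fn) or "PASS")
```

The benign probes matter as much as the injection ones: a submission that simply rejects every input containing a quote would block the tautology but fail the `o'brien` case.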