[Owasp-leaders] OWASP Projects - Short update - OWASP Vicnum Project has a new release!

Marcin Wielgoszewski marcin at owasp.org
Thu Oct 22 11:07:16 EDT 2009


Can I ask what the vulnerable parts of this application are?  I see multiple
SQL injection vulnerabilities in the admin/ section of the site, which I
presume would need to be "secure", given that it is the CTF scoring admin
page and all...

For example:

admin/view.php:

11: $table = $_GET["table"];
15: $connection = mysql_connect("localhost","root","vicnum");
19: $result = mysql_query ("SELECT name,guess,count,tod FROM
20:                          $table where count > 0 order by count,tod asc", $connection);
23: print "<H2>Below please find all $cnt Vicnum players in table $table\n<hr>" ;

Is this code for real?


On Thu, Oct 22, 2009 at 11:03 AM, Mordecai Kraushar <
mordecai at ciphertechs.com> wrote:

> Hi
>
> Yes, similarities do exist and it is more game focused than training
> focused.
>
> It's much smaller than webgoat and written in php and perl.  I have a few
> suggestions in there to modify the game to make it harder or easier to play
> depending on the sophistication of the audience, for example do you show
> some revealing fields in plain text or do you base64 encode them?  Either
> way is disclosure but one is more stealthy.
>
> So the app is supposed to be flexible and modifiable to challenge the web
> assessment vendors, web auditors or just game players.
>
>
> See it at http://vicnum.ciphertechs.com
>
> Mordecai
>
>
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
> Sent: Thursday, October 22, 2009 10:53 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Projects - Short update - OWASP Vicnum
> Project has a new release!
>
> While they are both very similar, Vicnum is more geared at setting up a
> capture the flag and other web app sec 'games' as opposed to being focused
> on teaching app sec.  Learning happens either way, just a different
> approach to get that done.
>
> -
> -- Matt Tesauro
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Thu, 2009-10-22 at 15:45 +0100, Eoin wrote:
> > What's the difference between this and webgoat?
> >
> >
> >
> > 2009/10/22 Paulo Coimbra <paulo.coimbra at owasp.org>
> >         Leaders,
> >
> >
> >
> >         I’ve just updated OWASP Vicnum project’s details page with its
> >         latest release – version 1.3. Please glance at it
> >         http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
> >         and, if you have feedback, send it over!
> >
> >
> >
> >         Many thanks,
> >
> >
> >
> >         Paulo Coimbra,
> >
> >         OWASP Project Manager
> >
> >
> >
> >
> >
> >         _______________________________________________
> >         OWASP-Leaders mailing list
> >         OWASP-Leaders at lists.owasp.org
> >         https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
> >
> >
> >
> > --
> > Eoin Keary
> >
> > OWASP Code Review Guide Lead Author
> > OWASP Ireland Chapter Lead
> > OWASP Global Committee Member (Industry)
> >
> > http://asg.ie/
> > https://twitter.com/EoinKeary
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
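The admin/view.php excerpt at the top of this message takes a table name straight from $_GET and interpolates it, unquoted, into the SQL string, then prints it back into the HTML page. A table identifier cannot be bound as a query parameter, so the fix is not a prepared statement alone but an allowlist of the tables the page is allowed to read. The following is an added example written for this archive page, not Vicnum's own code: it swaps the legacy mysql_* calls for PDO, uses an in-memory SQLite database (pdo_sqlite) so it runs stand-alone with `php view.php`, and the table name "players", its columns and the sample rows are constructed for the demo.

```php
<?php
// Added example, not Vicnum's code: hardened rewrite of the admin/view.php
// query. PDO + in-memory SQLite stand in for the MySQL connection; the
// "players" table, its columns and the rows below are constructed.
declare(strict_types=1);

// Identifiers cannot be bound as parameters, so the only safe way to let a
// request choose a table is to map its value onto a fixed allowlist.
const ALLOWED_TABLES = ['players', 'players_archive'];

function resolveTable(?string $requested): string
{
    if ($requested === null || !in_array($requested, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $requested; // now guaranteed to be one of our own literals
}

function fetchPlayers(PDO $db, ?string $requestedTable, int $minCount = 0): array
{
    $table = resolveTable($requestedTable);
    // $table is a literal from ALLOWED_TABLES; the threshold is bound.
    // Backtick quoting is accepted by both MySQL and SQLite.
    $stmt = $db->prepare(
        "SELECT name, guess, count, tod FROM `$table` WHERE count > :min ORDER BY count, tod ASC"
    );
    $stmt->bindValue(':min', $minCount, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderHeading(string $table, int $cnt): string
{
    // The original printed $table raw into the page; escape it first.
    return '<h2>Below please find all ' . $cnt . ' Vicnum players in table '
        . htmlspecialchars($table, ENT_QUOTES, 'UTF-8') . "</h2>\n<hr>\n";
}

// --- constructed fixture (stands in for the MySQL database) -------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (name TEXT, guess INTEGER, count INTEGER, tod TEXT)');
$db->exec("INSERT INTO players VALUES
    ('alice', 42, 3, '2009-10-22 10:00:00'),
    ('bob',   17, 0, '2009-10-22 10:05:00'),
    ('carol', 99, 1, '2009-10-22 10:07:00')");

// Stand-ins for $_GET['table']: one allowlisted value, one that is not.
foreach (['players', 'nosuchtable'] as $requested) {
    try {
        $rows = fetchPlayers($db, $requested);
        echo renderHeading($requested, count($rows));
        foreach ($rows as $row) {
            printf("%s guessed %d (count %d at %s)\n",
                   $row['name'], $row['guess'], $row['count'], $row['tod']);
        }
    } catch (InvalidArgumentException $e) {
        // Generic rejection; the offending value is never echoed back.
        echo "rejected request: ", $e->getMessage(), "\n";
    }
}
```

Two things worth noting from a defender's side: the allowlist is the control that actually closes the hole in line 19/20 of the excerpt, since a prepared statement cannot protect an identifier position, and the htmlspecialchars() call addresses the second issue in line 23, where the same untrusted value was printed into the page unescaped. The excerpt also connects as the MySQL root user; a least-privilege account with SELECT on just these tables would limit what any remaining injection could reach.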