Technical Description Web Security Contest




Table of Contents
1. INTRODUCTION
2. COMPETENCY SPECIFICATION
3. OBJECTIVES
4. RULES & REGULATIONS
4.1. Teams
4.2. Competition
4.3. General Rules
5. CONTEST ENVIRONMENT
6. TRAINING
7. WebGoat Training

1. INTRODUCTION

This contest is a great opportunity for students who would like to major in, or are currently majoring in, computer science, computer engineering, information technology, or any IT security related subject to measure their skills in web security and to acquire valuable experience. Furthermore, the contest prepares students to work in groups where each participant has a dedicated task, such as analyzing the website's structure, assessing the website's vulnerabilities, and finally planning and performing attacks. The competition allows students to interact with students from other institutes, where they have the opportunity to test their security skills and knowledge by detecting different security flaws. The competition is designed as a multilevel game to accommodate various levels of skill. The main objective of the students is to detect security flaws in the different problems and to exploit them. The contest's goal is to attract the attention of companies and universities to a new generation of skilled security students.

2. COMPETENCY SPECIFICATION

The contest runs over two days; the first day lasts five hours and the second three hours. Students compete in teams against other teams from the same or other institutions. Each team has to perform a series of attacks on a website, where the attacks get harder on the second day. This is done using one computer per team. Solutions involve performing different attacks such as SQL injection, cross-site scripting, etc. Denial of service attacks are not allowed, and teams that perform them are disqualified from continuing the contest. Each team attacks a given web server, where the attacks can be related (i.e. performing attack 1 allows attack 2 to be performed) or unrelated. Judges can monitor the performance of the system and the progress of the teams through their own judging system. Teams are ranked based on the level of infiltration they achieve (i.e. the level of successful attacks) and the time needed to do so. Each team may ask up to three assistance questions, each of which carries its own penalty in marks. The use of the Internet is not allowed; however, hard copy reference materials such as books and manuals are allowed.

3. OBJECTIVES

For the Participants:
- To measure their skills against those of their peers from other institutes.
- To acquire valuable experience.
- To compete for valuable prizes.
- To be seen by potential employers.
- To attend, free of charge, training on information security delivered by experts.

For Institutes:
- To promote their IT programs, particularly those in information security.
- To gain visibility.

For IT related Companies:
- To recognize and recruit potential employees.

For Emirates Skills:
- To contribute to enhancing the community's knowledge about information security and its importance.
- To facilitate networking and collaboration among institutes and companies.

4. RULES & REGULATIONS

4.1. Teams

1. Teams must register before the deadline.
2. Each team may register four members, of whom only three participate; the fourth is a backup, and a replacement may be made at the beginning of a contest day but not during it.

3. Only school, college, and undergraduate students (aged 16 to 21) are allowed to participate in the contest. A team will be disqualified if the judging committee discovers that one of its members has violated the rules.
4. Each institute may enter one or two teams.
5. Each team must adopt a name and appoint a representative (coach).

4.2. Competition

1. The main language of the contest is English, and all provided systems and materials are in English.
2. The contest lasts two days; the first day lasts five hours and the second day three hours. Contestants must not leave the competition during contest time; otherwise the team is considered to have withdrawn from the competition.
3. Students are asked to detect vulnerabilities in the provided systems, not to inject viruses.
4. A vulnerability is considered detected once it has been exploited.
5. Denial of service (DoS) and distributed denial of service (DDoS) attacks are not allowed. Such attacks can lead to a team being disqualified.
6. Contestants may bring published reference books only, except for e-books, in either paper or electronic format; manuals, listings, and any handwritten material are not allowed in the contest room.
7. The use of the Internet is not allowed.
8. Machine-readable media and devices (computers, pocket calculators, mobile phones, CDs, flash memories, floppy disks) are not allowed in the contest hall.
9. Rebooting a computer under any circumstances during the contest must be done in the presence of an invigilator.
10. Contestants are free to choose the attacks they want to use to achieve a breach. However, no tools or software code may be used other than what is provided (if any).
11. Contestants must not inject viruses into the server.
12. The source code must not be changed in any way.

13. No denial of service attack will be tolerated. Such an attack may result in the team's disqualification by the judges.
14. Solutions are judged by reviewing the level of attacks performed, as observed from the judges' server.
15. Judges are solely responsible for determining the correctness of the submitted solutions; their decision is final.
16. Teams are ranked according to the level of security infiltration achieved, minus any penalties incurred by asking for hints. Ties are broken by comparing the time needed to perform the attacks.
17. Contestants requiring any kind of help should remain seated while being assisted by an invigilator.

4.3. General Rules

1. The organizing committee has the right to update these regulations as it sees fit. Participants may not dispute these regulations. It is the contestant's responsibility to check the contest's website for any updates regarding the competition.
2. Any team attempting to communicate with another team, to tamper with the machines, or to disrupt the contest environment in any way will be disqualified.
3. Participants agree to allow the organisers to publish their names as well as photos and videos in which they appear.
4. Smoking is not allowed in the competition room.
5. No visitors will be allowed in the competition room.

5. CONTEST ENVIRONMENT

The contest operating system environment is Microsoft Windows 7. The website is developed in PHP, with a MySQL database, running on an Apache server. No wireless connection will be allowed.

For judging and clarifications, a judges' server will be used to monitor the level of security breaches that the contestants achieve. No development tools will be provided, since no coding is involved.

6. TRAINING

The paper titled "Top Ten Hacks", adapted from the Black Hat conference, gives examples of different attacks. To train, practice performing some attacks. An excellent site for practicing security attacks is the OWASP WebGoat project. Samples are provided below.

7. WebGoat Training

Figure 1 - WebGoat Sample 1 (screenshot not reproduced in this transcription)

Figure 2 - WebGoat Sample 2 (screenshot not reproduced in this transcription)

Figure 3 - WebGoat Sample 3 (screenshot not reproduced in this transcription)