OWASP NYC AppSec 2008 Conference/ctf

Capture the Flag @ OWASP 2008 USA, NYC Sept 25th - 26th

Contest Registration
There will be a registration booth at the conference for you to provide your Name/Pseudonym/Team Name/handle and e-mail address. When the contest opens, you will receive an e-mail with instructions and passwords for accessing the contest web site. All questions on gameday can be forwarded to Dan Guido, who will be on-site and will also be available by e-mail at dguido@gmail.com. Registering for the CTF competition does not force you to participate; feel free to register just to have a look at the challenges.

The Contest
The CTF competition is arranged into a series of 30+ mini-challenges that each demonstrate a specific web application security vulnerability. They are grouped into the categories Easy, Medium, and Hard, worth 100, 250, and 500 points each, respectively.

How do I know when I've solved a challenge?
The "answer" to most of the challenges is a string of random numbers, an MD5 sum, or a SHA1 sum, which you will recognize when you get one. A few challenges require you to deface webpages or perform other tasks. Those challenges will specify how to know you're done.

How do I redeem my answers for points?
E-mail your Team Name, your answer, and the URL of the challenge you completed to dguido@gmail.com with [OWASP-CTF] somewhere in the subject line. Submissions will only be accepted from the e-mail you signed up with.

Rules

 * 1) Registering for the CTF competition does not force you to participate
 * 2) Only use your team e-mail (the e-mail you signed up with) for communicating with Dan
 * 3) You may submit answers in any order
 * 4) You may only submit an answer to a given question once
 * 5) Unless you are the author of the tool, the use of any commercial tool is forbidden (we suggest using OWASP tools)
 * 6) The entire competition is hosted on the same server for each team. If you find a hack which can modify the contents of the filesystem or disrupt the challenges in any way, e-mail Dan Guido with the details and he will give you bonus points.
 * 7) DoS attacks are not allowed and will result in disqualification
 * 8) The only legal play times are between September 24th X:XXam and September 25th X:XXpm

Communications
There will be an IRC channel set up for various taunts, hints, and communication between players. Please check back here later for details.

Awards
Awards for the top competitors and others will be given out at the end of the conference. Don't ask me what the prizes are, I have no idea. Also note, there will be more categories than just "top 3 best overall."

About the Developers
Dan is an undergraduate Computer Science student at the university formerly known as Polytechnic University. He made this series of challenges with the help of a few people in the lab including Aleksey Fateev, Yu Pok Chan, and Michael Aiello.

Project Committee
Leads
 * Project Primary: Mahi Dontamsetti - mdontamsetti(at)gmail.com - OWASP NY/NJ Board Member
 * Technical Primary: Dan Guido - dguido(at)gmail.com - Polytechnic University

Technical Contributors & Advisors
 * Nasir Memon - Polytechnic University
 * Brian Peister - Deloitte & OWASP NY/NJ Board Member
 * Martin Knobloch - Sogeti
 * Ashish Popli - Microsoft, ACE Team
 * Anthony Paladino - Airtight
 * Tom Brennan - OWASP Foundation