OWASP NYC AppSec 2008 Conference/ctf


Capture the Flag @ OWASP 2008 USA, NYC Sept 25th - 26th

Contest Registration

There will be a registration booth at the conference for you to provide your Name/Pseudonym/Team Name/handle and e-mail address. When the contest opens, you will receive an e-mail with instructions and passwords for accessing the contest web site. All questions on gameday can be forwarded to Dan Guido, who will be on-site and will also be available by e-mail @ dguido@gmail.com. Registering for the CTF competition does not force you to participate; feel free to register just to have a look at the challenges.

The Contest

The CTF competition is arranged into a series of 30+ mini-challenges that each demonstrate a specific web application security vulnerability. They are grouped into categories of Easy, Medium, and Hard, worth 100, 250, and 500 points each, respectively.

How do I know when I've solved a challenge?

The "answer" to most of the challenges is a string of random numbers, an MD5 sum, or a SHA1 sum that you will recognize when you find it. A few challenges require you to deface webpages or perform other tasks. Those challenges will specify how to know you're done.

How do I redeem my answers for points?

E-mail your Team Name, your answer, and the URL of the challenge you completed to dguido@gmail.com with [OWASP-CTF] somewhere in the subject line. Submissions will only be accepted from the e-mail you signed up with.


  1. Registering for the CTF competition does not force you to participate
  2. Only use your team e-mail (the e-mail you signed up with) for communicating with Dan
  3. You may submit answers in any order
  4. You may only submit an answer to a given question once
  5. The use of commercial tools is forbidden (we suggest using OWASP tools)
  6. The entire competition is hosted on the same server for each team. If you find a hack that can modify the contents of the filesystem or disrupt the challenges in any way, e-mail Dan Guido with the details and he will give you bonus points.
  7. DoS attacks are not allowed and will result in disqualification


There will be an IRC channel set up for various taunts, hints, and communication between players. Please check back here later for details.


Awards for the top competitors and others will be given out at the end of the conference. Don't ask me what the prizes are, I have no idea. Also note, there will be more categories than just "top 3 best overall."

About the Developers

Dan is an undergraduate Computer Science student at the university formerly known as Polytechnic University. He made this series of challenges with the help of a few people in the lab including Aleksey Fateev, Yu Pok Chan, and Michael Aiello.

Project Committee

 Project Primary: Mahi Dontamsetti mdontamsetti(at)gmail.com - OWASP NY/NJ Board Member
 Technical Primary: Dan Guido - dguido(at)gmail.com - Polytechnic University
 Technical Contributors & Advisors
 Nasir Memon - Polytechnic University
 Brian Peister - Deloitte & OWASP NY/NJ Board Member
 Martin Knobloch - Sogeti
 Ashish Popli - Microsoft, ACE Team
 Anthony Paladino - Airtight
 Tom Brennan - OWASP Foundation