Capture the Flag Application Security Challenge

Open to: undergraduates located in the continental U.S., who can compete for prizes (see the special note for graduate and international participants). This is an online competition that can be done remotely. Teams are limited to 4 members.
Registration: deadline TBA | Register
Event dates: TBA
Team captain/contact for questions: Julian Cohen and Luis E. Garcia II

The CSAW Application Security Challenge is a cyber attack competition loosely based on the DefCon Capture the Flag Prequals. Participants will be given a series of challenges divided into different categories, each worth a specified number of points. This year, the competition will focus equally on Web Application security, Reversing and Exploitation. Make sure you are a jack-of-all-trades or put together a team with a diverse skill set.

Prizes

Master of Science scholarships for students who attend NYU-Poly:
  • 1st place: $5,000
  • 2nd place: $3,000
  • 3rd place: $3,000
Cash prizes for winners: 
  • 1st place: $500
  • 2nd place: $250
  • 3rd place: $100

Non-undergraduate teams will be given an NYU-Poly certificate with relevant details.

Travel Grants

Each finalist from the continental US will receive a travel grant to offset the cost of attending the awards ceremony, where the first-, second-, and third-place winners will be announced, along with a bonus prize winner. Finalists must be present at the awards ceremony to obtain their prizes.

Rules

  • Registering for the CTF competition does not force you to participate
  • Teams are limited to 4 team members; there can be an unlimited number of teams per university
  • Only use your team e-mail (the e-mail you signed up with) for communicating with the team captain
  • You may submit answers in any order 
  • You may only submit an answer to a given question once 
  • Unless you are the author of the tool, the use of any commercial tool is forbidden (we suggest using OWASP tools)
  • The entire competition is hosted on the same server for each team. If you write an exploit that can modify the contents of the filesystem or disrupt the challenges in any way, e-mail the team captain with the details and he will give you bonus points.
  • DoS attacks are not allowed and will result in disqualification
  • The only legal play times are: TBA

Registration/Participation Logistics

  • Include the team name and the names of all your team members during registration

Note for Graduate/International Students

We are glad to announce that graduate and international students can participate. Complete details will be posted soon. Interested students may register using the regular registration form.

We wish to thank all our previous participants and graduate students for their support and interest and hope you'll find this year's CTF equally engaging and fun.

Frequently Asked Questions

How do I know when I've solved a challenge?

The "answer" to most of the challenges is a string of random numbers, an MD5 sum, or a SHA1 sum, which you will recognize when you get one. A few challenges require you to deface webpages or other tasks. Those challenges will specify how to know you're done.

How do I redeem my answers for points?

A scoreboard will be hosted during the competition, where solutions can be submitted for points and the live scores of all teams can be tracked.

2009 Judges

Erik Cabetas, Director of Information Security @ an NYC e-commerce startup | erik.cabetas.com

Dino Dai Zovi, Co-Author, The Mac Hacker's Handbook and The Art of Software Security Testing | trailofbits.wordpress.com

Dean De Beer, Principal, zero(day)solutions | zerodaysolutions.com

Stephen Ridley, Matasano Security | twitter.com/s7ephen

Keith O'Brien, Distinguished Systems Engineer, Cisco Systems | Bio