What’s a CTF?

Competitors match wits with a series of application security challenges in order to uncover flags. Challenges range from simple to maddeningly complex. Competitors submit discovered flags to a central scoreboard to score points for their team. Point values vary based on challenge difficulty. At the end of the competition the team and individual players with the most points win prizes.

What makes WaspNest different?

WaspNest is a from-scratch CTF created by the Boulder OWASP chapter (meetup.com/OWASP-Boulder) exclusively for AppSec USA 2014. Departing from the traditional Jeopardy-style format, WaspNest offers both an engaging plot and an immersive Internet-like sandbox. The biggest difference is the delivery format. Each competitor receives a copy of WaspNest as a virtual machine (VM). The VM and all attacks run on each competitor’s local system.

I am a {noob | 1337 skiddy | senior pentester}. Is this competition right for me?

Yes! WaspNest is designed to be approachable at all skill levels. Challenges cover a wide spectrum of difficulty, and volunteers are there to help you if you get stuck (or just need help getting started).

What are the participation requirements?

This is a BYOD event. Contestants will be provided with a VM which will run locally on self-provided devices. Your device will need:

  • A virtual machine player with at least 1GB RAM and 2 CPU cores
  • Another 1GB+ RAM and 2+ cores for your host system
  • Appropriate penetration testing tools

By giving me a VM you are effectively providing physical access. What’s stopping VM attacks?

Competition rules, personal guilt, and public shaming.

What’s this about rules?

In a nutshell:

  • Do not scan, attack, or otherwise abuse the host infrastructure. Period. This is a zero tolerance rule and will result in Very Bad Things.
  • Do not attack the scoreboard. Misuse will result in punitive action.
  • Do not attack other competitor systems.
  • Don’t cheat. Don’t get caught cheating.