WebApp Sec mailing list archives
Re: Requesting help with WebAppSec Game Development
From: Joe McCray <joe () rootwars org>
Date: Thu, 2 Oct 2003 17:30:47 -0400
Yes I know - I've done a lot of reading about WebGoat. The drawbacks that I can foresee would be that I want to restrict the playing of the games to rootwars members, and I don't really want to run it in Java (don't want to load Tomcat, and don't want to open port 8080 on the box so anyone could get to it either). I'd actually like to have each level be a separate Java applet that can be embedded into webpages that are located in the members section of the site.

My other issue is that although I do know C and Perl, I don't know Java, and I don't really feel comfortable developing something on webappsec as I'm very new to the subject myself (I'm an IDS guy).

I'm hoping that a level-based game like this would be a good precursor to actually having web application security courses at rootwars in a year or so. I've had a lot of discussions with people on the subject of teaching webappsec and I'm finding that without strong fundamentals in programming it's almost impossible to teach.

Most of the people that come to my site are very new to security. That's another reason that I really liked the level-based games. It would force people to read more, and communicate with other people in the forums on the site about the levels in the game because they'd be challenging while at the same time allowing people to progress at their own pace. I think you'd lose way too many people in a course on webappsec (especially with the current rootwars.org audience).

I'd love to get more feedback from you guys on this subject.

Joe McCray
joe () rootwars org
http://www.rootwars.org
Hacking Games Hands-on Courses HackLab Access

Quoting "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>:
Joe,

What are you thinking of exactly? You could easily customize WebGoat to be more like a game. It's extremely easy to implement new lessons (the hard part is thinking them through). To make a new lesson, you just fill a few methods into a single Java class. It's all dynamically loaded, so you don't have to change anything else. If you wanted to make a game of it, just remove the existing lessons and drop in the ones you want.

--Jeff

Jeff Williams
Aspect Security
Securing your applications at the source
http://www.aspectsecurity.com
Do your developers know the top ten web application security mistakes?

----- Original Message -----
From: Joe McCray
To: webappsec () securityfocus com
Sent: Thursday, October 02, 2003 2:45 PM
Subject: Requesting help with WebAppSec Game Development

Hey guys,

I've been a service exploitation kinda guy for a while now and I compete in a lot of hacking competitions, and this year at Def Con's capture the flag competition we had to complete the first 10 levels of ngsec.com's web authentication game just to qualify for the game. The game was almost completely web app based, and it was a lot of fun.

Basically what I'm emailing the list for is because I'd like to have something like the WebGoat server on www.rootwars.org so people can use it as a tool for learning webappsec. It's an area of computer security that we don't focus on yet, and I can see that it is important and will only become more critical as time goes on.

This is just one of the many things that we would like to work toward having at rootwars.org, and would love to have more people help out.

Please contact me at: joe () rootwars org if you are interested.

Joe McCray
joe () rootwars org
http://www.rootwars.org
Hacking Games Hands-on Courses HackLab Access