WebApp Sec mailing list archives

Re: Requesting help with WebAppSec Game Development


From: Joe McCray <joe () rootwars org>
Date: Thu, 2 Oct 2003 17:30:47 -0400

Yes I know - I've done a lot of reading about webgoat. The drawbacks that I 
can foresee would be that I want to restrict the playing of the games to 
rootwars members, and I don't really want to run it in java (don't want to load 
Tomcat, and don't want to open port 8080 on the box so anyone could get to it 
either). I'd actually like to have each level be a separate java applet that 
can be embedded into webpages that are located in the members section of the 
site. My other issue is that although I do know C and Perl, I don't know java, 
and I don't really feel comfortable developing something on webappsec as I'm 
very new to the subject myself (I'm an IDS guy). I'm hoping that a level based 
game like this would be a good precursor to actually having web application 
security courses at rootwars in a year or so.

I've had a lot of discussions with people on the subject of teaching webappsec 
and I'm finding that without strong fundamentals in programming it's almost 
impossible to teach. Most of the people that come to my site are very new to 
security. That's another reason that I really liked the level based games. It 
would force people to read more, and communicate with other people in the 
forums on the site about the levels in the game because they'd be challenging 
while at the same time allowing people to progress at their own pace. I think 
you'd lose way too many people in a course on webappsec (especially with the 
current rootwars.org audience).

I'd love to get more feedback from you guys on this subject.

Joe McCray
joe () rootwars org
http://www.rootwars.org
Hacking Games   Hands-on Courses   HackLab Access



Quoting "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>:

Joe,

What are you thinking of exactly? You could easily customize WebGoat to be
more like a game.  It's extremely easy to implement new lessons (the hard
part is thinking them through).  To make a new lesson, you just fill a few
methods into a single java class.  It's all dynamically loaded, so you don't
have to change anything else.  If you wanted to make a game of it, just
remove the existing lessons and drop in the ones you want.

--Jeff

Jeff Williams
Aspect Security
Securing your applications at the source
http://www.aspectsecurity.com

Do your developers know the top ten web application security mistakes?




----- Original Message ----- 
From: Joe McCray
To: webappsec () securityfocus com
Sent: Thursday, October 02, 2003 2:45 PM
Subject: Requesting help with WebAppSec Game Development


Hey guys,

I've been a service exploitation kinda guy for a while now and I compete in
a lot of hacking competitions, and this year at Def Con's capture the flag
competition we had to complete the first 10 levels of ngsec.com's web
authentication game just to qualify for the game. The game was almost
completely web app based, and it was a lot of fun.

Basically what I'm emailing the list for is because I'd like to have
something like the Webgoat server on www.rootwars.org so people can use it
as a tool for learning webappsec. It's an area of computer security that we
don't focus on yet, and I can see that it is important and will only become
more critical as time goes on.

This is just one of the many things that we would like to work toward having
at rootwars.org, and would love to have more people help out. Please contact
me at: joe () rootwars org if you are interested.

Joe McCray
joe () rootwars org
http://www.rootwars.org
Hacking Games   Hands-on Courses   HackLab Access



