Capture the Flag

In this version of a "Cyber" Capture The Flag competition, you will work in teams of three to both to defend your system and attack those of others. The target system is a Content Management System (CMS) Web Application with a plug-in architecture. New functionality will be introduced during the competition via plug-ins, so be prepared to adapt to novel situations quickly.

The basic timeline is as follows.
  • A VM containing the Web APP will be available Feb 20.
  • Instruction will begin March 9.
  • CTF is April 2 & 3, 9am to 9pm.
  • Prizes will be awarded in a ceremony on April 4.

Competition VM

An important feature of this CTF is that the competition VM containing base OS and Web App will be distributed over a month prior to the competition proper. This is intended to add realism to the exercise, and it opens up a number of opportunities for extensive defensive and offensive preparation (read more about motivation). Your team might choose to very carefully configure the Operating System to reduce the attack surface your system presents on the network. You might review the CMS for security problems. You might construct attacks. You might choose to modify or correct the code. You might devise host-based monitors and or interpose input filtering modules to protect the CMS from malicious inputs. These are only a few ideas, and you should feel free to implement whatever you think will succeed. You will install your VM mods at the beginning of the CTF of April 2 via scripts.


There are no formal prerequisites. Working knowledge of Linux will probably be necessary, and familiarity with Web Application bits and pieces will be very useful to have obtained by competition time, including HTML, PHP, Javascript, Ajax, and MySQL. Much of this could be acquired along the way, through self-study. We will be giving a 30-40 minute walk-through on the CMS, pulling it apart into its components. But we won't give PHP or MySQL lessons.


We will be providing some instruction in defensive and offensive techniques and tools (see the schedule for more information). Slides will be made available on to registrants. However, self-study is strongly encouraged! In particular, notice that the competition VM will be available on Feb 20, whereas all formal instruction will begin two and half weeks later. See the page of external links for some jumping-off points for self-study. We, the organizers, additionally, will be happy to answer questions via email, within reason.


Participants are not strictly required to work in teams. However, it is encouraged that you do form a team. This CTF involves both offensive and defensive activity which would be tricky to accomplish alone. Team size is limited to five participants.

CTF Competition

CTF will be 9am-9pm April 2 and 3. The scoring system will not be turned on for the first 30 minutes to allow teams to run scripts to install software and apply patches. During the two day competition period, your team will actively defend and attack. At certain points during the competition, you will be asked to support new functionality in the form of plug-ins written by CTF management. The scoring system will provide some situational awareness, subject to random delays and outages. The scoreboard will not be visible for the final 30 minutes of CTF. Scoring will be a function of both defense (including measures of confidentiality, integrity, and availability) and offense. Rules are fairly standard (see more info).


We hope you will be motivated to participate in CTF because of all you will learn about how (and how not) to secure a Web Application (you can read more about motivation). But if not, there will also be prizes! The top team will win up to three iPads (or an equivalent amount of cash, approximately $1500). The second ranked team will win a smaller prize (of the order of an iPod touch per team member, i.e. up to $900). All participants will receive T-shirts unless we run out of money...