WebApp Sec: RE: Requesting help with WebAppSec Game Development

RE: Requesting help with WebAppSec Game Development

From: Scovetta, Michael V <Michael.Scovetta_at_ca.com>
Date: Fri, 3 Oct 2003 09:16:28 -0400

As far as your Tomcat concern, you can secure Tomcat and have requests proxied from
IIS/Apache over to it invisibly. Furthermore, you can use IIS/Apache authentication
before the request gets proxied, so unless you can log on successfully, you won't be
eating up the app-server. Of course, that's true for JBoss and really any other app
server that speaks AJP13 (the protocol used between IIS/Apache and the app server).

Mike Scovetta
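The setup Mike describes, as an added configuration example that is not part of the thread: Apache httpd terminates the client connection, enforces authentication itself, and only then forwards the request to Tomcat over AJP. It assumes mod_proxy_ajp (rather than the mod_jk connector of the period), an htpasswd file and certificate paths at placeholder locations, and a Tomcat AJP connector bound to 127.0.0.1:8009; all of those are assumptions, not details from the message.

```apache
# Added example, not from the original thread. Apache httpd in front of Tomcat:
# authentication is decided by Apache before any byte reaches the app server.
# Assumes these modules are available (assumption); paths below are placeholders.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_ajp_module   modules/mod_proxy_ajp.so
LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule authn_file_module  modules/mod_authn_file.so
LoadModule ssl_module         modules/mod_ssl.so

# Never act as an open forward proxy; only the explicit ProxyPass below applies.
ProxyRequests Off

<VirtualHost *:443>
    ServerName members.example.com                 # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/site.crt  # placeholder path
    SSLCertificateKeyFile /etc/httpd/tls/site.key  # placeholder path

    <Location "/game/">
        # Authentication is evaluated here, in Apache, before the proxy
        # handler runs: an unauthenticated request gets a 401 from Apache
        # and is never forwarded to Tomcat.
        AuthType Basic
        AuthName "Members only"
        AuthUserFile "/etc/httpd/members.htpasswd"  # placeholder path
        Require valid-user

        # Forward only this path, and only to the loopback AJP connector.
        ProxyPass        "ajp://127.0.0.1:8009/game/"
        ProxyPassReverse "ajp://127.0.0.1:8009/game/"
    </Location>
</VirtualHost>
```

On the Tomcat side this only protects anything if the AJP connector in server.xml is bound to the loopback address (`address="127.0.0.1"`) and the plain HTTP connector on 8080 is removed or likewise bound to loopback, so that the proxy is the only route in; recent Tomcat releases additionally require a shared AJP `secret` on the connector, which must then be set on the Apache side too. Basic authentication sends credentials with every request, hence the TLS-only virtual host.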

-----Original Message-----
From: Joe McCray [mailto:joe_at_rootwars.org]
Sent: Thursday, October 02, 2003 5:31 PM
To: Jeff Williams @ Aspect
Cc: webappsec_at_securityfocus.com
Subject: Re: Requesting help with WebAppSec Game Development

Yes I know - I've done a lot of reading about webgoat. The drawbacks that I
can foresee would be that I want to restrict the playing of the games to
rootwars members, and I don't really want to run it in java (don't want to load
Tomcat, and don't want to open port 8080 on the box so anyone could get to it
either). I'd actually like to have each level be a separate java applet that
can be embedded into webpages that are located in the members section of the
site. My other issue is that although I do know C and Perl, I don't know java,
and I don't really feel comfortable developing something on webappsec as I'm
very new to the subject myself (I'm an IDS guy). I'm hoping that a level based
game like this would be a good precursor to actually having web application
security courses at rootwars in a year or so.

I've had a lot of discussions with people on the subject of teaching webappsec,
and I'm finding that without strong fundamentals in programming it's almost
impossible to teach. Most of the people that come to my site are very new to
security. That's another reason that I really liked the level based games. It
would force people to read more and communicate with other people in the
forums on the site about the levels in the game, because they'd be challenging
while at the same time allowing people to progress at their own pace. I think
you'd lose way too many people in a course on webappsec (especially with the
current rootwars.org audience).

I'd love to get more feedback from you guys on this subject.

Joe McCray
joe_at_rootwars.org
http://www.rootwars.org
Hacking Games Hands-on Courses HackLab Access

Quoting "Jeff Williams @ Aspect" <jeff.williams_at_aspectsecurity.com>:

> Joe,
>
> What are you thinking of exactly? You could easily customize WebGoat to be
> more like a game. It's extremely easy to implement new lessons (the hard
> part is thinking them through). To make a new lesson, you just fill a few
> methods into a single java class. It's all dynamically loaded, so you don't
> have to change anything else. If you wanted to make a game of it, just
> remove the existing lessons and drop in the ones you want.
>
> --Jeff
>
> Jeff Williams
> Aspect Security
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> Do your developers know the top ten web application security mistakes?
>
>
>
>
> ----- Original Message -----
> From: Joe McCray
> To: webappsec_at_securityfocus.com
> Sent: Thursday, October 02, 2003 2:45 PM
> Subject: Requesting help with WebAppSec Game Development
>
>
> Hey guys,
>
> I've been a service exploitation kinda guy for a while now and I compete in a
> lot of hacking competitions, and this year at Def Con's capture the flag
> competition we had to complete the first 10 levels of ngsec.com's web
> authentication game just to qualify for the game. The game was almost
> completely web app based, and it was a lot of fun.
>
> Basically what I'm emailing the list for is because I'd like to have something
> like the Webgoat server on www.rootwars.org so people can use it as a tool for
> learning webappsec. It's an area of computer security that we don't focus on
> yet, and I can see that it is important and will only become more critical as
> time goes on.
>
> This is just one of the many things that we would like to work toward having at
> rootwars.org, and would love to have more people help out. Please contact me
> at: joe_at_rootwars.org if you are interested.
>
> Joe McCray
> joe_at_rootwars.org
> http://www.rootwars.org
> Hacking Games Hands-on Courses HackLab Access
>
>
Received on Oct 03 2003
