Hackers attack, coders defend, when you get them together you end up with Web War III.

WW III is a web-application-based ‘Capture The Flag’ contest. It was conducted at SecurityByte and OWASP AppSec Asia 2009 and at ClubHack 2009.

Game Format

This is a team-based game. Each team consists of two players, an attacker and a defender. The attacker should be capable of identifying web application vulnerabilities (OWASP Top 10). The defender should be capable of writing secure Java code.

The game has two stages:

  • Stage 1 – Cover your base
    Each team is given a VMware image containing a web server hosting a vulnerable web application. During this stage each team identifies the vulnerabilities in its own application and tries to fix them by making code changes.

  • Stage 2 – Launch Attack
    The IP addresses of the web servers of all the teams are announced.
    Each team looks for vulnerabilities in the Web Applications of the other teams.
    Vulnerabilities found on the opponents' application get positive points.
    Vulnerabilities found by the opponents on your application get negative points.

The team with the most points at the end of Stage 2 wins.

Vulnerable Application

The web application used for this game has been specially designed and developed by Venky. It is a Java-based application. Java was chosen because developers are familiar with it and because the Java version of ESAPI is the most complete. The VM images provided to the participants contain ESAPI to help them secure their application faster.