Undergraduate Application Security Challenge
About the Competition
CSAW Application Security Challenge is a cyber attack competition loosely based around the Defcon Pre-quals
Participants are given a series of challenges divided into different categories, each worth a specified number
of points. This year, the competition will focus heavily on web application security, however, other topics will not be left out. Make sure you are a jack of all trades or put together a team with a diverse skill set.
Registration Opens : August 15th 00:00 Hrs
Registration Closes : September 20th 23:59 Hrs
Start of competition: September 26th 00:00 Hrs (challenges, instructions, and rules are put up)
End of competition: September 27th 23:59 Hrs (last chance to submit answers)
Judges for this event will pick a winning team based on the amount of challenges solved and points earned.
Some challenges will be open-ended and allow for variable scoring, to be determined by the judges.
Bonus points are possible for discovering things that are not directly a part of the question.
CSAW 2009 Judges will be announced shortly
Each finalist will receive a travel grant to offset the cost of attending the awards ceremony, where the first-, second-, and third-place place winners will be announced, along with a bonus prize winner.
Finalists must be present at the awards ceremony to redeem their prizes.
Include the team name and the names of all your team members during registration.
This contest can be done remotely, however, finalists are required to attend the awards ceremony at NYU-Poly on November 12th,
where the prize winners will be announced.
Students who need to travel more than 100 miles will be given a lump-sum scholarship to offset their travel costs.
How do I know when I've solved a challenge?
The "answer" to most of the challenges is a string of random numbers, an MD5 sum,
or a SHA1 sum which you will recognize when you get one. A few challenges require you to deface webpages or other tasks.
Those challenges will specify how to know you're done.
How do I redeem my answers for points?
E-mail/IM your team name, answer, and the URL of the challenge you completed to email@example.com with [CSAW-CTF] in the subject line.
Submissions will only be accepted from a single e-mail address per team.
The competition is strictly limited to students up to undergraduate level residing in USA.
Registering for the CTF competition does not force you to participate
Only use your team e-mail (the e-mail you signed up with) for communicating with Ravi
You may submit answers in any order
You may only submit an answer to a given question once
Unless you are the author of the tool, the use of all commercial tools are forbidden (we suggest using OWASP tools)
The entire competition is hosted on the same server for each team.
If you find a hack which can modify the contents of the filesystem or disrupt the challenges in any way,
e-mail Ravi with the details and he will give you bonus points.
DoS attacks are not allowed and will result in disqualification
The only legal play times are between September 26th 00:00 Hrs and September 27th 23:59 Hrs
Finalists must attend the awards ceremony to redeem any prizes they are entitled to.
If you have any questions about the contest, feel free to e-mail
CSAW 2008 CTF Winners
||Rensselaer Polytechnic Institute
||University of Idaho
||Ruhr University Bochum
||Naval Postgraduate School
||Bagsværd Kostskole & Gymnasium
||The Down Ownerz
||University of South Florida
Additionally, a bonus prize is awarded to The Down 0wnerz for being our youngest participants.
CSAW 2008 CTF was Judged by:
CSAW 2007 CTF Winners
Naval Postgraduate School
University of Idaho
SUNY Stony Brook
4th / Best Undergrads
Rensselaer Polytechnic Institute
5th / Best Individual