When I was thinking about a new topic which I could post in my blog, I remembered an old idea of mine. Perhaps you know some of the so-called “Hacker-Games” like Infon or Capture the Flag (CtF) Tournaments. Ok, these are fun but where’s the game for us, the web hackers? There’s nothing.
So my idea was to create a fun game for web hackers, and I now have three scenarios/games which you can play:
1.) Capture the Web Flag (CtWF)
This is not so easy to prepare because it’s something like the normal CtF. The difference between a CtF and a CtWF is that in a normal CtF you or your team have to attack the servers of the other teams and defend your own server. In a CtWF every team has a server with some vulnerable web applications running on it. The teams are not allowed to attack the opponents’ servers directly. The goal is to break into their webapps and, for example, steal data out of a database, delete something, deface the main page and so on, and also to defend your own webapps (of course, to keep it fun, you should disallow WAFs and stuff like that).
2.) XSS Contest
This game idea is very simple, needs only very little preparation (defining the exact rules) and it’s fun (even if it could be too boring for the good people in the web application security field). There’s only one goal: find as many XSS vulnerabilities as you can in pages with a Google Pagerank which is as high as possible (if you find one in a PR 10 send it to me). Of course you also have to define how long the contest will be, for example one or two hours. That’s nearly all there is to it. To make it more interesting, you can give the participants a search string which they put into a predefined search engine, and then only the pages which were found with exactly this search string are allowed. At the end of the contest, every participant has to hand in his findings as a list to a jury, who can then check whether the XSS really works and which Pagerank the pages have (of course you can also use other ranking methods). Then you need a predefined calculation table which contains the points you’ll get for a finding in a page which has Pagerank X.
For example:
PR 0: 5
PR 1: 10
PR 2: 20
PR 3: 50
PR 4: 80
PR 5: 120
PR 6: 160
PR 7: 200
PR 8: 240
PR 9: 270
PR 10: 300
(Of course you can define that only Pagerank 4 and up gives some points.)
Then the jury has to add up the points for all of a participant’s findings, and the sum is that participant’s final result.
As I wrote at the start of this idea, I think it’s more for new people in the web application security field who want to get into it and have some kind of training, but it could also be fun for professionals to have such contests, or they can do things like “How many XSS holes can we find together in the next 2 hours in pages with Pagerank 5 or higher”.
Important:
- You have to define which source you use to get the Google Pagerank of a site, because not all sources always report the same ranks. I normally use the “SEO for Firefox” plugin.
- You really should only do temporary cross-site scripting, because permanent XSS could be prohibited by your local law.
3.) Web-Hacking Contest
This is something which you can compare to the Capture the Web Flag idea because most of it is identical. The only big difference is that there’s only one server with some vulnerable webapps on it, and every person or every team has to attack the webapps on that same server. So there have to be one or more people who define the goals at the beginning and give them to the participants (the same goals for everyone). These goals are worth points: for example, “Find a temporary XSS vulnerability in the WordPress blog” gives the first finder 5 points, but “Read out the /etc/passwd file” gives about 25 points to the first finder. I think/hope you now understand how it works.
Looking forward to seeing some contests in the near future.
Have fun with it and all your web 2.0 are belong to us
Great idea!! There is a scenario based web game up and running right now http://www.hackthissite.org/. The XSS contest would be relatively easy to get together too.
I think idea number 1 would be heaps of fun; you could include obscure and interesting bugs in them, so that even if people don’t win they learn something, etc.
On #2: It’s an interesting idea, but crawling over sites just to input "><b>test</b> everywhere isn’t exactly my idea of fun. Frankly that would bore me to tears honestly.
#3 is halfway in between, in that sure you *can* put interesting vulns in there, but this is probably a black box approach, and so any interesting vulns there
So personally I’d probably only participate in #1, because I can see it being much more interesting than the other two where the vulns are just going to be the standard run of the mill attacks we deal with every day – either that or they’ll be almost impossible to find, and in #2, they might not even exist.
Hi kuza55,
first I have to say that, just as I wrote, these are just ideas so everyone can create something new out of them, and these aren’t complete concepts of web hacking games.
I fully agree with you that the XSS Contest isn’t that interesting for people who are already working or just having fun in the web application security field, but for example I’ll do something like this in a course for students because in this way they get the point of finding XSS vulnerabilities, where they can find them, and directly have some hands-on training. This I think will be fun for them and it takes only about one hour and nearly no preparation.
About #3 you’re absolutely right, of course this has to be blackbox testing because otherwise people can just compare the original source code with the modified one and find all vulnerabilities very easily. The coolest way here of course would be if someone wrote a completely new application, and then you can also offer the source to the participants, which makes it much more interesting, but I don’t think that there are so many webapp developers out there who would do that.
So #2 and #3 from my point of view can be interesting but you have to do it in a specific way with the right people, and we don’t have to discuss idea #1; of course it’s the most interesting, and if someone is going to set up something like this, let me know.