OWASP Hacking Lab

Solution Grading & Evaluation Guidelines for Teachers

• Always be polite
  • Never ever be unpolite. No matter what comment or question you receive!
  • You are OWASP's interface, behave mature and polite.
• Comment in positive phrasing
  • E.g. if partially scored has been achieved, congratulate them
  • If the solution contains a good write-up, let them know you appreciate!
  • If they thank you for the event, return the favor e.g. thanks for contributing
• Teaching and mentoring
  • If a previous suggestion is not understand, try to rephrase
• No abusive language is permitted
  • If you receive any in a solution, don't 'hit back'
  • See what is causing the frustration, see if you can help is, let Ivan or Martin know

Rating:

• Understanding the vulnerability is essential
  • If a solution describes the vulnerability, this does scores points.

• Mitigation scores higher than hacking:
  • We are training security awareness! If mitigation is asked as part of the solution, this scores higher then exploitation
• Exploiting is essential
  • The exploit has to be proven, but a solution that describes the exploit detailed, this is fine too!
• Give points when possible
  • If not the complete answer has been supplied, give partial points when possible.
  • Only reject if:
    • there is no solution (e.g. a question asked by the student)
    • the solution is answering the wrong challenge
    • the vulnerability / exploit / mitigation has clearly not been understood

• Rating example:
  • If you have 10 points to give this is how to divide them:

    3 Points for vulnerability description

    3 Points for proven exploit

    4 Points for complete mitigation description

Volunteers

OWASP Hacking-Lab is developed by a worldwide team of volunteers. The primary contributors to date have been:

• Ivan Buetler
• Martin Knobloch
• Mateo Martinez

Volunteer Roles

• Challenge developer
• Challenge tester
• LiveCD developer
• Teachers (solution grading)
• University Challenge Organizer

Involvement in the development and promotion of Hack Lab is actively encouraged! You do not have to be a security expert in order to contribute.

Become an OWASP challenge participant/student

• Register to a free OWASP Hands-On Training (see tab "Available Challenges")
• Sign-Up a Hacking-Lab account
• Prepare your client infrastructure (recommended LiveCD from http://media.hacking-lab.com/)
• Setup VPN from within your LiveCD
• Read the challenge description (once registered in the first step)
• Submit your solution into the HL portal
• OWASP volunteers will grade your submission

Become an OWASP teacher

• Solve the challenges as participant/student first
• Make yourself familiar with the OWASP TOP 10, Hackademics and WebGoat challenges
• Ask for becoming a teacher to the project leaders

Become an OWASP challenge developer

• Solve the challenges as participant/student first
• Submit your challenge ideas (using the challenge concept template)
• Create your challenge

Become an OWASP challenge tester

• Solve the challenges as participant/student first
• Submit your feedback and ideas how to improve the challenges

Introduction

The OWASP Hacking-Lab project is the framework used for the OWASP AppSec University Challenges.

This is an on-site university team versus university team competition run during the training days of an AppSec conference. See more here: OWASP University Challenge

The challenges are even more dynamic and realistic now. Instead of just solving different security challenges, teams carry out a virtual online battle against each other in an attack-defense based competition, also known as CTF system. If you are interested to learn more about the CTF system, you will find here more information: CTF System

Previous events:

• AppSec EU 2016 Rome
• AppSec EU 2015 Amsterdam
• AppSec EU 2014 Cambridge
• AppSec-EU 2013 Hamburg
• AppSec-EU 2012 Athens
• AppSec-US 2012 Austin
• AppSec-US 2011 Minneapolis

Questions

Please review UC faq: https://www.owasp.org/index.php/OWASP_University_Challenge#tab=FAQs