Security Day: Rules

That's what poker's all about. People…and the strategy you use against them. More than any other game, poker depends on your understanding of your opponent. You've got to know what makes him tick. More importantly, you've got to know what makes him tick at the moment you're involved in a pot with him. What's his mood…his feeling? What's his apparent psychological frame of mind right now?

Doyle Brunson in Super System

These are the rules for the war game. Please read them carefully, assemble in your teams, and elect a team captain before beginning.

Start

Each team will be granted a site under its control and will then have 30 minutes to familiarize itself with the code base. During this phase the team may explore the PHP code and the MySQL database, but NO CODE MAY BE COMMITTED, PUSHED, OR DEPLOYED DURING THIS PHASE!

Attack & Defend

Each team simultaneously attacks the other team while defending itself against that team's attacks. Attacks are launched clandestinely and at will, but each team may have only one attack in progress at a time. The ongoing attack must be shown to the War Game Master at all times, either in a text editor or on pen and paper. Take care that the attacked team cannot see which attack is being launched.

Each defense is code that counteracts an attack. Defense code can be written at any time after the start phase.

Social Engineering

Be wary of social engineering attempts. Various scenarios will occur at random and may or may not be executed by the opposing team. If your team falls victim to a social engineering attack, you lose 4,000 chips. If your team successfully executes a social engineering attack, you gain 4,000 chips. Unlike the other attacks, social engineering may not be repeated for lower stakes.

Scoring

Each team starts with 10,000 chips. The attack value of each attack is:

  • Cross-Site Request Forgery (CSRF/XSRF): 2,500
  • SQL Injection: 3,000
  • Persistent XSS: 3,000
  • Non-persistent XSS: 3,000

Each attack type has diminishing returns: every retry is worth half the chips of the previous attempt, so a second SQL Injection attack is worth 1,500 chips and a third 750. If the attack succeeds, the attacking team takes that value in chips from the opposing team. If the opposing team defends successfully, it takes the attack's value from the attacking team instead. When one team runs out of chips, the other team wins.

Non-persistent XSS Attack

Since a non-persistent XSS attack requires a careless user, when a team launches this attack the defending team rolls two dice to determine whether its users were “stupid” enough to fall for it. If the total rolled is even, the users were “stupid” and the attack succeeds. If the total is odd, the attack fails and the chips are awarded to the defending team.