You may remember our security team competing in the OWASP AppSec EU University Challenge 2015 in Amsterdam last year as part of the team from Vienna University of Technology. As it was a great experience for all of us, we wanted to prove our skills once again this year at the OWASP AppSec EU University Challenge 2016 in Rome. Like last year, several companies – Cyber Security Austria, Catalysts and SEC Consult – sponsored our trip.
Each team consisted of up to eight people per university; in our case, as last year, this was Vienna University of Technology. We first tried to keep our team from the previous year; however, two of our members could not make it to the competition and we had to find replacements for them.
Four other teams from the following universities registered for the competition which lasted two days:
- Politecnico di Milano (Italy)
- Anglia Ruskin University (United Kingdom)
- Haute Ecole d’Ingénierie et de Gestion du Canton de Vaud (Switzerland)
- Hasso-Plattner-Institut (Germany)
We remembered the team from Hasso-Plattner-Institut particularly well, as they were the only team that beat us in 2015.
The first day of the competition was held in Jeopardy style. This means that all teams solve technical challenges independently and compete on their score, but the teams do not interact with each other in any way. It was a close race all day long, but in the end we solved all tasks except one and placed first (124 points), followed by the teams from Switzerland (118), Germany (106), Italy (104) and the United Kingdom (43).
It had been announced in advance that the second day of the competition would be held in the same format as the European Cyber Security Challenge. This means that in addition to Jeopardy-style tasks there was an attack-defense mode. Each team got an identical copy of a set of four virtual machines containing vulnerable services, each running on a development instance as well as a production instance. The goal was to exploit the vulnerabilities in the services to steal flags from the other teams while fixing the vulnerabilities in one's own services. Flags were just character strings hidden somewhere on the server: a file on the file system, an entry in a database, or simply a variable inside the application logic. Teams had full access to their development servers but no access to their production servers at all. To fix a vulnerability, a team had to patch the source code of the service and push the fix to a Git repository, which triggered an automatic deployment on the development and production servers. Since production could not be touched directly, the development instance was the only place to verify a patch before it went live. Several categories contributed to the scoring, most importantly attack, defense and availability, so a patch that broke a service cost points just as an unpatched vulnerability did.
Additionally, there were also some Jeopardy-style tasks like on the previous day. However, due to the weighting of the scoring we did not put much effort into these tasks.
Thanks to our experience and preparation we took a clear lead right from the beginning. After the second competition day we were again ranked first (12,726 points), followed by the teams from Italy (4,974), Germany (4,842), Switzerland (3,924) and the United Kingdom (1,457).
The scores of both days were normalised to a total of 300 points, with the first day accounting for one third of the total score and the second day for two thirds. The final ranking:
- TU Wien (300)
- Hasso-Plattner-Institut (162)
- Haute Ecole d’Ingénierie et de Gestion du Canton de Vaud (157)
- Politecnico di Milano (149)
- Anglia Ruskin University (58)
This ranking was the result of a team with technical excellence, competition experience and good preparation. Again, we learned a lot during the competition and will surely participate again next year in Belfast.
Thanks a lot to the team, the organizers from OWASP (represented by Martin Knobloch), the Hacking-Lab and our sponsors!
More at: http://2016.appsec.eu/
Photos: All credit goes to their respective owners