sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
OWASP Challenge X: Build an Enterprise Java Rootkit
Posted by: ManJIT
Date: March 21, 2010 02:19PM

<drumroll> The 10th OWASP AppSec Research 2010 Challenge is here! Only three chances left to win tickets. </drumroll>

It's time to write an Enterprise Java rootkit. Your assignment is to be the evil developer who implements and hides a backdoor in a Java servlet. We've implemented a very simple login web application and exported it as an Eclipse project that you can download. It's a simple servlet/jsp project that we deployed on Tomcat 6.0. It even contains an evil output of user credentials to a temp file (not yet hidden though) to get you started.

The organization committee will evaluate who has been able to hide the most evil stuff while complying with the rules. The more malicious functionality and the more clever disguise -- the more "points".

Rules:
* You must explain what your changes do (we need to evaluate your rootkit!)
* The original features + look and feel must be preserved
* Your additions should preferably look like security features such as IP whitelisting, logging, anti-CSRF, frequency blocking etc.
* You're only allowed to change the servlet (Login.java), and the gif image (appsec_research_challenge_X.gif)
* You do not have to use the jsps
* The original size of Login.java is 1,856 bytes and it mustn't grow to more than 4,000 bytes
* The gif image mustn't grow in size and should look close enough to the original to fool the committee
* Code should "look" readable, i.e. not minimized too heavily

Submissions should be posted here (links or pasted code). Don't forget to explain what your code does :).

[Edit] Send an email to john.wilander@owasp.org when you post code or need attention.

All info and some pictures here: http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges

Good luck!



Edited 1 time(s). Last edit at 03/21/2010 02:21PM by ManJIT.

Re: OWASP Challenge X: Build an Enterprise Java Rootkit
Posted by: ManJIT
Date: April 12, 2010 02:49PM

Just because this thread is quiet doesn't mean we have no competing rootkits. But people seem to prefer submitting at the last minute (they've emailed me). Let's hope we get some nice submissions April 20.

BTW: The full conference program including abstracts is published. Check it out: http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden

The winner of this compo gets free entrance.

Re: OWASP Challenge X: Build an Enterprise Java Rootkit
Posted by: Albus
Date: April 20, 2010 04:43PM

Hi!

I coded some stuff which will hopefully work. :)
Further details in the following link: http://romich.ro.funpic.de/description.html

Greetings,
Albus

Re: OWASP Challenge X: Build an Enterprise Java Rootkit
Posted by: Reiners
Date: April 26, 2010 12:45PM

nice work, I like the 5sec time slot thingy =)
who won? or was this the only submission?
