OWASP A&D Project
Competition Mode
OWASP A&D Project Leaders
Takaharu Ogasa
Yuichi Hattori
Shota Sato
Apr 17, 2018
What’s OWASP A&D Project?
• A&D stands for Attack and Defense.
• OWASP A&D Project is a deliberately vulnerable web-application
interactive platform that focuses on web application
developers fixing its vulnerabilities in a
real-world-like environment.
– We call this platform the A&D platform.
• The project’s aim is for participants to acquire the skills to
find and fix web application vulnerabilities.
A&D Platform
• The platform will include
– a standalone mode for self-study
– a competition mode for events
• The platform will support
– automatic attacks against the web application
– status checks for web application vulnerabilities
Competition Mode
• Competition mode is for multi-user events.
• We will provide
– auto scoring
– ranking and a score graph
– a match system, like in tennis
A&D Platform Overview (Competition Mode)
[Diagram: operator’s server and participants’ servers. The operator’s server runs Status Check and Attack against the participants’ servers; participants Fix and Search on their servers over SSH and View Status and Ranking on the operator’s server over HTTP.]
• The operator’s server
provides various attacks.
• The first attack runs X minutes
after the competition starts.
• Subsequent attacks run every Y minutes
after the first attack.
– Each attack can have its own
timing (its own X and Y).
[Diagram: operator’s server → Attack → participants’ servers]
Status Check
• The operator’s server
checks the web app for
vulnerabilities every X
minutes.
[Diagram: operator’s server → Status Check → participants’ servers]
Auto Scoring
• For each successful status check the participant gets 100
points (100 points × number of successes).
• For each failed status check the participant’s total
points are reduced by X% (X% × number of failures).
– Normally we use 3%. We tried several percentages and,
as a result, we think 3% is the best parameter.
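The following is an added example, not code from the OWASP A&D project: a small simulation of the competition loop described on the Automatic Attack, Status Check and Auto Scoring slides, with the attack timer (per-attack X and Y), the periodic status check, the 100-points-per-success rule and the X% penalty, plus the ranking computed from the resulting score history. The slides do not say exactly how the penalty is applied, so the code assumes a linear deduction of rate × failures from the running total after the round’s successes are added; the participants, attack names and check results are constructed sample data, and there is no real target server.

```python
"""Simulation of the A&D competition-mode loop (added example, not project code).

Assumptions (not stated on the slides):
  * penalty per status-check round: total -= total * rate * failures,
    applied after the round's successes are added;
  * attack and check results are constructed sample data.
"""
from dataclasses import dataclass, field

POINTS_PER_SUCCESS = 100      # from the slides: 100 points per successful check
DEFAULT_PENALTY_RATE = 0.03   # the 3% the slides settled on


@dataclass(frozen=True)
class Attack:
    name: str
    first_delay_min: int   # X on the slides: minutes after competition start
    interval_min: int      # Y on the slides: minutes between repeats


def attack_schedule(attacks, duration_min):
    """Return [(minute, attack_name), ...] for every attack firing within the
    competition, sorted by time. Each attack keeps its own X and Y."""
    events = []
    for a in attacks:
        t = a.first_delay_min
        while t <= duration_min:
            events.append((t, a.name))
            t += a.interval_min
    events.sort()
    return events


def check_times(interval_min, duration_min):
    """Status checks run every `interval_min` minutes, starting after the first interval."""
    return list(range(interval_min, duration_min + 1, interval_min))


def apply_round(total, successes, failures, rate=DEFAULT_PENALTY_RATE):
    """Apply one status-check round to a participant's running total."""
    total += POINTS_PER_SUCCESS * successes
    total -= total * rate * failures   # assumption: linear per-failure deduction
    return round(total, 2)


@dataclass
class Participant:
    name: str
    total: float = 0.0
    history: list = field(default_factory=list)   # (minute, total) time series


def run_competition(results, check_interval_min, duration_min, rate=DEFAULT_PENALTY_RATE):
    """results: {participant: [(successes, failures), ...]}, one tuple per check round.
    Returns {name: Participant} with each participant's score history filled in."""
    times = check_times(check_interval_min, duration_min)
    participants = {}
    for name, rounds in results.items():
        p = Participant(name)
        for minute, (ok, failed) in zip(times, rounds):
            p.total = apply_round(p.total, ok, failed, rate)
            p.history.append((minute, p.total))
        participants[name] = p
    return participants


def ranking(participants):
    """Highest total first; ties broken by name so the order is stable."""
    return sorted(((p.name, p.total) for p in participants.values()),
                  key=lambda x: (-x[1], x[0]))


# Constructed sample data: a 30-minute match, five checks per round, checks every 10 minutes.
SAMPLE_ATTACKS = [Attack("sqli", 5, 10), Attack("xss", 8, 15)]
SAMPLE_RESULTS = {
    "alice": [(5, 0), (3, 2), (0, 5)],   # patched early, then regressed
    "bob":   [(2, 3), (4, 1), (5, 0)],   # fixed things steadily
}

if __name__ == "__main__":
    for minute, name in attack_schedule(SAMPLE_ATTACKS, 30):
        print(f"t={minute:>2}m  attack {name}")
    board = run_competition(SAMPLE_RESULTS, check_interval_min=10, duration_min=30)
    for name, total in ranking(board):
        print(f"{name}: {total} history={board[name].history}")
```

With the sample data, alice ends on 639.2 points and bob on 1064.54, so the ranking is bob, alice; changing DEFAULT_PENALTY_RATE shows how strongly the X% parameter punishes a regression that reopens several checks at once.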
Ranking and Score Graph
• We provide the score
graph and ranking over
HTTP.
• Participants can see the
latest ranking, the score
graph as a time series,
and the status check
results as a time series.
[Diagram: participants → View Status and Ranking (HTTP) → operator’s server]
Match System
• We think it is important that participants
repeat the same environment.
– They can fix vulnerabilities more quickly and
choose the order of fixes based on the impact of each vulnerability.
• We can provide X matches in a row.
Connection to Participants Server
• Participants can log in to
the server by SSH.
• Participants fix and
search the web app on
the server.
• The web app is set up in
the user’s directory.
[Diagram: participants → Fix and Search (SSH) → participants’ servers]
Future work
• Use something other than SSH for the
connection to the participants’ servers.
– We think it is important that participants use their usual
development environment.
– We will provide auto deploy using CI tools or
something similar.