Welcome to CTF^2! The Application Security Village is proud to present our official DEF CON CTF Contest. This competition's goal is to reward the best CTF Developers in the community. This is a competition where the winners are not the players, but the creators of the challenges!
We will ask you to submit your task in an appropriate format for CTFd deployment, under one of the 4 CTF categories (web, reversing, secure coding practices, crypto). All approved challenges are played in the AppSec Village DEF CON CTF for Judging.
Winners are selected by judges and players; find the rubric here!
All finalists' tasks will win a DEF CON 2022 badge and a chance to compete for the Best Overall Level. The finalists that win the Best Overall Level will win a cash prize: 2,000 USD for 1st place, 1,000 USD for 2nd place, and 500 USD for 3rd place!
CTF Conditions:
Each CTF submission must fall under one of the four categories (see below) and must be completely new: it cannot have been used in another competition, and no write-up for it may be available on the internet. Volunteers will verify this. It must also meet the other specifications below, including the uniform flag format, be packaged for CTFd deployment, and come with a write-up in English.
Categories:
WEB:
This category should consist of web (HTTP) vulnerabilities (CSRF, XSS, SQLi, SSRF, etc.). Players should NOT be able to find the vulnerability by running a scanner; if a vulnerability could be found by a scanner, it should be disclosed in the challenge description. Challenges should be self-contained in terms of infrastructure.
SECURE CODING PRACTICES:
This category should be based on either teaching or implementing secure coding practices. Developers should create insecure pieces of code for players to either correct, or learn about a specific secure coding practice and then select the answer that best fits that practice. This can be done in many ways, and this new category leaves that creative freedom to the developers. CTFd allows users to submit code in a language of the CTF designer's choice OR select multiple-choice options. This allows this new category the freedom to have users implement a CTF that can either
CRYPTO:
This category should consist of either a file or one or more online services (TCP or HTTP) implementing a cryptographic protocol or weakness that players must exploit by solving a cryptographic challenge. If players only need to reverse engineer the protocol or algorithm used, the challenge must be submitted to reversing instead.
REVERSING:
This category should consist of either a file or one or more online services on which players must reverse engineer a system or binary to discover a flag. This category is not steganography related and does not involve exploiting a vulnerability. Players should be able to extract or deduce the flag without depending on luck. Challenges must test skills related to application security.
Reverse Engineering is a crucial component of most vulnerability research, and tasks in this category should test skills that could be useful in application security. Examples of this include, but are not limited to the type of deobfuscation needed when looking for vulnerabilities in closed-source code, working on top of niche or old architectures when doing security research, hardware security research, or even debugging the communication protocol between a JavaScript web application and the server. Note that challenges in this category should not exploit a vulnerability themselves, and are just meant to test the skills of the reverse engineering stage of vulnerability research.
Challenge Submission
Flag format is ASV{ }. The string inside the braces should be strong, typically a mix of letters, numbers and special characters, for example ASV{Fr0m_3D3N} or ASV{4PP_53C_1s_fun!}; it can also be fully random, such as ASV{452qdT5f^j80pG6}. What is absolutely mandatory is the ASV prefix and the curly brackets { } enclosing the flag.
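As an added example (not part of the contest rules or of CTFd), here is a small Python check a submitter can run over their flags before packaging a challenge. The rules above only mandate the ASV prefix and the braces; the minimum inner length of 8 and the "at least two character classes" rule in flag_strength_issues are my own heuristics for the "strong" recommendation, not a contest requirement.

```python
import re
import secrets
import string

# Mandatory shape from the submission rules: literal "ASV", an opening brace,
# a non-empty body with no braces or whitespace, and a closing brace.
FLAG_RE = re.compile(r"^ASV\{[^{}\s]+\}$")

# Assumed heuristic, not a contest rule: minimum length of the inner string.
MIN_INNER_LEN = 8


def is_valid_flag(flag: str) -> bool:
    """True if the flag has the mandatory ASV{...} shape."""
    return FLAG_RE.fullmatch(flag) is not None


def flag_strength_issues(flag: str) -> list[str]:
    """Return a list of human-readable issues; an empty list means the flag
    passes both the mandatory format and the assumed strength heuristics."""
    if not is_valid_flag(flag):
        return ["not in ASV{...} format"]
    inner = flag[len("ASV{"):-1]
    issues = []
    if len(inner) < MIN_INNER_LEN:
        issues.append(f"inner string shorter than {MIN_INNER_LEN} characters")
    # Count which of letters / digits / other (e.g. _ ! ^) are present.
    classes = sum([
        any(c.isalpha() for c in inner),
        any(c.isdigit() for c in inner),
        any(not c.isalnum() for c in inner),
    ])
    if classes < 2:
        issues.append("inner string uses only one character class")
    return issues


def make_random_flag(length: int = 16) -> str:
    """Generate a fully random flag body (the ASV{452qdT5f^j80pG6} style)
    using a CSPRNG, so flags cannot be guessed from earlier ones."""
    alphabet = string.ascii_letters + string.digits + "!^_-"
    body = "".join(secrets.choice(alphabet) for _ in range(length))
    return f"ASV{{{body}}}"


if __name__ == "__main__":
    # Constructed sample flags: the three from the rules plus two bad ones.
    for f in ["ASV{Fr0m_3D3N}", "ASV{4PP_53C_1s_fun!}", "ASV{452qdT5f^j80pG6}",
              "flag{Fr0m_3D3N}", "ASV{flag}", make_random_flag()]:
        print(f, flag_strength_issues(f) or "ok")
```

Run it as a script to see the verdict for each sample, or import is_valid_flag into a pre-submission script that walks the CTFd challenge YAML and checks every flag value.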
Must be submitted before the HARD DEADLINE of JULY 5th 2022!