An insecure web app for the ISU Spring 2014 National Cyber Defense Competition
This branch is 84 commits ahead of danielwaterworth:master.
webapp
.gitignore
10-fastcgi.conf
AUTHORS
CMakeLists.txt
COPYING
COPYING.lesser
NCDC 2014 Web Debrief.pdf
NCDC 2014 Web Debrief.pptx
RAPHT
README.md
backtrace.c
backtrace.h
deploy
dispatcher.c
dispatcher.h
error.h
log.h
raphters.c
raphters.h
request.c
request.h
response.c
response.h
run-local

ISU NCDC 2014 WebApp

This is the web app for the Spring 2014 ISU National Cyber Defense Competition. It is designed to be intentionally insecure and should not be used in any production system.

Spoilers

A non-exhaustive set of spoilers can be found in the NCDC 2014 Web Debrief.pdf.

Some additional spoilers were made public to both the Red and Blue teams simultaneously during the competition to present an incident-response opportunity. The Software Security Audit anomaly and other competition anomalies can be found in the ISU_Spring_2014_NCDC_Anomalies repository.

Prereqs

  • Developed and tested on Ubuntu 12.04 LTS
  • sudo apt-get update
  • sudo apt-get install cmake
  • sudo apt-get install gcc
  • sudo apt-get install build-essential
  • sudo apt-get install libfcgi-dev
  • sudo apt-get install libunwind7-dev
  • sudo apt-get install liburiparser-dev
  • sudo apt-get install mysql-server
  • sudo apt-get install libmysqlclient-dev
  • sudo apt-get install lighttpd
  • cgilib, built from source: http://www.infodrom.org/projects/cgilib (Note: Ubuntu repo install for cgilib appears to be broken)
  •     wget http://www.infodrom.org/projects/cgilib/download/cgilib-0.7.tar.gz
  •     tar -xvf cgilib-0.7.tar.gz
  •     cd cgilib-0.7
  •     ./configure
  •     make
  •     sudo make install

Setup

  • sudo ln -s /etc/lighttpd/conf-available/10-fastcgi.conf /etc/lighttpd/conf-enabled/10-fastcgi.conf

Development

Recommended IDE is Eclipse for C/C++

http://www.eclipse.org/downloads/packages/eclipse-ide-cc-developers/keplersr1

http://www.cmake.org/Wiki/Eclipse_CDT4_Generator

Requires Java JRE:

  • sudo apt-get install openjdk-7-jre

To generate Eclipse project files run:

  • cd NCDC2014
  • mkdir -p build
  • cd build
  • cmake -G"Eclipse CDT4 - Unix Makefiles" -D CMAKE_BUILD_TYPE=Debug ../
  • Inside Eclipse, File->Import->General->Existing Projects into Workspace

Deployment

Framework Background

This project is built on Raphters, a web framework for C based on the rapht architectural pattern (see RAPHT).

Q: Why would you want to build a web application in C? Didn't that idea die out with CGI?

A: Good question. C is fast and fun, and when you use well-tested code it can be secure too. It also has a low memory footprint. The aim of the project is that all of the usual functionality that you have in other frameworks (cookie handling, session management, templating, etc.) will be implemented via loosely coupled components with clean APIs.

Attributions

This project uses some works from the Noun Project that require attributions.

  • Shield designed by Nate Eul from the Noun Project
  • Conversation designed by Gregory Radek from the Noun Project
  • Network designed by iconoci from the Noun Project
  • Virus designed by Anu Prasadh Raja from the Noun Project
  • Meeting designed by Slava Strizh from the Noun Project
  • Cloud designed by Jan-Christoph Borchardt from the Noun Project

The project also makes use of Twitter Bootstrap