balloon_head

Status

Build-out of the compute layer is in progress… Details on BSky.

What is APEX-CTF?

This is a game. A test of skills and knowledge, if you will. Oracle APEX is a very robust platform by default. As with most software, whether it is secure or insecure often comes down to how it is used. Security has a lot to do with setup, which is normally done by humans. APEX is no different.

Why?

This game highlights some classic, technology-specific, and common mistakes made when writing applications with Oracle APEX. In a lot of cases, protections built into APEX have been disabled. The exercises are designed to be solvable, and the bad practices are implemented knowingly.

The goal is to reinforce why specific protections are in place in APEX and how some features, if misconfigured, can be a real risk to a product's security.

How It Works

APEX-CTF is a game of surgical information gathering. You will follow the journey of a junior developer fulfilling requirements and making mistakes. With proper coaching and guidance, the developer improves their skills and expands the application's capabilities.

To Play:

  1. Sign up for Scoring. At this time, scoring is authenticated with Google accounts for simplicity.

** Your account is for keeping track of your progress and flag captures. Your email and information will not be shared outside of APEX-CTF. **

  2. You will get a link to the current arena on the scoring site as well as a list of current flags. Some flags are specific to your account.

  3. When you locate a flag, come back to the scoring site to turn it in and take credit for the find.

Etiquette

The APEX-CTF team understands that inviting people to hack a site is a lot like playing with a bear in the woods. It sounds like fun until it decides to wreck your life. There are a lot of hacking techniques and games for stressing integrated systems.

This is not one of those.

This is a lightweight infrastructure intended to expose very specific technical techniques and knowledge.

Not allowed:

  • Brute force password attacks
  • Denial of service (request flooding)
  • Destructive hacks

Although brute-force methods are valid techniques in general, none of the information flags here are captured that way. The exercises are designed to demonstrate knowledge of the security features and inner workings of APEX.

Hints are provided to give clues for specific flags.