Hosting a CTF

Back in August, all of Bouvet went on our annual "independence trip" (in celebration of our company being independent, and partially owned by its employees). Here we attended various social activities, as well as presentations and workshops.

In connection with this, I organized a workshop centered on Web Security, along with Knut Gaute Vardenær and Arne Fostvedt. Fist, I held a short presentation that mainly dealt with the motivation for having a focus on security, as well as the OWASP Top 10 list. After this we held a mini-CTF (Capture The Flag) competition, using OWASP Juice Shop – "an intentionally insecure webapp for security trainings".

We basically bootstrapped our infrastructure setup using a script I wrote that creates a few free Heroku-apps and pings every instance at a certain interval to keep the serverside state alive (free instances spin down after a certain amount of time of inactivity). The Juice-Shop instances are then available at URLs like, which can be assigned to corresponding teams. The only thing left is to spin up a CTFd-instance and configure your key.

We also made some hints (courtesy of Josh C. Grossman) available on a shared CTF-Homepage. Here players would also find a few basic rules and some suggested low-hanging fruits from the tasks.

All in all the experience was a positive one, and the contestants all seemed to have a good time. The winners were rewarded with YubiKeys for 2FA.

Newer post
Teaching a React/Redux-workshop
Older post
Lucene Indexes and GDPR