Vicnum - Fun with Web Assessments

Vicnum – Description
OWASP
Mordecai Kraushar
CipherTechs
[email protected]
Auditor, Trainer
Education Project
The OWASP Foundation
http://www.owasp.org
Vicnum – the basics

- A vulnerable web app using LAMP
  - Perl
  - PHP
- Packaged as an Ubuntu VMware guest or as a zip
- Open source code released in 2009
- An OWASP project:
  http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
- Available for download at
  https://sourceforge.net/projects/vicnum/
- Online 'playing' possible at
  http://vicnum.ciphertechs.com
Vicnum – the game

- Based on a game played to kill time
- You enter your name to start playing the game
- The computer picks a three-digit number with unique digits
- The player tries to guess the computer's number
- The computer remembers its number and the player's guesses
- For each guess the computer tells the player "how many right and how many in the right position" and the number of guesses so far
- Eventually the number is guessed and the player is prompted to store their results in a database
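The game logic described above, as an added example in Python (not Vicnum's own Perl/PHP code): the secret and the guess history are kept server-side in a game object rather than handed to the browser, each guess is validated before it is scored, and the secret is drawn from a CSPRNG. The class name VicnumGame, its method names and the "leading zero allowed" choice are assumptions.

```python
import secrets
from typing import List, Optional, Tuple


class VicnumGame:
    """Server-side state for one player's game (hypothetical class).

    The secret number and the list of guesses live only here, so a player
    cannot read the number or rewrite the guess count by editing cookies
    or hidden form fields on the client side.
    """

    def __init__(self, player: str, secret: Optional[str] = None) -> None:
        self.player = player
        # A constructed secret may be supplied for testing; otherwise pick one.
        self.secret = secret if secret is not None else self.pick_secret()
        self.guesses: List[str] = []

    @staticmethod
    def pick_secret() -> str:
        # Three distinct digits chosen with secrets.randbelow (CSPRNG), not
        # random.random(). Assumption: a leading zero is allowed.
        pool = list("0123456789")
        return "".join(pool.pop(secrets.randbelow(len(pool))) for _ in range(3))

    @staticmethod
    def valid_guess(guess: str) -> bool:
        # Exactly three ASCII digits, all different; anything else is rejected
        # before it reaches the scoring logic or the results database.
        return (len(guess) == 3 and guess.isascii() and guess.isdigit()
                and len(set(guess)) == 3)

    def score(self, guess: str) -> Tuple[int, int, int]:
        """Return (digits right, digits in the right position, guesses so far)."""
        if not self.valid_guess(guess):
            raise ValueError("guess must be three distinct digits")
        self.guesses.append(guess)
        right = len(set(guess) & set(self.secret))
        in_position = sum(g == s for g, s in zip(guess, self.secret))
        return right, in_position, len(self.guesses)

    def solved(self) -> bool:
        return bool(self.guesses) and self.guesses[-1] == self.secret
```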
Vicnum's real goal

- Have fun and generate interest in the field
- A flexible, lightweight vulnerable web application useful to auditors honing their web app security skills
- Easy to install, easy to grasp
- Easy to modify
- Can be used to test out new hacks and new defenses
- Can be used to test whether a web vulnerability assessment (VA) scanner can detect a vulnerability, or whether a web firewall can protect against one
- Can be tailored to address different auditor skill sets
- Can be tailored to accommodate different levels of 'capture the flag' exercises