Boulder OWASP January 2025 Meetup: A Web CTF for Everyone


Details
Boulder OWASP is back for 2025 and looking forward to welcoming everyone! We’ll be changing our format this month to a more hands-on approach to Application Security with a Capture the Flag event. Whether you’re an experienced Application Penetration Tester or brand new to the AppSec world, there will be something for everyone.
OWASP Boulder’s own Mark Hoopes has found a truly insecure CRM application ready to be exploited. Entry-level participants can explore a poorly designed authorization system, and mid-level hackers will have plenty of opportunities to run SQL and JavaScript Injection attacks. For the experts, there is even a pathway to shell, but it will take some real dedication to get there.
To ensure everyone has a good time, we'll be encouraging experienced participants to team up with those who are new to web exploitation. On top of that, a walkthrough document will be available and exploit demos will be given gradually throughout the evening.
Bring your own laptop with an intercepting proxy (Burp, ZAP, etc.) installed to participate as an attacker, but if you’re not comfortable at that level, feel free to just bring yourself and plan to shadow, watch, and learn.
Installation instructions can be found here:
https://www.meristeminfosec.com/resources/boulder-ctf
To make sure everyone comes prepared, a Q&A session will be held on the Monday before the event at 7pm: https://meet.google.com/ddn-zozh-ysv
Special thanks to the Rule4 Team for hosting and sponsoring; we couldn't do these events without our sponsors. If you're interested in sponsoring the #1 AppSec organization and our Boulder Chapter meetings, please reach out to alex.brown@owasp.org.
Please follow us on LinkedIn: https://www.linkedin.com/company/owasp-boulder
And join our Slack: https://join.slack.com/t/boulder-owasp/shared_invite/zt-2qnxnmmts-IQDaobNC1rcUbpaH1ip8Lg
AGENDA
6:00 - 6:30 Food, Drinks, Networking
6:30 - 7:30ish CTF Time
7:30 - 8:00 More Networking
