Brought to you by
@Sketrik & @l4wke
Find and Fix vulnerabilities, it’s our biggest challenge.
Do you have what it takes to find and fix vulnerabilities in source code? Compete against other attendees to be the first to fix all vulnerabilities in a web application. Clone the repo, find vulnerabilities, fix them, and submit your code to get a score. Not sure how to get started? Visit the AppSec community and learn how to use tools that will do the dirty work of finding vulnerabilities for you.
Had trouble with Python last year? Don’t worry, it’s written in your favorite language this year. Or at least some part of it is….
Everything you need to know…
Your job is to:
– clone the repo
– find vulnerabilities
– fix vulnerabilities
– make sure unit tests pass locally
– submit your code to the scoring engine
– score more points than everyone else
– repeat as needed
Vulnerabilities are scored based on the difficulty to find and fix.
This year’s twist is that the application you will be working with is composed of several different microservices, each written in a different language. Start with something familiar, and work your way towards a language you’ve never touched before.
As always, you are welcome to use free automated tooling (such as DAST and SAST) to assist you.
Prizes are awarded to the highest scorers, and a full contest rundown will be given after the contest closes.
How to play
Visit https://appsec.saintcon.community/ to get started.
A basic understanding of programming is necessary to compete in this challenge. If you would like help getting started, come visit the AppSec community – they will help you find and fix one easy vulnerability.
Rules:
-
Hacking this site, the submission mechanism, or anything to do with this challenge is strictly forbidden. You are welcome to run the code on your own host and hack it there.
-
Your submission will not work if you try to make changes to more than what is packaged with the make-package.py file. Limit your changes to the files (and directories) listed there.
-
File uploads must be less than 4MB in size (you won’t need anything close to that large).
-
Submissions can be made once per user per 5 minutes (and duplicate submissions will not be scored).
-
Prizes will be awarded to the winners at the awards ceremony.
-
The contest starts at 12pm on Tuesday and ends at 9am on Friday.
-
Tiebreaks go to the first submission.
-
Don’t try to hardcode your way past the functionality tests.
-
If something doesn’t seem to be working, please visit the AppSec Community, use the #appsec challenge in Discord, or message @sketrik directly.
Contest Hours
- Contest Start
Tuesday – Noon - Contest End
Friday – 9:00a
Booth Hours
- Tuesday
10:30a – 5:00p - Wednesday
10:30a – 5:00p - Thursday
9:00a – 5:00p - Friday
9:00a – 10:00a
Desktop Wallpaper
Our challenge has desktop wallpaper available for download.