Instructions

1. Clone this repo
2. Figure out how to beat the games by hacking them
3. Demonstrate your exploit at the AppSec Carnvial Games booth to win prizes and unlock the next step
4. Fix the vulnerability you exploited
5. Submit your fixed code below to compete for the ultimate prizes

You must successfully exploit each game at the AppSec Carnival Games to unlock it here. Once unlocked, you can submit your fixed code for additional points.

Instructions for running the games are in the main README in the repo. Once you are ready to submit your code, run the create_submission.py script (included in the repo) to create a zip file containing only the necessary files, select the appropriate challenge, and upload this zip to the appropriate challenge below. It can take up to 15 minutes for your code to be scored, depending on submission volume. You can view your submissions on your profile page. Only your highest-scoring submission will be displayed on the scoreboard.

The max score is 100.

Each game must still be playable (must pass the provided unit tests). These are the same kind of unit tests that will be run upon submission (although input may vary)

Your fixes should handle malicious input gracefully rather than blocking it outright. For example, you should parameterize SQL queries instead of blocking all input that contains an apostrophe. Blocking requests with or throwing exceptions on suspicious input may result in failed tests.

Vulnerability tests will not be run on code that doesn't pass all of the unit tests.

Rules

• Hacking this site, the submission mechanism, or anything outside the provided games is strictly forbidden. You are encouraged to hack the games on your host (docker configuration provided) and at the AppSec Carnival Games booth.
• The use of paid tools, such as your organization's subscription to Claude, to solve challenges is not permitted. You may use free tools, including free/trial LLMs, SAST, and DAST. We don't want the challenge to be pay-to-win.
• Your submission will not work if you try to make changes to more than what is packaged with the create-submission.py script. Limit your changes to the files (and directories) listed in the allowed_files.txt in each game.
• Don't add new third party dependencies. All vulnerabilities can be fixed without additional dependencies.
• Submissions must be less than 4MB in size (you won't need anything close to that large).
• Submissions can be made once per challenge per user per 5 minutes (and duplicate submissions will not be scored).
• Prizes will be awarded to the winners at the awards ceremony.
• The contest starts at 12pm on Tuesday and ends at 9am on Friday.
• Tiebreaks go to the first person to reach the tied score.
• Don't try to hardcode your way past the functionality tests.
• If something doesn't seem to be working, please visit the AppSec Carnvial Games booth, message the #appsec channel in Discord, or message @sketrik or @thvl3 directly.