Your job is to:

– clone the repo
– find vulnerabilities
– fix vulnerabilities
– make sure unit tests pass locally
– submit your code to the scoring engine
– score more points than everyone else
– repeat as needed

Vulnerabilities are scored based on the difficulty to find and fix. 

This year’s twist is that the application you will be working with is composed of several different microservices, each written in a different language. Start with something familiar, and work your way towards a language you’ve never touched before.

As always, you are welcome to use free automated tooling (such as DAST and SAST) to assist you.

Prizes are awarded to the highest scorers, and a full contest rundown will be given after the contest closes.

How to play

Visit https://appsec.saintcon.community/ to get started.

A basic understanding of programming is necessary to compete in this challenge. If you would like help getting started, come visit the AppSec community – they will help you find and fix one easy vulnerability.

Rules:

• Hacking this site, the submission mechanism, or anything to do with this challenge is strictly forbidden. You are welcome to run the code on your own host and hack it there.

• Your submission will not work if you try to make changes to more than what is packaged with the make-package.py file. Limit your changes to the files (and directories) listed there.

• File uploads must be less than 4MB in size (you won’t need anything close to that large).

• Submissions can be made once per user per 5 minutes (and duplicate submissions will not be scored).

• Prizes will be awarded to the winners at the awards ceremony.

• The contest starts at 12pm on Tuesday and ends at 9am on Friday.

• Tiebreaks go to the first submission.

• Don’t try to hardcode your way past the functionality tests.

• If something doesn’t seem to be working, please visit the AppSec Community, use the #appsec challenge in Discord, or message @sketrik directly.