Contest – AppSec Carnival Games

Your only real enemy is your own curiosity, skill, and time.

The AppSec Carnival is a security challenge disguised as a shady carnival booth—complete with questionable games, misleading odds, and gloriously stupid prizes.

Where Is It

Find us next to the AppSec Community. You can’t miss the carnival themed games.

How to Play

You’ll play the games right at our booth, using a provided laptop.

Each game may look simple on the surface, but hidden within each game is a subtle vulnerability. Exploit it to win big.

What to Bring

Just yourself! The booth setup includes everything you need to play.

For more points you’ll want to submit a fix, and you’ll need a device to code that up.

Important Times

The AppSec Carnival runs from Tuesday afternoon to Friday morning.

Each game may look simple on the surface, but hidden within each game is a subtle vulnerability. Your mission: exploit it to win big.

You’ll play right at the booth, using a provided laptop. The source code for each game is open and available on GitHub, so your only real enemy is your own curiosity, skill, and time. Get lucky or clever and you might walk away with a few points and a trinket. But if you dig deeper and find the exploit? That’s where the real points are.

Once you’ve broken the game, you’ll also get the chance to submit a fix through our testing harness for even more points. Your exploits and fixes will earn you a spot on the leaderboard—and the top three contestants will win actual prizes.

How to Play Our Contest

You’ll need a ticket to play. These may be handed out during the con or earned by engaging with various other SAINTCON communities.

Redeem your ticket at the booth to take a crack at a game.

You can return and play again if you earn more tickets—each game is standalone and has its own challenge.

Notes

This contest is designed to be fun, welcoming, and hands-on—no gatekeeping here. Whether you’re a first-time player or a seasoned security pro, there’s a game (and probably a janky plush prize) with your name on it.

Come try your luck. Cheat the system. And leave it better than you found it.

Scoring

Partial wins
small points + small prize

Exploit the game
big points + bigger prize

Submit a working fix
even more points and leaderboard climb

Helpful Skills

-Are familiar with OWASP Top 10-style vulnerabilities
(XSS, IDOR, SQLi, etc.)

-Can read and understand code
(games will be in various different languages)

-Can use an LLM

-Aren’t afraid to try weird things and fail gloriously

Frequently Asked Questions:

Is this for individuals or teams?

A: It’s an individual contest—just you and the game.

Do I need to bring a laptop?

A: Nope! It is best to use your own for submitting code fixes, but devices will be provided in case you need one.

How do I get a ticket?

A: Tickets will be floating around the con—keep an eye out at various community booths or events.

What if I’ve never hacked anything before?

A: That’s okay! You can try using ChatGPT or learning about vulnerabilities at the AppSec community. Some games can be partially beaten with a little luck and intuition. Come give it a shot and have fun.

Can I view the game code?

A: Yes! All game source code is open and available on GitHub.

How are winners decided?

A: The top three individuals with the most combined points from successful exploits and submitted fixes will win final prizes.