6 month of free Pro subscription for the Winner and a unique badge.
3 month of free Pro subscription for the first runner up.
1 month of free Pro subscription for the second runner up.
6 month of free Pro subscription for best challenge contribution and a unique badge.
All participants get a badge for taking part in the contest.
Furthermore, we are making the Game Unrestricted for a Limited Time. This means all pro features such as access to the Cloud Development Environment (CDE), Premium Hints and Source Code Access for the Battle Game will all be available for free for the Holiday Wargame. Go and try it now!
Password resets are a fundamental feature that allow users to securely update their credentials. However, if the reset process does not adhere to secure design principles, adversaries can exploit weaknesses to compromise user accounts or privilege escalation - whether by gaining unauthorized access to another user’s account (horizontal escalation) or by elevating their own permissions (vertical escalation).
In this secure coding challenge, we will examine the vulnerabilities in an improperly implemented password reset mechanism and learn best practices to build a secure reset password .
OWASP:A08:2021 CWE:915 Likelihood: Low Impact: High Severity: High
Class pollution is a new type of vulnerability that is similar to JavaScript Prototype Pollution. it that can be exploited to create or modify properties of an existing object.
Class Pollution arises when an attacker can modify an object’s __class__ attribute, which refers to the class that the object is an instance of. This manipulation can affect the class itself and all its instances.
Exploiting Class Pollution often involves unsafe merge functions that recursively process untrusted user input to set object attributes. Attackers can craft input that targets specific attributes, such as __qualname__, to modify class properties. Moreover, by chaining __base__ attributes, attackers can pollute parent classes in the inheritance hierarchy
Depending on the app, this vulnerability can lead to remote code execution, denial of service, and information leakage.
To learn more about Class pollution, watch the following video and read this blog post.
In this secure coding challenge, we will learn how to exploit this vulnerability in the provided app. Once you understand how the vulnerability is triggered, your goal is to address the vulnerability.
OWASP:A03:2021, LLM01:2025 CWE:94 Likelihood: Medium Impact: Medium Severity: High
AI applications have the potential to expose confidential information or intellectual assets. The root cause is in the combination of AI instructions and data, particularly user input. When a malicious user input is perceived as an instruction, the AI might unintentionally reveal sensitive data. This tactic is referred to as prompt injection. In this challenge, we aim to harden the AI app to prevent a specific type of prompt injection attack.
In this challenge, you are given an AI chatbot. Your chatbot has a secret that should always remain a secret! Your objective is to secure your chatbot to protect its secret while attacking other players’ chatbots and discovering theirs. Chatbot is built using OpenAI API and uses GPT3.5.
This is the king of the hill competition. The earlier you defend your app or hack another player’s, the higher your ranking will be. If a player hacks your app, you will lose the score and kicked out of the battle page. You may try again.
Popular football game FIFA has a competitive mode named Weekend League where the best players are competing for in-game prizes and also for entry to live competitive events. Matchmaking is based on ELO (estimated level of opponent) where opponents with ±5 levels of win/loss difference are matched.
Objective
Some players have found a way to game the system and get matched with players with lower skill level that they should be to increase their chances for a victory and better rewards. Can you find and fix security vulnerability?
Well, there doesnt seem to be a problem with the challenge.
The test is fine and the server side tests are running fine as well.
I can understand frustrations, since the patch was rather interesting.
Security tests are given in hints, and Ill include the patched solution as well for those curious how it works (bearing in mind that will negate all points)
In this secure coding challenge, we simulate a real-world example of an authentication discrepancy. We will learn how these subtle issues can arise and, more importantly, how to remediate them effectively.
OWASP:LLM05:2025 CWE:838 Likelihood: Medium Impact: High Severity: High
For our final challenge, we explore an OWASP Top 10 AI secure coding challenge, i.e. LLM05:2025 Improper Output Handling.
Improper or Insecure Output Handling refers to inadequate validation, sanitisation, and management of outputs generated by large language models (LLM) before they are passed on to other components and systems. Because the content generated by these models can be influenced by prompt inputs, this behaviour is akin to giving users indirect access to additional functionality.
In this challenge, we will learn how to address insecure output handling in LLM apps.
We also have a bonus challenge contributed by @Matt . This Python secure coding challenge contains two real-world security vulnerabilities. I let you explore it on your own .
Last but not least, this year we are giving away prizes for the best contributed challenge. Use SecDim SDK to build AppSec challenges. Submit your challenges no later than 31st January 2025 UTC.
Discord channel:
We also have a bonus challenge contributed by 
.
Last but not least, this year we are giving away prizes for the best contributed challenge. Use 