BSidesVienna 0x7E9

how malicious code pwned a secure coding CTF
11-22, 13:40–13:55 (Europe/Vienna), Second Room

Secure coding challenges in CTFs typically ask participants to patch vulnerabilities in (web) application code. But what happens when the validation system itself is vulnerable and not so ... secure?

This talk examines the irony of breaking security challenges by attacking the infrastructure behind them, and demonstrates the exploitation techniques used against os.popen(), Python's shell-backed command runner: because it hands its argument string to a shell, any unsanitized input that reaches it is a command injection.


The Amazon AppSec CTF 2025 featured three secure coding challenges in which 30 finalists were tasked with patching vulnerabilities such as path traversal and command injection in different systems. A backend validation system would test submitted fixes and award flags for properly secured code. This presentation will walk through the Capture The Flag structure, demonstrate the specific exploitation techniques that were used, and discuss the broader implications. We'll examine why validation systems in security competitions need the same scrutiny as the challenges themselves, explore the ethical boundaries of exploiting competition infrastructure, and reveal why Amazon paused the finals mid-competition (oops).
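The bug class the abstract refers to, shown as an added illustration that is not code from the talk, the speaker, or the CTF's validation system. The hypothetical "validator" below shells out to `echo` with a team name, first through `os.popen()` (string handed to `/bin/sh -c`), then with the same string quoted, then with no shell at all. The team name, the `INJECTED` marker and the allowlist pattern are constructed for the example, and the outputs assume a POSIX shell.

```python
"""Command injection via os.popen() beside two hardened variants.

Added example, not from the talk or from the CTF being described. The
'validator' is a hypothetical stand-in: it greets a submitted team name
by running `echo`, which is enough to show how shell metacharacters in
user input turn into extra commands. Assumes a POSIX /bin/sh.
"""
import os
import re
import shlex
import subprocess

# Constructed attacker input: a legitimate-looking value followed by a
# shell separator and a second command.
MALICIOUS_NAME = "team1; echo INJECTED"


def greet_vulnerable(team_name: str) -> str:
    # os.popen() passes the whole string to /bin/sh -c, so ';', '|', '&&',
    # '$(...)' and backticks inside team_name are interpreted by the shell.
    # The attacker's second command runs with the validator's privileges.
    with os.popen("echo Hello " + team_name) as proc:
        return proc.read()


def greet_quoted(team_name: str) -> str:
    # If a shell string is unavoidable, shlex.quote() wraps the value so the
    # shell treats it as a single literal word; the ';' is no longer a separator.
    with os.popen("echo Hello " + shlex.quote(team_name)) as proc:
        return proc.read()


def greet_hardened(team_name: str) -> str:
    # Preferred fix: no shell at all. Each argv element is exactly one
    # argument to the program; nothing is re-parsed, so there is nothing to inject.
    result = subprocess.run(
        ["echo", "Hello", team_name],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


# Defence in depth: a positive allowlist on the input itself, independent of
# how the command is later built. Pattern is an assumption for this example.
TEAM_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_valid_team_name(team_name: str) -> bool:
    return TEAM_NAME_RE.fullmatch(team_name) is not None


def was_injected(output: str) -> bool:
    # A second command ran if the marker shows up on its own line.
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for label, fn in (
        ("os.popen, raw", greet_vulnerable),
        ("os.popen, shlex.quote", greet_quoted),
        ("subprocess argv list", greet_hardened),
    ):
        out = fn(MALICIOUS_NAME)
        print(f"{label:24} injected={was_injected(out)} output={out!r}")
    print("allowlist accepts attacker input:", is_valid_team_name(MALICIOUS_NAME))
```

Run it and the first line reports `injected=True`: the raw `os.popen()` call printed `Hello team1` and then executed `echo INJECTED` as a separate command. The quoted and argv-list variants print the attacker string verbatim, and the allowlist rejects it before any command is built. In a CTF validator the injected command would typically be something other than `echo`, which is exactly why the validation backend deserves the same review as the challenge code it grades.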

Lead Penetration Tester & Cybercrime Podcast Host.