1 EVENT, 2 EXCITING CHALLENGES
This year’s challenge utilises two intentionally vulnerable applications: Shred Retail, an e-commerce website, and Account All, an HR website. Both are real, working websites with simulated traffic, and their technologies and vulnerabilities represent the behaviour of actual applications.
Where else can unmatched realism deliver the immediate satisfaction and long-term memory benefits that “learning by doing” provides to teams that protect your enterprise?
And not to mention it’s fun, so no strong-arming is needed.

Shred Retail: e-Commerce Website
Includes 35+ Vulnerabilities
Shred is a fully functional e-commerce website where participants can:
- Purchase skateboards and graffiti supplies
- Review products and read other users’ reviews
- Purchase and redeem gift cards
- Share and comment on photos
- Manage account information
- View past orders
Across its 35+ vulnerabilities (SQL injection, password cracking, cross-site scripting (XSS), business logic bypass and others), the challenges include (but are not limited to):
- Buying items in an unintended way
- Tampering with other users’ functionality
- Cracking passwords
- Elevating privileges

Account All: HR Website
Includes 40+ Vulnerabilities
Account All HR Website includes employee, manager and HR admin roles with distinct privileges. Functionality includes:
As an employee:
- Fill out and submit time sheets, and request time off
- View past pay stubs and manage direct deposit information and superannuation contributions
- View performance reviews and submit goals for review periods
As a manager:
- Approve/reject employee time sheets and time off requests
- Generate reports, view and submit employee performance reviews
As an HR administrator:
- Create users
- View and edit all user information including name, manager and salary
- Generate reports on all users
Vulnerabilities include SQL injection, cross-site scripting (XSS), horizontal authorisation bypass (viewing or modifying other users’ accounts), vertical authorisation bypass (accessing HR or manager functionality as a regular employee) and business logic bypass.
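To make the two authorisation-bypass classes above concrete, here is an added illustration in Python. It is not code from Account All; the users, roles, salaries and handler names (`view_salary_*`, `set_salary_*`) are all constructed for this example. The vulnerable handlers show the two mistakes (trusting a client-supplied record id without an ownership check, and trusting a client-supplied role), and the hardened handlers show the server-side checks that close them.

```python
# Added illustration (not the Account All application's code): a minimal model
# of an HR "view salary" / "set salary" endpoint showing a horizontal and a
# vertical authorisation bypass beside the server-side checks that prevent them.
# All users, roles and salaries below are constructed sample data.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str                  # "employee", "manager" or "hr_admin"
    manager_id: Optional[int]  # direct manager, None for the top of the tree
    salary: int


# Constructed directory: 1 is an HR admin, 2 is a manager of 3 and 4,
# 3 and 4 are regular employees who are peers of each other.
USERS = {
    1: User(1, "hr_admin", None, 120_000),
    2: User(2, "manager", 1, 95_000),
    3: User(3, "employee", 2, 70_000),
    4: User(4, "employee", 2, 68_000),
}


class PermissionDenied(Exception):
    pass


def _caller(session_user_id: int) -> User:
    """Resolve the authenticated caller from the server-side session record."""
    if session_user_id not in USERS:
        raise PermissionDenied("not logged in")
    return USERS[session_user_id]


# --- Vulnerable handlers -----------------------------------------------------
def view_salary_vulnerable(session_user_id: int, target_id: int) -> int:
    """Authenticates the caller but never checks that the caller may see the
    requested record: any logged-in employee can read any other user's salary
    just by changing target_id (horizontal authorisation bypass)."""
    _caller(session_user_id)
    return USERS[target_id].salary


def set_salary_vulnerable(session_user_id: int, target_id: int,
                          new_salary: int, role_claim: str) -> int:
    """Trusts a role value supplied by the client (a hidden form field or a
    cookie, say). An employee who submits role_claim="hr_admin" reaches
    HR-admin-only functionality (vertical authorisation bypass)."""
    _caller(session_user_id)
    if role_claim != "hr_admin":
        raise PermissionDenied("HR admin only")
    USERS[target_id] = replace(USERS[target_id], salary=new_salary)
    return USERS[target_id].salary


# --- Hardened handlers -------------------------------------------------------
def can_view_salary(caller: User, target: User) -> bool:
    """Object-level rule: the record owner, the owner's direct manager,
    or an HR admin may view a salary. Everything else is denied."""
    return (caller.user_id == target.user_id
            or target.manager_id == caller.user_id
            or caller.role == "hr_admin")


def view_salary_hardened(session_user_id: int, target_id: int) -> int:
    caller = _caller(session_user_id)
    target = USERS.get(target_id)
    # Deny unknown records and records the caller has no relationship to.
    if target is None or not can_view_salary(caller, target):
        raise PermissionDenied("not permitted to view this record")
    return target.salary


def set_salary_hardened(session_user_id: int, target_id: int,
                        new_salary: int) -> int:
    caller = _caller(session_user_id)
    # The role comes from the server-side user record, never from the request.
    if caller.role != "hr_admin":
        raise PermissionDenied("HR admin only")
    if target_id not in USERS:
        raise PermissionDenied("no such record")
    USERS[target_id] = replace(USERS[target_id], salary=new_salary)
    return USERS[target_id].salary


def denied(fn, *args) -> bool:
    """Helper for checks: True if the handler refuses the request."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    # Employee 4 reading peer 3's salary succeeds only against the vulnerable handler.
    print(view_salary_vulnerable(4, 3), denied(view_salary_hardened, 4, 3))
```

The design point is that both bypasses come from the same root cause: the handler trusts something the client chose (a record id, a role string) instead of deriving identity and role from the server-side session and checking the relationship between caller and record on every request.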