

Find the vulnerabilities – exploit them – score points – WIN and, most importantly, learn and improve your skills every step of the way


This year’s challenge utilises two intentionally vulnerable applications: Shred Retail, an e-commerce website, and Account All, an HR website. The challenges comprise real websites with simulated traffic, technologies and vulnerabilities that represent actual application behaviours.

Where else can unmatched realism deliver the immediate satisfaction and long-term memory benefits that “learning by doing” provides to teams that protect your enterprise?

Not to mention that it’s fun, so no strong-arming is needed.


Shred Retail: e-commerce Website

Includes 35+ Vulnerabilities

Shred is a fully functional e-commerce website where participants can:

  • Purchase skateboards and graffiti supplies
  • Review products and read other users’ reviews
  • Purchase and redeem gift cards
  • Share and comment on photos
  • Manage account information
  • View past orders

Comprising 35+ vulnerabilities and attack techniques such as SQL injection, password cracking, cross-site scripting (XSS) and business logic bypass, the challenges include (but are not limited to):

  • Buying items in an unintended way
  • Tampering with other users’ functionality
  • Cracking passwords
  • Elevating privileges

Account All – HR Website

Includes 40+ Vulnerabilities

Account All HR Website includes employee, manager and HR admin roles with distinct privileges. Functionality includes:

As an employee:

  • Fill out and submit time sheets, and request time off
  • View past pay stubs and manage direct deposit information and superannuation contributions
  • View performance reviews and submit goals for review periods

As a manager:

  • Approve/reject employee time sheets and time off requests
  • Generate reports, view and submit employee performance reviews

As an HR administrator:

  • Create users
  • View and edit all user information including name, manager and salary
  • Generate reports on all users

Vulnerabilities include SQL injection, cross-site scripting (XSS), horizontal authorisation bypass (viewing or modifying other users’ accounts), vertical authorisation bypass (accessing HR or manager functionality as a regular employee) and business logic bypass.
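To make the two authorisation bypass classes concrete, here is an added illustration in Python. It is not code from the Account All application: it is a tiny in-memory HR “profile” service with the bypasses side by side with the server-side checks that close them. The user names, roles, salaries, the “managers may view only their direct reports” rule and the function names are all constructed for this example.

```python
# Added illustration, not code from the Account All application: a tiny
# in-memory HR profile service showing a horizontal authorisation bypass
# (reading another employee's record) and a vertical one (an employee
# reaching an HR-admin-only write), next to the hardened versions.
# All user names, roles and salaries are constructed sample data.
import copy

SAMPLE_USERS = {
    "alice": {"role": "employee", "manager": "maria", "salary": 70000},
    "bob":   {"role": "employee", "manager": "maria", "salary": 72000},
    "maria": {"role": "manager",  "manager": "hr1",   "salary": 95000},
    "hr1":   {"role": "hr_admin", "manager": None,    "salary": 90000},
}


def fresh_users():
    """Return a private copy of the sample data so callers may mutate it."""
    return copy.deepcopy(SAMPLE_USERS)


# --- Vulnerable versions ---------------------------------------------------
# `caller` is the authenticated user; `user_id` comes straight from the
# request (think ?user_id=bob). Neither function relates the two.

def view_profile_vulnerable(users, caller, user_id):
    # Horizontal bypass: alice reads bob's record just by changing user_id.
    return users[user_id]


def set_salary_vulnerable(users, caller, user_id, salary):
    # Vertical bypass: any authenticated user performs an HR-admin-only write.
    users[user_id]["salary"] = salary
    return users[user_id]["salary"]


# --- Hardened versions -----------------------------------------------------
# Decisions are made from the caller's identity and role held server-side,
# never from the request parameter alone.

def can_view(users, caller, user_id):
    if user_id not in users:
        return False
    caller_role = users[caller]["role"]
    if caller == user_id or caller_role == "hr_admin":
        return True
    # Assumed rule for this example: managers see only their direct reports.
    return caller_role == "manager" and users[user_id]["manager"] == caller


def can_set_salary(users, caller, user_id):
    # Only the HR administrator role may edit salary, whatever the target.
    return user_id in users and users[caller]["role"] == "hr_admin"


def view_profile(users, caller, user_id):
    if not can_view(users, caller, user_id):
        raise PermissionError(f"{caller} may not view {user_id}")
    return users[user_id]


def set_salary(users, caller, user_id, salary):
    if not can_set_salary(users, caller, user_id):
        raise PermissionError(f"{caller} may not change the salary of {user_id}")
    users[user_id]["salary"] = salary
    return users[user_id]["salary"]


if __name__ == "__main__":
    users = fresh_users()
    # Employee alice walks every user id against the vulnerable endpoint ...
    for target in users:
        record = view_profile_vulnerable(users, "alice", target)
        print(f"vulnerable: alice -> {target}: salary {record['salary']}")
    print("vulnerable: alice sets bob's salary ->",
          set_salary_vulnerable(users, "alice", "bob", 1))
    # ... and the same requests against the hardened endpoint.
    for target in users:
        try:
            view_profile(users, "alice", target)
            print(f"hardened: alice -> {target}: allowed")
        except PermissionError as err:
            print(f"hardened: {err}")
    try:
        set_salary(users, "alice", "bob", 1)
    except PermissionError as err:
        print(f"hardened: {err}")
```

The point to carry back to the challenge: the fix is never to hide or rename the `user_id` parameter, but to decide access from the session-bound identity and role on the server for every request that reads or writes another user’s data.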