CMD+CTRL Applications

Runstoppable – Mobile Fitness Tracking Application

With 60+ challenges, this app lets users track runs, challenge friends, make purchases, and share data. Participants can use actual phones or an emulator to solve client- and server-side challenges such as finding secrets in mobile code or stored locally on the phone, exploiting debug functionality, and reverse engineering libraries.



ShadowBank – Banking Website 

Users can create accounts, transfer funds, buy and sell stocks, request a loan, and a lot more. The 50+ vulnerabilities cover the OWASP Top 10, ISO 2700x, and popular NIST and CWE standards, and tempt users to break into someone else’s account, buy stocks for free, and transfer negative funds.


Gold Standard Bank – Advanced Banking Website

Everything available in ShadowBank plus account holder and administrative functionality like requesting/approving loans and posting official announcements. 60+ vulnerabilities are “protected” by poorly implemented mitigations like blacklisting and client-side validation, challenging players to crack passwords, chain multiple vulnerabilities, and assemble creative attacks. Gold Standard challenges even the elite.


Shred Retail – eCommerce Website

Users can purchase skateboards and supplies, review products, purchase and redeem gift cards, view past orders, and more. 35+ vulnerabilities allow you to buy a negative quantity, place an order with someone else’s credit card, get a great deal on gift cards, trigger denial of service, and more. 


Account All – HR Website

This Web site includes employee, manager, and HR admin roles with distinct privileges and functionality such as submitting timesheets, managing direct deposit, viewing paystubs, submitting performance reviews, and editing confidential user information. Users can exploit 40+ vulnerabilities to view their boss’s salary, modify another user’s account, set invalid 401(k) contributions, and carry out other devious activity.


InstaFriends – Social Media Website  

This Web site allows users to friend and message other users, post to timelines, manage privacy settings, become group administrators, etc. With 60+ vulnerabilities to find, users attempt to join private groups, upload unauthorized photos, change another user’s password, and more.