Hackathon on avatao - Beyond OWASP Top Ten


Go to the owasp path at avatao and start solving the challenges. If you are afraid of registering, we created some test accounts for you. However, if you register you can save your own score.

user1: owaspsummit1@avatao.com password: OWASP_2017_IS_COOL

user2: owaspsummit2@avatao.com password: OWASP_2017_IS_COOL

user3: owaspsummit3@avatao.com password: OWASP_2017_IS_COOL


In this hackathon, Participants can experience many security challenges ranging from web security to DevSecOps. The session is run on the avatao platform, an online tool that offers a wide variety of hands-on ITsec challenges. We demonstrate how deep the rabbit hole goes in terms of architecture, programming languages, or design. Avatao contains more than 400 challenges to achieve this. The session is useful for anyone who would like to get hands-on experience with cutting edge technologies (e.g., Unicorn Engine, Kaitai Struct) that shape our security today, or for anyone interested in solving more traditional challenges in web security or Java.

The primary goal is to have fun and gather feedback from the participants on the platform and ideas for new challenges for AppSec professionals.


Planned topics for the hackathon:

  • Web security,
  • API security,
  • Testing (BDD),
  • Security misconfigurations,
  • Docker security,
  • Secure coding in C,
  • Secure coding in Java,
  • Security tools tutorials (Wireshark, Unicorn Engine),
  • Crypto and protocol security,
  • Hacker stuff (pwn, RE) on demand


  • Having fun
  • Learn new vulnerabilities and past epic failures (Yahoo Mail stored XSS)
  • Hands-on experience with cutting edge ITSec technologies (e.g., Kaitai Struct, Unicorn Engine)
  • Collect new ideas for security challenges (secure coding in X, GDPR)

See Synopsis and Takeaways below


The target audience for this Working Session is:

  • Developers (anyone interested in web and low-level languages)
  • Security professionals
  • CTF participants (and those who would like to become one)
  • CISOs

Synopsis and Takeaways


The OWASP 2017 Summit path

avatao owasp

Kaitai Struct in avatao

avatao kaitai

Live Wireshark from your browser

avatao wireshark

Some statistics

avatao statistics

Remote Participants

All the challenges will be available online so people can participate remotely.

General Rules to Participate

The hackathon will be organised on the avatao platform, which is a commercial product to teach people how to build secure products. In accordance with the general rules of the OWASP Summit 2017, a dedicated learning path will be set up for all the on-site and remote conference participants free of charge. The organisers of the Hackathon will help the participants on-site, but the Hackathon will continue to be available after the conference.


We are more than happy to announce that our challenge-engine is now open source under the very permissive Apache 2 License. Huge thank goes to Dinis Cruz for pushing us to do that. This is the very first public version that anyone can use to build and run avatao challenges locally. We are going to update the descriptions and scripts continuously so that anyone can easily share challenges with all the folks on avatao.

Related Working Session(s)

Back to list of all Working Sessions and Tracks

Edit this page here