GitHub Security Lab

Capture The Flag

Do you want to challenge your vulnerability hunting skills? We created these CTF challenges to allow you to do exactly that, while helping you to quickly learn CodeQL.

Coming soon!

Are you ready for a ... Call to Hacktion??? ... start polishing your hacking boots and stay tuned!

Save the date: March 17 - March 21

Check back on March 17, 2021 for details

Past challenges

You can still enjoy these past challenges, to practice CodeQL, or just for the fun!

• CTF 1: SEGV Hunt - Find a critical buffer overflow bug in glibc. Language: C - Difficulty level:
• CTF 2: U-Boot Challenge - Follow in the footsteps of our security research team and discover 13 vulnerabilities un U-Boot. Language: C - Difficulty level:
• CTF 3: XSS-unsafe jQuery plugins - Find variants of jQuery plugins that expose their clients to undocumented XSS (cross-site scripting) vulnerabilities. Language: JavaScript - Difficulty level:
• CTF 4: CodeQL and chill - Find a pre-auth RCE in Netflix Titus. Language: Java - Difficulty level:

Documentation

If you want to learn more about writing CodeQL queries before getting started with these CTF challenges, you may find the following articles and documents useful:

• Introduction to CodeQL
• CodeQL detective tutorials
• Writing a basic CodeQL query for C/C++
• Python code analysis - Introduction to CodeQL

Getting Help

If you find yourself stuck writing in the QL language or on any part of the CTF and would like some help, email us at ctf@github.com