A comprehensive collection of hands-on Application Security exercises designed to sharpen your skills for production environments and security-critical roles. These challenges are grounded in real-world CVEs, industry standards, and best practices from authoritative security references.
This repository provides practical, production-focused security exercises covering common vulnerability classes and secure coding practices. Each exercise is inspired by actual CVEs and references industry-standard security resources including the CERT C Coding Standard, "Effective C", "The Art of Software Security Assessment", and "API Security in Action".
- Application Security Engineers preparing for production work
- Software Engineers looking to strengthen secure coding practices
- Security professionals studying real-world vulnerability patterns
- Developers preparing for AppSec-focused technical interviews
- Students learning offensive and defensive security techniques
Location: integer_overflow/
Focuses on detecting and preventing unsigned integer wraparound vulnerabilities:
- Unsigned integer overflow detection (CERT C INT30-C)
size_tarithmetic overflow prevention- Precondition and postcondition testing techniques
- Real-world CVE scenarios: CVE-2009-1385 (Linux Kernel), CVE-2014-4377 (iOS 7.1)
Difficulty: Beginner to Intermediate
Location: buffer_overflow/
Secure string operations and bounds-checking:
- Safe use of
strncat()and bounds-checking functions - Off-by-one error prevention
- Integer underflow in size calculations
- Proper null termination handling
- Real-world CVE scenarios: CVE-2009-0587, CVE-2009-1252
Difficulty: Beginner to Intermediate Prerequisites: Complete integer overflow exercises first
Location: os_security/
Three progressive exercises on preventing path traversal attacks:
- Unicode sandwich pattern implementation
- Encoding-based attack bypass detection (URL encoding, double encoding)
- Unicode normalization attack prevention
- Allowlist validation techniques
- Real-world CVE scenarios: CVE-2019-11510 (Pulse Secure), CVE-2021-41773 (Apache), CVE-2022-24112 (Atlassian)
Difficulty: Intermediate Time: 2-4 hours per variant
Location: passwords/password_generator/
Cryptographically secure password generation and strength validation:
- CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) usage
- Password entropy calculation
- Character space analysis
- Security-focused password strength assessment
- Common pitfalls in random number generation
Difficulty: Intermediate
Location: session_security/jwt_token_validation/
JWT token validation and session management:
- Token expiration validation
- Secure session handling practices
- Time-based security controls
Difficulty: Intermediate
Location: api_security/api_request_limiter/
Implementing production-grade API rate limiting:
- Request throttling strategies
- Abuse prevention mechanisms
- API security best practices
Difficulty: Intermediate
Location: dynamic_memory_management/
Safe memory allocation and deallocation practices:
- Proper use of malloc/free
- Memory leak prevention
- Use-after-free vulnerability prevention
- Data structure comparisons for memory management
Difficulty: Intermediate to Advanced
AppSec-Exercises/
├── README.md # This file
├── CLAUDE.md # Development guidance for AI assistants
├── integer_overflow/ # Size_t overflow detection
├── buffer_overflow/ # Secure string operations
├── os_security/ # Path traversal prevention exercises
│ ├── os_path_traversal/
│ ├── os_path_traversal_ii/
│ └── os_path_traversal_revised/
├── passwords/ # Password generation and validation
│ └── password_generator/
├── session_security/ # JWT and session management
│ └── jwt_token_validation/
├── api_security/ # API security patterns
│ └── api_request_limiter/
└── dynamic_memory_management/ # Safe memory operations
- Read the exercise markdown file thoroughly
- Understand the CVE context and real-world impact
- Review noncompliant examples to understand what NOT to do
- Implement your solution following the requirements
- Compile with security flags:
gcc -std=c11 -Wall -Wextra -Wpedantic -Werror \ -fsanitize=address,undefined \ -D_FORTIFY_SOURCE=2 -fstack-protector-strong \ -o output source.c - Test against provided test cases
- Verify with AddressSanitizer and Valgrind:
./output valgrind --leak-check=full ./output
- Read the exercise README or markdown file
- Understand the vulnerability class and attack vectors
- Review test cases to understand requirements
- Implement your solution
- Run provided test suites
- Review blog posts for detailed explanations
- Unsigned wraparound is well-defined but dangerous
- Never test overflow after the operation
- Use precondition checks:
b > SIZE_MAX - a - Or postcondition checks:
sum < aindicates wraparound
- Never use unbounded string functions
- Account for null terminators in size calculations
- Check for integer underflow before subtraction
- Validate inputs are null-terminated
- Implement allowlist validation, not blocklist
- Normalize input before validation
- Detect encoding-based bypasses
- Handle Unicode edge cases
- Always use cryptographically secure random sources
- Never use predictable RNGs for security-critical operations
- Calculate and validate entropy requirements
- Understand the difference between randomness and security
All exercises are based on authoritative security references:
- CERT C Coding Standard 2016: Specific rule citations (INT30-C, STR31-C, etc.)
- Effective C, 2nd Edition: Chapter and page references
- The Art of Software Security Assessment: Vulnerability analysis techniques
- API Security in Action: Modern API security patterns
- Effective Python: Language-specific best practices
Exercises simulate vulnerabilities from actual CVEs:
- CVE-2009-1385: Linux Kernel integer underflow
- CVE-2014-4377: iOS multiplication wraparound
- CVE-2009-0587, CVE-2009-1252: String operation vulnerabilities
- CVE-2019-11510: Pulse Secure path traversal
- CVE-2021-41773: Apache HTTP Server path traversal
- CVE-2022-24112: Atlassian Unicode normalization bypass
- Basic C programming knowledge
- Understanding of pointers and memory
- GCC compiler with C11 support
- AddressSanitizer and Valgrind (recommended)
- Python 3.8+
- Basic understanding of file systems and web APIs
- Familiarity with pytest (for running tests)
Recommended progression for maximum learning:
- Start with Integer Overflow - Foundation for size calculations
- Progress to Buffer Overflow - Applies integer overflow concepts
- Move to Path Traversal - Input validation and encoding
- Practice Password Generation - Cryptographic operations
- Explore API Security - Rate limiting and abuse prevention
- Advanced Memory Management - Complex memory safety patterns
These exercises are designed for self-study and skill development. If you find errors or have suggestions for improvements, please open an issue or submit a pull request.
These exercises are provided for educational purposes. Use them to strengthen your security skills and build safer software.
Note: Each exercise directory contains detailed instructions, test cases, hints, and often blog posts with comprehensive explanations. Read all provided materials before starting implementation.