DEV Community: Hamza

Win Prizes at DEF CON 34 | Submit a Challenge Now!

Hamza — Thu, 18 Jun 2026 06:38:40 +0000

The Prizes for the SecDim AppSec Village Wargame CtF at DEF CON 34 has been announced!

Build and submit a challenge and get a chance to Win a ROG Xbox Ally if your challenge submission wins 1st Place!

Challenge submissions close on 31 July.

https://sessionize.com/appsec-village-wargame

New GCP Challenges Released

Hamza — Wed, 17 Jun 2026 07:34:47 +0000

We’ve expanded our Google Cloud Platform (GCP) challenge catalogue with a new set of hands-on cloud security scenarios covering common services and configurations.

These challenges focus on security issues and misconfigurations commonly encountered in cloud environments, giving practitioners practical experience identifying and remediating them.

Try them now on SecDim Play!

👉 https://secdim.com/news/new-gcp-security-challenges-19187/

NDC Sydney 2026 AI Wargame Winners

Hamza — Tue, 16 Jun 2026 02:19:03 +0000

We held an AI Wargame at NDC Sydney 2026.

Congratulations to the Winners: zakazai, Brendon Atkins and wicksipedia

They finished at the top of the leaderboard after tackling challenges covering exploitation, secure coding, and vulnerability remediation in AI applications.

Thanks to everyone who participated. We look forward to the next one.

50 days Left! - Submit a challenge for AppSec Village at DEF CON 34.

Hamza — Thu, 11 Jun 2026 08:02:17 +0000

There are 50 days remaining to submit a challenge for the SecDim "Fix the Flag" competition at AppSec Village™, DEF CON 34.

Build a vulnerable application, define the intended fix, and put defenders to the test.

If you've ever looked at a security vulnerability and thought "this might be a challenge to patch", now is your chance.

Submissions will be featured in the Wargame competition, with prizes for the best ones provided by XBOW.

👉 https://sessionize.com/appsec-village-wargame

Why you should not use JavaScript sandbox

Hamza — Wed, 10 Jun 2026 04:39:39 +0000

We previously highlighted comments from the vm2 maintainers acknowledging that future sandbox escapes are likely and that vm2 should not be relied upon as a sole security control.

We promised a write-up. Here it is.

Using the recent vm2 escape (CVE-2026-22709) as a case study, we ask:

Can an in-process JavaScript sandbox ever be treated as a security boundary?

We examine why sandbox escapes continue to occur, the architectural challenges behind them, and why stronger isolation models are often a better investment when executing untrusted code.

The core flaw is that vm2 attempts to enforce isolation inside the same language runtime, which has no concept of privilege separation.

The approach taken to patch the vulnerability is to wrap a finite set of intrinsics and methods (e.g. Promise) that could lead to a sandbox escape. This design decision has the same failure mode as a blacklist. We disallow a finite set of items that we know can cause harm. If we miss an item, type, path, or introduce a new object, a sandbox bypass can emerge.

If application security is implemented merely by chasing exploitable scenarios, it shows a deep insecure design flaw. This approach does not guarantee safety and it remains open for future exploitation.

Read the entire article here:

👉 https://secdim.com/blog/post/why-you-should-not-use-javascript-sandbox-19165/

CtF Submissions for DEF CON 34 are now open.

Hamza — Wed, 03 Jun 2026 07:41:07 +0000

Challenge submissions for the AppSec Village Wargame Contest at DEF CON 34 are now open.

Think you have what it takes to make the most interesting AppSec challenge? Now is a good time to get started.

Build challenges with the Open Source SecDim Play SDK and win prizes at DEF CON 34.

👉 https://secdim.com/defcon/

Coming Soon: vm2 and JS Sandboxes

Hamza — Tue, 02 Jun 2026 03:31:08 +0000

The maintainers of vm2 have been honest about its limitations.

They have been explicit that new sandbox bypasses are likely to occur and that vm2 should not be relied on as a sole security control.

It is a welcome trend to see maintainers openly discuss the limitations and security assumptions of their projects.

Later this month, we'll be publishing a write-up on vm2 and the security implications of JavaScript sandboxes. Stay tuned.

New Frontend Security Course Released

Hamza — Thu, 21 May 2026 04:14:53 +0000

The 2018 British Airways "Magecart" breach injected malicious JavaScript into payment pages, capturing credit card details for hundreds of thousands of customers and resulting in a proposed £183.39 million GDPR fine — a landmark moment for frontend security risk and regulatory exposure.

Modern frontends now run a huge share of application logic. They parse untrusted data, execute third-party scripts, and handle authentication tokens — all inside the user's browser. When that surface goes wrong, the blast radius is enormous.

Browsers and frameworks have added strong guardrails such as Content Security Policy (CSP), Trusted Types, SameSite cookies, and Subresource Integrity (SRI). Our new Frontend Security course covers how modern frontend attacks work and how to properly apply these defenses in real-world applications using layered security approaches.

👉 Check it out now: https://learn.secdim.com/course/frontend-security

React2Shell (CVE-2025-55182): Exploitation Flow and Secure Coding Lessons

Hamza — Tue, 19 May 2026 02:55:29 +0000

CVE-2025-55182 demonstrates, once more, the danger of unsafe deserialization and input validation. When untrusted input is allowed to influence object traversal or dispatch without strict validation, exploitation is only a matter of finding the right gadget.

Deserialization vulnerabilities have been around for many years and will continue to be. The vulnerable code resides in framework-bundled runtime logic rather than application code.

Developers and platform maintainers must not assume that framework-level abstractions inherently enforce safe behavior.

Read more in our comprehensive write-up for the React2Shell vulnerability.

👉 Check it out: https://secdim.com/blog/post/react2shell-cve-2025-55182-exploitation-flow-and-secure-coding-lessons-19100/

Coming Soon: React2Shell

Hamza — Wed, 13 May 2026 07:31:49 +0000

In the React2Shell exploitation, we can abuse a deserialization vulnerability in React Server Components to smuggle attacker-controlled strings into React’s internal module loader.

We will be releasing a comprehensive write-up about the lessons in secure programming that can be learnt from this.

Coming soon!

DEVWorld is only a few days away!

Hamza — Wed, 06 May 2026 02:33:16 +0000

The wargame contest with a Luxury Weekend stay on the line will be reaching its zenith by Friday.

👉 Check it out now: https://secdim.com/devworld/

💎 Win a Luxury Weekend Away in a 4-star Hotel!

Hamza — Thu, 30 Apr 2026 04:01:32 +0000

Think you and your team have what it takes to win the DEVWorld 2026 AI Wargame?

This year's winners will walk away with a weekend escape designed to celebrate your victory in style.

🏆 The Grand Prize Includes:

• A luxurious stay in a 4-star hotel

• Curated dinners and premium experiences

• Activities designed to relax, recharge, and reward your team

• Zero planning — everything handled for you

From the first exploit to the final patch, this is your chance to turn technical skill into something unforgettable.

Bring your team (or just yourself).

Take the challenge.

Win the weekend.

🎯 Enter the DEVWorld 2026 AI Wargame and claim your shot at the ultimate team reward.

👉 https://secdim.com/devworld/