7 Full-Stack Security Audit Challenges: Can You Find All the Bugs?
How-To, Security


via Dev.to, fosres

Time: Self-paced
Difficulty: Intermediate to Advanced
Skills: Web AppSec, Secure Code Review, Python, JavaScript

The Breach That Changed Everything

In July 2019, a lone attacker compromised over 100 million Capital One customer records — credit card applications, Social Security numbers, bank account data — all from a single misconfigured AWS WAF. The root cause? A Server-Side Request Forgery vulnerability. The WAF's URL-fetching feature made an outbound HTTP request to the AWS metadata endpoint at http://169.254.169.254/, which handed back temporary IAM credentials, and the attacker walked straight into an S3 bucket containing a decade of customer data. Capital One paid $190 million in settlements. The attacker was a former AWS engineer who understood exactly which endpoint to hit. The vulnerability wasn't exotic. It wasn't a zero-day. It was a feature — a URL fetcher — that trusted user input without validation. A develope
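One defensive check for a URL fetcher of the kind described above, added here as an example (it is not code from the Dev.to article): the fetcher resolves the user-supplied host first and refuses any address in link-local, loopback or private ranges, so a request aimed at 169.254.169.254 is rejected before it leaves the box. The function names and sample hostnames are my own; the resolver is injectable so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an outbound fetcher must never reach on a user's behalf. 169.254.0.0/16
# is link-local and holds the cloud metadata service (169.254.169.254) that
# handed out the IAM credentials in the breach described above.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked_ip(ip):
    """True if ip falls in a range the fetcher must not contact."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is checked as IPv4
    return any(addr in net for net in BLOCKED_NETWORKS)

def resolve_host(host):
    """Default resolver: every address the OS returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_fetch_url(url, resolver=resolve_host):
    """Return the allowed IPs for url or raise ValueError. Checking resolved
    addresses, not hostname text, also catches decimal/octal IP spellings and
    DNS names aimed at 169.254.x.x. Connect to a returned IP and re-run this
    check on every redirect, or a DNS rebind or 302 to metadata slips past."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        raise ValueError(f"unsupported URL: {url!r}")
    try:
        ips = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        ips = resolver(host)                    # hostname: resolve first
    if not ips:
        raise ValueError(f"host did not resolve: {host!r}")
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:
        raise ValueError(f"destination not allowed: {blocked}")
    return ips

def is_fetch_allowed(url, resolver=resolve_host):
    """Yes/no wrapper for call sites that do not need the addresses."""
    try:
        return bool(validate_fetch_url(url, resolver))
    except ValueError:
        return False
```

The allow decision is made on the resolved addresses and must be repeated for each redirect hop, so pair it with an HTTP client configured not to follow redirects automatically.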
