Take the GitHub Security Lab 'Capture The Flag' challenges!

Do you want to challenge your vulnerability hunting skills? We created these CTF challenges to allow you to do exactly that, while helping you to quickly learn CodeQL.

Currently playing

Participate in this challenge before December 31st, and get a chance to win the grand prize: a Nintendo Switch!

  • CTF 3: XSS-unsafe jQuery plugins - Find variants of jQuery plugins that expose their clients to undocumented XSS (cross-site scripting) vulnerabilities. Language: JavaScript - Difficulty level: ***

Past challenges

You can still enjoy these past challenges, to practice CodeQL or just for fun!

  • CTF 1: SEGV Hunt - Find a critical buffer overflow bug in glibc. Language: C - Difficulty level: ***
  • CTF 2: U-Boot Challenge - Follow in the footsteps of our security research team and discover 13 vulnerabilities in U-Boot. Language: C - Difficulty level: **

Documentation

If you want to learn more about writing CodeQL queries before getting started with these CTF challenges, you may find the following articles and documents useful:

Getting Help

If you find yourself stuck writing in the QL language or on any part of the CTF and would like some help, email us at ctf@github.com