OWASP Global AppSec EU 2026 Vienna

Application security failures often stem from small, everyday oversights that quietly accumulate into serious risk. This Practical On-Demand (POD) activity lets participants explore how those issues surface in real applications by actively engaging with a deliberately vulnerable web app.

Attendees can drop in at any time and participate in a self-paced, Capture the Flag (CTF) style challenge centred on investigation, experimentation, and problem solving. Starting from a minimal application with limited guidance, participants uncover and connect security weaknesses to progressively increase their level of access.

The activity is designed to be accessible to all experience levels. Newcomers can engage with individual challenges and learn core AppSec concepts, while more experienced practitioners can pursue deeper exploration and more complex exploitation paths. All scenarios are inspired by issues commonly encountered in real world development environments.

Facilitators are present throughout the session to support participants, answer questions, and provide short, optional walkthroughs for those without laptops. The emphasis remains on doing, discovery, and practical takeaways, ensuring participants leave with a stronger intuition for identifying risk and concrete guidance they can apply in their own applications.