Overview
AppSec TAP is a fast arcade defense game with a sprinkle of AppSec learning.
Each wave spawns software vulnerabilities (“bugs”). Tap to squash them before they drain Codebase Integrity. Every 3 waves you face a Boss and pick a reward that carries into the next wave.
- Lives: 3 per run
- Integrity: drops while bugs live; hits 0 → you lose a life
- Streak & Multiplier: consecutive hits = more points (×2/×3/×4)
- Timer: clear all bugs before it expires for a time bonus
How to Play
- Tap / Click a bug to deal damage. Tougher bugs need multiple hits.
- Misses reset your streak.
- Pause any time; between waves, choose rewards after bosses.
- Mobile: the game enters an immersive full-screen mode automatically.
Bosses & Rewards
- Wave 3 / 6 / 9… Bosses:
  - APT — phases a shield on/off and blinks toward your keep
  - DDoS — bursts swarms that drift at your keep
  - RCE — periodically spawns XSS minis
- Rewards (draft one): score ×2 for a wave, integrity regen, bigger taps, etc.
Vulnerability Bestiary (What it is → How it behaves → How to counter)
| Vulnerability | Real-world idea | In-game behavior | Quick mitigation idea |
|---|---|---|---|
| XSS | Injected script runs in the browser. | Small, quick; can split into mini-XSS (count capped, with a cooldown). | Output encoding; CSP; input validation. |
| SQLi / NoSQLi | Untrusted input changes queries. | Medium HP; steady DPS. | Parameterized queries / query builders. |
| CSRF / XSRF | Cross-site request with victim creds. | Low HP; appears near keep (“leech”). | SameSite cookies; CSRF tokens. |
| SSRF | Server fetches attacker’s URL. | Blink toward keep in steps. | Denylist/allowlist egress; metadata proxy. |
| JWT (token vulns) | None/weak signature, bad claims. | Shield cycles on/off — only hit when open. | alg pinning, exp/aud, rotate keys. |
| CORS (misconfig) | Overbroad origins/credentials. | Shielded like JWT but timing differs. | Explicit origins; no * with creds. |
| MITM / CSWSH | Traffic hijack / WebSocket hijack. | Linker aura buffs nearby bugs’ DPS. | HSTS, cert pinning; ws auth & origin checks. |
| XXE / LFI / RFI | File/DTD tricks. | Short blink hops toward keep. | Disable external entities; strict file IO. |
| SSTI | Templating eval injection. | Medium HP; slightly higher DPS. | Sandboxed engines; strict template context. |
| RCE | Remote code execution. | Spawns XSS minis over time. | Least privilege; egress control; WAF. |
| DoS / DDoS | Resource exhaustion. | Swarm packets from edges. | Rate-limit; autoscale; caching/CDN. |
| ReDoS | Catastrophic regex backtracking. | Triggers brief global slow-mo. | Timeouts; safe regexes; a backtracking-safe regex library. |
| IDOR / BOLA / BFLA | Access-control logic flaws. | Regular bugs; higher score. | Object-level authZ; business rules. |
| CRLF Injection | Header split / log injection. | Light HP; steady DPS. | Sanitize CR/LF; strict header APIs. |
| HPP | Multiple params collide. | Leech near keep. | Parse strictly; reject dup keys. |
| SIC / SCA | Secrets in code / vulnerable deps. | Leech near keep; constant DPS. | Secret scanners; pin & audit deps. |
| BEC / ATO / APT | Social+auth abuse / takeover / advanced threat. | APT is a Boss with shield+blink. | MFA; anomaly detection; least privilege. |
Tip: When a bug has a shield, watch for the bright ring: that’s the open window.
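To make the CORS row's "Explicit origins; no * with creds" concrete, here is an added example (not the game's code) that puts the overbroad header logic beside an allowlisted version; the origins in ALLOWED_ORIGINS and the helper names are constructed for illustration.

```javascript
// Added example: CORS response headers, overbroad vs. allowlisted.
// Not part of AppSec TAP; the allowlist below is constructed sample data.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// The misconfiguration the CORS bug stands for: reflect whatever Origin the
// request carries and allow credentials with it. Browsers refuse "*" together
// with credentials, so servers wanting credentialed cross-origin access are
// tempted to reflect the Origin, which lets any site read authenticated responses.
function corsHeadersOverbroad(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: only exact matches from an explicit allowlist get CORS headers,
// and credentials are only ever paired with a single named origin.
// Returns null when the origin is not allowed (the browser blocks the read).
function corsHeadersAllowlisted(requestOrigin, { credentials = true } = {}) {
  if (typeof requestOrigin !== "string") return null;
  // Exact string comparison: scheme, host and port must all match, so
  // "http://app.example.com" and "https://app.example.com.evil.example" fail.
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // Vary on Origin so a shared cache never serves one origin's header to another.
    "Vary": "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Detection helper: flags a header set that grants credentials to a wildcard,
// a "null" origin, or any origin outside the allowlist.
function isOverbroadCors(headers, allowed = ALLOWED_ORIGINS) {
  if (!headers) return false;
  const origin = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  return creds && (origin === "*" || origin === "null" || !allowed.has(origin));
}
```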
Scoring & Multipliers
- Base points per hit depend on bug kind and HP.
- Streak thresholds: 8 → ×2, 15 → ×3, 25 → ×4.
- Time Bonus: remaining seconds ×5 when you clear a wave early.
Accessibility & Mobile
- Large tap targets, no double-tap zoom, fullscreen with safe-area insets.
- Color+text labels (e.g., “XSS”, “SQLi”) avoid pure color reliance.
- Pause is always available.
Credits
Built with HTML5 Canvas + Hugo. Game design: tap-defense meets AppSec practice.