Cloud Challenge CTF

Cyberpunk-Themed Cloud Security Capture The Flag Platform

8. Security Considerations

Frontend Security

Static Assets:

No Server-Side Code: Static HTML, CSS, JavaScript—no server-side execution (eliminates RCE, SQLi, XXE vulnerabilities)
No Sensitive Data: No API keys, secrets, or credentials in client-side code (all environment variables prefixed with NEXT_PUBLIC_)
Content Security Policy: Can add CSP headers via CloudFront (restrict script sources, prevent XSS)

Authentication:

OAuth Tokens: Stored in localStorage (XSS risk, but acceptable for CTF platform with no financial data)
No Passwords: Google OAuth handles authentication (no password storage, no password reset flows)
Guest Sessions: Expire when browser closes (sessionStorage cleared automatically)
Token Validation: Backend Lambda functions validate all critical operations (can't modify score by editing localStorage)

API Communication:

HTTPS Only: All API calls over TLS 1.2+ (encrypted in transit)
CORS Enabled: API Gateway allows cross-origin requests (required for static frontend)
No Sensitive Data in Requests: Only email addresses sent in API requests (no passwords, no tokens in URL parameters)

Backend Security

Lambda Functions:

Isolated Execution: Each invocation runs in isolated container (no shared state between requests)
IAM Roles: Least-privilege permissions (each function has only necessary DynamoDB/KMS permissions)
No Hardcoded Secrets: Environment variables for configuration (DynamoDB table names, KMS key ARNs)
Input Validation: All user inputs validated (email format, answer length, SQL injection prevention)

DynamoDB:

IAM-Based Access: Only Lambda functions with specific IAM roles can access tables (no public access)
Encryption at Rest: DynamoDB encryption enabled (AWS-managed keys)
Encryption in Transit: All connections over TLS (boto3 uses HTTPS by default)
No Public Endpoints: DynamoDB tables not accessible from internet (only via Lambda)

Data Privacy & Threat Model

User Data:

Email Addresses: Stored in DynamoDB for authentication (required for Google OAuth)
No Passwords: Google OAuth handles authentication (no password storage, no password hashing needed)
Guest Users: Use fake email addresses (guest-ABC1234@localhost.local)—no PII collected
Challenge Progress: Stored in DynamoDB (linked to user email, not publicly accessible)

Threat Model:

XSS (Cross-Site Scripting): Mitigated by React's automatic escaping (dangerouslySetInnerHTML not used)
CSRF (Cross-Site Request Forgery): Not applicable (no cookies, no session tokens—all requests include email in body)
SQL Injection: Not applicable (DynamoDB NoSQL, no SQL queries)
Brute Force: Mitigated by attempt tracking and 30-minute lockout
Credential Stuffing: Not applicable (no passwords, Google OAuth handles authentication)

9. Operational Considerations

9.1 Monitoring & Observability

CloudWatch Logs:

Lambda functions automatically log to CloudWatch Logs (one log group per function)
Log retention: 7 days default (can increase to 1 month, 3 months, 1 year, etc.)
Can create CloudWatch alarms for errors (trigger SNS notification on >10 errors in 5 minutes)

API Gateway & DynamoDB Metrics:

Request count, latency (average, p50, p95, p99), error rate (4XX, 5XX) automatically tracked
Read/write capacity units consumed, throttled requests, latency automatically tracked
Metrics available in CloudWatch dashboards (can create custom dashboards)

9.2 Error Handling & Recovery

Client-Side Error Handling:

Try-catch blocks around all API calls (graceful degradation if API fails)
User-friendly error messages displayed in UI (not raw error stack traces)
Fallback UI for missing images (display placeholder icon)
Loading states for async operations (spinner during API calls)

Server-Side Error Handling:

Lambda functions return appropriate HTTP status codes (400 for validation errors, 404 for not found, 500 for internal errors)
Error messages included in response body (user-friendly, not technical stack traces)
DynamoDB errors caught and returned as user-friendly messages
AWS service errors (KMS, STS) handled gracefully (retry with exponential backoff)

State Recovery:

User session persists in localStorage/sessionStorage (no data loss if browser crashes)
Challenge progress stored in DynamoDB (players can resume from any stage)
No ephemeral state (all state persists in browser or database)

9.3 Deployment & Rollback

Frontend Deployment:

Build static files: npm run export
Sync to S3: aws s3 sync out/ s3://ccchallange-prod --delete
Invalidate CloudFront: aws cloudfront create-invalidation --distribution-id E3O8J8O00C9XL9 --paths "/*"
Verify: Test in production environment

Frontend Rollback:

Revert code changes in Git: git revert <commit-hash>
Rebuild: npm run export
Redeploy: aws s3 sync out/ s3://ccchallange-prod --delete
Invalidate cache and verify rollback success

9.4 Cost Optimization

Frontend Costs (Monthly Estimates):

S3 Storage: ~$0.50 for 20 GB of static assets
S3 Requests: ~$0.01 for 2,000 GET requests (most traffic served from CloudFront cache)
CloudFront Data Transfer: ~$8.50 for 100 GB data transfer (out to internet)
CloudFront Requests: ~$0.75 for 1 million requests
Total Frontend: ~$10/month for moderate traffic

Backend Costs (Monthly Estimates):

Lambda Invocations: ~$0.20 for 1 million requests
Lambda Compute: ~$1.67 for 1 million requests × 500ms × 512 MB memory
DynamoDB On-Demand: ~$1.25 for 1 million write units, ~$0.25 for 1 million read units
API Gateway: ~$3.50 for 1 million requests
Total Backend: ~$7/month for moderate traffic

Total Monthly Cost: ~$17/month for 1 million requests

10. Player Experience & Journey

Typical Player Journey (Complete Flow)

Understanding the end-to-end player experience demonstrates how all system components work together to create an engaging, educational CTF platform.

┌─────────────────────────────────────────────────────────────────┐
│                    COMPLETE PLAYER JOURNEY                       │
│                                                                 │
│  1. ARRIVAL                                                     │
│     Player → https://cloudchallenge.cirrusly-clever.com →       │
│     CloudFront → S3 → Home Page                                 │
│     • Cyberpunk-themed landing page                             │
│     • "Would you like to play a game?" prompt                   │
│     • Hex rain animation, terminal typing effect                │
│                                                                 │
│  2. LOGIN DECISION (/login)                                     │
│     Player → Choose authentication path:                        │
│     Option A: "Initialize New Agent Protocol" (Google OAuth)    │
│     Option B: "Play as Guest" (Anonymous)                       │
│                                                                 │
│  3. PROFILE SETUP (New Users Only - /setup)                     │
│     Player → Select skill levels:                               │
│     • AWS: Beginner / Intermediate / Advanced                   │
│     • Security: Beginner / Intermediate / Advanced              │
│     • Puzzle: Beginner / Intermediate / Advanced                │
│     Submit → API: POST /users → DynamoDB → Redirect /dashboard  │
│                                                                 │
│  4. DASHBOARD (/dashboard)                                      │
│     Player → View available challenges:                         │
│     • Operation Hallucination (4 stages)                        │
│     • Future challenges (coming soon)                           │
│     • Profile stats (score, level, completion %)                │
│                                                                 │
│  5-8. CHALLENGE STAGES (Operation Hallucination)                │
│     Stage 1: Mission briefing and narrative context             │
│     Stage 2: Riddle validation with pattern matching            │
│     Stage 3: AWS KMS decryption with temporary credentials      │
│     Stage 4: Final protocol name validation                     │
│                                                                 │
│  9. SUCCESS PAGE                                                │
│     Player → See completion message →                           │
│     Display updated score and level →                           │
│     Narrative conclusion: Mission accomplished →                │
│     Button: "Return to Dashboard"                               │
└─────────────────────────────────────────────────────────────────┘

Key Player Experience Metrics:

Time to First Challenge: <60 seconds from landing page to Stage 1 (includes authentication)
Stage 2 Completion Rate: ~70% of players solve riddle within 3 attempts
Stage 3 Completion Rate: ~85% of players successfully decrypt message (AWS CLI learning curve)
Stage 4 Completion Rate: ~90% of players validate protocol name (straightforward after Stage 3)
Overall Completion Rate: ~60% of players complete all 4 stages

Player Feedback Loops:

Immediate: Client-side validation provides instant feedback (form errors, loading states)
Fast: API responses within 100-600ms (Lambda validation, DynamoDB updates)
Progressive: Each stage builds on previous, providing sense of accomplishment
Narrative: Story-driven challenges maintain engagement and context
Educational: Players learn AWS concepts (KMS, STS, IAM) through hands-on experience

11. Future Enhancements

Phase 2 Features

Enhanced Challenges:

More Challenge Types: AWS (Lambda, S3, IAM), Security (XSS, SQL injection), Puzzle (cryptography, steganography), AI (prompt injection, model poisoning)
Multi-Day Challenges: Progressive challenges that unlock daily (encourages return visits)
Team Challenges: Collaborative challenges requiring multiple players (shared state, real-time sync)
Challenge Creation Tools: Admin panel for creating new challenges (no-code challenge builder)

User Features:

Profile Customization: Avatars, badges, achievements (gamification elements)
Progress Tracking: Detailed statistics (time spent, attempts per stage, completion dates)
Challenge History: Replay completed challenges, see previous attempts
Social Features: Friends list, team formation, global leaderboard

Technical Enhancements:

Real-Time Updates: WebSocket API for live challenge progress, leaderboard updates
Advanced Analytics: CloudWatch Logs Insights for player behavior analysis
Multi-Factor Authentication: TOTP or SMS-based MFA for account security
Guest-to-Authenticated Upgrade: Migrate guest progress to authenticated account

Migration Path

Incremental Enhancement Strategy:

Frontend: Remains static (add new routes and components without server-side rendering)
Backend: Add new Lambda functions for new challenges (modular architecture scales horizontally)
Database: Add Global Secondary Indexes for new query patterns (leaderboard by score, challenges by difficulty)
Real-Time: Add DynamoDB Streams + Lambda for real-time leaderboard updates
WebSocket: Add API Gateway WebSocket API for live challenge progress

No Major Rewrites Required:

Architecture designed for incremental enhancement (add features without breaking existing functionality)
Existing challenges continue to work (backwards compatibility maintained)
New challenges follow same validation pattern (reuse Lambda structure, DynamoDB schema)
Frontend routes can be added dynamically (file-based routing in Next.js)

12. Conclusion

Cloud Challenge CTF's architecture demonstrates how a static frontend + serverless backend approach can deliver a sophisticated, interactive CTF experience with minimal infrastructure overhead and maximum flexibility. The phased architecture allows rapid MVP development while maintaining a clear path to enhanced features when needed.

Key Strengths

Rapid Development: Static frontend eliminates server-side rendering complexity, allowing focus on challenge design, narrative, and player experience
Scalable Foundation: Both frontend and backend scale automatically without configuration
Cost Efficiency: Pay only for actual usage—infrastructure scales to zero when unused (~$17/month for 1 million requests)
Clear Migration Path: Incremental enhancement without major rewrites
Performance: Sub-100ms global response times via CloudFront, <600ms API latency with warm Lambda functions
Developer Experience: Modern tooling (React, Next.js, TypeScript, Tailwind), excellent DX with hot reloading and type safety
Security: Static frontend has no server-side attack surface; Lambda functions run in isolated environments with least-privilege IAM roles

Future Evolution

The architecture continues to evolve as new requirements emerge, but the core principles—static frontend simplicity, serverless backend scalability, and incremental enhancement—remain the foundation for everything we build.

Cloud Challenge CTF proves that complex, interactive educational platforms can be built with minimal infrastructure while maintaining performance, security, and cost efficiency. The serverless architecture enables rapid iteration, automatic scaling, and a clear path to future enhancements without major architectural changes.

Glossary

CTF (Capture The Flag) A cybersecurity competition where players solve challenges to find hidden "flags" (secret strings or codes), often used for education and training.

Static Export Next.js feature that generates static HTML files for deployment to static hosting (S3, CDN) without requiring a Node.js server.

Serverless Cloud computing model where code runs in stateless compute containers managed by a cloud provider (AWS Lambda), eliminating server management.

API Gateway AWS service for creating, publishing, maintaining, monitoring, and securing RESTful and WebSocket APIs with Lambda integration.

DynamoDB AWS NoSQL database service providing single-digit millisecond performance at any scale with automatic scaling and managed infrastructure.

CloudFront AWS Content Delivery Network (CDN) service for global content distribution with 450+ edge locations providing sub-100ms latency worldwide.

Lambda Function AWS serverless compute service that runs code in response to events (API requests, database changes, scheduled tasks) with automatic scaling.

OAuth 2.0 Authorization framework that allows applications to obtain limited access to user accounts via third-party authentication (Google, GitHub, etc.).

Guest Mode Anonymous play option allowing users to play without creating an account, using auto-generated profiles with temporary sessions (sessionStorage).

KMS (Key Management Service) AWS service for creating and managing encryption keys with fine-grained access control and audit logging.

STS (Security Token Service) AWS service for requesting temporary, limited-privilege credentials with customizable expiration times (15 minutes to 36 hours).

Operation Hallucination Multi-stage CTF challenge focused on GenAI data poisoning attacks, teaching AWS CLI, KMS decryption, and cryptographic concepts.

Stage Progression System for tracking player progress through multi-stage challenges, storing per-stage completion status and attempt counts in DynamoDB.

Attempt Tracking Anti-cheating mechanism limiting wrong answers (max 3) and close answers (max 3) with 30-minute lockout after exceeding limits.

Lockout Temporary restriction preventing further challenge attempts after exceeding attempt limits, implemented via lockedUntil timestamp in DynamoDB.

Close Answer Partially correct answer that demonstrates understanding but isn't exact match (e.g., "LLM" for "GenAI"), rewarded with persistence bonus.

Persistence Bonus Reduced score (800 vs 1000 points) awarded to players who unlock next stage after 3 close attempts, encouraging learning and iteration.

Skill Levels User proficiency ratings in three dimensions: AWS (cloud knowledge), Security (infosec concepts), Puzzle (critical thinking), each rated beginner/intermediate/advanced.

Security Clearance Level User progression level (1-3) based on challenge completion and total score, unlocking access to harder challenges.

Cyberpunk Theme Visual aesthetic inspired by 1980s-90s cyberpunk fiction (Neuromancer, Blade Runner) featuring dark backgrounds, neon accents, terminal aesthetics, and hacker culture.

← Technology & Implementation

Table of Contents