OWASP Exorcist

A self-healing dashboard with infinite replayability that teaches OWASP security through Halloween-themed gameplay. Your code is haunted - use Kiro AI to exorcise unique demons every session!

Comment

💡 Inspiration

Security education is boring. Developers skip it, vulnerabilities slip through, and companies pay millions in breach fines. We thought: what if learning security was as engaging as playing a game?

The Digital Exorcism was born from a simple question: What if your code could haunt itself?

We wanted to create something that:

  • Makes OWASP security concepts memorable (not just another checklist)
  • Showcases Kiro's full ecosystem (Specs, Steering, Hooks, MCP)
  • Provides immediate, visceral feedback (see your fixes heal the app)
  • Teaches through play (gamification + education)

🎮 What It Does

The Digital Exorcism is a meta-application - a React dashboard that monitors its own source code for security vulnerabilities and responds with visual/audio degradation.

The Gameplay:

  1. Your codebase starts at 100% corruption with dynamically generated OWASP demons
  2. Use Kiro AI to find and fix vulnerabilities
  3. Watch the app "heal" in real-time as corruption drops
  4. Learn security concepts through witty, Halloween-themed explanations
  5. Every session is unique - different vulnerabilities each time!

The Magic:

  • Dynamic Generation: 3-5 unique vulnerabilities per session from 8 OWASP types
  • Visual Feedback: UI shifts from horror (red, glitchy) to peaceful (clean, bright)
  • Audio Feedback: Soundscape evolves from dissonant drones to harmonic tones
  • AI Guidance: Kiro acts as your exorcist partner with a spooky personality
  • Educational: Each fix includes bite-sized security lessons + AWS security services
  • Infinite Replayability: Never the same game twice!

Dual Difficulty Modes:

  • Easy Mode: 3 vulnerabilities with hints and file locations (great for learning)
  • Hard Mode: 4-5 vulnerabilities, detective challenge with hints only (for brave souls!)

🛠️ How We Built It

The Kiro-Powered Workflow:

We didn't just use Kiro - we built an experience that demonstrates its entire ecosystem working together:

1. Spec-Driven Development (.kiro/specs/digital-exorcism/)

  • Started with requirements using EARS patterns
  • Created design with correctness properties
  • Generated task breakdown
  • Kiro implemented from the spec

2. Steering Documents (.kiro/steering/)

  • exorcist-personality.md - Gave Kiro a witty, Halloween-themed personality
  • game-commands.md - Orchestrates game flow and responses
  • owasp-guide.md - Security fix patterns for Kiro to follow
  • security-lessons.md - Educational content to share with users

3. Agent Hooks (.kiro/hooks/)

  • measure-corruption.cjs - Auto-scans code with enhanced detection (strips JSX, prevents false positives)
  • start-game-dynamic.cjs - Dynamic vulnerability generation with template validation
  • celebration-toast.cjs - Victory celebrations at 0% corruption

4. Custom MCP Server (src/mcp/corruption-server.ts)

  • get_corruption_level - Reads the "spiritual health" of code
  • get_owasp_top_10 - Fetches vulnerability knowledge base
  • get_vulnerability_details - Deep-dive education on specific vulnerabilities

Tech Stack:

  • Frontend: React + TypeScript + Vite
  • Styling: CSS with dynamic corruption-based variables
  • Audio: WebAudio API for soundscape
  • State: File-based polling (corruption-state.json)
  • AI: Kiro IDE with full ecosystem integration

🚧 Challenges We Ran Into

1. Pattern Contamination in Detection

  • Problem: Vulnerability scanner detected patterns in JSX display text (e.g., <h3>Code Injection via eval()</h3> triggered false positives)
  • Solution: Enhanced detection hook to strip JSX content while preserving code patterns. Created comprehensive template design guidelines.
  • Impact: 100% detection accuracy, no false positives

2. Dynamic Vulnerability Generation

  • Problem: Static vulnerabilities made the game repetitive after one playthrough
  • Solution: Built template system with 8 OWASP types, random selection, and validation
  • Impact: Infinite replayability - every session is unique!

3. Template Quality Assurance

  • Problem: New vulnerability templates could introduce detection issues
  • Solution: Automated validation in start-game-dynamic.cjs that warns about pattern contamination
  • Impact: Catches issues before deployment, maintains game quality

4. Browser Caching

  • Problem: Dashboard wouldn't update even after corruption state changed
  • Solution: Added timestamp-based cache-busting to fetch requests

5. Balancing Personality vs. Clarity

  • Problem: Too much humor could confuse users
  • Solution: 70% helpful, 20% witty, 10% spooky - always prioritize clarity

6. AWS Security Integration

  • Problem: Teaching code-level security without cloud context felt incomplete
  • Solution: Added AWS security service recommendations to every vulnerability fix
  • Impact: Users learn both application security AND cloud security best practices

Technical Innovation: Dynamic Vulnerability Generation

The Challenge

Static vulnerabilities made the game repetitive. After one playthrough, users knew exactly what to fix and where. We needed infinite replayability without sacrificing educational quality.

The Solution: Template-Based Generation System

Architecture:

.kiro/templates/vulnerabilities/
├── code-injection-eval.json
├── xss-dangerous-html.json
├── hardcoded-secret.json
├── sql-injection.json
├── idor.json
├── insecure-deserialization.json
├── insufficient-logging.json
└── missing-validation.json

Each template contains:

  • Vulnerable code pattern
  • Detection regex/string
  • Fix indicators
  • Educational content (analogies, real-world examples, AWS services)
  • Difficulty range
  • OWASP classification

Generation Flow:

  1. User says "start the game" with difficulty (easy/hard)
  2. Hook loads all 8 templates
  3. Validates templates for pattern contamination
  4. Randomly selects 3 (easy) or 4-5 (hard) unique OWASP categories
  5. Generates React components with vulnerable code
  6. Creates detection patterns for corruption scanner
  7. Writes corruption state with session ID
  8. Starts dev server if needed

Key Innovation: Pattern Contamination Prevention

We discovered that detection patterns could match JSX display text:

// ❌ This triggers false positive:
<h3>Code Injection via eval()</h3>  // Pattern: eval\s*\(

// ✅ Solution: Use generic terms in templates
<h3>Code Injection Vulnerability</h3>

Automated Validation:

function validateTemplate(template) {
  const warnings = [];
  if (template.name.includes(vulnerablePattern)) {
    warnings.push('Template name contains vulnerable pattern');
  }
  // Check hints, educational content, etc.
  return warnings;
}

Impact:

  • ✅ Infinite replayability (8! = 40,320 possible combinations)
  • ✅ Consistent quality (automated validation)
  • ✅ Easy to extend (just add new JSON templates)
  • ✅ Educational integrity maintained
  • ✅ 100% detection accuracy (no false positives)

Documentation Created

To ensure maintainability, we created comprehensive guides:

  1. .kiro/steering/vulnerability-template-rules.md (3,000+ words)

    • Pattern contamination prevention
    • Template design checklist
    • Detection best practices

  2. .kiro/templates/vulnerabilities/TEMPLATE_CHECKLIST.md

    • Quick reference for developers
    • Testing commands
    • Common mistakes to avoid

  3. .kiro/docs/pattern-contamination-fix.md

    • Technical implementation details
    • Problem analysis and solution

  4. .kiro/docs/IMPROVEMENTS_SUMMARY.md

    • High-level overview
    • Impact assessment
    • Metrics and results

Result: A production-ready system that's easy to maintain and extend!

🏆 Accomplishments That We're Proud Of

1. Complete Kiro Ecosystem Integration We used EVERY major Kiro feature in a meaningful way:

  • ✅ Specs for structured development
  • ✅ Steering for AI personality and game rules
  • ✅ Hooks for automation and dynamic generation
  • ✅ MCP for extensibility and OWASP knowledge

2. Dynamic Vulnerability System Built a template-based generation system that creates unique game sessions:

  • 8 OWASP vulnerability types with educational content
  • Automated validation to prevent template issues
  • Smart detection that avoids false positives
  • Infinite replayability with consistent quality

3. Meta-Application Innovation Built an app that monitors and responds to its own code quality - a technical challenge that required creative architecture.

4. Educational Impact Each vulnerability fix includes:

  • Real-world breach examples (Uber: $148M, British Airways: $230M, Equifax: 143M people)
  • Memorable analogies (vampires, doormats, haunted houses)
  • OWASP classification and prevention methods
  • AWS security service recommendations (CloudTrail, WAF, Secrets Manager, etc.)

5. One-Command Experience Users just say "start the game" and Kiro handles everything:

  • Generates unique vulnerabilities
  • Starts dev server if needed
  • Provides difficulty-appropriate guidance
  • Showcases AI orchestration at its best

6. Engaging Personality Kiro becomes "The Digital Exorcist" with witty, Halloween-themed responses that make security fun.

7. Production-Ready Quality

  • Comprehensive documentation (4 guides created)
  • Automated testing and validation
  • Clean architecture with separation of concerns
  • Scalable template system for future vulnerabilities

📚 What We Learned

About Kiro:

  • Steering documents are incredibly powerful for shaping AI behavior
  • Hooks enable automation that feels magical to users
  • MCP tools make Kiro extensible for domain-specific needs
  • Specs provide structure that scales to complex projects

About Security Education:

  • Gamification works - people engage more with interactive learning
  • Metaphors stick - "vampires" and "doormats" are more memorable than technical jargon
  • Immediate feedback matters - seeing corruption drop motivates continued learning
  • Real-world examples resonate - breach stories make security tangible

About Development:

  • Meta-applications are hard but rewarding
  • File-based state is simple and effective
  • Cache-busting is essential for real-time updates
  • Personality makes technical content accessible

🚀 What's Next for OWASP Exorcist

Short Term:

  • DONE: Dynamic vulnerability generation (8 types, infinite replayability)
  • DONE: AWS security service integration
  • Add more OWASP vulnerabilities (CSRF, broken auth, security misconfiguration)
  • Multiplayer mode (compete to fix fastest)
  • Leaderboards and achievements
  • Custom challenge creator

Medium Term:

  • Community template marketplace (share custom vulnerabilities)
  • Progressive difficulty (unlock harder vulnerabilities as you learn)
  • Achievement system with badges
  • Time-based challenges and speedrun mode

Long Term:

  • CI/CD integration (run as security training in pipelines)
  • VS Code extension (bring the game to any editor)
  • Corporate training platform (track team progress)
  • Multi-language support (Python, Java, Go vulnerabilities)
  • VR mode (immersive security training experience)

The Vision: Transform security training from a checkbox exercise into an engaging, memorable experience that developers actually enjoy - and make it scalable for teams and organizations.

🎃 Summary

The Digital Exorcism showcases Kiro's full potential:

Specs provide structure
Steering shapes personality
Hooks automate workflows
MCP extends capabilities
AI partners with developers
Dynamic Generation enables infinite replayability
AWS Integration teaches cloud security

Built With

Share this project:

Updates