AI vibe coded this app — then we hacked it
Author: Contrast Security
Uploaded: 2026-05-06
Views: 40
Description:
We gave Claude a purposely vulnerable application and asked it to find the bugs. It found 10.
We put in 43.
Naomi Buckwalter, CISO at Contrast Security, walks through the full attack chain live — from AI security review, to silent database exfiltration, to a single ADR rule blocking the next attempt without touching a line of code.
Learn why a Claude-vibe-coded app, Cargo Cats, contained 43 vulnerabilities but only 10 were detected by AI security review. See how Contrast Security's ADR (Application Detection and Response) identifies and blocks real-world attacks like command injection and deserialization without requiring immediate code patches.
The walkthrough covers:
→ Why Claude's security review flagged 10 of 43 known vulnerabilities — a 77% miss rate on a purposely vulnerable application
→ How a serialized payload inside a CSV file triggers deserialization at the application layer with no warning to the user
→ Why the application returned "import failed" while the attack completed successfully in the background
→ What WAFs, EDRs and application logs miss when an attack executes entirely at the application layer
→ How Contrast Security surfaced all 43 Issues at runtime — including the exact method, stack trace and line of custom code where input validation failed
→ How one ADR protect rule blocked the next attack attempt with zero code changes and zero sprint tickets
The focus then shifts to what runtime detection and blocking actually look like in Contrast Security Studio.
Naomi shows how Contrast Security handles AI-generated code risk in two ways.
Runtime vulnerability discovery
Contrast instruments the running application and tracks untrusted input as it flows through execution. Where Claude flagged 10 Issues, Contrast found all 43. Each Issue includes the application name, server name, full request details, the method where the flaw triggered and the exact line of custom code involved. This is not static analysis. This is visibility from inside the running application.
Attack blocking with ADR — no patch required
When the deserialized payload executes, Contrast opens an Incident tied to the originating Issue and logs the full attack chain: the method that started in java.lang.ProcessImpl, the deserialized object, the instruction to write /etc/passwd to a new file, and the outbound exfiltration. With one ADR protect rule enabled for command injection, the next import attempt returns a "deserialization attack detected" block. No code change. No sprint. No JIRA ticket. ADR blocks at the application layer and gives developers time to fix on their own timeline without leaving production exposed.
The 33 vulnerabilities Claude missed are not hypothetical. They are in production applications right now.
00:06 — Meet CargoCats: a purposely vulnerable shipping app
00:30 — Why we built it with known flaws
01:10 — Giving Claude the security review
01:45 — Claude's result: 10 of 43 vulnerabilities found
02:15 — What a 77% miss rate means in production
02:50 — Finding the vulnerable file upload field
03:20 — What's inside the payload file
03:50 — Uploading the attack: app says "import failed"
04:20 — What actually happened in the background
05:00 — Why WAF and EDR saw nothing
05:40 — Application-layer attacks and log blindness
06:15 — Opening Contrast Security Studio
06:50 — All 43 Issues surfaced at runtime
07:20 — Full attack details: method, stack trace, custom code line
08:00 — How the deserialized object wrote and exfiltrated the file
08:40 — Incident correlation: tying the attack back to the Issue
09:10 — Enabling the ADR protect rule for command injection
09:40 — Running the payload again: deserialization attack detected
10:10 — No code patch required — blocked entirely from ADR
10:45 — What ADR gives developers: fix on their timeline
11:15 — 43 vs 10: the real cost of missing 33 vulnerabilities in production
▶ Learn about Contrast ADR — https://www.contrastsecurity.com/cont...
▶ Free demo — https://contrastsecurity.com/demo
▶ Watch the full Runtime Security playlist: / @contrastsecurity