owasp / securityshepherd Goto Github PK

Support IP tracking and detecting "forwardedBy" HTTP headers in the Log4j logs

always getting pings from people who skip the read me .txt

Simplified, chat application, "encrypted" chat, key in chat.

Make the next level stuff easier!

-Implement Google Volley for more efficient/readable code.

-Decide on what the challenge will entail.

Also Make a level about this issue

The key isn't stored in a string, the key is generated with a generateKey() function which the attacker has to copy in order to get the key.

To be addressed when resources allow

Different type of bad filtering?

Different goal?

XML Injection?

Currently this is done with a filter. Going to change the approach so it is a sanitised URL encoded for HTML

SQLCipher based APKs will not install on anything but an emulator. Find out why:

-Check Imported JARS

-Rebuild new SQLCipher APK from scratch

-Check libs folder

Do not use Eclipse Emulator (It's terrible). Do this in a way where players only have APK files for challenges I want them to reverse.

-Create API

-Exposed DB Connection

-Android JSON/Volley Communication

CSRF Nonces that seems random but is infact there are only 5, hashed in MD5

Strong CSRF projection with pseudorandom values used as nonces. However a getNonce function can be manipulated to recover a user's nonce value. Function will also be vulnerable to enumeration, and all CSRF nonces (For the challenge) can be recovered in a single request.

A CSRF Challenge that uses nonces, but any valid nonce will succeed.

Nonces will be very short (5 possibilities)

Current issue is not prevalent enough and too easy to pass.

Last thing we do - Organise the levels in how the user gets them

Inspecting logcat output.

This isn't critical, But easy to achieve.

Session identifies are very weak. The admin's sesssion will be session number 1000004, base64'd

Move existing levels into Security Shepherd

Obfusticated javascript describes Admin functions

A crypto level

result key is XORd with a secret server key.

The user can use the same cipher to encrypt their own text to try brute force the key. However the actual vulnerability in the crypto is that the XOR function will not account for spaces, and will reveal the server key. The ciphertext can then be XORd with the key to recover the plain text.

This was an issue discovered in shepherd's user specific keys that was addressed.

Challenge builder is awful and needs to be completely redesigned for a scalable solution

Custom Buttons, change background. Review dimensions of images.

Hard coded Database Password - encrypted database

Based on Admin URL Disclosure bug