owasp / securityshepherd
Web and mobile application security training platform
Home Page: https://owasp.org/www-project-security-shepherd/
License: GNU General Public License v3.0
Support IP tracking and detecting "forwardedBy" HTTP headers in the Log4j logs
Always getting pings from people who skip the README .txt
Simplified, chat application, "encrypted" chat, key in chat.
Make the next level stuff easier!
- Implement Google Volley for more efficient/readable code.
- Decide on what the challenge will entail.
Also make a level about this issue
The key isn't stored in a string, the key is generated with a generateKey() function which the attacker has to copy in order to get the key.
To be addressed when resources allow
Different type of bad filtering?
Different goal?
XML Injection?
Currently this is done with a filter. Going to change the approach so it is a sanitised URL encoded for HTML
SQLCipher based APKs will not install on anything but an emulator. Find out why:
- Check imported JARs
- Rebuild new SQLCipher APK from scratch
- Check libs folder
Do not use Eclipse Emulator (It's terrible). Do this in a way where players only have APK files for challenges I want them to reverse.
- Create API
- Exposed DB connection
- Android JSON/Volley communication
CSRF nonces that seem random, but in fact there are only 5, hashed with MD5
Strong CSRF protection with pseudorandom values used as nonces. However, a getNonce function can be manipulated to recover a user's nonce value. The function will also be vulnerable to enumeration, and all CSRF nonces (for the challenge) can be recovered in a single request.
A CSRF Challenge that uses nonces, but any valid nonce will succeed.
Nonces will be very short (5 possibilities)
Current issue is not prevalent enough and too easy to pass.
Last thing we do: organise the levels in the order in which the user gets them
Inspecting logcat output.
This isn't critical, but easy to achieve.
Session identifiers are very weak. The admin's session will be session number 1000004, base64'd
Move existing levels into Security Shepherd
Obfuscated JavaScript describes admin functions
A crypto level
Result key is XORed with a secret server key.
The user can use the same cipher to encrypt their own text to try to brute-force the key. However, the actual vulnerability in the crypto is that the XOR function will not account for spaces, and will reveal the server key. The ciphertext can then be XORed with the key to recover the plaintext.
This was an issue discovered in shepherd's user specific keys that was addressed.
Challenge builder is awful and needs to be completely redesigned for a scalable solution
Custom Buttons, change background. Review dimensions of images.
Hard coded Database Password - encrypted database
Based on Admin URL Disclosure bug