  • Stars: 223
  • Rank: 177,459 (Top 4 %)
  • Language: Groff
  • License: BSD 2-Clause "Sim...
  • Created: over 9 years ago
  • Updated: about 3 years ago


Repository Details

OpenDNS application security training program

Security_Ninjas_AppSec_Training

OpenDNS Security Ninjas AppSec Training

Slide deck: http://www.slideshare.net/OpenDNS/security-ninjas-opensource

This hands-on training lab consists of 10 fun, real-world-like hacking exercises, one for each of the OWASP Top 10 vulnerabilities. Hints and solutions are provided along the way. Although the backend is written in PHP, the vulnerabilities are the same across all web-based languages, so the training is still relevant even if you don’t actively code in PHP.

Making the Hands-on Lab Work:

Docker instructions

I would highly recommend that you run the training in a Docker container, for two reasons:

  1. Setting up and tearing down the environment is quick and easy.

  2. The Docker container is sandboxed, which means that the vulnerable application cannot harm the host OS.

Setup:

  1. Set up Docker: https://docs.docker.com/installation/. There are many ways to do this depending on the OS you use.

  2. Make sure Docker has been installed correctly by running ‘docker version’.

  3. Start the Application Security Training container by running the following command (I chose port 8899 to avoid port allocation conflicts): ‘docker run -d -p 8899:80 opendns/security-ninjas’

  4. Get the IP address of your container. In my case the command was ‘boot2docker ip’, as I was running Docker using boot2docker.

  5. Go to your web browser and enter {IP address from step 4}:8899

  6. The training should be running now.

  7. Kill the container after you are done. Go back to the terminal and type ‘docker ps’, then get the container id of the training container.

  8. Then run ‘docker kill {container id}’

Running it using a web server:

If for some reason you are not able to run the training in a Docker container, you may also run it directly under a web server.

  1. Download a web server (like Apache) and PHP.

  2. Download the source code from here and put it in the directory from which the web server serves files.

  3. In the Security Ninjas sub-directory, change the text file permissions: ‘chmod 777 *.txt’

  4. Make sure WHOIS is installed on the web server.

  5. Start the web server and reach the application from your web browser.

The following steps are optional but recommended:

  1. Install Firefox.

  2. Install the FoxyProxy plugin for Firefox. Then:

     • In select mode, use the proxy “Default” for all URLs.
     • Configure the Default proxy to use 127.0.0.1:8080.

  3. You can delete or disable this plugin after the exercise.

  4. Install Burp Suite Free from http://portswigger.net/burp/download.html. You could use some other proxy tool as well.

  5. You can get some basic Burp Suite tutorials from http://portswigger.net/burp/tutorials/

  6. You can turn the proxy off for most of the exercises, but for some, having intercept on makes it much easier to inspect and alter the HTTP requests.

  7. Run the training in Firefox.


Suggestions or Comments?

We would love to get some feedback! You can reach me directly at [email protected]. Happy hacking!


CSS credits: html5up.net
