Difference between revisions of "OWASP Security Shepherd"

From OWASP
Jump to: navigation, search
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div>
 
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|right|Competitive Learning Environment]]
 
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|right|Competitive Learning Environment]]
'''Security Shepherd''' is a computer based training application for web application security vulnerabilities. This project strives to hurde the lost sheep of the technological world back to the safe and sound ways of secure practises. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
+
'''Security Shepherd''' is a computer based training application for web and mobile application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
  
 
== Overview ==
 
== Overview ==
 
[[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|right|Easy configuration to suit every use]]
 
[[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|right|Easy configuration to suit every use]]
Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The bi-product of this challenge game is the acquired skill to harden a players own environment from OWASP top ten security risks The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
+
Security Shepherd has been implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
  
Security Shepherds vulnerabilities are not simulated, and are instead delievered through hardened real security vulnerabilities that can not be abused to compromise the application or it's environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filteres and poor security configuration. Security Shepherd includes everything you need to complete all of it's levels including the [[OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] and portable browsers already configured for proxy use.
+
Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filters and poor security configuration.
  
 
===CTF Mode===
 
===CTF Mode===
Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one modules at a time. They must complete there current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When ether of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.
+
Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one module at a time. They must complete their current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When either of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.
  
 
===User Management===
 
===User Management===
Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. User’s activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.
+
Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. Users' activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.
  
 
===Topic Coverage===
 
===Topic Coverage===
Line 26: Line 27:
 
*[[Top_10_2010-A10|Unvalidated Redirects and Forwards]]
 
*[[Top_10_2010-A10|Unvalidated Redirects and Forwards]]
 
*[[Top_10_2010-A9|Insufficient Transport Layer Security]]
 
*[[Top_10_2010-A9|Insufficient Transport Layer Security]]
 +
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]
 +
*[[Mobile_Top_10_2014-M7|Client Side Injection]]
 +
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]
 +
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]]
 +
*[[Mobile_Top_10_2014-M6|Broken crypto]]
  
== Future Development ==
+
==Download==
  
New levels or level idea's are wanted in the highest degree. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org.
+
You can download the Security Shepherd VM or Manual Installation Pack from [https://sourceforge.net/projects/owaspshepherd/files/ Source Forge].
  
The aims of Security Shepherd's future development is to allow level contribution easier through the creation of a "Challenge Builder" framework. It is also desirable to implement an automatic updating solution so that new levels that become available across new releases can be syncronised seemlessly.
+
==Releases==
  
Check out the project [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap roadmap] and find some tasks that you can help with right away..
+
Security Shepherd has been designed with expansion in mind. The application's underlying architecture is composed of a secure core application and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerability examples. If these services are compromised, the core service can continue to run unaffected.
  
==Releases==
+
Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web application server like Tomcat. To eliminate tedious environment configuration; there is a Security Shepherd Virtual Machine. This environment includes Tomcat/MySQL servers pre-loaded with Security Shepherd. For those that prefer the path of higher resistance or want to build a dedicated Security Shepherd server, a manual pack is available for download as well.
  
Security Shepherd has been designed with expansion in mind. The applicaiton's underlying architecture is composed of a secure core applicaiton and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerabilty exapmles. If these services are compromised, the core service can continue to run unaffected.
+
===Security Shepherd v2.0 VM Setup:===
 +
To get a Security Shepherd VM ready to rock, follow these steps;
  
Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web applicaion server like Tomcat. To eliminate tedious environment configration; there is a Security Shepherd portable environment. This environment includes Tomcat/MySQL servers and scripts that can be used to automatically stand them up. This portable environment is currently only available for Windows environments (32bit and 64bit). Development for other operating systems is ongoing.
+
Setting up your instance of Security Shepherd with the VM: In Steps!
  
===Security Shepherd 1.2:===
+
* Import the VM to your hyper visor (Eg: Virtual Box)
The standard release is a single download, unrar, and click-to-run release. This service is currently only available for Windows operating systems
+
* Make sure the VM has a bridged adapter
    * Double-click on the startServers.bat - Two Tomcat and two MySQL command windows will start
+
* Boot the VM
    * Browse to https://localhost:8080/
+
* Sign in with securityshepherd / owaspSecurityShepherd
    * Default user is admin/password (You'll have to change the password upon login)
+
* Change the user password with the passwd command
 +
* In the VM, run "ifconfig" to find the IP address. Make note of this
 +
* On your host machine, open http://<VM IP Address>/
 +
* Sign in with admin / password
 +
* Change the admin password (cannot be password again)
 +
* Use the configuration menu in the home page to change the application address from http://127.0.0.1/ to http://<VM IP Address>/
 +
* Time to play!
  
===Security Shepherd 1.2 Manual:===
+
===Security Shepherd v2.0 Manual Pack:===
 
The manual release is a single download, unrar, and follow the steps release.  
 
The manual release is a single download, unrar, and follow the steps release.  
    * Deploy the core.war and exposed.war on your application server(s)
+
* Download the Security Shepherd Manual Pack
    * Run the core.sql and exposed.sql scripts in your database servers(s) as root users
+
* Install Apache Tomcat 7
    * Point your browser at the core application (eg: https://localhost:8080/core)
+
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!
    * Default user is admin/password (You'll have to change the password upon login)
+
* Extract the Security Shepherd Manual Pack
    * Through the admin configuration tools, set the URL's for the application servers and sign on information for your databases
+
* Copy the sql files extracted from the pack to the bin directory of MySql
 +
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )  
 +
* Type the following commands to execute the Shepherd Manual Pack SQL files;
  
==Downloads==
+
source core.sql
 +
source exposedSchema.sql
  
Security Shepherd downloads are available at [http://code.google.com/p/owasp-security-shepherd/downloads/list Google Code] and [https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]. The deployments that require no server set up are quite big and are only available on Source Forge due to size constraints.  
+
* Open the webapps directory of your Tomcat instance
 +
* Delete any directories that are there already
 +
* Move the WAR files from the Shepherd Manual Pack into the webapps folder of Tomcat
 +
* Start Tomcat
 +
* Open the temp directory of Tomcat
 +
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in both the ROOT and Exposed directories in the temp folder, modify the /WEB-INF/site.properties to point at your local DB with your MySql settings. Leave the Driver alone!
 +
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.
 +
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )
 +
* Sign into Security Shepherd with the default admin credentials (admin / password)
 +
* Change the admin password
 +
* Follow in application prompts for further configuration
  
You can synch to the current Security Shepherd source tree at [http://code.google.com/p/owasp-security-shepherd/ Google code]
+
== Future Development ==
  
Note: Source code and Manual Installation Packs are in the process of been uploaded. Stay tuned...
+
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org.
  
== Project Contributors ==
+
The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education.
 +
Check out the project [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap roadmap] and find some tasks that you can help with right away..
  
The SecurityShepherd project is run by Mark Denihan. He can be contacted at mark.denihan@owasp.org.  Security Shepherd distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/owasp-security-shepherd/downloads/list Google]. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd [http://lists.owasp.org/mailman/listinfo/owasp-security-shepherd mailing list].
+
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]
 
+
This project was initially created as part of my BSc. Thanks to Dr.Fred Mtenzi and [http://www.dit.ie DIT] for allowing me to donate this project to the OWASP community.
+
  
 
== Events with Security Shepherd ==
 
== Events with Security Shepherd ==
 
[[Image:Shepherd-CTF-In-Play.JPG|thumb|300px|right|Over 60 people playing the CTF at [[HackDub2012]]]]
 
[[Image:Shepherd-CTF-In-Play.JPG|thumb|300px|right|Over 60 people playing the CTF at [[HackDub2012]]]]
  
The Security Shepherd application has been tried and tested across a number of Beta runs in venues like DIT and the Dublin TOG hackerspace. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training.  
+
The Security Shepherd application has been tried and tested across a number of Beta runs in venues like Facebook and the IRISScon CTF. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training.  
  
 
* Security Shepherd was used as the [[HackDub2012|OWASP Dublin Hackathon 2012]]
 
* Security Shepherd was used as the [[HackDub2012|OWASP Dublin Hackathon 2012]]
* Security Shepherd's platform will be used to manage the [[AppSecIreland2012| OWASP Ireland AppSec 2012]] CTF in September
+
* Security Shepherd's platform was used be used to manage the [[AppSecIreland2012| OWASP Ireland AppSec 2012]] CTF in September 2012
* Security Shepherd's platform will be used to manage the IRISS security conference in October  
+
* Security Shepherd's platform was used to administer the Traditional Style CTF at the IRISS security conference in October 2012 and 2013
 +
* Security Shepherd's platform was used to deliver the Traditional Style CTF at the 2013 SOURCE Conference CTF in Facebook
 +
* Security Shepherd's platform was used to govern the EU Tour 2013 and LATAM Tour 2013 Online CTF's
 +
* Security Shepherd's platform was used to conduct the 2013 OWASP Global CTF
 +
* Security Shepherd was used as the 2014 OWASP application security summer school CTF at the Faculty of Organization and Informatics in Varaždin
 +
 
 +
== Project Contributors ==
 +
 
 +
The Security Shepherd project was founded and is ran by Mark Denihan. The mobile wing of Security Shepherd is lead by Sean Duggan. If you wish to contribute to the OWASP Security Shepherd project please contact at mark.denihan@owasp.org, as help in any regard of the application is very much appreciated.  Security Shepherd distributions are currently maintained on [http://bit.ly/shepherdSourceForge SourceForge]. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd [https://lists.owasp.org/mailman/listinfo/owasp_security_shepherd mailing list].
 +
 
 +
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to [http://www.dit.ie DIT] for allowing those projects to be donated to the OWASP community.
 +
 
 +
== Project Sponsors ==
 +
 
 +
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2014] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter].
 +
[[File:BccRiskAdvisoryLogo.jpg]][[File:EdgescanLogo.jpg]]
  
 
[[Category:OWASP Project|Security Shepherd Project]]
 
[[Category:OWASP Project|Security Shepherd Project]]

Latest revision as of 19:48, 2 March 2015

Incubator big.jpg
Detailed vulnerability explainations
Competitive Learning Environment

Security Shepherd is a computer based training application for web and mobile application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.

Overview

Easy configuration to suit every use

Security Shepherd has been implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.

Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filters and poor security configuration.

CTF Mode

Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one module at a time. They must complete their current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When either of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.

User Management

Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. Users' activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.

Topic Coverage

The Security Shepherd project covers the following web application security topics;

Download

You can download the Security Shepherd VM or Manual Installation Pack from Source Forge.

Releases

Security Shepherd has been designed with expansion in mind. The application's underlying architecture is composed of a secure core application and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerability examples. If these services are compromised, the core service can continue to run unaffected.

Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web application server like Tomcat. To eliminate tedious environment configuration; there is a Security Shepherd Virtual Machine. This environment includes Tomcat/MySQL servers pre-loaded with Security Shepherd. For those that prefer the path of higher resistance or want to build a dedicated Security Shepherd server, a manual pack is available for download as well.

Security Shepherd v2.0 VM Setup:

To get a Security Shepherd VM ready to rock, follow these steps;

Setting up your instance of Security Shepherd with the VM: In Steps!

  • Import the VM to your hyper visor (Eg: Virtual Box)
  • Make sure the VM has a bridged adapter
  • Boot the VM
  • Sign in with securityshepherd / owaspSecurityShepherd
  • Change the user password with the passwd command
  • In the VM, run "ifconfig" to find the IP address. Make note of this
  • On your host machine, open http://<VM IP Address>/
  • Sign in with admin / password
  • Change the admin password (cannot be password again)
  • Use the configuration menu in the home page to change the application address from http://127.0.0.1/ to http://<VM IP Address>/
  • Time to play!

Security Shepherd v2.0 Manual Pack:

The manual release is a single download, unrar, and follow the steps release.

  • Download the Security Shepherd Manual Pack
  • Install Apache Tomcat 7
  • Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!
  • Extract the Security Shepherd Manual Pack
  • Copy the sql files extracted from the pack to the bin directory of MySql
  • Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )
  • Type the following commands to execute the Shepherd Manual Pack SQL files;

source core.sql source exposedSchema.sql

  • Open the webapps directory of your Tomcat instance
  • Delete any directories that are there already
  • Move the WAR files from the Shepherd Manual Pack into the webapps folder of Tomcat
  • Start Tomcat
  • Open the temp directory of Tomcat
  • If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in both the ROOT and Exposed directories in the temp folder, modify the /WEB-INF/site.properties to point at your local DB with your MySql settings. Leave the Driver alone!
  • If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.
  • Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )
  • Sign into Security Shepherd with the default admin credentials (admin / password)
  • Change the admin password
  • Follow in application prompts for further configuration

Future Development

New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org.

The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project roadmap and find some tasks that you can help with right away..

To contribute right away, pull the source from GitHub

Events with Security Shepherd

Over 60 people playing the CTF at HackDub2012

The Security Shepherd application has been tried and tested across a number of Beta runs in venues like Facebook and the IRISScon CTF. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training.

  • Security Shepherd was used as the OWASP Dublin Hackathon 2012
  • Security Shepherd's platform was used be used to manage the OWASP Ireland AppSec 2012 CTF in September 2012
  • Security Shepherd's platform was used to administer the Traditional Style CTF at the IRISS security conference in October 2012 and 2013
  • Security Shepherd's platform was used to deliver the Traditional Style CTF at the 2013 SOURCE Conference CTF in Facebook
  • Security Shepherd's platform was used to govern the EU Tour 2013 and LATAM Tour 2013 Online CTF's
  • Security Shepherd's platform was used to conduct the 2013 OWASP Global CTF
  • Security Shepherd was used as the 2014 OWASP application security summer school CTF at the Faculty of Organization and Informatics in Varaždin

Project Contributors

The Security Shepherd project was founded and is ran by Mark Denihan. The mobile wing of Security Shepherd is lead by Sean Duggan. If you wish to contribute to the OWASP Security Shepherd project please contact at mark.denihan@owasp.org, as help in any regard of the application is very much appreciated. Security Shepherd distributions are currently maintained on SourceForge. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd mailing list.

Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.

Project Sponsors

The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the AppSec EU 2014 conference as well as follow them on Twitter. BccRiskAdvisoryLogo.jpgEdgescanLogo.jpg