Difference between revisions of "OWASP Security Shepherd"

From OWASP
(FAQs)
 
(38 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|right|Competitive Learning Environment]]
+
=Main=
'''Security Shepherd''' is a computer based training application for web application security vulnerabilities. This project strives to hurde the lost sheep of the technological world back to the safe and sound ways of secure practises. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
 +
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
  
== Overview ==
+
==OWASP Security Shepherd==
[[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|right|Easy configuration to suit every use]]
+
Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The bi-product of this challenge game is the acquired skill to harden a players own environment from OWASP top ten security risks The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
+
  
Security Shepherds vulnerabilities are not simulated, and are instead delievered through hardened real security vulnerabilities that can not be abused to compromise the application or it's environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filteres and poor security configuration. Security Shepherd includes everything you need to complete all of it's levels including the [[OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] and portable browsers already configured for proxy use.
+
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.
  
===CTF Mode===
+
==Description==
Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one modules at a time. They must complete there current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When ether of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.
+
  
===User Management===
+
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.
Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. User’s activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.
+
  
===Topic Coverage===
+
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
The Security Shepherd project covers the following web application security topics;
+
  
*[[Top_10_2010-A1|SQL Injection]]
+
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response.
*[[Top_10_2010-A2|Cross Site Scripting]]
+
*[[Top_10_2010-A3|Broken Authetication and Session Management]]
+
*[[Top_10_2010-A5|Cross Site Rrequest Forgery]]
+
*[[Top_10_2010-A4|Insecure Direct Object Reference]]
+
*[[Top_10_2010-A7|Insecure Cryptographic Storage]]
+
*[[Top_10_2010-A8|Failure to Restrict URL Access]]
+
*[[Top_10_2010-A10|Unvalidated Redirects and Forwards]]
+
*[[Top_10_2010-A9|Insufficient Transport Layer Security]]
+
  
== Future Development ==
+
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition.
  
New levels or level idea's are wanted in the highest degree. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org.
+
== Why use Security Shepherd? ==
  
The aims of Security Shepherd's future development is to allow level contribution easier through the creation of a "Challenge Builder" framework. It is also desirable to implement an automatic updating solution so that new levels that become available across new releases can be syncronised seemlessly.
+
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.
  
Check out the project [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap roadmap] and find some tasks that you can help with right away..
+
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.
  
==Releases==
+
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.
  
Security Shepherd has been designed with expansion in mind. The applicaiton's underlying architecture is composed of a secure core applicaiton and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerabilty exapmles. If these services are compromised, the core service can continue to run unaffected.
+
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack
 +
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.
  
Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web applicaion server like Tomcat. To eliminate tedious environment configration; there is a Security Shepherd portable environment. This environment includes Tomcat/MySQL servers and scripts that can be used to automatically stand them up. This portable environment is currently only available for Windows environments (32bit and 64bit). Development for other operating systems is ongoing.  
+
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users.  
  
===Security Shepherd 1.2:===
+
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)
The standard release is a single download, unrar, and click-to-run release. This service is currently only available for Windows operating systems
+
    * Double-click on the startServers.bat - Two Tomcat and two MySQL command windows will start
+
    * Browse to https://localhost:8080/
+
    * Default user is admin/password (You'll have to change the password upon login)
+
  
===Security Shepherd 1.2 Manual:===
+
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level.  
The manual release is a single download, unrar, and follow the steps release.  
+
    * Deploy the core.war and exposed.war on your application server(s)
+
    * Run the core.sql and exposed.sql scripts in your database servers(s) as root users
+
    * Point your browser at the core application (eg: https://localhost:8080/core)
+
    * Default user is admin/password (You'll have to change the password upon login)
+
    * Through the admin configuration tools, set the URL's for the application servers and sign on information for your databases
+
  
==Downloads==
+
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard.
  
Security Shepherd downloads are available at [http://code.google.com/p/owasp-security-shepherd/downloads/list Google Code] and [https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]. The deployments that require no server set up are quite big and are only available on Source Forge due to size constraints.  
+
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.
  
You can synch to the current Security Shepherd source tree at [http://code.google.com/p/owasp-security-shepherd/ Google code]
+
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.
  
Note: Source code and Manual Installation Packs are in the process of been uploaded. Stay tuned...
+
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods.  
  
== Project Contributors ==
+
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.
  
The SecurityShepherd project is run by Mark Denihan. He can be contacted at mark.denihan@owasp.org.  Security Shepherd distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/owasp-security-shepherd/downloads/list Google]. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd [http://lists.owasp.org/mailman/listinfo/owasp-security-shepherd mailing list].
+
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know.  
  
This project was initially created as part of my BSc. Thanks to Dr.Fred Mtenzi and [http://www.dit.ie DIT] for allowing me to donate this project to the OWASP community.
+
== Security Shepherd Road Map ==
 +
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].
  
== Events with Security Shepherd ==
+
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].
[[Image:Shepherd-CTF-In-Play.JPG|thumb|300px|right|Over 60 people playing the CTF at [[HackDub2012]]]]
+
  
The Security Shepherd application has been tried and tested across a number of Beta runs in venues like DIT and the Dublin TOG hackerspace. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training.
+
| valign="top"  style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |
  
* Security Shepherd was used as the [[HackDub2012|OWASP Dublin Hackathon 2012]]
+
== What is Security Shepherd? ==
* Security Shepherd's platform will be used to manage the [[AppSecIreland2012| OWASP Ireland AppSec 2012]] CTF in September
+
* Security Shepherd's platform will be used to manage the IRISS security conference in October
+
  
[[Category:OWASP Project|Security Shepherd Project]]
+
OWASP Security Shepherd provides:
[[Category:OWASP Download]]
+
[[Category:OWASP Tool]]
+
[[Category:OWASP Release Quality Tool]]
+
  
__NOTOC__
+
* Teaching Tool for All Application Security
 +
* Web Application Pen Testing Training
 +
* Mobile Application Pen Testing Training
 +
* Safe Playground to Practise AppSec Techniques
 +
* Real Security Risk Examples
  
[[Category:OWASP Project]]
+
==Topic Coverage==
 +
The Security Shepherd project covers the following web and mobile application security topics;
 +
 
 +
*[[Top_10_2013-A1|SQL Injection]]
 +
*[[Top_10_2013-A2|Broken Authentication and Session Management]]
 +
*[[Top_10_2013-A3|Cross Site Scripting]]
 +
*[[Top_10_2013-A4|Insecure Direct Object Reference]]
 +
*[[Top_10_2013-A5|Security Misconfiguration]]
 +
*[[Top_10_2013-A6|Sensitive Data Exposure]]
 +
*[[Top_10_2013-A7|Missing Function Level Access Control]]
 +
*[[Top_10_2013-A8|Cross Site Request Forgery]]
 +
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]
 +
*[[Data_Validation|Poor Data Validation]]
 +
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]
 +
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]]
 +
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]
 +
*[[Mobile_Top_10_2014-M6|Broken crypto]]
 +
*[[Mobile_Top_10_2014-M7|Client Side Injection]]
 +
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]
 +
 
 +
==Layout Options==
 +
 
 +
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:
 +
 
 +
'''CTF Mode'''
 +
 
 +
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.
 +
 
 +
'''Open Floor'''
 +
 
 +
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks.
 +
 
 +
'''Tournament Mode'''
 +
 
 +
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. 
 +
 
 +
 
 +
| valign="top"  style="padding-left:25px;width:250px;" |
 +
 
 +
== Download ==
 +
 
 +
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]
 +
 
 +
== Presentation ==
 +
 
 +
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]
 +
 
 +
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]
 +
 
 +
== Project Leaders ==
 +
 
 +
Mark Denihan - mark.denihan@owasp.org
 +
 
 +
Sean Duggan  - sean.duggan@owasp.org
 +
 
 +
== Recent News and Events ==
 +
* [January 2017] Shepherd Graduates to Flagship
 +
 
 +
== Related Projects ==
 +
 
 +
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]
 +
 
 +
==Licensing==
 +
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 +
 
 +
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of  merchantability or fitness for a particular purpose.  See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_TOOL.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
=FAQs=
 +
 
 +
; Q Can I Re-Skin Shepherd and then Train People With it?
 +
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!
 +
 
 +
; Q Where can I access Security Shepherd?
 +
: A You can Download it and run it yourself or there are various public instances (eg: [https://community.ctf365.com/t/owasp-security-shepherd/357 CTF365])
 +
 
 +
; Q Where can I download Security Shepherd?
 +
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]
 +
 
 +
; Q How can I run Shepherd on my network safely?
 +
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.
 +
 
 +
= Acknowledgements =
 +
== Project Sponsors ==
 +
 
 +
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter.
 +
 
 +
[[File:BccRiskAdvisoryLogo.jpg]]
 +
 
 +
[[File:EdgescanLogo.jpg]]
 +
 
 +
[[File:Manicode-logo.png]]
 +
==Contributors==
 +
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:
 +
 
 +
* Mark Denihan
 +
* Sean Duggan
 +
* Paul McCann
 +
* John Clarke
 +
* Lei Shao
 +
* Natalia Lopez
 +
* Aidan Knowles
 +
* Jason Flood
 +
 
 +
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org
 +
 
 +
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.
 +
 
 +
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]
 +
 
 +
==Other==
 +
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.
 +
 
 +
=Setup Help=
 +
===Security Shepherd v3.0 VM Setup:===
 +
To get a Security Shepherd VM ready to rock, follow these steps;
 +
 
 +
Setting up your instance of Security Shepherd with the VM: In Steps!
 +
 
 +
* Import the VM to your hypervisor (Eg: Virtual Box)
 +
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.
 +
* Boot the VM
 +
* Sign in with securityshepherd / owaspSecurityShepherd
 +
* Change the user password with the passwd command
 +
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this
 +
* On your host machine, open https://<VM IP Address>/
 +
* Sign in with admin / password
 +
* Change the admin password (cannot be password again)
 +
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)
 +
* Time to play!
 +
 
 +
===How to Upgrade Version 2.4 to Version 3.0:===
 +
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;
 +
 
 +
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]
 +
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.
 +
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance
 +
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb
 +
 
 +
All settings will be set to default after completing these steps and new levels will be marked as open.
 +
 
 +
===Security Shepherd v3.0 Manual Pack (Windows):===
 +
* Download the Security Shepherd Manual Pack
 +
* Install Apache Tomcat 7
 +
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!
 +
* Extract the Security Shepherd Manual Pack
 +
* Copy the sql files extracted from the pack to the bin directory of MySql
 +
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )
 +
* Type the following commands to execute the Shepherd Manual Pack SQL files;
 +
 
 +
source coreSchema.sql
 +
source moduleSchemas.sql
 +
 
 +
* Open the webapps directory of your Tomcat instance
 +
* Delete any directories that are there already
 +
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat
 +
* Start Tomcat
 +
* Open the temp directory of Tomcat
 +
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!
 +
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.
 +
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )
 +
* Sign into Security Shepherd with the default admin credentials (admin / password)
 +
* Change the admin password (Can't be 'password' again)
 +
* Make sure JAVA_HOME is set;
 +
* Right click My Computer and select Properties.
 +
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.
 +
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate
 +
 
 +
  "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
 +
 
 +
* The following is an example of filling out the details for the cert. You can choose your own.
 +
 
 +
Enter keystore password:  passw0rd
 +
Re-enter new password: password
 +
What is your first and last name?
 +
  [Unknown]:  Paul Stone
 +
What is the name of your organizational unit?
 +
  [Unknown]:  Security Shepherd
 +
What is the name of your organization?
 +
  [Unknown]:  OWASP
 +
What is the name of your City or Locality?
 +
  [Unknown]:  Baile Átha Cliath
 +
What is the name of your State or Province?
 +
  [Unknown]:  Laighin
 +
What is the two-letter country code for this unit?
 +
  [Unknown]:  IE
 +
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?
 +
  [no]:  yes
 +
 
 +
Enter key password for (RETURN if same as keystore password):  <RETURN>
 +
 
 +
* This will create a file under C:\Users\YOUR_USERNAME.keystore
 +
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:
 +
 
 +
  <Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" />
 +
 
 +
  <Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore"  keystorePass="passw0rd" keyAlias="tomcat"/>
 +
 
 +
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml
 +
 
 +
  <security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint>
 +
 
 +
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/
 +
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/
 +
 
 +
Time to Play!
 +
 
 +
=Videos=
 +
{|
 +
|-
 +
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;
 +
{{#ev:youtube|yppMkJRp4pk}}
 +
|}
 +
{|
 +
|-
 +
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;
 +
{{#ev:youtube|sb8KQV6morY}}
 +
|}
 +
{|
 +
|-
 +
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;
 +
{{#ev:youtube|8mlY4ob757s}}
 +
|}
 +
 
 +
=Screenshots=
 +
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]
 +
 
 +
__NOTOC__ <headertabs />
 +
 
 +
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]]  [[Category:OWASP_Tool]]
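Review bot: the version numbers in the "How to Upgrade Version 2.4 to Version 3.0" steps contradict the heading: the intro reads "You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4", and the second step says "Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file"; given the linked updateCoreSchemaV2.4toV3.sql script, the intro should say V2.4 to 3.0 and the pack should be the 3.0 Manual Pack. Two further points in the same revision: the two GitHub wiki links in the Road Map section have their targets swapped ("How to Add a New Language to Security Shepherd" points at How-to-Create-a-Web-Shepherd-Level, while "How to Make a Security Shepherd Level" points at Adding-a-new-Language-to-Shepherd), and the keytool transcript answers "Enter keystore password: passw0rd" but "Re-enter new password: password", which keytool rejects as a mismatch; the second line should repeat passw0rd to match the keystorePass="passw0rd" in the server.xml Connector, and since that value sits in clear text in server.xml the text should direct readers to pick their own password rather than keep the example one. Minor markup point: the external links written with double brackets ([[https://github.com/...]]) in the FAQ and upgrade steps render as broken internal links in MediaWiki; single brackets are the external-link syntax.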

Latest revision as of 05:11, 24 January 2017


OWASP Security Shepherd

The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.

Description

The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson gives a user help in layman's terms about a specific security risk and walks them through exploiting a textbook version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.

Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.

Shepherd's security risks are delivered through hardened real vulnerabilities that cannot be abused to compromise the application or its environment. Shepherd does not simulate security risks, so any and all attack vectors behave as they would against a real application, ensuring a real-world response.

Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition.

Why use Security Shepherd?

Wide Topic Coverage: Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.

Gentle Learning Curve: Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.

Layman Write Ups: Each security concept, when first presented in Shepherd, is explained in layman's terms so that any beginner can absorb it.

Real World Examples: The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.

Scalability: Shepherd can be used locally by a single user or easily as a server for a high amount of users.

Highly Customisable: Shepherd enables admins to set which levels are available to their users and in what way they are presented (Open, CTF and Tournament layouts).

Perfect for Classrooms: Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level.

Scoreboard: Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard.

User Management: Security Shepherd admins can create users, create admins, suspend and unsuspend accounts, and add bonus points to or take penalty points away from user accounts with the admin user management controls. Admins can also segment their students into specific class groups and view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.

Localisation Support: Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.

Robust Service: Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods.

Configurable Feedback: An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.

Granular Logging: The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know.

Security Shepherd Road Map

We want Security Shepherd to be as usable as we can make it. Our primary objective at present is full language localisation support for the entire application; so far we have covered the main pages users interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved, please see our GitHub Wiki page describing How to Add a New Language to Security Shepherd.

Our long-term goal is to cover as many web and mobile application security risks as possible. If you are interested in adding levels to Security Shepherd, please see our GitHub Wiki page describing How to Make a Security Shepherd Level. For the latest short-term goals, see the issues page in our GitHub.

What is Security Shepherd?

OWASP Security Shepherd provides:

  • Teaching Tool for All Application Security
  • Web Application Pen Testing Training
  • Mobile Application Pen Testing Training
  • Safe Playground to Practise AppSec Techniques
  • Real Security Risk Examples

Topic Coverage

The Security Shepherd project covers the following web and mobile application security topics:

Layout Options

An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:

CTF Mode

When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.

Open Floor

When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks.

Tournament Mode

When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition.


Download

Presentation

AppSecEU 2014 Video

AppSecEU 2014 Presentation

Project Leaders

Mark Denihan - mark.denihan@owasp.org

Sean Duggan - sean.duggan@owasp.org

Recent News and Events

  • [January 2017] Shepherd Graduates to Flagship

Related Projects

Licensing

The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .

Classifications

[Project badges: OWASP Flagship Project, Breakers, Builders; Project Type: Tool]

FAQs

Q: Can I re-skin Shepherd and then train people with it?
A: Yes! Follow [this guide]!
Q: Where can I access Security Shepherd?
A: You can download it and run it yourself, or use one of the various public instances (eg: CTF365).
Q: Where can I download Security Shepherd?
A: You can download it from the [GitHub Release Page].
Q: How can I run Shepherd on my network safely?
A: Just boot up the VM, install it manually, or use Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.

Project Sponsors

The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter.

[Sponsor logos: BCC Risk Advisory, Edgescan, Manicode]

Contributors

OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Mark Denihan
  • Sean Duggan
  • Paul McCann
  • John Clarke
  • Lei Shao
  • Natalia Lopez
  • Aidan Knowles
  • Jason Flood

The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org

New levels or level ideas are wanted in the highest degree, and development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea, contact Mark Denihan at mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training and security risk education. Check out the project GitHub and find some issues that you can help with right away.

To contribute right away, pull the source from GitHub

Other

Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.

Security Shepherd v3.0 VM Setup:

To get a Security Shepherd VM ready to rock, follow these steps:

Setting up your instance of Security Shepherd with the VM: In Steps!

  • Import the VM to your hypervisor (Eg: Virtual Box)
  • Update the VM network adapters to suit what you have available (Bridged Adapter for network availability, Host-Only for local access only and NAT for just outbound access). By default the VM has two network adapters, one NAT and one Host-Only.
  • Boot the VM
  • Sign in with securityshepherd / owaspSecurityShepherd
  • Change the user password with the passwd command
  • In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT, and make a note of it
  • On your host machine, open https://<VM IP Address>/
  • Sign in with admin / password
  • Change the admin password (cannot be password again)
  • Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)
  • Time to play!

How to Upgrade Version 2.4 to Version 3.0:

You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without losing any data? No problem. Follow these steps to upgrade:

  • Download and run this SQL file on your DB server: [Upgrade Core Schema Script]
  • Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.
  • Run the moduleSchemas.sql script from the manual pack on your Security Shepherd MySQL instance
  • Install MongoDB and then run the mongoSchema.js file on that instance, using the default port for MongoDB

All settings will be set to default after completing these steps and new levels will be marked as open.

Security Shepherd v3.0 Manual Pack (Windows):

  • Download the Security Shepherd Manual Pack
  • Install Apache Tomcat 7
  • Install MySql, using CowSaysMoo as the default password to skip future steps; if you prefer your own password, go ahead and set up MySql with that instead!
  • Extract the Security Shepherd Manual Pack
  • Copy the sql files extracted from the pack to the bin directory of MySql
  • Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )
  • Type the following commands to execute the Shepherd Manual Pack SQL files;

 source coreSchema.sql
 source moduleSchemas.sql

  • Open the webapps directory of your Tomcat instance
  • Delete any directories that are there already
  • Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat
  • Start Tomcat
  • Open the temp directory of Tomcat
  • If you chose the default MySql password, are running MySql on the same machine as Tomcat and are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory inside Tomcat's temp directory, modify /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!
  • If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.
  • Open the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )
  • Sign into Security Shepherd with the default admin credentials (admin / password)
  • Change the admin password (Can't be 'password' again)
  • Make sure JAVA_HOME is set:
  • Right click My Computer and select Properties.
  • On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g. C:\Program Files\Java\jdk1.8.0_45.
  • To set up SSL for port 443 (HTTPS), first generate the self-signed certificate:
 "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
  • The following is an example of filling out the details for the cert. You can choose your own.

 Enter keystore password: passw0rd
 Re-enter new password: password
 What is your first and last name?
   [Unknown]:  Paul Stone
 What is the name of your organizational unit?
   [Unknown]:  Security Shepherd
 What is the name of your organization?
   [Unknown]:  OWASP
 What is the name of your City or Locality?
   [Unknown]:  Baile Átha Cliath
 What is the name of your State or Province?
   [Unknown]:  Laighin
 What is the two-letter country code for this unit?
   [Unknown]:  IE
 Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?
   [no]:  yes
 Enter key password for (RETURN if same as keystore password): <RETURN>

  • This will create a file under C:\Users\YOUR_USERNAME\.keystore
  • Now update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password of the keystore you generated and enter it as the 'keystorePass'. Change the listener ports to the following:
 <Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" />
 <Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
            SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false"
            sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore"
            keystorePass="passw0rd" keyAlias="tomcat"/>
  • To redirect traffic to 443 (HTTPS), add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml:
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Entire Application</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
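To check that a Tomcat instance really ends up with the HTTPS setup described in the steps above, here is an added example in Python (not part of Security Shepherd or the manual pack): it parses server.xml and web.xml, flags the walkthrough's placeholder keystore password and the YOUR_USERNAME path if they were left in, and confirms that a CONFIDENTIAL transport guarantee covers /*. The inline XML samples are constructed from the snippets in the steps, and the placeholder password list and the web.xml namespace are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the snippets in the steps above; the walkthrough's
# placeholder password and YOUR_USERNAME path are kept so the audit flags them.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" />
  <Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" keystoreFile="C:\\Users\\YOUR_USERNAME\\.keystore"
    keystorePass="passw0rd" keyAlias="tomcat"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern>
  </web-resource-collection><user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint>
</web-app>"""
# Sample passwords from the walkthrough plus the Java keystore default (assumed list).
PLACEHOLDER_PASSWORDS = {"passw0rd", "password", "changeit"}


def _local(tag):
    """Drop the XML namespace so web.xml is readable whichever schema version it declares."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat(server_xml, web_xml):
    """Return findings for the HTTPS setup; an empty list means it matches the steps."""
    findings = []
    tls = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        findings.append("no SSLEnabled connector in server.xml")
    for c in tls:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append("connector on port %s lacks scheme=https/secure=true" % c.get("port"))
        if c.get("keystorePass", "").lower() in PLACEHOLDER_PASSWORDS:
            findings.append("keystorePass is a walkthrough placeholder; use your real keytool password")
        if "YOUR_USERNAME" in c.get("keystoreFile", ""):
            findings.append("keystoreFile still contains the YOUR_USERNAME placeholder")
    # The HTTP-to-HTTPS redirect relies on a CONFIDENTIAL transport guarantee covering /*.
    covered = False
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) == "security-constraint":
            texts = {(_local(e.tag), (e.text or "").strip()) for e in sc.iter()}
            covered |= {("url-pattern", "/*"), ("transport-guarantee", "CONFIDENTIAL")} <= texts
    if not covered:
        findings.append("web.xml has no CONFIDENTIAL transport-guarantee for /*")
    return findings
```

Run `audit_tomcat` on the contents of your own conf/server.xml and conf/web.xml after editing them; with the sample inputs it reports the two placeholders, and an empty list means the connector and redirect match the steps.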

Time to Play!

[Screenshots: Detailed vulnerability explanations; Competitive learning environment; Easy configuration to suit every use]