OWASP Security Shepherd
Security Shepherd is a CBT-like (Cognitive behavioral therapy) application for web application security vulnerabilities. This project strives to hurde the lost sheep of the technological world back to the safe and sound ways of secure practises. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The bi-product of this challenge game is the acquired skill to harden a players own environment from OWASP top ten security risks The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
Security Shepherds vulnerabilities are not simulated, and are instead delievered through harderned real security vulnerabilities that can not be abused to compromise the application or it's environment. Many of these levels include insufficent protections to these vulnerabilities, such as black list filteres and poor security configuration. Security Shepherd includes everything you need to complete all of it's levels including the OWASP Zed Attack Proxy and portable browsers already configured for proxy use.
Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one modules at a time. They must complete there current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When ether of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.
Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. User’s activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.
The Security Shepherd project covers the following web application security topics;
- SQL Injection
- Cross Site Scripting
- Broken Authetication and Session Management
- Cross Site Rrequest Forgery
- Insecure Direct Object Reference
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Unvalidated Redirects and Forwards
- Insufficent Transport Layer Security
New levels or level idea's are wanted in the highest degree. If you wish to contribute a level or even an idea; contact Mark Denihan on firstname.lastname@example.org.
The aims of Security Shepherd's future development is to allow level contribution easier through the creation of a "Challenge Builder" framework. It is also desirable to implement an automatic updating solution so that new levels that become available across new releases can be syncronised seemlessly.
Check out the project roadmap and find some tasks that you can help with right away.
Security Shepherd downloads are available at Security Shepherd Google code downloads.
You can synch to the current Security Shepherd source tree at Google code.
Security Shepherd has been designed with expansion in mind. The applicaiton's underlying architecture is composed of a secure core applicaiton and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerabilty exapmles. If these services are compromised, the core service can continue to run unaffected.
Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web applicaion server like Tomcat. To eliminate tedious environment configration; there is a Security Shepherd portable environment. This environment includes Tomcat/MySQL servers and scripts that can be used to automatically stand them up. This portable environment is currently only available for Windows environments (32bit and 64bit). Development for other operating systems is ongoing.
Security Shepherd 1.2:
The standard release is a single download, unrar, and click-to-run release. This service is currently only available for Windows operating systems
* Double-click on the startServers.bat - Two Tomcat and two MySQL command windows will start * Browse to https://localhost:8080/ * Default user is admin/password (You'll have to change the password upon login)
Security Shepherd 1.2 Manual:
The manual release is a single download, unrar, and follow the steps release.
* Deploy the core.war and exposed.war on your application server(s) * Run the core.sql and exposed.sql scripts in your database servers(s) as root users * Default user is admin/password (You'll have to change the password upon login) * Point your browser at the core application (eg: https://localhost:8080/core) * Default user is admin/password (You'll have to change the password upon login) * Through the admin configuration tools, set the URL's for the exposed application server and database servers
The SecurityShepherd project is run by Mark Denihan. He can be contacted at email@example.com. Security Shepherd distributions are currently maintained on SourceForge and Google. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd mailing list.
This project was initially created as part of my BSc. Thanks to Dr.Fred Mtenzi and DIT for allowing me to donate this project to the OWASP community.