OWASP Security Shepherd
Security Shepherd is a computer based training application for web application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filters and poor security configuration. Security Shepherd includes everything you need to complete all of its levels including the OWASP Zed Attack Proxy Project and portable browsers already configured for proxy use.
Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one module at a time. They must complete their current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When either of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.
Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. Users' activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.
The Security Shepherd project covers the following web application security topics;
- SQL Injection
- Cross Site Scripting
- Broken Authetication and Session Management
- Cross Site Rrequest Forgery
- Insecure Direct Object Reference
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Unvalidated Redirects and Forwards
- Insufficient Transport Layer Security
New levels or level ideas are wanted in the highest degree. If you wish to contribute a level or even an idea; contact Mark Denihan on firstname.lastname@example.org.
The aim of Security Shepherd's future development is to allow level contribution easier through the creation of a "Challenge Builder" framework. It is also desirable to implement an automatic updating solution so that new levels that become available across new releases can be synchronised seamlessly.
Check out the project roadmap and find some tasks that you can help with right away..
Security Shepherd has been designed with expansion in mind. The application's underlying architecture is composed of a secure core application and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerabilty examples. If these services are compromised, the core service can continue to run unaffected.
Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web applicaion server like Tomcat. To eliminate tedious environment configration; there is a Security Shepherd portable environment. This environment includes Tomcat/MySQL servers and scripts that can be used to automatically stand them up. This portable environment is currently only available for Windows environments (32bit and 64bit). Development for other operating systems is ongoing.
Security Shepherd 1.2:
The standard release is a single download, unrar, and click-to-run release. This service is currently only available for Windows operating systems
* Double-click on the startServers.bat - Two Tomcat and two MySQL command windows will start * Browse to https://localhost:8080/ * Default user is admin/password (You'll have to change the password upon login)
Security Shepherd 1.2 Manual:
The manual release is a single download, unrar, and follow the steps release.
* Deploy the core.war and exposed.war on your application server(s) * Run the core.sql and exposed.sql scripts in your database servers(s) as root users * Point your browser at the core application (eg: https://localhost:8080/core) * Default user is admin/password (You'll have to change the password upon login) * Through the admin configuration tools, set the URL's for the application servers and sign on information for your databases
You can synch to the current Security Shepherd source tree at Google code
Note: Source code and Manual Installation Packs are in the process of been uploaded. Stay tuned...
The SecurityShepherd project is run by Mark Denihan. He can be contacted at email@example.com. Security Shepherd distributions are currently maintained on SourceForge and Google. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd mailing list.
This project was initially created as part of my BSc. Thanks to Dr.Fred Mtenzi and DIT for allowing me to donate this project to the OWASP community.
Events with Security Shepherd
The Security Shepherd application has been tried and tested across a number of Beta runs in venues like DIT and the Dublin TOG hackerspace. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training.