├── .gitignore ├── Hacking-for-Web-Application-Developers ├── A10-Server-Side-Request-Forgery │ └── README.md ├── A08-Software-and-Data-Integrity-Failures │ └── README.md ├── A09-Security-Logging-and-Monitoring-Failures │ └── README.md ├── images │ └── mapping_owasp_top_10_2021.png ├── A01-Broken-Access-Control │ ├── images │ │ └── score-board.png │ └── README.md ├── A06-Vulnerable-and-Outdated-Components │ └── README.md ├── A05-Security-Misconfiguration │ └── README.md ├── password-list.txt ├── A04-Insecure-Design │ └── README.md ├── A02-Cryptographic-Failures │ └── README.md ├── README.md ├── A07-Identification-and-Authentication-Failures │ └── README.md └── A03-Injection │ └── README.md ├── Hacking-for-API-Developers ├── postman │ ├── car.mp4 │ ├── local_postman_environment.json │ ├── agile_dev_de_postman_environment.json │ └── crapi.postman_collection.json ├── API02-Broken-User-Authentication │ ├── exploit.sh │ ├── crack.sh │ ├── crapi.txt │ ├── README.md │ └── top1000.txt ├── API01-Broken-Object-Level-Authorization │ └── README.md ├── API03-Excessive-Data-Exposure │ └── README.md ├── API08-Injection │ └── README.md ├── API10-Insufficient-Logging-and-Monitoring │ └── README.md ├── API06-Mass-Assignment │ └── README.md ├── API04-Lack-of-Resources-and-Rate-Limiting │ └── README.md ├── API05-Broken-Function-Level-Authorization │ └── README.md ├── API07-Security-Misconfiguration │ └── README.md ├── API09-Improper-Assets-Management │ └── README.md └── README.md ├── Supply-Chain-Security ├── images │ └── dependency_track_integrations.png └── README.md ├── Identity-Access-Management-for-Developers └── README.md ├── Attack-Demos └── README.md ├── README.md ├── Cryptography-for-Developers └── README.md └── LICENSE /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/ -------------------------------------------------------------------------------- 
/Hacking-for-Web-Application-Developers/A10-Server-Side-Request-Forgery/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/A08-Software-and-Data-Integrity-Failures/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/A09-Security-Logging-and-Monitoring-Failures/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/postman/car.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NovatecConsulting/developer-security-training/HEAD/Hacking-for-API-Developers/postman/car.mp4 -------------------------------------------------------------------------------- /Supply-Chain-Security/images/dependency_track_integrations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NovatecConsulting/developer-security-training/HEAD/Supply-Chain-Security/images/dependency_track_integrations.png -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/images/mapping_owasp_top_10_2021.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NovatecConsulting/developer-security-training/HEAD/Hacking-for-Web-Application-Developers/images/mapping_owasp_top_10_2021.png -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/A01-Broken-Access-Control/images/score-board.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/NovatecConsulting/developer-security-training/HEAD/Hacking-for-Web-Application-Developers/A01-Broken-Access-Control/images/score-board.png -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API02-Broken-User-Authentication/exploit.sh: -------------------------------------------------------------------------------- 1 | JWT=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZmFAZXhhbXBsZS5jb20iLCJpYXQiOjE2Njg3NTg4MDUsImV4cCI6MTY2ODg0NTIwNX0.JiuzRl6V0dghDDfAUP3a1S9mgKb0zk3jU7ixlq80eAIfsZ49QQdHZJ2sNpcKkOZr3TCKnJxXPjzl0yz7S6LAag 2 | 3 | python3 jwt_tool.py $JWT -T -X a 4 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API02-Broken-User-Authentication/crack.sh: -------------------------------------------------------------------------------- 1 | JWT=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZmFAZXhhbXBsZS5jb20iLCJpYXQiOjE2Njg3NTg4MDUsImV4cCI6MTY2ODg0NTIwNX0.JiuzRl6V0dghDDfAUP3a1S9mgKb0zk3jU7ixlq80eAIfsZ49QQdHZJ2sNpcKkOZr3TCKnJxXPjzl0yz7S6LAag 2 | 3 | python3 jwt_tool.py $JWT -C -d crapi.txt 4 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API02-Broken-User-Authentication/crapi.txt: -------------------------------------------------------------------------------- 1 | Crapi2020 2 | Crapi2021 3 | Crapi2022 4 | OWASP 5 | iparc2022 6 | crapi2022 7 | owasp 8 | iparc2023 9 | crAPI2022 10 | Jwt2022 11 | iparc2020 12 | crAPI2020 13 | Jwt2020 14 | iparc2021 15 | crAPI2021 16 | Jwt_2022 iparc 17 | crapi 18 | Jwt_2020 19 | JWT 20 | community 21 | Owasp2021 22 | jwt2020 23 | vehicle 24 | Vehicle_2022 25 | JWT_2022 26 | crapi_2022! 
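The two scripts above drive jwt_tool against a captured crAPI token: exploit.sh attempts the `alg: none` signature-stripping attack (`-T -X a`) and crack.sh runs an offline dictionary attack on the HS512 secret (`-C -d crapi.txt`). The Python block below is an added example, not code from the training repository, crAPI or jwt_tool. It re-implements both attacks with only the standard library and pairs them with the server-side verifier that defeats them. The token, the weak secret and the short wordlist are constructed here; `sign_hs512`, `crack_hs512`, `forge_alg_none` and `verify_hs512` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs512(payload: dict, secret: str) -> str:
    """Mint a compact JWS with the same {"alg":"HS512"} header the crAPI tokens carry."""
    header = b64url_encode(_json({"alg": "HS512"}))
    body = b64url_encode(_json(payload))
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha512).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def crack_hs512(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack (what crack.sh does with -C -d): recompute the HMAC for every
    candidate secret and compare it with the token's signature. Fully offline."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode()
    target = b64url_decode(sig)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha512).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def forge_alg_none(token: str, new_claims: dict) -> str:
    """'alg: none' tampering (what exploit.sh does with -X a): rewrite the header,
    change the claims and drop the signature. Only a broken verifier accepts this."""
    _, body, _ = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(new_claims)
    header = b64url_encode(_json({"alg": "none"}))
    return f"{header}.{b64url_encode(_json(payload))}."


def verify_hs512(token: str, secret: str, now: Optional[float] = None) -> dict:
    """Hardened verifier: the accepted algorithm is pinned server-side instead of being
    read from the header, the compare is constant-time, and exp is enforced.
    Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS512":  # rejects "none" and algorithm-confusion attempts
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


# Constructed demo data: a weak secret that appears in a short crapi.txt-style wordlist.
DEMO_WORDLIST = ["Crapi2020", "OWASP", "iparc2022", "crapi", "crAPI2022", "JWT"]
DEMO_SECRET = "crAPI2022"
DEMO_CLAIMS = {"sub": "afa@example.com", "iat": 1668758805, "exp": 1668845205}
DEMO_TOKEN = sign_hs512(DEMO_CLAIMS, DEMO_SECRET)

if __name__ == "__main__":
    print("cracked secret:", crack_hs512(DEMO_TOKEN, DEMO_WORDLIST))
    forged = forge_alg_none(DEMO_TOKEN, {"sub": "admin@example.com"})
    try:
        verify_hs512(forged, DEMO_SECRET, now=1668758900)
    except ValueError as err:
        print("forged token rejected:", err)
```

The cracking loop is cheap because HS512 is a fast MAC, which is exactly why a guessable secret is fatal: the signing key should be long random bytes (at least 64 for HS512), and the verifier must never let the token choose the algorithm.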
27 | 
--------------------------------------------------------------------------------
/Identity-Access-Management-for-Developers/README.md:
--------------------------------------------------------------------------------
1 | # Identity Access Management for Developers
2 | 
3 | 
4 | ## Setup
5 | 
6 | 
7 | 
8 | ### REST API clients
9 | 
10 | #### Postman
11 | 
12 | To call the REST API of the Juice Shop from a graphical client you may use Postman.
13 | Follow the setup instructions on https://www.postman.com/downloads.
14 | 
15 | #### Httpie
16 | 
17 | If you prefer calling the REST API of the Juice Shop from the command line you may try HTTPie.
18 | Follow the setup instructions on https://httpie.org.
19 | 
20 | #### Curl
21 | 
22 | If you prefer the command line you may also use the classic curl.
23 | Follow the setup instructions on https://curl.haxx.se.
24 | 
25 | ### The Labs
26 | 
27 | 
--------------------------------------------------------------------------------
/Hacking-for-API-Developers/API01-Broken-Object-Level-Authorization/README.md:
--------------------------------------------------------------------------------
1 | # API01: Broken Object Level Authorization
2 | 
3 | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object level access control issues. Object level authorization checks should be performed in every function that accesses a data source using an identifier supplied by the user.
4 | 
5 | Attackers exploit API endpoints that are vulnerable to broken object level authorization by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. The issue is extremely common in API-based applications because the server component usually does not fully track the client's state and instead relies on parameters such as object IDs sent by the client to decide which objects to access.
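The following Python block is an added example, not code from the training repository or from crAPI, showing the vulnerable pattern described above next to its fix. It uses an in-memory SQLite table of vehicles (constructed sample data; the table and column names are invented for this example). The vulnerable handler authenticates the caller but then looks the object up by the client-supplied id alone; the fixed handler makes the authenticated principal part of the data-access predicate, so the query can only ever return objects the caller owns, and it answers "not found" for both missing and foreign objects so the API does not become an enumeration oracle.

```python
import sqlite3

COLUMNS = ("id", "owner", "vin", "location")


class NotFound(Exception):
    """Raised for 'does not exist' and for 'not yours' alike, on purpose."""


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; schema invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vehicle (id TEXT PRIMARY KEY, owner_email TEXT NOT NULL, "
        "vin TEXT NOT NULL, location TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO vehicle VALUES (?, ?, ?, ?)",
        [
            ("c1", "alice@example.com", "WVWZZZ1JZ3W000001", "48.77,9.18"),
            ("c2", "bob@example.com", "WVWZZZ1JZ3W000002", "52.52,13.40"),
        ],
    )
    return conn


def get_vehicle_vulnerable(conn: sqlite3.Connection, current_user: str, vehicle_id: str) -> dict:
    """BOLA: current_user is verified (e.g. from the JWT) but never used in the lookup,
    so any authenticated caller can read any vehicle by guessing or iterating ids."""
    row = conn.execute(
        "SELECT id, owner_email, vin, location FROM vehicle WHERE id = ?",
        (vehicle_id,),
    ).fetchone()
    if row is None:
        raise NotFound(vehicle_id)
    return dict(zip(COLUMNS, row))


def get_vehicle_secure(conn: sqlite3.Connection, current_user: str, vehicle_id: str) -> dict:
    """Fix: scope the query by the authenticated principal. current_user must come
    from the verified session/token, never from the request body or query string."""
    row = conn.execute(
        "SELECT id, owner_email, vin, location FROM vehicle "
        "WHERE id = ? AND owner_email = ?",
        (vehicle_id, current_user),
    ).fetchone()
    if row is None:
        raise NotFound(vehicle_id)  # same answer whether the object is missing or foreign
    return dict(zip(COLUMNS, row))


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, bob reads c1:", get_vehicle_vulnerable(db, "bob@example.com", "c1"))
    try:
        get_vehicle_secure(db, "bob@example.com", "c1")
    except NotFound as missing:
        print("secure, bob reads c1: 404 for", missing)
```

Scoping the data access by owner in the repository layer is more robust than an `if row.owner != current_user` check after the fetch, because a new call site cannot forget the check; unpredictable ids (UUIDs) reduce guessing but are not a substitute for the authorization predicate.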
6 | 
7 | 
--------------------------------------------------------------------------------
/Hacking-for-API-Developers/postman/local_postman_environment.json:
--------------------------------------------------------------------------------
1 | {"id":"fbc275bf-4980-4709-ac34-0f9d5e5e7fb0","name":"Local crAPI","values":[{"key":"url","value":"http://localhost:8888/","enabled":true,"type":"default"},{"key":"email","value":"test@example.com","enabled":true,"type":"default"},{"key":"password","value":"Test_2022","enabled":true,"type":"default"},{"key":"token","value":"eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ0ZXN0QGV4YW1wbGUuY29tIiwiaWF0IjoxNjY0MjY4NTU4LCJleHAiOjE2NjQzNTQ5NTh9.jeCc9TTKUahe32s-Vgw2KcwzInS9CKTmnz7Aomz-OcOMl9FE3J6fA0cunQADYBxaX3ChiAZNYaI4SB7nuig7Cg","enabled":true,"type":"default"},{"key":"url_mail","value":"http://localhost:8025/","enabled":true,"type":"default"},{"key":"name","value":"My Name","enabled":true,"type":"default"},{"key":"phone","value":"+4915112345","enabled":true,"type":"default"},{"key":"post_id","value":"2pJLvzVocYXNXmm7VXxXgR","enabled":true,"type":"default"}]}
--------------------------------------------------------------------------------
/Attack-Demos/README.md:
--------------------------------------------------------------------------------
1 | # Attack Demos
2 | 
3 | 
4 | ### The Demos
5 | 
6 | The demos follow the categories of the OWASP API Security Top 10:
7 | 
8 | * [API01: Broken Object Level Authorization](API01-Broken-Object-Level-Authorization/README.md)
9 | * [API02: Broken User Authentication](API02-Broken-User-Authentication/README.md)
10 | * [API03: Excessive Data Exposure](API03-Excessive-Data-Exposure/README.md)
11 | * [API04: Lack of Resources and Rate Limiting](API04-Lack-of-Resources-and-Rate-Limiting/README.md)
12 | * [API05: Broken Function Level Authorization](API05-Broken-Function-Level-Authorization/README.md)
13 | * [API06: Mass Assignment](API06-Mass-Assignment/README.md)
14 | * [API07: Security Misconfiguration](API07-Security-Misconfiguration/README.md)
15 | * [API08: Injection](API08-Injection/README.md)
16 | * [API09: Improper Assets Management](API09-Improper-Assets-Management/README.md)
17 | * [API10: Insufficient Logging and Monitoring](API10-Insufficient-Logging-and-Monitoring/README.md)
18 | 
--------------------------------------------------------------------------------
/Hacking-for-Web-Application-Developers/A06-Vulnerable-and-Outdated-Components/README.md:
--------------------------------------------------------------------------------
1 | # A06: Vulnerable and Outdated Components
2 | 
3 | The challenges in this chapter are all about security issues in libraries and other third-party components the application uses internally.
4 | 
5 | * [Challenge 6.1: Inform the shop about a vulnerable library it is using](#challenge-61-inform-the-shop-about-a-vulnerable-library-it-is-using)
6 |   * [Tips:](#tips)
7 | 
8 | ## Challenge 6.1: Inform the shop about a vulnerable library it is using
9 | Juice Shop depends on a JavaScript library with known vulnerabilities. Look up the dependencies listed in the file package.json.bak in a public vulnerability database (e.g. the npm advisory database or the NVD).
10 | 
11 | ### Tips:
12 | 
13 | 1. **Tip:** Access a developer's forgotten backup file: /ftp/package.json.bak%2500.md (the `%2500` is a double-URL-encoded null byte; the server decodes it once to `%00`, the file filter accepts the `.md` suffix, and the path is then truncated at the null byte so the `.bak` file is served).
14 | 
15 | 2. **Tip:** Look for dependencies related to security (authentication, sessions, cryptography, input parsing) in package.json.bak.
Do some research on the internet for known security issues in the most suspicious application dependencies, paying attention to the exact version pinned in the file.
16 | 
17 | 3. **Tip:** Use the Contact Us form to submit feedback naming the vulnerable library including its exact version.
18 | 
--------------------------------------------------------------------------------
/Hacking-for-Web-Application-Developers/A05-Security-Misconfiguration/README.md:
--------------------------------------------------------------------------------
1 | # A05: Security Misconfiguration
2 | 
3 | * [Challenge 7.1: Deprecated Interface](#challenge-71-deprecated-interface)
4 |   * [Tips:](#tips)
5 | * [Challenge 7.2: Error Handling](#challenge-72-error-handling)
6 |   * [Tips:](#tips-1)
7 | 
8 | Security misconfiguration is usually a lack of hardening of the system or service, such as:
9 | - Default passwords and default accounts that were never changed;
10 | - Unnecessary services that were never shut down;
11 | - Overly informative error messages shown to users (stack traces, internal paths, versions);
12 | - New security features delivered with an update but never configured or enabled;
13 | - Obsolete software.
14 | 
15 | ## Challenge 7.1: Deprecated Interface
16 | The old B2B interface was replaced, but not all of its components were removed properly.
17 | No attack or exploit is needed.
18 | 
19 | ### Tips:
20 | 
21 | 1. **Tip:** Log in as any user and go to **Contact Us**.
22 | 2. **Tip:** Use the browser's developer tools to find the leftover in the client-side code.
23 | 
24 | ## Challenge 7.2: Error Handling
25 | Trigger an error that is not handled correctly.
26 | 
27 | ### Tips:
28 | 
29 | 1. **Tip:** There is more than one way to trigger such an error.
30 | 2. **Tip:** Try to submit bad input to forms.
31 | 3. **Tip:** Try to manipulate the URL path and its parameters.
32 | 
33 | **Hint:** Don't forget to open your JavaScript console.
-------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/password-list.txt: -------------------------------------------------------------------------------- 1 | PublishThisListPlease 2 | root 3 | !@ 4 | wubao 5 | password 6 | 123456 7 | admin 8 | 12345 9 | 1234 10 | p@ssw0rd 11 | 123 12 | 1 13 | jiamima 14 | test 15 | root123 16 | ! 17 | !q@w 18 | !qaz@wsx 19 | idc!@ 20 | admin!@ 21 | 22 | alpine 23 | qwerty 24 | 12345678 25 | 111111 26 | 123456789 27 | 1q2w3e4r 28 | 123123 29 | default 30 | 1234567 31 | qwe123 32 | 1qaz2wsx 33 | 1234567890 34 | abcd1234 35 | 000000 36 | user 37 | toor 38 | qwer1234 39 | 1q2w3e 40 | asdf1234 41 | redhat 42 | 1234qwer 43 | cisco 44 | 12qwaszx 45 | test123 46 | 1q2w3e4r5t 47 | admin123 48 | changeme 49 | 1qazxsw2 50 | 123qweasd 51 | q1w2e3r4 52 | letmein 53 | server 54 | root1234 55 | master 56 | abc123 57 | rootroot 58 | a 59 | system 60 | pass 61 | 1qaz2wsx3edc 62 | p@$$w0rd 63 | 112233 64 | welcome 65 | !QAZ2wsx 66 | linux 67 | 123321 68 | manager 69 | 1qazXSW@ 70 | q1w2e3r4t5 71 | oracle 72 | asd123 73 | admin123456 74 | ubnt 75 | 123qwe 76 | qazwsxedc 77 | administrator 78 | superuser 79 | zaq12wsx 80 | 121212 81 | 654321 82 | ubuntu 83 | 0000 84 | zxcvbnm 85 | root@123 86 | 1111 87 | vmware 88 | q1w2e3 89 | qwerty123 90 | cisco123 91 | 11111111 92 | pa55w0rd 93 | asdfgh 94 | 11111 95 | 123abc 96 | asdf 97 | centos 98 | 888888 99 | 54321 100 | password123 -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API03-Excessive-Data-Exposure/README.md: -------------------------------------------------------------------------------- 1 | # API03: Excessive Data Exposure 2 | 3 | Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. 
4 | 
5 | Exploitation of Excessive Data Exposure is simple and is usually performed by intercepting the traffic (e.g. with a proxy such as Burp or ZAP) and reading the API responses, looking for sensitive data that should never have been returned to the user.
6 | The API returns sensitive data to the client by design; this data is then filtered on the client side before being presented to the user, which protects nothing, because the attacker is the client.
7 | 
8 | ## How To Prevent
9 | 
10 | * Never rely on the client side to filter sensitive data.
11 | * Review the responses from the API to make sure they contain only legitimate data.
12 | * Backend engineers should always ask themselves "who is the consumer of the data?" before exposing a new API endpoint.
13 | * Avoid using generic methods such as to_json() and to_string(). Instead, cherry-pick the specific properties you really want to return.
14 | * Classify the sensitive and personally identifiable information (PII) that your application stores and works with, and review all API calls returning such information to see whether these responses pose a security issue.
15 | * Implement a schema-based response validation mechanism as an extra layer of security. As part of this mechanism, define and enforce the data returned by all API methods, including error responses.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Security Training for Developers
2 | 
3 | This repository contains all labs and demos that are part of the security training for developers.
4 | 
5 | **Please note: This is still work in progress**
6 | 
7 | ## Learning targets
8 | 1. Understand basic security terminology
9 | 2. Understand the importance of security
10 | 3. OWASP
11 |    - What is it?
12 |    - What does OWASP offer? (Projects, Documentation, Tools)
13 |    - Highlight the most popular and important projects like the OWASP Top 10
14 | 4. Insights on a selected set of static and dynamic application security testing tools
15 | 
Finding and exploiting vulnerabilities to understand the impact they could cause 16 | 6. Fixing/avoiding specific security issues 17 | 18 | ## Learning approach 19 | 20 | 1. Learn about a security issue, threat or vulnerability 21 | 2. How to perform hacking/exploiting the security issue, threat or vulnerability 22 | 3. How to avoid or mitigate such security issue, threat or vulnerability in your own applications and code 23 | 24 | ### Table of contents 25 | - [Hacking for Web Application Developers](Hacking-for-Web-Application-Developers/README.md) 26 | - [Hacking for API Developers](Hacking-for-API-Developers/README.md) 27 | - [Cryptography for Developers](Cryptography-for-Developers/README.md) 28 | - [Identity Access Management (IAM) for API Developers](Identity-Access-Management-for-Developers/README.md) 29 | - [Supply Chain Security](Supply-Chain-Security/README.md) 30 | - [Attack Demos](Attack-Demos/README.md) 31 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API08-Injection/README.md: -------------------------------------------------------------------------------- 1 | # API08: Injection 2 | 3 | Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization. 4 | 5 | The API is vulnerable to injection flaws if: 6 | 7 | * Client-supplied data is not validated, filtered, or sanitized by the API. 8 | * Client-supplied data is directly used or concatenated to SQL/NoSQL/LDAP queries, OS commands, XML parsers, and Object Relational Mapping (ORM)/Object Document Mapper (ODM). 9 | * Data coming from external systems (e.g., integrated systems) is not validated, filtered, or sanitized by the API. 
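The prevention list above names three controls: keep data and query separate (parameterized interfaces), validate input against strict patterns, and cap the number of returned records. The Python block below is an added example, not code from the training repository or from crAPI, that shows the vulnerable string-built query next to those three controls, using an in-memory SQLite table with constructed sample users. The table, the e-mail pattern and the payload are constructed for this example.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed attack input: closes the string literal and appends an always-true clause.
INJECTION_PAYLOAD = "x' OR '1'='1"

# Strict allowlist pattern for the one parameter this endpoint accepts (example pattern,
# deliberately simple; real e-mail validation is looser, which is why the length cap
# and the parameterized query still matter).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; schema invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "user"), ("bob@example.com", "user"), ("admin@example.com", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Injection: client data is concatenated into the query text, so the interpreter
    cannot tell data from command. INJECTION_PAYLOAD turns this into WHERE ... OR '1'='1'."""
    sql = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Control 1: a parameterized query. The payload is compared as a literal string and
    simply matches nothing."""
    return conn.execute("SELECT id, email, role FROM users WHERE email = ?", (email,)).fetchall()


def validate_email(value: object, max_len: int = 254) -> str:
    """Control 2: type, length and pattern check before the value goes anywhere near
    an interpreter. Rejecting early also keeps garbage out of logs and error messages."""
    if not isinstance(value, str) or len(value) > max_len or not EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email parameter")
    return value


def find_user_hardened(conn: sqlite3.Connection, email: str, limit: int = 10) -> List[Tuple]:
    """All three controls together: validation, parameterization, and a record cap so
    that even a future injection elsewhere cannot dump the whole table in one response."""
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ? LIMIT ?",
        (validate_email(email), int(limit)),
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTION_PAYLOAD))      # every row
    print("parameterized:", find_user_parameterized(db, INJECTION_PAYLOAD))  # []
    try:
        find_user_hardened(db, INJECTION_PAYLOAD)
    except ValueError as err:
        print("hardened:", err)
```

Escaping special characters for the target interpreter is a last resort; the parameterized interface removes the problem class entirely, and the validation layer is what stops the payload from reaching any other sink (LDAP filter, OS command, ORM query string) the value might later flow into.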
10 | 11 | ## How To Prevent 12 | 13 | Preventing injection requires keeping data separate from commands and queries. 14 | 15 | * Perform data validation using a single, trustworthy, and actively maintained library. 16 | * Validate, filter, and sanitize all client-provided data, or other data coming from integrated systems. 17 | * Special characters should be escaped using the specific syntax for the target interpreter. 18 | * Prefer a safe API that provides a parameterized interface. 19 | * Always limit the number of returned records to prevent mass disclosure in case of injection. 20 | * Validate incoming data using sufficient filters to only allow valid values for each input parameter. 21 | * Define data types and strict patterns for all string parameters. -------------------------------------------------------------------------------- /Hacking-for-API-Developers/postman/agile_dev_de_postman_environment.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "7267364-8544d3fc-f0c9-4339-81d5-434151c2df87", 3 | "name": "Agile-Dev crAPI", 4 | "values": [ 5 | { 6 | "key": "url", 7 | "value": "https://api.agile-dev.de", 8 | "enabled": true, 9 | "type": "default" 10 | }, 11 | { 12 | "key": "email", 13 | "value": "dummy@example.com", 14 | "enabled": true, 15 | "type": "default" 16 | }, 17 | { 18 | "key": "password", 19 | "value": "Dummy_2022", 20 | "enabled": true, 21 | "type": "default" 22 | }, 23 | { 24 | "key": "token", 25 | "value": "", 26 | "enabled": true, 27 | "type": "default" 28 | }, 29 | { 30 | "key": "url_mail", 31 | "value": "https://mail.agile-dev.de", 32 | "enabled": true, 33 | "type": "default" 34 | }, 35 | { 36 | "key": "name", 37 | "value": "My Name", 38 | "enabled": true, 39 | "type": "default" 40 | }, 41 | { 42 | "key": "phone", 43 | "value": "+4915112345", 44 | "enabled": true, 45 | "type": "default" 46 | }, 47 | { 48 | "key": "post_id", 49 | "value": "2pJLvzVocYXNXmm7VXxXgR", 50 | "enabled": true, 51 | 
"type": "default" 52 | } 53 | ] 54 | } -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API10-Insufficient-Logging-and-Monitoring/README.md: -------------------------------------------------------------------------------- 1 | # API10: Insufficient Logging and Monitoring 2 | 3 | Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. 4 | 5 | The API is vulnerable if: 6 | 7 | * It does not produce any logs, the logging level is not set correctly, or log messages do not include enough detail. 8 | * Log integrity is not guaranteed (e.g., Log Injection). 9 | * Logs are not continuously monitored. 10 | * API infrastructure is not continuously monitored. 11 | 12 | ## How To Prevent 13 | 14 | * Log all failed authentication attempts, denied access, and input validation errors. 15 | * Logs should be written using a format suited to be consumed by a log management solution, and should include enough detail to identify the malicious actor. 16 | * Logs should be handled as sensitive data, and their integrity should be guaranteed at rest and transit. 17 | * Configure a monitoring system to continuously monitor the infrastructure, network, and the API functioning. 18 | * Use a Security Information and Event Management (SIEM) system to aggregate and manage logs from all components of the API stack and hosts. 19 | * Configure custom dashboards and alerts, enabling suspicious activities to be detected and responded to earlier. 
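The prevention list above asks for failed authentication attempts to be logged in a machine-readable format with enough detail to identify the actor, for log integrity to be protected against injection, and for continuous monitoring with alerts. The Python block below is an added example, not code from the training repository or from crAPI, that shows one structured JSON event per failed login, demonstrates why JSON encoding defeats a newline-based log-injection attempt, and runs a minimal sliding-window detector over the constructed events that alerts when one client IP exceeds a failure threshold. The event field names, the thresholds, the client IPs and the login path are constructed for this example.

```python
import json
from collections import defaultdict, deque
from typing import Dict, List, Optional


def auth_failure_event(ts: int, client_ip: str, username: str, endpoint: str, reason: str) -> str:
    """One structured log line. json.dumps escapes CR, LF and quotes, so a username such as
    'eve\\n{"event":"auth_success",...}' stays inside this one record instead of
    becoming a forged second record (log injection). The username is also length-capped."""
    record = {
        "ts": ts,
        "event": "auth_failure",
        "client_ip": client_ip,
        "username": username[:256],
        "endpoint": endpoint,
        "reason": reason,
    }
    return json.dumps(record, ensure_ascii=True, separators=(",", ":"))


def parse_events(lines: List[str]) -> List[dict]:
    """What a log management system does on ingest: one JSON object per line."""
    return [json.loads(line) for line in lines]


class BruteForceDetector:
    """Sliding window over auth_failure events: alert when a single client IP produces
    `threshold` or more failures within `window_seconds`."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self.failures: Dict[str, deque] = defaultdict(deque)

    def observe(self, line: str) -> Optional[dict]:
        event = json.loads(line)
        if event.get("event") != "auth_failure":
            return None
        recent = self.failures[event["client_ip"]]
        recent.append(event["ts"])
        while recent and event["ts"] - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            return {
                "alert": "possible_credential_bruteforce",
                "client_ip": event["client_ip"],
                "count": len(recent),
                "window_s": self.window,
                "last_username": event["username"],
            }
        return None


def run_demo():
    """Constructed events: six failures from one IP in six seconds, plus one failure
    whose username carries a log-injection attempt."""
    login = "/identity/api/auth/login"
    lines = [
        auth_failure_event(1000 + i, "203.0.113.7", f"user{i}@example.com", login, "bad_password")
        for i in range(6)
    ]
    injected_name = 'eve\n{"ts":1010,"event":"auth_success","username":"admin"}'
    lines.append(auth_failure_event(1010, "198.51.100.2", injected_name, login, "bad_password"))
    detector = BruteForceDetector(threshold=5, window_seconds=60)
    alerts = [alert for alert in map(detector.observe, lines) if alert]
    return lines, alerts


if __name__ == "__main__":
    log_lines, fired = run_demo()
    print("\n".join(log_lines))
    print("alerts:", fired)
```

Logs built this way can be shipped straight to a SIEM; the detector is the shape of the rule you would express there (count of auth_failure grouped by client_ip over a time window). Treat the lines as sensitive data: they contain usernames and client addresses, so protect them at rest and in transit as the list above requires.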
20 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API06-Mass-Assignment/README.md: -------------------------------------------------------------------------------- 1 | # API06: Mass Assignment 2 | 3 | Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on an allowlist, usually leads to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to. 4 | 5 | Objects in modern applications might contain many properties. Some of these properties should be updated directly by the client (e.g., user.first_name or user.address) and some of them should not (e.g., user.is_vip flag). 6 | 7 | An API endpoint is vulnerable if it automatically converts client parameters into internal object properties, without considering the sensitivity and the exposure level of these properties. This could allow an attacker to update object properties that they should not have access to. 8 | 9 | Examples for sensitive properties: 10 | 11 | * Permission-related properties: user.is_admin, user.is_vip should only be set by admins. 12 | * Process-dependent properties: user.cash should only be set internally after payment verification. 13 | * Internal properties: article.created_time should only be set internally by the application. 14 | 15 | ## How To Prevent 16 | 17 | * If possible, avoid using functions that automatically bind a client’s input into code variables or internal objects. 18 | * Whitelist only the properties that should be updated by the client. 19 | * Use built-in features to blacklist properties that should not be accessed by clients. 20 | * If applicable, explicitly define and enforce schemas for the input data payloads. 
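The Mass Assignment section above and the Excessive Data Exposure section (API03) earlier on this page are two sides of the same mistake: binding or serialising whole objects instead of an explicit set of properties. The Python block below is an added example, not code from the training repository or from crAPI, that serves both sections: it shows automatic binding of every JSON key onto a user object beside an allowlist-based update, and a generic "dump all attributes" response beside explicit per-consumer response shapes. The `User` fields, the allowlist and the sample payloads are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Any, Dict


@dataclass
class User:
    id: int
    email: str
    first_name: str
    address: str
    password_hash: str
    is_admin: bool = False   # permission-related: only admins may set this
    is_vip: bool = False     # permission-related
    cash: int = 0            # process-dependent: set only after payment verification


class RejectedFields(ValueError):
    """Raised when a client payload carries properties it may not set."""


# API06 control: the only properties a client may change on its own profile.
CLIENT_UPDATABLE = frozenset({"first_name", "address"})


def make_demo_user() -> User:
    """Constructed sample user."""
    return User(1, "alice@example.com", "Alice", "Main St 1", "$argon2id$v=19$m=65536,t=3,p=4$demo$hash")


def update_user_vulnerable(user: User, payload: Dict[str, Any]) -> User:
    """Mass assignment: every JSON key becomes an attribute, so {"is_admin": true}
    in the request body grants admin rights."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def update_user_secure(user: User, payload: Dict[str, Any]) -> User:
    """Allowlist binding: anything outside CLIENT_UPDATABLE is rejected with a 4xx
    instead of being silently bound. (Silently dropping is acceptable too, but rejecting
    makes probing visible in the logs.)"""
    unexpected = set(payload) - CLIENT_UPDATABLE
    if unexpected:
        raise RejectedFields(sorted(unexpected))
    return replace(user, **payload)


def to_dict_vulnerable(user: User) -> Dict[str, Any]:
    """Excessive data exposure: a generic to_json() that leaks password_hash, is_admin,
    cash and anything added to the model later."""
    return dict(vars(user))


def to_public_dict(user: User) -> Dict[str, Any]:
    """API03 control: explicit response shape for an anonymous or third-party consumer."""
    return {"id": user.id, "email": user.email, "first_name": user.first_name}


def to_owner_dict(user: User) -> Dict[str, Any]:
    """Explicit response shape for the account owner: more fields, still no secrets or
    internal flags. 'Who is the consumer?' decides which shape an endpoint returns."""
    return {**to_public_dict(user), "address": user.address, "is_vip": user.is_vip}


if __name__ == "__main__":
    attack = {"first_name": "Alice", "is_admin": True}
    print("vulnerable:", update_user_vulnerable(make_demo_user(), attack).is_admin)  # True
    try:
        update_user_secure(make_demo_user(), attack)
    except RejectedFields as rejected:
        print("secure: rejected", rejected)
    print("leaky response:", sorted(to_dict_vulnerable(make_demo_user())))
    print("public response:", to_public_dict(make_demo_user()))
```

Enforcing a request schema (for example JSON Schema with `additionalProperties: false`) at the API boundary achieves the same effect as `CLIENT_UPDATABLE` one layer earlier, and a response schema turns `to_public_dict` into a contract that a test can check.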
-------------------------------------------------------------------------------- /Hacking-for-API-Developers/API04-Lack-of-Resources-and-Rate-Limiting/README.md: -------------------------------------------------------------------------------- 1 | # API04: Lack of Resources and Rate Limiting 2 | 3 | Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force. 4 | 5 | API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the user input and endpoint business logic. Also, consider the fact that requests from multiple API clients compete for resources. An API is vulnerable if at least one of the following limits is missing or set inappropriately (e.g., too low/high): 6 | 7 | * Execution timeouts 8 | * Max allocable memory 9 | * Number of file descriptors 10 | * Number of processes 11 | * Request payload size (e.g., uploads) 12 | * Number of requests per client/resource 13 | * Number of records per page to return in a single request response 14 | 15 | ## How To Prevent 16 | * Docker makes it easy to limit memory, CPU, number of restarts, file descriptors, and processes. 17 | * Implement a limit on how often a client can call the API within a defined timeframe. 18 | * Notify the client when the limit is exceeded by providing the limit number and the time at which the limit will be reset. 19 | * Add proper server-side validation for query string and request body parameters, specifically the one that controls the number of records to be returned in the response. 20 | * Define and enforce maximum size of data on all incoming parameters and payloads such as maximum length for strings and maximum number of elements in arrays. 
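The prevention list above asks for a per-client call limit over a defined timeframe, for the client to be told the limit and the reset time when it is exceeded, and for server-side caps on page size and payload size. The Python block below is an added example, not code from the training repository or from crAPI, that implements a sliding-window limiter returning the conventional `X-RateLimit-*` and `Retry-After` headers (a widely used de-facto convention, not a standard the page cites), plus the two cap functions. Limits, client keys and timestamps are constructed for this example; in production the client key would be the authenticated principal or the source IP, and the counters would live in a shared store.

```python
import math
from collections import defaultdict, deque
from typing import Dict, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key within any `window_seconds` span."""

    def __init__(self, limit: int = 100, window_seconds: int = 60) -> None:
        self.limit = limit
        self.window = window_seconds
        self.hits: Dict[str, deque] = defaultdict(deque)

    def check(self, client_key: str, now: float) -> Tuple[bool, Dict[str, str]]:
        """Returns (allowed, headers). On denial the caller answers 429 with the headers."""
        recent = self.hits[client_key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                      # drop hits that fell out of the window
        if len(recent) < self.limit:
            recent.append(now)
            reset = math.ceil(recent[0] + self.window)
            return True, {
                "X-RateLimit-Limit": str(self.limit),
                "X-RateLimit-Remaining": str(self.limit - len(recent)),
                "X-RateLimit-Reset": str(reset),  # epoch seconds when the oldest hit expires
            }
        reset = math.ceil(recent[0] + self.window)
        return False, {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": "0",
            "X-RateLimit-Reset": str(reset),
            "Retry-After": str(max(1, math.ceil(recent[0] + self.window - now))),
        }


def clamp_page_size(raw, default: int = 20, maximum: int = 100) -> int:
    """Server-side validation of the parameter that controls how many records one
    response returns: absent -> default, non-integer or < 1 -> 400, too large -> capped."""
    if raw is None:
        return default
    try:
        requested = int(raw)
    except (TypeError, ValueError):
        raise ValueError("page_size must be an integer")
    if requested < 1:
        raise ValueError("page_size must be >= 1")
    return min(requested, maximum)


class PayloadTooLarge(ValueError):
    """Maps to HTTP 413."""


def enforce_body_limit(body: bytes, max_bytes: int = 64 * 1024) -> bytes:
    """Reject oversized request bodies before parsing them; parsing is where the memory
    and CPU cost is incurred."""
    if len(body) > max_bytes:
        raise PayloadTooLarge(f"{len(body)} bytes > {max_bytes}")
    return body


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3, window_seconds=60)
    for t in (0, 1, 2, 3):
        allowed, headers = limiter.check("203.0.113.7", now=t)
        print(t, "allowed" if allowed else "429", headers)
    print("page size for ?page_size=1000 ->", clamp_page_size("1000"))
```

A per-client limit of this kind is also the control that makes the dictionary attack on the login endpoint impractical: each failed attempt costs the attacker a slot in the window, and the 429 with `Retry-After` is visible in the logs as probing.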
-------------------------------------------------------------------------------- /Hacking-for-API-Developers/API05-Broken-Function-Level-Authorization/README.md: -------------------------------------------------------------------------------- 1 | # API05: Broken Function Level Authorization 2 | 3 | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions. 4 | 5 | The best way to find broken function level authorization issues is to perform deep analysis of the authorization mechanism, while keeping in mind the user hierarchy, different roles or groups in the application, and asking the following questions: 6 | 7 | * Can a regular user access administrative endpoints? 8 | * Can a user perform sensitive actions (e.g., creation, modification, or erasure) that they should not have access to by simply changing the HTTP method (e.g., from GET to DELETE)? 9 | * Can a user from group X access a function that should be exposed only to users from group Y, by simply guessing the endpoint URL and parameters (e.g., /api/v1/users/export_all)? 10 | 11 | Don’t assume that an API endpoint is regular or administrative only based on the URL path. 12 | 13 | ## How To Prevent 14 | 15 | Your application should have a consistent and easy to analyze authorization module that is invoked from all your business functions. Frequently, such protection is provided by one or more components external to the application code. 16 | 17 | * The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function. 18 | * Review your API endpoints against function level authorization flaws, while keeping in mind the business logic of the application and groups hierarchy. 
19 | * Make sure that all of your administrative controllers inherit from an administrative abstract controller that implements authorization checks based on the user's group/role.
20 | * Make sure that administrative functions inside a regular controller implement authorization checks based on the user's group and role.
21 | 
22 | 
--------------------------------------------------------------------------------
/Hacking-for-API-Developers/API07-Security-Misconfiguration/README.md:
--------------------------------------------------------------------------------
1 | # API07: Security Misconfiguration
2 | 
3 | Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.
4 | 
5 | The API might be vulnerable if:
6 | 
7 | * Appropriate security hardening is missing across any part of the application stack, or permissions on cloud services are improperly configured.
8 | * The latest security patches are missing, or the systems are out of date.
9 | * Unnecessary features are enabled (e.g., HTTP verbs the API does not need).
10 | * Transport Layer Security (TLS) is missing.
11 | * Security directives are not sent to clients (e.g., [Security Headers](https://owasp.org/www-project-secure-headers/#div-headers)).
12 | * A Cross-Origin Resource Sharing (CORS) policy is missing or improperly set.
13 | * Error messages include stack traces, or other sensitive information is exposed.
14 | 
15 | ## How To Prevent
16 | 
17 | The API life cycle should include:
18 | 
19 | * A repeatable hardening process leading to fast and easy deployment of a properly locked down environment.
20 | * A task to review and update configurations across the entire API stack. The review should include: orchestration files, API components, and cloud services (e.g., S3 bucket permissions).
21 | * A secure communication channel (TLS) for all API interactions and for access to static assets (e.g., images).
22 | * An automated process to continuously assess the effectiveness of the configuration and settings in all environments.
23 | 
24 | Further Requirements:
25 | 
26 | * To prevent exception traces and other valuable information from being sent back to attackers, define and enforce all API response payload schemas, including error responses.
27 | * Ensure the API can only be accessed via the HTTP verbs it actually needs. All other HTTP verbs should be disabled (e.g. HEAD), so that an unexpected method cannot reach a handler that skips the authorization checks of the expected one.
28 | * APIs expecting to be accessed from browser-based clients (e.g., a web-app front-end) should implement a proper Cross-Origin Resource Sharing (CORS) policy.
29 | 
--------------------------------------------------------------------------------
/Hacking-for-Web-Application-Developers/A04-Insecure-Design/README.md:
--------------------------------------------------------------------------------
1 | # A04: Insecure Design
2 | 
3 | **Insecure design** is a broad category representing different weaknesses, expressed as *missing or ineffective control design*. Insecure design is not the source of all other Top 10 risk categories. There is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects for a reason: they have different root causes and different remediation.
4 | 
5 | A secure design can still have implementation defects leading to vulnerabilities that may be exploited.
6 | 
7 | An insecure design cannot be fixed by a perfect implementation because, by definition, the needed security controls were never created to defend against specific attacks. One of the factors that contribute to insecure design is the lack of business risk profiling for the software or system being developed, and thus the failure to determine what level of security design is required.
8 | 9 | This includes the following topics: 10 | 11 | * Establish and use a secure development lifecycle with AppSec professionals to help evaluate and design security and privacy-related controls 12 | * Establish and use a library of [secure design patterns](https://patchstack.com/articles/security-design-principles-owasp/) or paved-road, ready-to-use components 13 | * Use [threat modeling](https://www.threatmodelingmanifesto.org/) for critical authentication, access control, business logic, and key flows 14 | * Integrate security language and controls into user stories 15 | * Integrate plausibility checks at each tier of your application (from frontend to backend) 16 | * Write [unit and integration tests](https://martinfowler.com/articles/practical-test-pyramid.html) to validate that all critical flows are resistant to the threat model 17 | * Compile use cases and [misuse cases](https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html) for each tier of your application 18 | * Segregate tier layers on the system and network layers depending on the exposure and protection needs 19 | * Segregate tenants robustly by design throughout all tiers 20 | * Limit resource consumption by user or service 21 | 22 | ## Challenges 23 | 24 | There are no challenges for **Insecure Design**. -------------------------------------------------------------------------------- /Supply-Chain-Security/README.md: -------------------------------------------------------------------------------- 1 | # Supply Chain Security 2 | 3 | 4 | As part of this training we will use [OWASP Dependency Track](https://dependency-track.org). 5 | 6 | ![alt owasp-dep_check](images/dependency_track_integrations.png "Dependency Track Integrations") 7 | 8 | As you can see in the picture, this tool uses [CycloneDX](https://cyclonedx.org/) as its exchange format. 
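To show what Dependency Track does with a CycloneDX document once it is uploaded, here is an added example (written for this page, not code from Dependency Track or CycloneDX) that parses a CycloneDX JSON SBOM into a component inventory and flags every component whose version is below a known fix. The SBOM, the package names and the advisory ids are constructed for the demo.

```python
"""Read a CycloneDX JSON SBOM and match its components against advisories.

Added example for this training, not code from Dependency Track or CycloneDX.
It does, in miniature, what Dependency Track does with an uploaded SBOM:
build a component inventory from the document and flag versions below a
known fix. The SBOM and the advisory list are constructed for the demo; real
SBOMs come from the CycloneDX build plugins, real advisories from a
vulnerability database.
"""
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX 1.4 JSON document in the shape the plugins emit.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "com.example", "name": "http-client", "version": "2.3.0",
         "purl": "pkg:maven/com.example/http-client@2.3.0"},
        {"type": "library", "name": "left-trim", "version": "1.0.4",
         "purl": "pkg:npm/left-trim@1.0.4"},
        {"type": "library", "name": "yaml-tools", "version": "0.9.1",
         "purl": "pkg:npm/yaml-tools@0.9.1"},
    ],
})

# Constructed advisories: the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "DEMO-ADV-001", "type": "maven", "name": "http-client", "fixed_in": "2.4.0"},
    {"id": "DEMO-ADV-002", "type": "npm", "name": "left-trim", "fixed_in": "1.0.4"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.0' -> (2, 3, 0). Pre-release labels are dropped; good enough for the demo."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:      # so that '2.4' and '2.4.0' compare equal
        parts.append(0)
    return tuple(parts)


def purl_type(purl: str) -> str:
    """Package ecosystem from a purl, e.g. 'pkg:npm/left-trim@1.0.4' -> 'npm'."""
    if not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0]


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Inventory of (ecosystem, name, version, purl) for every component in the SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inventory = []
    for comp in doc.get("components", []):
        purl = comp.get("purl", "")
        inventory.append({
            "type": purl_type(purl),
            "name": comp["name"],
            "version": comp["version"],
            "purl": purl,
        })
    return inventory


def find_affected(inventory: List[Dict[str, str]],
                  advisories: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(purl, advisory id) for every component whose version is below the advisory's fix."""
    hits = []
    for comp in inventory:
        for adv in advisories:
            same_package = adv["type"] == comp["type"] and adv["name"] == comp["name"]
            if same_package and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["purl"], adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_affected(load_components(SAMPLE_SBOM), ADVISORIES):
        print(f"{purl}: affected by {adv_id}")
```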
9 | 10 | It is possible to automatically generate this format for all commonly used software packaging systems and programming languages, for example: 11 | 12 | * [Java/Kotlin with Gradle](https://github.com/CycloneDX/cyclonedx-gradle-plugin) 13 | * [Java/Kotlin with Maven](https://github.com/CycloneDX/cyclonedx-maven-plugin) 14 | * [Javascript/Typescript & Node.js](https://github.com/CycloneDX/cyclonedx-node-npm) 15 | * [C# with .NET](https://github.com/CycloneDX/cyclonedx-dotnet) 16 | 17 | ## Setup 18 | 19 | ### OWASP Dependency Track 20 | 21 | For the training labs we will just use the simplest way to install OWASP Dependency Track. 22 | 23 | Just follow the instructions in the 24 | [Dependency Track Quickstart](https://docs.dependencytrack.org/getting-started/deploy-docker/#quickstart-docker-compose). 25 | 26 | ## The Labs 27 | 28 | 29 | ## References 30 | 31 | * [Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161r1)](https://doi.org/10.6028/NIST.SP.800-161r1) 32 | * [Software Supply Chain Security (Synopsys)](https://www.synopsys.com/glossary/what-is-software-supply-chain-security.html) 33 | * [Threat Landscape for Supply Chain Attacks (European Union Agency For Cybersecurity)](https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks) 34 | * [What is software supply chain security and why does it matter? (GitHub)](https://github.blog/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog/) 35 | * [Supply Chain Security: Mitigating the Supply Chain Threat (Aqua Security)](https://www.aquasec.com/cloud-native-academy/supply-chain-security/supply-chain-security-mitigating-the-supply-chain-threat/) 36 | * [What is an SBOM? 
(Aqua Security)](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) 37 | * [OWASP Software Component Verification Standard (SCVS)](https://owasp.org/www-project-software-component-verification-standard/) 38 | 39 | 40 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API02-Broken-User-Authentication/README.md: -------------------------------------------------------------------------------- 1 | # API02: Broken User Authentication 2 | 3 | ## Description 4 | 5 | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently. Compromising a system’s ability to identify the client/user compromises API security overall. 6 | Authentication in APIs is a complex and confusing mechanism. Software and security engineers might have misconceptions about where the boundaries of authentication lie and how to implement it correctly. 7 | 8 | ## Vulnerability 9 | 10 | An API is vulnerable if it: 11 | 12 | * Permits [credential stuffing](https://owasp.org/www-community/attacks/Credential_stuffing), whereby the attacker has a list of valid usernames and passwords. 13 | * Permits attackers to perform a brute force attack on the same user account without presenting a captcha/account lockout mechanism. 14 | * Permits [weak passwords](https://pages.nist.gov/800-63-3/sp800-63b.html#appA). 15 | * Sends sensitive authentication details, such as auth tokens and passwords, in the URL. 16 | * Doesn’t validate the authenticity of tokens. 17 | * Accepts unsigned/weakly signed JWTs ("alg":"none") or doesn’t validate their expiration date. 18 | * Uses plain text, non-encrypted, or weakly hashed passwords. 19 | * Uses weak encryption keys. 20 | 21 | ## Forge JWT 22 | 23 | To make it easier to play around with JSON Web Tokens (JWT), the `jwt_tool` can be used. 
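The defender-side counterpart to the token bullets above is an added example written for this page (not part of jwt_tool, crAPI or this repository): a JWT verifier that pins the algorithm server-side so an "alg":"none" or otherwise unsigned token is rejected, compares the HS256 signature in constant time, and refuses tokens with a missing or past `exp` claim. The secret and the tokens are constructed for the demo.

```python
"""Verify an HS256 JWT the way the checklist above requires.

Added example for this training (not part of jwt_tool, crAPI or this repo):
the server pins the algorithm instead of trusting the token header, so an
"alg":"none" or otherwise unsigned token is rejected; the HMAC is compared in
constant time; and a missing or past "exp" claim fails verification.
All secrets and tokens below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a properly signed token; used here only to build inputs for verify_hs256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Token with "alg":"none" and an empty signature, used here only as a test
    input so the verifier below can be shown rejecting it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token, or raise ValueError.

    Each rejection maps to a bullet in the vulnerability list: unsigned or
    "alg":"none" tokens, a wrong or missing signature, a missing or past "exp".
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token header is attacker-controlled.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm: %r" % header.get("alg"))

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time compare: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no usable expiration")
    if now >= exp:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Convenience wrapper for callers that only need an accept/reject answer."""
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # never hard-code a real secret
    good = sign_hs256({"sub": "user@example.com", "exp": 2_000_000_000}, secret)
    print("signed token accepted:", is_valid(good, secret))
    print("alg=none token rejected:", not is_valid(unsigned_token({"sub": "admin"}), secret))
```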
24 | See the `jwt_tool` repository for more information. 25 | 26 | To install it you need to have Python 3 installed; then just follow these steps: 27 | 28 | ```bash 29 | git clone https://github.com/ticarpi/jwt_tool 30 | python3 -m pip install termcolor cprint pycryptodomex requests 31 | ``` 32 | 33 | To use it: 34 | 35 | 1. Change into the `jwt_tool` directory 36 | 2. Call it using `python3 jwt_tool.py -h` (the `-h` flag prints the usage help) 37 | 38 | ### Brute force attack on JWT signature secret key 39 | 40 | To perform a brute force attack that retrieves the secret key used to create a valid signature for a JWT, you can use the provided `crack.sh` script with one of the included word lists. 41 | 42 | ### Exploit JWT 43 | 44 | You can also try to modify a JWT to exploit the authentication using the provided `exploit.sh` script. 45 | -------------------------------------------------------------------------------- /Cryptography-for-Developers/README.md: -------------------------------------------------------------------------------- 1 | # Cryptography for Developers 2 | 3 | In this hands-on hacking training, the most common cryptographic concepts and algorithms are presented to teach developers how to use cryptography securely. 4 | 5 | ## Cryptography 1x1 6 | 7 | ### Encryption 8 | 9 | #### Symmetric 10 | 11 | #### Asymmetric (Private/Public Key) 12 | 13 | ### Hashing 14 | 15 | ### Signatures and Certificates 16 | 17 | ### SSL/TLS 18 | 19 | ## Setup 20 | 21 | 22 | ### Web Proxy 23 | 24 | #### OWASP ZAP 25 | 26 | Follow the setup instructions on https://www.zaproxy.org/download/. 27 | 28 | Starting with version 2.8.0, OWASP ZAP includes a _Heads Up Display_. Look into the 29 | corresponding [OWASP ZAP HUD GitHub project](https://github.com/zaproxy/zap-hud) to learn more about this fascinating feature. 30 | 31 | ### REST API clients 32 | 33 | #### Postman 34 | 35 | To make calls to the REST API of the Juice Shop via a comfortable UI you may use Postman. 
36 | Follow the setup instructions on https://www.postman.com/downloads. 37 | 38 | #### Httpie 39 | 40 | If you are more used to making calls to the REST API of the Juice Shop via the command line, you may try Httpie. 41 | Follow the setup instructions on https://httpie.org. 42 | 43 | #### Curl 44 | 45 | If you are more used to making calls to the REST API of the Juice Shop via the command line, you may also try the classic Curl. 46 | Follow the setup instructions on https://curl.haxx.se. 47 | 48 | ### The Labs 49 | 50 | The labs are categorized according to the cryptographic types. 51 | 52 | * [API01: Broken Object Level Authorization](API01-Broken-Object-Level-Authorization/README.md) 53 | * [API02: Broken User Authentication](API02-Broken-User-Authentication/README.md) 54 | * [API03: Excessive Data Exposure](API03-Excessive-Data-Exposure/README.md) 55 | * [API04: Lack of Resources and Rate Limiting](API04-Lack-of-Resources-and-Rate-Limiting/README.md) 56 | * [API05: Broken Function Level Authorization](API05-Broken-Function-Level-Authorization/README.md) 57 | * [API06: Mass Assignment](API06-Mass-Assignment/README.md) 58 | * [API07: Security Misconfiguration](API07-Security-Misconfiguration/README.md) 59 | * [API08: Injection](API08-Injection/README.md) 60 | * [API09: Improper Assets Management](API09-Improper-Assets-Management/README.md) 61 | * [API10: Insufficient Logging and Monitoring](API10-Insufficient-Logging-and-Monitoring/README.md) 62 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/API09-Improper-Assets-Management/README.md: -------------------------------------------------------------------------------- 1 | # API09: Improper Assets Management 2 | 3 | APIs tend to expose more endpoints than traditional web applications, making proper and up-to-date documentation highly important. 
A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and exposed debug endpoints. 4 | 5 | The API might be vulnerable if: 6 | 7 | * The purpose of an API host is unclear, and there are no explicit answers to the following questions: 8 | * Which environment is the API running in (e.g., production, staging, test, development)? 9 | * Who should have network access to the API (e.g., public, internal, partners)? 10 | * Which API version is running? 11 | * What data is gathered and processed by the API (e.g., PII)? 12 | * What's the data flow? 13 | * There is no documentation, or the existing documentation is not updated. 14 | * There is no retirement plan for each API version. 15 | * The host inventory is missing or outdated. 16 | * The inventory of integrated services, either first- or third-party, is missing or outdated. 17 | * Old or previous API versions are running unpatched. 18 | 19 | ## How To Prevent 20 | 21 | * Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g., production, staging, test, development), who should have network access to the host (e.g., public, internal, partners) and the API version. 22 | * Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and its sensitivity. 23 | * Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy and endpoints, including their parameters, requests, and responses. 24 | * Generate documentation automatically by adopting open standards. Include the documentation build in your CI/CD pipeline. 25 | * Make API documentation available to those authorized to use the API. 26 | * Use external protection measures such as API security firewalls for all exposed versions of your APIs, not just for the current production version. 
27 | * Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones. 28 | * When newer versions of APIs include security improvements, perform a risk analysis to decide on the mitigation actions required for the older version: for example, whether it is possible to backport the improvements without breaking API compatibility, or whether you need to take the older version out quickly and force all clients to move to the latest version. 29 | -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/A02-Cryptographic-Failures/README.md: -------------------------------------------------------------------------------- 1 | # A02: Cryptographic Failures 2 | 3 | The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., the EU's [General Data Protection Regulation (GDPR)](https://gdpr.eu/), or regulations, e.g., financial data protection such as the [PCI Data Security Standard (PCI DSS)](https://www.pcisecuritystandards.org/): 4 | 5 | * Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP and FTP, including those using TLS upgrades like STARTTLS. External internet traffic is hazardous. Verify all internal traffic, e.g., between load balancers, web servers, or back-end systems. 6 | * Are any old or weak cryptographic algorithms or protocols used either by default or in older code? 7 | * Are default crypto keys in use, are weak crypto keys generated or re-used, or is proper key management or rotation missing? Are crypto keys checked into source code repositories? 8 | * Is encryption not enforced, e.g., are any browser security directives or HTTP headers missing? 
9 | * Are the received server certificate and its trust chain properly validated? 10 | * Are initialization vectors ignored, reused, or not generated securely enough for the cryptographic mode of operation? Is an insecure mode of operation such as ECB in use? Is encryption used when authenticated encryption is more appropriate? 11 | * Are passwords being used as cryptographic keys in the absence of a password-based key derivation function? 12 | * Is randomness used for cryptographic purposes that was not designed to meet cryptographic requirements? Even if the correct function is chosen, does it need to be seeded by the developer, and if not, has the developer overwritten the strong seeding functionality built into it with a seed that lacks sufficient entropy/unpredictability? 13 | * Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed? 14 | * Are deprecated cryptographic padding methods such as PKCS #1 v1.5 in use? 15 | * Are cryptographic error messages or side channel information exploitable, for example in the form of padding oracle attacks? 16 | 17 | ## Table of Challenges 18 | 19 | * [Challenge 1: Find and open a confidential document (Sensitive Data Exposure)](#challenge-1-find-and-open-a-confidential-document-sensitive-data-exposure) 20 | 21 | 22 | **HINT:** [Install Postman](https://www.getpostman.com/apps) and [OWASP ZAP](https://www.zaproxy.org/download) if you haven't done so yet. 23 | 24 | ## Challenges 25 | 26 | ### Challenge 1: Find and open a confidential document (Sensitive Data Exposure) 27 | 28 | **Tips:** 29 | 30 | - A scan of the **OWASP Juice Shop** by [OWASP ZAP](https://www.zaproxy.org/download) might help you. 31 | 32 | - Search for hidden links to areas you haven't seen before (with **OWASP ZAP** or in the user interface). 33 | 34 | - Inspect the `About Us` section. 
35 | -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/README.md: -------------------------------------------------------------------------------- 1 | # Hacking for Web Application Developers (powered by OWASP Juice Shop) 2 | 3 | In this hands-on hacking training, the most critical risks in web applications are presented to teach frontend and backend developers how to develop a secure web application. 4 | 5 | After introducing the [Open Web Application Security Project Top 10 2021 (OWASP Top 10 2021)](https://owasp.org/Top10/), a selection of the application security risks listed in the OWASP Top 10 will be described step by step. 6 | 7 | ![alt owasp-top-10-2021](images/mapping_owasp_top_10_2021.png "OWASP Top 10 (2021)") 8 | 9 | Almost every security risk of the selection has its own folder with certain challenges to solve. In these challenges, the participants of the course have to find various security flaws in 10 | the [OWASP Juice Shop](https://github.com/bkimminich/juice-shop), which is an intentionally vulnerable web application. 11 | The descriptions of the challenges include tips to help find the right way of hacking the application. 12 | 13 | Always read only one tip first, then try to solve the challenge. If you have no idea how to proceed, read the next tip. 14 | 15 | **IMPORTANT:** It is recommended to do the security training in the given order, as the challenges might depend on each other. 16 | 17 | ## Setup 18 | 19 | ### OWASP Juice Shop 20 | 21 | Follow the setup instructions on https://github.com/juice-shop/juice-shop#setup 22 | (installation using a _Docker Container_ is recommended). 23 | 24 | ```bash 25 | docker pull bkimminich/juice-shop:v14.2.1 26 | docker run --rm -p 3000:3000 bkimminich/juice-shop:v14.2.1 27 | ``` 28 | 29 | ### Web Proxy 30 | 31 | #### OWASP ZAP 32 | 33 | Follow the setup instructions on https://www.zaproxy.org/download/. 
34 | 35 | Starting with version 2.8.0, OWASP ZAP includes a _Heads Up Display_. Look into the 36 | corresponding [OWASP ZAP HUD GitHub project](https://github.com/zaproxy/zap-hud) to learn more about this fascinating feature. 37 | 38 | ### REST API clients 39 | 40 | #### Postman 41 | 42 | To make calls to the REST API of the Juice Shop via a comfortable UI you may use Postman. 43 | Follow the setup instructions on https://www.postman.com/downloads. 44 | 45 | #### Httpie 46 | 47 | If you are more used to making calls to the REST API of the Juice Shop via the command line, you may try Httpie. 48 | Follow the setup instructions on https://httpie.org. 49 | 50 | #### Curl 51 | 52 | If you are more used to making calls to the REST API of the Juice Shop via the command line, you may also try the classic Curl. 53 | Follow the setup instructions on https://curl.haxx.se. 54 | 55 | ### The Challenges 56 | 57 | The challenges are categorized according to the OWASP Top 10 (2021) list. 58 | 59 | * [A01: Broken Access Control](A01-Broken-Access-Control/README.md) 60 | * [A02: Cryptographic Failures](A02-Cryptographic-Failures/README.md) 61 | * [A03: Injection](A03-Injection/README.md) 62 | * [A04: Insecure Design](A04-Insecure-Design/README.md) 63 | * [A05: Security Misconfiguration](A05-Security-Misconfiguration/README.md) 64 | * [A06: Vulnerable and Outdated Components](A06-Vulnerable-and-Outdated-Components/README.md) 65 | * [A07: Identification and Authentication Failures](A07-Identification-and-Authentication-Failures/README.md) 66 | * [A08: Software and Data Integrity Failures](A08-Software-and-Data-Integrity-Failures/README.md) 67 | * [A09: Security Logging and Monitoring Failures](A09-Security-Logging-and-Monitoring-Failures/README.md) 68 | * [A10: Server Side Request Forgery](A10-Server-Side-Request-Forgery/README.md) 69 | 70 | ## Useful links 71 | 72 | * [Complete documentation about OWASP Juice Shop](https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/) 73 | * [The Page of the OWASP 
Juice Shop Project in The OWASP Foundation Wiki.](https://www.owasp.org/index.php/OWASP_Juice_Shop) 74 | * [The OWASP Top 10: Description of each application security risk in OWASP](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf) 75 | * [Postman API Development Environment](https://www.getpostman.com/downloads/) 76 | * [Httpie HTTP command line client](https://httpie.org/) 77 | * [Curl HTTP command line client](https://curl.haxx.se/) 78 | * [OWASP ZAP Web Security Proxy & Scanner](https://github.com/zaproxy/zaproxy/wiki/Downloads) -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/A07-Identification-and-Authentication-Failures/README.md: -------------------------------------------------------------------------------- 1 | # Challenge Collection 2: Broken Authentication 2 | 3 | **Broken Authentication** is the consequence of programming flaws in session management and authentication. An insufficient design of identity and access control can lead to security gaps. Attackers are able to exploit these security gaps by using automated tools for brute-force attacks. The worst case is that attackers gain access to administrator accounts, obtain sensitive data and get the possibility of identity theft. 
4 | 5 | * [Challenge 2.1: Brute-force attack](#challenge-21-brute-force-attack) 6 | * [Tips:](#tips) 7 | * [Challenge 2.2: Create an administrator account](#challenge-22-create-an-administrator-account) 8 | * [Tips:](#tips-1) 9 | * [Challenge 2.3: Take over the session of a previously logged in user](#challenge-23-take-over-the-session-of-a-previously-logged-in-user) 10 | * [Tips:](#tips-2) 11 | * [Challenge 2.4: Change the password of the user account of Bender](#challenge-24-change-the-password-of-the-user-account-of-bender) 12 | * [Tips:](#tips-3) 13 | * [Challenge 2.5: Log in with the user account of Bjoern](#challenge-25-log-in-with-the-user-account-of-bjoern) 14 | * [Tips:](#tips-4) 15 | 16 | **HINT:** Make sure that you download [Postman](https://www.getpostman.com/apps) and [OWASP ZAP](https://github.com/zaproxy/zaproxy/wiki/Downloads). 17 | 18 | ## Challenge 2.1: Brute-force attack 19 | Log in with the original password of the administrator without SQL injection or changing the password. Detect the password with a **brute force attack**. For example, you could use [OWASP ZAP](https://github.com/zaproxy/zaproxy/wiki/Downloads). 20 | 21 | ### Tips: 22 | 23 | 1. **Tip:** His email is admin@juice-sh.op. 24 | 25 | 2. **Tip:** Try to attack the **POST** call on http://localhost:3000/rest/user/login with [OWASP ZAP](https://github.com/zaproxy/zaproxy/wiki/Downloads). 26 | 27 | 3. **Tip:** You need a word list with a top list of the weakest passwords. Browse to https://github.com/danielmiessler/SecLists/tree/master/Passwords. 28 | 29 | 30 | ## Challenge 2.2: Create an administrator account 31 | Create an account that has all administrator permissions. 32 | 33 | ### Tips: 34 | 35 | 1. **Tip:** [Postman](https://www.getpostman.com/apps) could help you. 36 | 37 | 2. **Tip:** Have a look at the **GET** requests in the console of the **Web Development Tool**. 38 | 39 | 3. **Tip:** The **GET** requests sent while interacting with the **administration section** might help you. 
40 | 41 | 42 | ## Challenge 2.3: Take over the session of a previously logged in user 43 | Switch to the session of a previously logged in user without reusing his user credentials. You have to log in to the user account that you want to attack at least once. After a logout, you should try to return to this session without going through the login. 44 | 45 | ### Tips: 46 | 47 | 1. **Tip:** Capture all **GET** and **POST** requests while logging in by ticking the `Persist Logs` option in the console of the **Web Development Tool** or by leaving the console open. 48 | 49 | 2. **Tip:** The token in the tab `Response` might be useful. 50 | 51 | 3. **Tip:** Have a look at the tab `Storage`. 52 | 53 | 4. **Tip:** Log in while observing the tab `Storage`. 54 | 55 | 56 | ## Challenge 2.4: Change the password of the user account of Bender 57 | **Information:** Save this challenge for Chapter 3 - Injection. 58 | 59 | Change the password of the user account of Bender without using the forgot password mechanism, cracking the password hash or SQL injection. You may use SQL injection for the first login, but the final change of the password shouldn't be a result of this method. 60 | 61 | ### Tips: 62 | 63 | 1. **Tip:** His email is bender@juice-sh.op. 64 | 65 | 2. **Tip:** Inspect and adapt the HTTP calls while interacting with the `change password` mechanism. 66 | 67 | 3. **Tip:** [Postman](https://www.getpostman.com/apps) will help you. 68 | 69 | 70 | ## Challenge 2.5: Log in with the user account of Bjoern 71 | Log in with the original user credentials of Bjoern (without SQL injection). 72 | 73 | ### Tips: 74 | 75 | 1. **Tip:** His email is bjoern.kimminich@googlemail.com. 76 | 77 | 2. **Tip:** Bjoern's encrypted password is not an [MD5](https://en.wikipedia.org/wiki/MD5) hash. 78 | 79 | 3. **Tip:** Brute-force attacks and decrypting the password hash won't be possible. 80 | 81 | 4. **Tip:** The registration has been performed via **Google OAuth**. 82 | 83 | 5. 
**Tip:** Have a look at the tab `Debugger` (**Firefox**) or `Sources` (**Chrome**). 84 | 85 | 86 | -------------------------------------------------------------------------------- /Hacking-for-Web-Application-Developers/A01-Broken-Access-Control/README.md: -------------------------------------------------------------------------------- 1 | # A01: Broken Access Control 2 | 3 | **Access Control** enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits. Common access control vulnerabilities include: 4 | 5 | * Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone. 6 | * Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests. 7 | * Permitting viewing or editing someone else's account by providing its unique identifier (insecure direct object references). 8 | * Accessing an API with missing access controls for POST, PUT and DELETE (i.e. CSRF). 9 | * Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user. 10 | * Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation. 11 | * CORS misconfiguration allowing API access from unauthorized/untrusted origins. 12 | * Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. 
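Two of the failure classes above, an insecure direct object reference and a missing function-level check, are what the basket and admin challenges below turn on. The following is an added example written for this page (not Juice Shop's own code) that puts the vulnerable lookup beside a deny-by-default version with an ownership check and a role decorator; users, roles and baskets are constructed in-memory data.

```python
"""Object- and function-level authorization with deny by default.

Added example for this training, not Juice Shop's own code. It models two of
the failure classes listed above on a basket resource: an insecure direct
object reference (a logged-in user reading another user's basket by id) and
a missing role check on an administrative function. Users, roles and baskets
are constructed in-memory data.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Optional


class Forbidden(Exception):
    """Raised for every denied access; a web layer would map it to HTTP 403 (401 without a session)."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"


@dataclass
class Basket:
    id: int
    owner_id: int
    items: List[str] = field(default_factory=list)


USERS: Dict[int, User] = {1: User(1, "admin"), 2: User(2, "customer"), 3: User(3, "customer")}
BASKETS: Dict[int, Basket] = {
    10: Basket(10, owner_id=2, items=["apple juice"]),
    11: Basket(11, owner_id=3, items=["banana juice"]),
}


def get_basket_insecure(session_user: Optional[User], basket_id: int) -> Basket:
    """Vulnerable pattern: the id from the request is trusted, so any caller (even
    without a session) can read any basket just by changing the number."""
    return BASKETS[basket_id]


def get_basket(session_user: Optional[User], basket_id: int) -> Basket:
    """Hardened: the basket must exist AND belong to the authenticated user."""
    if session_user is None:
        raise Forbidden("authentication required")
    basket = BASKETS.get(basket_id)
    # Deny by default, and give a foreign basket and a missing basket the same
    # answer so the endpoint cannot be used to enumerate which ids exist.
    if basket is None or basket.owner_id != session_user.id:
        raise Forbidden("basket not accessible")
    return basket


def require_role(role: str) -> Callable:
    """Function-level check for administrative operations."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(session_user: Optional[User], *args, **kwargs):
            if session_user is None or session_user.role != role:
                raise Forbidden(f"requires role {role}")
            return fn(session_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_users(session_user: User) -> List[int]:
    """Administrative function that must never be reachable for a plain customer."""
    return sorted(USERS)


def can_read_basket(user_id: Optional[int], basket_id: int) -> bool:
    """True if the hardened endpoint would serve this basket to this user."""
    try:
        get_basket(USERS.get(user_id) if user_id is not None else None, basket_id)
        return True
    except Forbidden:
        return False


def can_list_users(user_id: Optional[int]) -> bool:
    """True if the hardened admin function would run for this user."""
    try:
        list_all_users(USERS.get(user_id) if user_id is not None else None)
        return True
    except Forbidden:
        return False
```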
13 | 14 | ## Table of Challenges 15 | 16 | * [Prepare for the challenges:](#prepare-for-the-challenges) 17 | * [Challenge 1: Find the Score Board with the challenge overview](#challenge-1-find-the-score-board-with-the-challenge-overview) 18 | * [Challenge 2: Find the hidden Admin Page](#challenge-2-find-the-hidden-admin-page) 19 | * [Challenge 3: Show the basket of another user:](#challenge-3-show-the-basket-of-another-user) 20 | * [Challenge 4: Write a comment in the name of another user:](#challenge-4-write-a-comment-in-the-name-of-another-user) 21 | * [Challenge 5: Post a product review as another user or edit any user’s existing review](#challenge-5-post-a-product-review-as-another-user-or-edit-any-users-existing-review-forged-review) 22 | * [Challenge 6: Change the description of the product OWASP SSL Advanced Forensic Tool (O-Saft)](#challenge-6-change-the-description-of-the-product-owasp-ssl-advanced-forensic-tool-o-saft) 23 | 24 | **HINT:** Make sure that you download [Postman](https://www.getpostman.com/apps). 25 | 26 | ## Challenges 27 | 28 | ### Prepare for the challenges: 29 | Before starting the first challenge, try to become familiar with the **OWASP Juice Shop**. Try out the functionalities in the menu bar like the `Contact Us` button or the `Search` field, have a look at the **Login Site** and **create an account** in the **OWASP Juice Shop**. After you have done the **user registration**, there might be several new functions available to a logged-in user which you should also try out. 30 | 31 | ### Challenge 1: Find the Score Board with the challenge overview 32 | 33 | The **Score Board** provides an overview of all challenges in the **OWASP Juice Shop**. This subpage cannot be found by navigating through the application, because there is no direct button redirecting to the Score Board yet. 34 | Try to find this secret subpage! 35 | 36 | ![alt score-board](images/score-board.png "Score Board") 37 | 38 | **Tips:** 39 | 40 | - You can try to guess the URL. 
41 | 42 | - Have a look at the **Web Development Tools** of **Mozilla Firefox** or **Google Chrome** 43 | 44 | - **Firefox Users**: The tab `Debugger` --> `Sources` of the **Web Development Tool** will help you. 45 | - **Google Chrome Users**: The tab `Sources` --> `Page` of the **Web Development Tool** will help you. 46 | 47 | - **Tip:** The file `main.js` may include useful information. 48 | 49 | ### Challenge 2: Find the hidden Admin Page 50 | Similar to the **Score Board**, the **Admin Page** is also hidden in the application and cannot be reached by clicking a certain link. Try to find this subpage! 51 | 52 | **Tips:** 53 | 54 | - Have a look at the tips of [Challenge 1](#challenge-1-find-the-score-board-with-the-challenge-overview) 55 | 56 | - Make sure that you are a user in the **OWASP Juice Shop** 57 | 58 | - *Information:* You cannot access this page without being an authorized user. You could probably already guess that from the code. Note down this path for later challenges. 59 | 60 | ### Challenge 3: Show the basket of another user: 61 | Try to show the **basket** of a registered user of the **OWASP Juice Shop** who is not currently logged in. 62 | 63 | **Tips:** 64 | 65 | - You have to be logged in with a registered user 66 | - While interacting with the **basket**, have a look at the HTTP calls 67 | - **Firefox Users**: The tab `Storage` might help you 68 | - **Chrome Users**: The tab `Application` might help you 69 | 70 | ### Challenge 4: Write a comment in the name of another user: 71 | Submit a comment in the `Contact Us` section in the name of the administrator. 72 | 73 | **Tips:** 74 | 75 | - The **Web Development Tool** could help you 76 | 77 | - **Firefox Users**: The tab `Console` might help you. 78 | **Chrome Users**: The tab `Elements` might help you. 79 | 80 | - Search the sources for hidden input fields. 81 | 82 | - Think about a certain attribute you have to change in the database to modify the author of the written comment. 
Searching the sources for the name of this attribute might help you. 83 | 84 | ### Challenge 5: Post a product review as another user or edit any user’s existing review (Forged Review) 85 | 86 | **Tips:** 87 | 88 | - Write a review for a product 89 | - Observe the `Network` tab 90 | 91 | 92 | ### Challenge 6: Change the description of the product "OWASP SSL Advanced Forensic Tool (O-Saft)" 93 | Replace the description of the product **OWASP SSL Advanced Forensic Tool (O-Saft)**. The description should only consist of the word `More...`, which links to `https://owasp.slack.com` (the developer of the **OWASP Juice Shop**). 94 | 95 | **Tips:** 96 | 97 | - Capture the HTTP calls in the `Console` while interacting with the product. 98 | 99 | - Try to find out the id of **OWASP SSL Advanced Forensic Tool (O-Saft)**. 100 | 101 | - Try to interact with the **API** via [Postman](https://www.getpostman.com/apps). 102 | 103 | - The sources could reveal the exact path to interact with the **API**. 104 | 105 | - You can solve the challenge by submitting one **PUT** request. 106 | -------------------------------------------------------------------------------- /Hacking-for-API-Developers/README.md: -------------------------------------------------------------------------------- 1 | # Hacking for API Developers (Powered by OWASP crAPI) 2 | 3 | In this hands-on hacking training, the most critical risks in APIs are presented to teach backend developers how to develop a secure API. 4 | 5 | API stands for **application programming interface**, which is a set of definitions and protocols for building and integrating application software. 6 | 7 | APIs let your product or service communicate with other products and services without having to know how they’re implemented. This can simplify app development, saving time and money. 
When you’re designing new tools and products—or managing existing ones—APIs give you flexibility; simplify design, administration, and use; and provide opportunities for innovation.

APIs are sometimes thought of as contracts, with documentation that represents an agreement between parties.

## Types of APIs

### Representational State Transfer (REST)

The first and most widely used specification is Representational State Transfer (REST). Web APIs that adhere to the REST architectural constraints are called RESTful APIs. In recent years, the OpenAPI specification has emerged as a common standard for describing REST APIs. REST itself is an architectural style, so there is no official standard for RESTful web APIs. As defined in Roy Fielding’s dissertation [*Architectural Styles and the Design of Network-based Software Architectures*](https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm), APIs are RESTful as long as they comply with the following guiding constraints of a RESTful system:

* Client-server architecture: REST architecture is composed of clients, servers, and resources, and it handles requests through HTTP.
* Statelessness: No client context is stored on the server between requests. Information about the session state is instead held by the client.
* Cacheability: Caching can eliminate the need for some client-server interactions.
* Layered system: Client-server interactions can be mediated by additional layers. These layers could offer additional features like load balancing, shared caches, or security.
* Uniform interface: This constraint is core to the design of RESTful APIs and includes 4 facets:
    * Resource identification in requests: Resources are identified in requests and are separate from the representations returned to the client.

    * Resource manipulation through representations: Clients receive files that represent resources.
      These representations must have enough information to allow modification or deletion.

    * Self-descriptive messages: Each message returned to a client contains enough information to describe how the client should process the information.

    * Hypermedia as the engine of application state: After accessing a resource, the REST client should be able to discover through hyperlinks all other actions that are currently available.

The [Richardson Maturity Model](https://martinfowler.com/articles/richardsonMaturityModel.html) breaks down the principal elements into different levels.

### GraphQL

Another API standard to emerge is [GraphQL](https://graphql.org/), a query language and server-side runtime that is an alternative to REST. GraphQL prioritizes giving clients exactly the data they request and no more. As an alternative to REST, GraphQL lets developers construct requests that pull data from multiple data sources in a single API call.
Additionally, GraphQL gives API maintainers the flexibility to add or deprecate fields without impacting existing queries. Developers can build APIs with whatever methods they prefer, and the GraphQL specification ensures they behave in predictable ways for clients.

### gRPC

[gRPC](https://grpc.io/) is a modern, open source, high-performance Remote Procedure Call (RPC) framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in the last mile of distributed computing to connect devices, mobile applications and browsers to backend services. gRPC was initially created by Google.
By default, gRPC uses [Protocol Buffers](https://developers.google.com/protocol-buffers/docs/overview), Google’s mature open source mechanism for serializing structured data (although it can be used with other data formats such as JSON).
## Setup

### OWASP completely ridiculous API (crAPI)

For the hacking labs we will use the [completely ridiculous API (crAPI)](https://github.com/owasp/crapi) provided by OWASP.

crAPI is a platform for vehicle owners to register and manage their vehicles. Following in the footsteps of WebGoat and Juice Shop, crAPI is an intentionally vulnerable application. In contrast to WebGoat and Juice Shop, crAPI is primarily filled with API vulnerabilities for teaching, learning, and practicing API security.

You need to have Docker installed on your local machine to run this application. To set it up locally, just follow the quick start instructions here (if you have a recent Docker version installed you may use `docker compose` instead of `docker-compose`):

https://github.com/owasp/crapi#quickstart-guide

After running the start command as specified in the quickstart guide, you have to wait a few minutes until all containers are reported as started or healthy.

Now check whether the web frontend is running by navigating to http://localhost:8888 in your web browser. Register yourself as a user by clicking the **Signup** button (you don't need to specify valid values here, e.g. use `example.com` as the domain for mail addresses).

There is also a local mail server (MailHog) available. It can be accessed by opening http://localhost:8025 in your web browser.

If you have signed up already, you will see a first mail here with a welcome message for your registered mail address.


### Web Proxy

#### OWASP ZAP

Follow the setup instructions on https://www.zaproxy.org/download/.

Starting with version 2.8.0, OWASP ZAP includes a _Heads Up Display_. Look into the corresponding [OWASP ZAP HUD github project](https://github.com/zaproxy/zap-hud) to learn more about this fascinating feature.
### REST API clients

#### Postman

To make calls to the REST API of the Juice Shop via a comfortable UI you may use Postman.
Follow the setup instructions on https://www.postman.com/downloads.

#### Httpie

If you are more used to making calls to the REST API of the Juice Shop via the command line, you may try Httpie.
Follow the setup instructions on https://httpie.org.

#### Curl

If you are more used to making calls to the REST API of the Juice Shop via the command line, you may also try the classic Curl.
Follow the setup instructions on https://curl.haxx.se.

### The Challenges

The challenges are categorized according to the [OWASP API Security Top 10 (2019)](https://github.com/OWASP/API-Security) list.

* [API01: Broken Object Level Authorization](API01-Broken-Object-Level-Authorization/README.md)
* [API02: Broken User Authentication](API02-Broken-User-Authentication/README.md)
* [API03: Excessive Data Exposure](API03-Excessive-Data-Exposure/README.md)
* [API04: Lack of Resources and Rate Limiting](API04-Lack-of-Resources-and-Rate-Limiting/README.md)
* [API05: Broken Function Level Authorization](API05-Broken-Function-Level-Authorization/README.md)
* [API06: Mass Assignment](API06-Mass-Assignment/README.md)
* [API07: Security Misconfiguration](API07-Security-Misconfiguration/README.md)
* [API08: Injection](API08-Injection/README.md)
* [API09: Improper Assets Management](API09-Improper-Assets-Management/README.md)
* [API10: Insufficient Logging and Monitoring](API10-Insufficient-Logging-and-Monitoring/README.md)

--------------------------------------------------------------------------------
/Hacking-for-Web-Application-Developers/A03-Injection/README.md:
--------------------------------------------------------------------------------

# A03: Injection

An application is vulnerable to attack when:

* User-supplied data is not validated, filtered, or sanitized by the application.
* Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
* Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
* Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.

Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters.

## Table of Challenges

* [SQL Injection and NoSQL Injection](#sql-injection-and-nosql-injection)
    * [Challenge 3.1: Log in as administrator](#challenge-31-log-in-as-administrator)
        * [Tips:](#tips)
    * [Challenge 3.2: Modify a product review](#challenge-32-modify-a-product-review)
        * [Tips:](#tips-1)
    * [Challenge 3.3: Modify multiple product reviews at once](#challenge-33-modify-multiple-product-reviews-at-once)
        * [Tips:](#tips-2)
    * [Challenge 3.4: Cause the server of the juice shop to sleep for 2 seconds](#challenge-34-cause-the-server-of-the-juice-shop-to-sleep-for-2-seconds)
        * [Tips:](#tips-3)
* [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)
    * [Challenge 5.1: Persisted XSS with Postman](#challenge-51-persisted-xss-with-postman)
        * [Tips:](#tips)
    * [Challenge 5.2: Persisted XSS with Postman (2)](#challenge-52-persisted-xss-with-postman-2)
        * [Tips:](#tips-1)
    * [Challenge 5.3: Persisted XSS through the UI](#challenge-53-persisted-xss-through-the-ui)
        * [Tips:](#tips-2)
    * [Challenge 5.4: Reflected XSS](#challenge-54-reflected-xss)
        * [Tips:](#tips-3)
    * [Challenge 5.5: DOM XSS](#challenge-55-dom-xss)
        * [Tips:](#tips-4)

**HINT:** Make sure that you download [OWASP ZAP](https://github.com/zaproxy/zaproxy/wiki/Downloads) and [Postman](https://www.getpostman.com/apps).

## Challenges

### SQL Injection and NoSQL Injection

**SQL injection** flaws are introduced when software developers create dynamic database queries by string concatenation that includes user-supplied input.

**NoSQL injection** attacks may execute in different areas of an application than traditional SQL injection. Where SQL injection executes within the database engine, NoSQL variants may execute within the application layer or the database layer, depending on the NoSQL API used and the data model. Typically, NoSQL injection attacks execute where the attack string is parsed, evaluated, or concatenated into a NoSQL API call.

### Challenge 3.1: Log in as administrator
Get access to the account of the administrator.

#### Tips:

1. **Tip:** His email is admin@juice-sh.op.

2. **Tip:** You don't need the matching password to solve the challenge.

3. **Tip:** Try to corrupt the underlying **SQL** query by inserting invalid input. For example, an apostrophe `'` might help.

4. **Tip:** Have a look at the **Web Development Tool**.


### Challenge 3.2: Modify a product review
Modify the product reviews of the product `Apple Juice (1000 ml)` without being logged in to the administrator account.
Change the first review with the text `One of my favorites!` written by `admin@juice-sh.op` to `Apple Juice has been hacked!`.

#### Tips:

1. **Tip:** Inspect the HTTP calls while opening a product review.

2. **Tip:** Find out which parameters you have to manipulate. Postman will help you with modifying these parameters.

3. **Tip:** You have to slightly change the **GET** call that you have observed in your console.
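The vulnerability conditions listed at the top of this README and the SQL/NoSQL injection description above, as an added example that is not the Juice Shop's own code: a login lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table, and a guard that refuses `$`-prefixed query-operator objects in parsed request data before they reach a MongoDB-style `find()`/`update()` (it also walks nested bodies, which goes beyond the single-parameter case above). All names (`find_user_concat`, `find_user_param`, `contains_query_operator`, `is_plain_id`) and the sample data are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the shop's Users table (sample data, not the
# real schema); password handling is deliberately not the point of this example.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
conn.execute("INSERT INTO Users VALUES (1, 'admin@juice-sh.op', 'hashed-secret')")
conn.commit()

def find_user_concat(email, password):
    """Vulnerable form: input is pasted into the SQL text, so the interpreter
    cannot tell data from structure; an apostrophe alters the statement itself."""
    sql = ("SELECT id, email FROM Users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()

def lookup_with_concat(email, password):
    """Makes the failure mode observable: returns ('ok', row), or ('error', msg)
    when the concatenated statement no longer parses (the apostrophe tip above)."""
    try:
        return ("ok", find_user_concat(email, password))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

def find_user_param(email, password):
    """Hardened form: the statement's structure is fixed and both values travel
    as bound parameters, so an apostrophe is just one more character to compare."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()

def contains_query_operator(value):
    """True if a parsed request value (JSON body, or a query string the framework
    turned into objects) carries a '$'-prefixed key anywhere: a MongoDB-style
    driver reads such a key as a query operator, not as literal data."""
    if isinstance(value, dict):
        return any(key.startswith("$") or contains_query_operator(item)
                   for key, item in value.items())
    if isinstance(value, list):
        return any(contains_query_operator(item) for item in value)
    return False

def is_plain_id(value):
    """A parameter meant to select one document by id must be a scalar string;
    an object here is exactly what turns a lookup into a caller-chosen query."""
    return isinstance(value, str)

def require_plain_id(value):
    """Raise before an id parameter reaches find()/update() if it is not plain."""
    if not is_plain_id(value):
        raise ValueError("id must be a plain string, not a query object")
    return value
```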
### Challenge 3.3: Modify multiple product reviews at once
Modify multiple product reviews at once by changing the text of all reviews to `Juice Shop has been hacked!`.

#### Tips:

1. **Tip:** The process of [Challenge 3.2](#challenge-32-modify-a-product-review) might help you.

2. **Tip:** Remember the architecture overview - Juice Shop uses MarsDB, a NodeJS MongoDB clone.

3. **Tip:** You need to use a query operator to solve this challenge.


### Challenge 3.4: Cause the server of the juice shop to sleep for 2 seconds
Try to make the server sleep for 2 seconds.

#### Tips:

1. **Tip:** Find a way to interact with the API. [Challenge 3.2](#challenge-32-modify-a-product-review) and [Challenge 3.3](#challenge-33-modify-multiple-product-reviews-at-once) might reveal a parameter that you can exploit.

2. **Tip:** You need to inject a sleep function as a parameter.

### Cross-Site scripting (XSS)

**Cross-Site scripting (XSS)** is the injection of malicious code into web applications. It allows attackers to execute JavaScript in the browser of another user. This can lead to session stealing, account takeover or the download of malicious software, as the attacker's code becomes part of the HTML source of the application.

**HINT:** [Install Postman](https://www.getpostman.com/apps) if you haven't done so yet.

### Challenge 5.1: Persisted XSS with Postman
Try to perform a **persisted XSS attack** by affecting the **Users** table with **Postman**. Every call of the **administration section** should show an alert dialog with the content `xss`.
To perform XSS, use an iframe: