diff --git a/Shepherd.pdf b/TopDog.pdf similarity index 91% rename from Shepherd.pdf rename to TopDog.pdf index 48ae87a420519b590f56a366d1d17cc50496cc41..f0ba141e2bb1198824e2e8cfe72bc593ebe49bfb 100644 Binary files a/Shepherd.pdf and b/TopDog.pdf differ diff --git a/Shepherd.tex b/TopDog.tex similarity index 80% rename from Shepherd.tex rename to TopDog.tex index 7d60dba04c15c83a519e5a3066d2c4121d412c92..bec4c99538bf3eac10c08749ae72cfd2772e8a74 100644 --- a/Shepherd.tex +++ b/TopDog.tex @@ -9,7 +9,6 @@ \usepackage{todonotes} \usepackage{savesym} \usepackage{pdflscape} -\usepackage{fixltx2e} \usepackage{rotating} \usepackage{booktabs} \usepackage{mathtools} 
@@ -66,21 +65,24 @@ maxbibnames=10 \small{Information Coding Group}\\\small{Department of Electrical Engineering, Linköping University} } -\title{LiU TopDog Challenge 2016\\~\\ \large{TSIT01, TSIT02 +\title{LiU TopDog Challenge 2017\\~\\ \large{TSIT01, TSIT02 Computer Security\\ Linköping University}} \maketitle \section*{About this document} This lab memo is intended for the computer security courses \texttt{TSIT01} and -\texttt{TSIT02} for Master students at Linköping University. +\texttt{TSIT02} for Master-level students at Linköping University. \section*{Changelog} -2016: Initial version +\begin{description} + \item[2017] Revised for the 2017 course. + \item[2016] Initial version. +\end{description} \section*{Acknowledgements} -This lab owes its existence to Anders Märak Leffler who brought Security -Shepherd to my attention back in 2015. I also want to thank the OWASP Foundation -and the OWASP chapter in Gothenburg for help with getting started with Security -Shepherd. Thanks to the LiU IT department who was willing to set up and support -a web application server that, contrary to all common sense and in violation of +This lab owes its existence to Anders Märak Leffler who brought this software to +my attention back in 2015. I also want to thank the OWASP Foundation and the +OWASP chapter in Gothenburg for help with getting started. Thanks to the LiU IT +department who was willing to set up and support a web application server that, +contrary to all common sense and in violation of probably a dozen IT policies, contains all kinds of web vulnerabilities. Also thanks to Niklas Johansson for helping me get all the lab details straight and, of course, prof. Jan-Åke Larsson, who gave us the go-ahead to build what is 
@@ -101,7 +103,7 @@ with the goal of breaking into them and/or make the application perform tasks that it was not designed for. \section{Overview} -The LiU TopDog 2016 challenge uses Security Shepherd, a training system for +In the LiU TopDog 2017 challenge you will practice penetration testing. Using a set of increasingly difficult challenges, you will gradually learn the basics of how an adversary might exploit badly designed applications and security systems. The goal is to give you the basics in @@ -125,9 +127,11 @@ stuck in a module and need a hint. Register for the coaching session in Lisam. The coaching sessions are not compulsory! \section{Deadline}\label{sec:deadline} -The lab server opens up for registration on November 8th at 17:00. -The lab must be finished before the end of the exam period. Shortly after, the Security Shepherd server will be shut down, -so you can't do the lab after this date. +The lab server opens up for registration on November 8th at 17:00. The lab must +be finished before the end of the exam period. Shortly after, the TopDog server +will be shut down, so you can't do the lab after this date. If you don't +complete the assignments before the deadline, you will have to do the lab next +year. \section{Disciplinary stuff} You are expected to do the lab in your own in groups of two. Co-operation 
@@ -167,20 +171,18 @@ course homepage to see if we updated the PM, as we continuously improve the lab. First, you need to find a partner to work with. All students are expected to work in groups of two. If this is not possible, please contact the lab assistant. When you have somebody to work with you will need to choose a -username and password to use on the Security Shepherd server. Each group of two +username and password to use on the TopDog server. Each group of two will have an account, so you will need to choose a username and password for the group. Please note the following: \begin{enumerate} \item Your username (not password) is public and will be shown to to the entire class on the scoreboard. - \item Don't use strange chars like åäö in the username as this can give - internal problems in Security Shepherd (yes, stupid, we know!) \item We reserve the right to ban stupid and/or offensive usernames for any reason. \item Both of you will have the password, so choose a password you don't use anywhere else. - \item The password storage in Security Shepherd is hashed but not - salted and therefore isn't 100\% secure system. + \item The password storage in TopDog is hashed and salted, however do not + use a password that can be found anywhere else. \end{enumerate} Tip: Generate a random password and write it down on a note in your wallet! @@ -199,7 +201,7 @@ login username and password before contacting us (see \cref{sec:contact}). \begin{figure} \centering \includegraphics[width=.9\linewidth]{shepherd-login.png} - \caption{The Security Shepherd login page\label{fig:login}} + \caption{The TopDog login page\label{fig:login}} \end{figure} \section{Scoreboard} 
@@ -233,12 +235,12 @@ passing the lab! \end{landscape} \chapter{Performing the Lab} -Security Shepherd contains a number of modules that cover different topics in +TopDog contains a number of modules that cover different topics in web pentesting. It also offers a number of lessons that give a gentle introduction to the topic on hand. For each lesson and challenge your goal is to retrieve the so-called -\enquote{result key}. When you finish a lesson or challenge, Security Shepherd +\enquote{result key}. When you finish a lesson or challenge, TopDog detects that \enquote{it has been hacked} and gives you the key. Paste this key into the box on top, shown in \cref{fig:resultkey}. Depending on the module the format of the result key can vary, but it might look something 
@@ -282,94 +284,61 @@ the actual server. If you have any ideas or suggestions we are all ears! \section{Challenges}\label{sec:challenges} The following 21 challenges are required to pass the lab, and you are free to do the challenges in any order you want. \begin{description} - \item[Session Management Challenge 1] - {\color{white}Try replacing \enquote{user} with + \item[Session Management Challenge 1] + {\color{white}Try replacing \enquote{user} with \enquote{administrator}. But where?} - \item[Poor Data Validation 1] - {\color{white}The \enquote{troll} here means the third + \item[Poor Data Validation 1] + {\color{white}The \enquote{troll} here means the third image, i.e.\ a \enquote{trollface}. Google it if you are unsure.} \item[Cross Site Scripting 1] - \item[Session Management Challenge 2] - {\color{white}Try attacking the password reset.} + \item[Session Management Challenge 2] + {\color{white}Try attacking the password reset.} \item[Session Management Challenge 3] \item[SQL Injection 1] \item[SQL Injection 2] - {\color{white}The server first checks if the query contains \emph{one} @ before processing it!} + {\color{white}The server first checks if the query contains \emph{one} @ before processing it!} \item[Insecure Cryptographic Storage Challenge 1] \item[Insecure Cryptographic Storage Challenge 2] {\color{white}Here, \enquote{2d cipher} refers to the \enquote{Vigenère cipher}.} \item[Insecure Direct Object Reference Challenge 1] - \item[Insecure Direct Object Reference Challenge 2] - {\color{white}Do challenges 1 and 2 + \item[Insecure Direct Object Reference Challenge 2] + {\color{white}Do challenges 1 and 2 before the Bank challenge!} - \item[Poor Data Validation 2] - {\color{white}Remember that large integers can overflow!} + \item[Poor Data Validation 2] + {\color{white}Remember that large integers can overflow!} \item[Failure to Restrict URL Access 1] \item[CSRF 1] - \item[Cross Site Scripting 2] - {\color{white}Now the XSS filter is getting more 
clever, - but it's not perfect. Check the source code of the HTML returned from - the server to see which commands are filtered and which are not. Use the + \item[Cross Site Scripting 2] + {\color{white}Now the XSS filter is getting more clever, + but it's not perfect. Check the source code of the HTML returned from + the server to see which commands are filtered and which are not. Use the hints from the slides.} - \item[Session Management Challenge 4] - {\color{white}Can you guess a Session ID? It should + \item[Session Management Challenge 4] + {\color{white}Can you guess a Session ID? It should be somewhat larger than 20.} \item[Failure to Restrict URL Access 2] \item[Cross Site Scripting 3] - \item[Insecure Cryptographic Storage Challenge 3] - {\color{white}There are a number of ways - to defeat the crypto and get the encryption key in this challenge. The + \item[Insecure Cryptographic Storage Challenge 3] + {\color{white}There are a number of ways + to defeat the crypto and get the encryption key in this challenge. The quickest way is to submit base64 encoded spaces.} - \item[SQL Injection 3] - {\color{white}To complete this challenge, you must craft a second - statement to return Mary Martin's credit card number as the current - statement only returns the customerName attribute. Note that the UNION + \item[SQL Injection 3] + {\color{white}To complete this challenge, you must craft a second + statement to return Mary Martin's credit card number as the current + statement only returns the customerName attribute. Note that the UNION statement isn't filtered!} - \item[Insecure Direct Object Reference Bank] - {\color{white}To complete this challenge you - must first register an account. The account must have a unique name. The - next step is to click the refresh balance button. Capture this request, and - replay it with different account numbers until you find one with cash. 
If - you are the first person to attempt this challenge, the account number 1 - should have 10 million in it. You should be able to figure out the rest. + \item[Insecure Direct Object Reference Bank] + {\color{white}To complete this challenge you + must first register an account. The account must have a unique name. The + next step is to click the refresh balance button. Capture this request, and + replay it with different account numbers until you find one with cash. If + you are the first person to attempt this challenge, the account number 1 + should have 10 million in it. You should be able to figure out the rest. See \cref{sec:faq-bank} if there's not enough money anywhere!} \end{description} There are hidden hints! -\section{Challenges not required}\label{sec:hard-challenges} -The following extra challenges are included in Security Shepherd but are NOT -required to finish the course. They are difficult. Note that, for these challenges, you are on your -own. To keep the competition fair the lab assistant will not help you, and these challenges might -require knowledge we didn't cover in the lecture, and resources we can't -provide. -\begin{itemize} - \item CSRF 2 - \item CSRF 3 - \item CSRF 4 - \item CSRF 5 - \item CSRF 6 - \item CSRF 7 - \item CSRF JSON - \item SQL Injection 4 - \item SQL Injection 5 - \item SQL Injection 6 - \item SQL Injection 7 - \item SQL Injection Escaping - \item SQL Injection Stored Procedure - \item Insecure Cryptographic Storage Challenge 4 - \item Security Misconfig Cookie Flag - \item Session Management Challenge 5 - \item Session Management Challenge 6 - \item Session Management Challenge 7 - \item Session Management Challenge 8 - \item Cross Site Scripting 4 - \item Cross Site Scripting 5 - \item Cross Site Scripting 6 - \item Failure to Restrict URL Access 3. This is a fun one if you want a - challenge! 
-\end{itemize} - \section{Finishing the lab} You are done with the lab when you have finished the 21 required challenges listed in \cref{sec:challenges}. When this is done, make sure you have signed @@ -385,7 +354,7 @@ This section will be updated with frequently asked questions about the lab. \section{There is something wrong with the server!} First check that your Internet connection is working and that your attack proxy -isn't giving you problems. If the Security Shepherd server is unavailable, or if there's some +isn't giving you problems. If the TopDog server is unavailable, or if there's some \emph{technical} issue with it that has nothing to do with the lab itself, first wait a few minutes. If it doesn't come back it might be an outage (planned or unplanned). If we are doing some planned work on the server this will be posted @@ -398,17 +367,8 @@ description of the problem. Only use this e-mail address for technical issues with the server. For all other questions, see \cref{sec:contact}. -\section{I don't see any challenges and it's Tuesday morning} -If the lessons and challenges are gone and just replaced by a button saying -\enquote{Get Next Challenge} send an e-mail to the address listed in -\cref{sec:contact}. On 1:30 AM on Tuesday mornings the server is set to reboot, -and for some reason Shepherd is partially reset when the reboot happens. We have -to manually set the module to appear every time this happens, and if you still -see the button it's either early in the morning, or we just forgot. - -\section{There is no registration link on the login page} -Registration is only available during the actual course dates. See -\cref{sec:deadline} on when registration opens. +\section{How do I create a TopDog account?} +The link to the registration page can be found in Lisam. \section{How can I get bonus points for the exam?} The scoreboard and its points, bonus points, and medals is for fun only. They 
@@ -424,12 +384,11 @@ sign the lab attendance list before finishing. This is important as we need to know who is who, otherwise anyone could pretend to be the scoreboard leader! \section{I finished the lab and want something more challenging!} -Try your skills on the harder non-compulsory challenges in -\cref{sec:hard-challenges}. If you want still more challenges, check out +Try your skills on the challenges! If this is still not enough, check out \cref{sec:ctf}! \section{I don't get a result key, only \enquote{Key Should be here! Please -refresh the home page and try again! If that doesn't work, sign in and out + refresh the home page and try again! If that doesn't work, sign in and out again!}} This is probably because you created a username with non-latin characters such as å, ä and ö. If this is the case, contact us (\cref{sec:contact}) and we'll @@ -481,12 +440,12 @@ feature to view the source related to a particular item on a page by right-clicking it and selecting \enquote{Inspect} or \enquote{Inspect Element}, depending on your web browser. -In Security Shepherd you must remember that the web modules are located in an +In the TopDog challenge you must remember that the web modules are located in an \texttt{iframe} in the web page. You must therefore click \emph{inside} the module itself and select \enquote{View Frame Source}, or \enquote{This Frame} -followed by \enquote{View Source} as shown in \cref{fig:frame-source}. -Otherwise, you will be reading the source code of Security Shepherd itself and -not the module. +followed by \enquote{View Source} as shown in \cref{fig:frame-source} (this +example assumes you are using Firefox). Otherwise, you will be reading the +source code of TopDog itself and not the module. \begin{figure} \centering 
@@ -544,11 +503,12 @@ In order to use the attack proxy, you will need to configure your web browser to connect through it. Here, it is recommended that you download and install a secondary web browser to your computer, so that you have one normal browser (for googling and general browsing) and one \enquote{attack browser} for use with -Security Shepherd. Otherwise, ZAP will intercept all your HTTPS sessions which +TopDog. Otherwise, ZAP will intercept all your HTTPS sessions (i.e. also your +general web browsing), which is very annoying. By default, ZAP listens to connections on port 8080. Therefore, configure the -attack browser (the one you use for Security Shepherd) to use \texttt{localhost:8080} +attack browser (the one you use for TopDog) to use \texttt{localhost:8080} as the proxy configuration for HTTP and HTTPS protocols. \begin{figure} @@ -569,7 +529,7 @@ Chrome can be found here: \url{https://support.google.com/chrome/answer/96815}. \label{fig:maninthemiddle} \end{figure} -Now, using the attack browser, go to the Security Shepherd page: +Now, using the attack browser, go to the TopDog page: \url{https://snickerboa.it.liu.se}. It might be that your browser gives a warning about your connection being insecure since ZAP decrypts and re-encrypts HTTPS traffic (see \cref{fig:maninthemiddle}). Remember that we talked about @@ -577,7 +537,7 @@ this in the lecture. You will have to accept the ZAP certificate and add it as an exception to the attack browser. \subsection{Intercepting HTTP(S) traffic with ZAP} -Now you can browse around in Security Shepherd and see that the traffic appears +Now you can browse around in TopDog and see that the traffic appears in ZAP. In the left-hand pane you see \texttt{Sites}. Expand it and you see the site \texttt{https://snickerboa.it.liu.se}. Inside, you see the different requests (mainly \texttt{GET} and \texttt{POST}) that were made to the server. 
@@ -639,7 +599,7 @@ destinations. \end{figure} \chapter{Capturing The Flag}\label{sec:ctf} -Security Shepherd is what the hacking community calls a CTF, or Capture The +TopDog is what the hacking community calls a CTF, or Capture The Flag. CTF:s are a good way of practicing one's skills in order to become better at pentesting, reverse-engineering, cracking, etc. It is common for security conferences to have CTF competitions where teams try to solve a number of
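Review bot: the removal of \usepackage{fixltx2e} in the preamble hunk should be recorded in the changelog entry for 2017, since it silently changes the minimum LaTeX version: on the 2015 kernel and later the package is a no-op that only prints a warning, but on older TeX Live installs it still provided fixes such as \textsubscript, so anyone building the memo on an old toolchain needs to know why it went. The same file-level change renames the committed Shepherd.pdf build artifact to TopDog.pdf; a generated PDF tracked next to its source will show as modified on every rebuild, so consider producing it in the build step rather than checking it in.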
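Review bot: in the acknowledgements hunk the software is now called only "this software", and since every other hunk replaces the upstream name with TopDog, no line in the document names the project the lab is built on any more; keep one explicit mention here (for example "who brought OWASP Security Shepherd to my attention back in 2015") so the thanks to the OWASP Foundation in the next sentence still make sense and the upstream project keeps its attribution. In the same hunk the new changelog item "Revised for the 2017 course." says nothing about what was revised; list the substantive changes (server rename, removed optional-challenge list, registration moved to Lisam) so the changelog is useful.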
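Review bot: the deadline hunk rewraps the paragraph but keeps "November 8th at 17:00" verbatim from the 2016 text, while the title hunk bumps the year to 2017; confirm that the opening date still holds for the 2017 run, or define the year and the opening date once as macros next to each other so the two cannot drift apart in the next revision. The added sentence "If you don't complete the assignments before the deadline, you will have to do the lab next year." is a welcome clarification of the consequence.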
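Review bot: the registration hunk removes the warning against åäö in usernames, but the FAQ entry further down ("I don't get a result key ... This is probably because you created a username with non-latin characters such as å, ä and ö") is left in place, so the document now documents the symptom without the advice that prevents it; either the underlying bug was fixed and that FAQ entry should go as well, or the warning should stay. The changed claim "The password storage in TopDog is hashed and salted" is a statement about the deployed server, not the memo; since the previous version said "hashed but not salted", verify that the storage actually changed before publishing the stronger claim, because students will pick passwords based on it. Minor: "hashed and salted, however do not use" is a comma splice; "hashed and salted, but still do not use a password ..." reads correctly. The unchanged context line "shown to to the entire class" has a doubled "to".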
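Review bot: the challenges hunk mixes a whitespace-only reindent of every \item (each -/+ pair is otherwise identical) with one substantive change, the deletion of the whole "Challenges not required" section together with its label sec:hard-challenges; split these into two commits so the real change is reviewable, and grep the source for any remaining \cref{sec:hard-challenges} beyond the one fixed in the FAQ hunk, since a dangling \cref renders as "??" in the PDF. If the optional challenges are still present on the server, the list was the only place their names appeared, so consider keeping it even if the "you are on your own" caveat stays.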
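Review bot: the FAQ hunk that deletes "There is no registration link on the login page" drops the only statement that registration is open during the course dates only; the replacement answer "The link to the registration page can be found in Lisam." should keep that sentence and the \cref{sec:deadline}, so a student who looks before opening day knows why the link does not work yet. Putting the link behind Lisam is a sound change, since only enrolled students can reach it. Deleting the Tuesday-morning reboot entry is fine only if the partial reset on reboot was actually fixed on the server; if it was, say so in the changelog, otherwise the troubleshooting entry is still needed.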
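Review bot: in the "I finished the lab and want something more challenging!" hunk, the new answer "Try your skills on the challenges! If this is still not enough" no longer answers the question, because after this patch the only challenges listed in the document are the 21 required ones the reader has just finished; either point to the optional challenges that still exist on the server, or drop the sentence and go straight to \cref{sec:ctf}.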
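Review bot: the ZAP hunk's added parenthetical "(i.e. also your general web browsing)" explains the annoyance, but the stronger reason for a separate attack browser is stated a few lines later in unchanged context: you must "accept the ZAP certificate and add it as an exception", that is, trust a locally generated CA that can sign a certificate for any site. Trusting it in the everyday browser makes every HTTPS session interceptable by whoever holds that ZAP key, so suggest extending the sentence to something like "(i.e. also your general web browsing), and you would have to trust the ZAP root certificate in your everyday browser, which you should not do".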