Commit 237ffc89 authored by Jonathan Jogenfors's avatar Jonathan Jogenfors
Rename

parent cbc972be
......@@ -9,7 +9,6 @@
\usepackage{todonotes}
\usepackage{savesym}
\usepackage{pdflscape}
\usepackage{fixltx2e}
\usepackage{rotating}
\usepackage{booktabs}
\usepackage{mathtools}
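Review bot: Dropping \usepackage{fixltx2e} is correct for any LaTeX kernel from 2015 onwards, where its fixes (including \textsubscript) are built in and the package only emits a "no longer required" warning, but the commit message "Rename" does not mention this preamble change; state it in the message, and confirm the build still works on the TeX distribution actually used to produce the PDF, since an older kernel would still need the package.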
......@@ -66,21 +65,24 @@ maxbibnames=10
\small{Information Coding Group}\\\small{Department of Electrical
Engineering, Linköping University}
}
\title{LiU TopDog Challenge 2016\\~\\ \large{TSIT01, TSIT02
\title{LiU TopDog Challenge 2017\\~\\ \large{TSIT01, TSIT02
Computer Security\\ Linköping University}}
\maketitle
\section*{About this document}
This lab memo is intended for the computer security courses \texttt{TSIT01} and
\texttt{TSIT02} for Master students at Linköping University.
\texttt{TSIT02} for Master-level students at Linköping University.
\section*{Changelog}
2016: Initial version
\begin{description}
\item[2017] Revised for the 2017 course.
\item[2016] Initial version.
\end{description}
\section*{Acknowledgements}
This lab owes its existence to Anders Märak Leffler who brought Security
Shepherd to my attention back in 2015. I also want to thank the OWASP Foundation
and the OWASP chapter in Gothenburg for help with getting started with Security
Shepherd. Thanks to the LiU IT department who was willing to set up and support
a web application server that, contrary to all common sense and in violation of
This lab owes its existence to Anders Märak Leffler who brought this software to
my attention back in 2015. I also want to thank the OWASP Foundation and the
OWASP chapter in Gothenburg for help with getting started. Thanks to the LiU IT
department who was willing to set up and support a web application server that,
contrary to all common sense and in violation of
probably a dozen IT policies, contains all kinds of web vulnerabilities. Also
thanks to Niklas Johansson for helping me get all the lab details straight and,
of course, prof. Jan-Åke Larsson, who gave us the go-ahead to build what is
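Review bot: Replacing "Security Shepherd" with "this software" in the acknowledgements leaves the paragraph without a referent, so "getting started" no longer says with what, and the thanks to the OWASP Foundation loses its context; keep the upstream project's name at least here, or move the attribution to a dedicated sentence. The same hunk also bumps the title year to 2017 and restructures the changelog into a description environment, neither of which is covered by the commit message "Rename"; consider splitting the commit or describing all three changes.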
......@@ -101,7 +103,7 @@ with the goal of breaking into them and/or make the application perform tasks
that it was not designed for.
\section{Overview}
The LiU TopDog 2016 challenge uses Security Shepherd, a training system for
In the LiU TopDog 2017 challenge you will practice
penetration testing. Using a set of increasingly difficult challenges, you will
gradually learn the basics of how an adversary might exploit badly designed
applications and security systems. The goal is to give you the basics in
......@@ -125,9 +127,11 @@ stuck in a module and need a hint. Register for the coaching session in Lisam.
The coaching sessions are not compulsory!
\section{Deadline}\label{sec:deadline}
The lab server opens up for registration on November 8th at 17:00.
The lab must be finished before the end of the exam period. Shortly after, the Security Shepherd server will be shut down,
so you can't do the lab after this date.
The lab server opens up for registration on November 8th at 17:00. The lab must
be finished before the end of the exam period. Shortly after, the TopDog server
will be shut down, so you can't do the lab after this date. If you don't
complete the assignments before the deadline, you will have to do the lab next
year.
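Review bot: "November 8th at 17:00" is carried over unchanged from the 2016 text while the title is bumped to 2017; confirm the registration opening date for the 2017 course, since the FAQ elsewhere points readers to \cref{sec:deadline} for exactly this information. The added sentence "you will have to do the lab next year" is a policy statement that should be consistent with the course's examination rules; verify it with the examiner.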
\section{Disciplinary stuff}
You are expected to do the lab in your own in groups of two. Co-operation
......@@ -167,20 +171,18 @@ course homepage to see if we updated the PM, as we continuously improve the lab.
First, you need to find a partner to work with. All students are expected to
work in groups of two. If this is not possible, please contact the lab
assistant. When you have somebody to work with you will need to choose a
username and password to use on the Security Shepherd server. Each group of two
username and password to use on the TopDog server. Each group of two
will have an account, so you will need to choose a username and password for the
group. Please note the following:
\begin{enumerate}
\item Your username (not password) is public and will be shown to to the
entire class on the scoreboard.
\item Don't use strange chars like åäö in the username as this can give
internal problems in Security Shepherd (yes, stupid, we know!)
\item We reserve the right to ban stupid and/or offensive usernames for any
reason.
\item Both of you will have the password, so choose a password you don't use
anywhere else.
\item The password storage in Security Shepherd is hashed but not
salted and therefore isn't 100\% secure system.
\item The password storage in TopDog is hashed and salted, however do not
use a password that can be found anywhere else.
\end{enumerate}
Tip: Generate a random password
and write it down on a note in your wallet!
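Review bot: The password-storage claim is inverted, from "hashed but not salted" to "hashed and salted", without any corresponding server-side change in this commit; verify against the deployed server version that passwords really are salted before publishing this to students, otherwise revert to the cautious wording. Regardless of which is true, the advice in the new item ("do not use a password that can be found anywhere else") is the right one and already appears two items earlier, so the two items could be merged; the new item also needs a comma after "however". Two leftovers in the unchanged context lines of this hunk: "shown to to the entire class" (duplicated "to"), and the åäö item still says "internal problems in Security Shepherd", which contradicts the rename in the line just above it.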
......@@ -199,7 +201,7 @@ login username and password before contacting us (see \cref{sec:contact}).
\begin{figure}
\centering
\includegraphics[width=.9\linewidth]{shepherd-login.png}
\caption{The Security Shepherd login page\label{fig:login}}
\caption{The TopDog login page\label{fig:login}}
\end{figure}
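Review bot: The caption is renamed but the figure still loads shepherd-login.png; check that the screenshot does not show the old Security Shepherd branding, and consider renaming the file for consistency with the rest of the rename.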
\section{Scoreboard}
......@@ -233,12 +235,12 @@ passing the lab!
\end{landscape}
\chapter{Performing the Lab}
Security Shepherd contains a number of modules that cover different topics in
TopDog contains a number of modules that cover different topics in
web pentesting. It also offers a number of lessons that give a gentle
introduction to the topic on hand.
For each lesson and challenge your goal is to retrieve the so-called
\enquote{result key}. When you finish a lesson or challenge, Security Shepherd
\enquote{result key}. When you finish a lesson or challenge, TopDog
detects that \enquote{it has been hacked} and gives you the key. Paste this key
into the box on top, shown in \cref{fig:resultkey}. Depending on
the module the format of the result key can vary, but it might look something
......@@ -282,94 +284,61 @@ the actual server. If you have any ideas or suggestions we are all ears!
\section{Challenges}\label{sec:challenges}
The following 21 challenges are required to pass the lab, and you are free to do the challenges in any order you want.
\begin{description}
\item[Session Management Challenge 1]
{\color{white}Try replacing \enquote{user} with
\item[Session Management Challenge 1]
{\color{white}Try replacing \enquote{user} with
\enquote{administrator}. But where?}
\item[Poor Data Validation 1]
{\color{white}The \enquote{troll} here means the third
\item[Poor Data Validation 1]
{\color{white}The \enquote{troll} here means the third
image, i.e.\ a \enquote{trollface}. Google it if you are unsure.}
\item[Cross Site Scripting 1]
\item[Session Management Challenge 2]
{\color{white}Try attacking the password reset.}
\item[Session Management Challenge 2]
{\color{white}Try attacking the password reset.}
\item[Session Management Challenge 3]
\item[SQL Injection 1]
\item[SQL Injection 2]
{\color{white}The server first checks if the query contains \emph{one} @ before processing it!}
{\color{white}The server first checks if the query contains \emph{one} @ before processing it!}
\item[Insecure Cryptographic Storage Challenge 1]
\item[Insecure Cryptographic Storage Challenge 2]
{\color{white}Here, \enquote{2d cipher} refers to the
\enquote{Vigenère cipher}.}
\item[Insecure Direct Object Reference Challenge 1]
\item[Insecure Direct Object Reference Challenge 2]
{\color{white}Do challenges 1 and 2
\item[Insecure Direct Object Reference Challenge 2]
{\color{white}Do challenges 1 and 2
before the Bank challenge!}
\item[Poor Data Validation 2]
{\color{white}Remember that large integers can overflow!}
\item[Poor Data Validation 2]
{\color{white}Remember that large integers can overflow!}
\item[Failure to Restrict URL Access 1]
\item[CSRF 1]
\item[Cross Site Scripting 2]
{\color{white}Now the XSS filter is getting more clever,
but it's not perfect. Check the source code of the HTML returned from
the server to see which commands are filtered and which are not. Use the
\item[Cross Site Scripting 2]
{\color{white}Now the XSS filter is getting more clever,
but it's not perfect. Check the source code of the HTML returned from
the server to see which commands are filtered and which are not. Use the
hints from the slides.}
\item[Session Management Challenge 4]
{\color{white}Can you guess a Session ID? It should
\item[Session Management Challenge 4]
{\color{white}Can you guess a Session ID? It should
be somewhat larger than 20.}
\item[Failure to Restrict URL Access 2]
\item[Cross Site Scripting 3]
\item[Insecure Cryptographic Storage Challenge 3]
{\color{white}There are a number of ways
to defeat the crypto and get the encryption key in this challenge. The
\item[Insecure Cryptographic Storage Challenge 3]
{\color{white}There are a number of ways
to defeat the crypto and get the encryption key in this challenge. The
quickest way is to submit base64 encoded spaces.}
\item[SQL Injection 3]
{\color{white}To complete this challenge, you must craft a second
statement to return Mary Martin's credit card number as the current
statement only returns the customerName attribute. Note that the UNION
\item[SQL Injection 3]
{\color{white}To complete this challenge, you must craft a second
statement to return Mary Martin's credit card number as the current
statement only returns the customerName attribute. Note that the UNION
statement isn't filtered!}
\item[Insecure Direct Object Reference Bank]
{\color{white}To complete this challenge you
must first register an account. The account must have a unique name. The
next step is to click the refresh balance button. Capture this request, and
replay it with different account numbers until you find one with cash. If
you are the first person to attempt this challenge, the account number 1
should have 10 million in it. You should be able to figure out the rest.
\item[Insecure Direct Object Reference Bank]
{\color{white}To complete this challenge you
must first register an account. The account must have a unique name. The
next step is to click the refresh balance button. Capture this request, and
replay it with different account numbers until you find one with cash. If
you are the first person to attempt this challenge, the account number 1
should have 10 million in it. You should be able to figure out the rest.
See \cref{sec:faq-bank} if there's not enough money anywhere!}
\end{description}
There are hidden hints!
\section{Challenges not required}\label{sec:hard-challenges}
The following extra challenges are included in Security Shepherd but are NOT
required to finish the course. They are difficult. Note that, for these challenges, you are on your
own. To keep the competition fair the lab assistant will not help you, and these challenges might
require knowledge we didn't cover in the lecture, and resources we can't
provide.
\begin{itemize}
\item CSRF 2
\item CSRF 3
\item CSRF 4
\item CSRF 5
\item CSRF 6
\item CSRF 7
\item CSRF JSON
\item SQL Injection 4
\item SQL Injection 5
\item SQL Injection 6
\item SQL Injection 7
\item SQL Injection Escaping
\item SQL Injection Stored Procedure
\item Insecure Cryptographic Storage Challenge 4
\item Security Misconfig Cookie Flag
\item Session Management Challenge 5
\item Session Management Challenge 6
\item Session Management Challenge 7
\item Session Management Challenge 8
\item Cross Site Scripting 4
\item Cross Site Scripting 5
\item Cross Site Scripting 6
\item Failure to Restrict URL Access 3. This is a fun one if you want a
challenge!
\end{itemize}
\section{Finishing the lab}
You are done with the lab when you have finished the 21 required challenges
listed in \cref{sec:challenges}. When this is done, make sure you have signed
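Review bot: Deleting the whole "Challenges not required" section also deletes the label sec:hard-challenges; grep the rest of the document for \cref{sec:hard-challenges} (the FAQ "I finished the lab and want something more challenging!" references it) so the build does not produce an undefined reference. Most of the remaining lines in this hunk are whitespace-only re-indentation of the hidden hints, which buries the one real change; keep re-indentation in a separate commit. The hints rely on \color{white}, which hides them only visually; they remain in the PDF text layer and are revealed by select-all or copy, so if they are meant to stay hidden until needed this mechanism is not sufficient, and if that is accepted, the "There are hidden hints!" line should say so.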
......@@ -385,7 +354,7 @@ This section will be updated with frequently asked questions about the lab.
\section{There is something wrong with the server!}
First check that your Internet connection is working and that your attack proxy
isn't giving you problems. If the Security Shepherd server is unavailable, or if there's some
isn't giving you problems. If the TopDog server is unavailable, or if there's some
\emph{technical} issue with it that has nothing to do with the lab itself, first
wait a few minutes. If it doesn't come back it might be an outage (planned or
unplanned). If we are doing some planned work on the server this will be posted
......@@ -398,17 +367,8 @@ description of the problem. Only use this e-mail address for technical issues
with the server. For all other questions, see
\cref{sec:contact}.
\section{I don't see any challenges and it's Tuesday morning}
If the lessons and challenges are gone and just replaced by a button saying
\enquote{Get Next Challenge} send an e-mail to the address listed in
\cref{sec:contact}. On 1:30 AM on Tuesday mornings the server is set to reboot,
and for some reason Shepherd is partially reset when the reboot happens. We have
to manually set the module to appear every time this happens, and if you still
see the button it's either early in the morning, or we just forgot.
\section{There is no registration link on the login page}
Registration is only available during the actual course dates. See
\cref{sec:deadline} on when registration opens.
\section{How do I create a TopDog account?}
The link to the registration page can be found in Lisam.
\section{How can I get bonus points for the exam?}
The scoreboard and its points, bonus points, and medals is for fun only. They
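Review bot: Removing the "I don't see any challenges and it's Tuesday morning" FAQ assumes the weekly 01:30 reboot no longer partially resets the modules; confirm the reboot schedule or the reset bug has actually been changed on the server, otherwise students will hit the same symptom with no guidance. The new FAQ "How do I create a TopDog account?" points only to Lisam, while the removed FAQ also told students that registration is only open during the course dates; keep that sentence (with the \cref{sec:deadline} reference) in the new answer.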
......@@ -424,12 +384,11 @@ sign the lab attendance list before finishing. This is important as we need to
know who is who, otherwise anyone could pretend to be the scoreboard leader!
\section{I finished the lab and want something more challenging!}
Try your skills on the harder non-compulsory challenges in
\cref{sec:hard-challenges}. If you want still more challenges, check out
Try your skills on the challenges! If this is still not enough, check out
\cref{sec:ctf}!
\section{I don't get a result key, only \enquote{Key Should be here! Please
refresh the home page and try again! If that doesn't work, sign in and out
refresh the home page and try again! If that doesn't work, sign in and out
again!}}
This is probably because you created a username with non-latin characters such
as å, ä and ö. If this is the case, contact us (\cref{sec:contact}) and we'll
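Review bot: The rewritten answer "Try your skills on the challenges!" no longer answers the question in the heading, since a student who asks it has by definition already finished the 21 required challenges; either drop this FAQ together with the removed non-compulsory section, or reword it so the only remaining pointer is \cref{sec:ctf}. In the unchanged context below, "non-latin characters such as å, ä and ö" is inaccurate (these are Latin letters outside ASCII); "non-ASCII characters" would be correct.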
......@@ -481,12 +440,12 @@ feature to view the source related to a particular item on a page by
right-clicking it and selecting \enquote{Inspect} or \enquote{Inspect Element},
depending on your web browser.
In Security Shepherd you must remember that the web modules are located in an
In the TopDog challenge you must remember that the web modules are located in an
\texttt{iframe} in the web page. You must therefore click \emph{inside} the
module itself and select \enquote{View Frame Source}, or \enquote{This Frame}
followed by \enquote{View Source} as shown in \cref{fig:frame-source}.
Otherwise, you will be reading the source code of Security Shepherd itself and
not the module.
followed by \enquote{View Source} as shown in \cref{fig:frame-source} (this
example assumes you are using Firefox). Otherwise, you will be reading the
source code of TopDog itself and not the module.
\begin{figure}
\centering
......@@ -544,11 +503,12 @@ In order to use the attack proxy, you will need to configure your web browser to
connect through it. Here, it is recommended that you download and install a
secondary web browser to your computer, so that you have one normal browser (for
googling and general browsing) and one \enquote{attack browser} for use with
Security Shepherd. Otherwise, ZAP will intercept all your HTTPS sessions which
TopDog. Otherwise, ZAP will intercept all your HTTPS sessions (i.e. also your
general web browsing), which
is very annoying.
By default, ZAP listens to connections on port 8080. Therefore, configure the
attack browser (the one you use for Security Shepherd) to use \texttt{localhost:8080}
attack browser (the one you use for TopDog) to use \texttt{localhost:8080}
as the proxy configuration for HTTP and HTTPS protocols.
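Review bot: The added parenthetical "(i.e. also your general web browsing)" is good, but "very annoying" understates the reason for a separate attack browser: accepting the ZAP root certificate in an everyday browser means the proxy decrypts every HTTPS session made through it, including logins to unrelated sites. Suggest adding one sentence here saying that the ZAP certificate exception should only ever be added to the attack browser (or a dedicated profile) and that the proxy setting must be removed from the normal browser.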
\begin{figure}
......@@ -569,7 +529,7 @@ Chrome can be found here: \url{https://support.google.com/chrome/answer/96815}.
\label{fig:maninthemiddle}
\end{figure}
Now, using the attack browser, go to the Security Shepherd page:
Now, using the attack browser, go to the TopDog page:
\url{https://snickerboa.it.liu.se}. It might be that your browser gives a
warning about your connection being insecure since ZAP decrypts and re-encrypts
HTTPS traffic (see \cref{fig:maninthemiddle}). Remember that we talked about
......@@ -577,7 +537,7 @@ this in the lecture. You will have to accept the ZAP
certificate and add it as an exception to the attack browser.
\subsection{Intercepting HTTP(S) traffic with ZAP}
Now you can browse around in Security Shepherd and see that the traffic appears
Now you can browse around in TopDog and see that the traffic appears
in ZAP. In the left-hand pane you see \texttt{Sites}. Expand it and you see the
site \texttt{https://snickerboa.it.liu.se}. Inside, you see the different
requests (mainly \texttt{GET} and \texttt{POST}) that were made to the server.
......@@ -639,7 +599,7 @@ destinations.
\end{figure}
\chapter{Capturing The Flag}\label{sec:ctf}
Security Shepherd is what the hacking community calls a CTF, or Capture The
TopDog is what the hacking community calls a CTF, or Capture The
Flag. CTF:s are a good way of practicing one's skills in order to become better
at pentesting, reverse-engineering, cracking, etc. It is common for security
conferences to have CTF competitions where teams try to solve a number of
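Review bot: With the rename applied, "TopDog is what the hacking community calls a CTF" is no longer accurate as written, since TopDog is the course's name for a Security Shepherd deployment; "The TopDog challenge is a CTF" would be more precise. In the unchanged context line, "CTF:s" follows the Swedish plural convention; in English text use "CTFs".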
......