https://github.com/sebastiaanz/pythoneersday-security

# Pythoneersday Security
- **Date:** 10 May 2023
- **Topic:** Common Vulnerabilities & Security Testing
- **Authors:** Ordina Pythoneers / Sebastiaan Zeeff & Jeremy Vriens

## IMPORTANT: Do not browse the repository

While you may want to immediately explore the repository, this will ruin most of
the fun.

One of the goals today is to find vulnerabilities in websites using a
security testing tool and your creativity. Since the source code of the views is
available in this repository, looking at the implementation may already reveal
those deliberate vulnerabilities.

Please don't explore the repository beyond this README-file before completing
the exercises unless specifically instructed to do so.

# Part 1: Common Vulnerabilities

1. Go to https://www.hacksplaining.com/lessons
2. Sign up for free with an OAuth account
3. Learn about common vulnerabilities
   - We recommend that you start with SQL Injection, Privilege Escalation,
     and Broken Access Control. These will be the most relevant for the second
     half of the workshop.

If you're done quickly and have already achieved your yellow belt in the
security journey, check out the "Web App Testing" track.

# Part 2: The Hacky Notes App

## Preparation

First of all, make sure that you have a **recent version of Python** (3.10+)
installed. We are not going to write code in Python today, but we are going to
create a virtual environment to run an instance of the website that we're going
to attack with our security testing tools.

### OWASP ZAP 2.12.0
If you've followed the instructions in the email, you should have already
installed the OWASP ZAP application. If not, follow these instructions.

All instructions in this readme were written for ZAP 2.12.0, so I'd recommend
making sure you install that version.

#### Step 1: Install a Java Development Kit (Windows/Linux only)
OWASP Zap requires Java 11+ to run. **It's included in the Apple installer**,
but you need to install Java separately if you're using Windows or Linux.

1. Please visit https://www.oracle.com/java/technologies/downloads/
2. Install the JDK for either Java 17 LTS or Java 19 for your platform

#### Step 2: Install OWASP Zed Attack Proxy

1. Please install OWASP Zap from https://www.zaproxy.org/download/

### Configuring ZAP and your browser

ZAP works by intercepting, and allowing you to modify, the traffic between your
browser and a web server. This means that you need to configure your browser to
use ZAP as an intermediate proxy.

Personally, I use Firefox, but the steps are similar for other browsers, such as
Chrome and Edge.

#### Step 1: Configure the ZAP Proxy
1. Open ZAP.
2. Select "No, I do not want to persist this session at this moment in time" and
click start.
3. In the top menu, go to `Tools > Options`
4. Navigate to `Options > Network > Local Servers/Proxies`
5. Check that the main proxy is configured as:
   - Address: localhost
   - Port: 8080 (or another port, as long as you remember it)

#### Step 2: Configure the ZAP Root CA Certificate (Optional)
This step is optional, as our localhost webserver will not use SSL, but I've
included these instructions in case you want to use ZAP on TLS-enabled
connections in the future.

**Full disclosure:** This will install a Root CA Certificate for ZAP in your
browser. This allows ZAP to proxy between your browser and a web server even if
the connection is (supposed to be) secured with TLS.

1. Open the options menu again (`Tools > Options`)
2. Navigate to `Options > Network > Server Certificates`
3. Click `Generate` to generate a new Root CA Certificate for ZAP
4. Click on `Save` to save the certificate to a file
   - Remember where you save the file! You'll need it later.
5. Click "Ok" to exit the options menu
6. Open Firefox
7. Go to the Firefox Settings (`Hamburger Menu > Settings`)
8. Go to `Privacy & Security`
9. Scroll down to `Certificates`
10. Click on `View Certificates...`
11. Click on `Import...`
12. Navigate to the certificates file you exported from ZAP and import it

#### Step 3: Configure Firefox to use the ZAP Proxy

1. Open the Firefox menu (`Hamburger Menu > Add-ons and themes`)
2. Search for "FoxyProxy Standard" in the `Find more add-ons` search bar
3. Install "FoxyProxy Standard" (author: Eric H. Jung) and enable it
4. Click on the FoxyProxy extension icon and then on the `Options` button in the modal
5. Click on `+ Add` in the left-hand menu
6. Fill in these details:
   - **Title or Description:** ZAP
   - **Proxy Type:** HTTP
   - **Proxy IP address or DNS name:** localhost
   - **Port:** 8080 (or the other port from earlier)
7. Click `Save & Edit Patterns`
8. In the `White Patterns` list, modify the first (and only) line:
   - Change the `Name` from "all URLs" to "localhost"
   - Change the pattern to `localhost`
   - Change the `Type` to "Reg Exp"
9. Click `Save`
10. You can now close the FoxyProxy settings screen
11. Click on the FoxyProxy extension icon and select the option "Use Enabled
Proxies By Patterns and Order". This should make sure that FoxyProxy only
redirects traffic to `localhost` to the ZAP proxy.
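The point of the pattern in step 8 is scope: only traffic for the workshop app should pass through ZAP, so that the rest of your browsing is neither recorded nor touched by ZAP's tooling. The script below is an added example (not part of the workshop repository or of FoxyProxy) that emulates the "Use Enabled Proxies By Patterns and Order" decision for a list of URLs and builds the matching `urllib` proxy configuration. It assumes FoxyProxy tests a "Reg Exp" pattern against the whole URL with an unanchored search; the ZAP address and port are the Step 1 values, and the sample URLs (including a look-alike host) are constructed. It also shows, as a check you can run yourself, that the README's bare `localhost` regex additionally matches any URL that merely contains that string, and what an anchored pattern looks like if you want the scope tighter.

```python
"""Emulate FoxyProxy's pattern decision and derive a urllib proxy config.

Added example for this README, not code from the workshop repository or
from FoxyProxy. The matching logic is an assumption about FoxyProxy's
"Reg Exp" behaviour (unanchored search over the full URL); the ZAP
address and port come from Step 1 of the README.
"""
import re
import urllib.request
from urllib.parse import urlsplit

# ZAP main proxy as configured in Step 1 (README values).
ZAP_PROXY = "http://localhost:8080"

# The single "White Pattern" the README tells you to create:
# name "localhost", type "Reg Exp", pattern "localhost".
README_PATTERNS = [("localhost", r"localhost")]

# A stricter alternative (constructed here, not from the README): anchor the
# scheme and host so only http(s)://localhost[:port]/... is matched.
STRICT_PATTERNS = [("localhost-anchored", r"^https?://localhost(:\d+)?(/|$)")]


def should_proxy(url: str, patterns) -> bool:
    """True if any enabled regex pattern matches the full URL (assumed
    FoxyProxy semantics: unanchored re.search over the URL string)."""
    return any(re.search(regex, url) for _name, regex in patterns)


def proxies_for(url: str, patterns=README_PATTERNS) -> dict:
    """Proxy mapping for this URL's scheme: via ZAP if a pattern matches,
    otherwise an empty mapping, meaning a direct connection."""
    scheme = urlsplit(url).scheme
    if should_proxy(url, patterns):
        return {scheme: ZAP_PROXY}
    return {}


def build_opener(url: str, patterns=README_PATTERNS) -> urllib.request.OpenerDirector:
    """urllib opener that honours the pattern decision for this URL.

    Passing an explicit (possibly empty) mapping to ProxyHandler also stops
    urllib from reading *_proxy environment variables, so the decision
    made here is the only routing decision in effect."""
    handler = urllib.request.ProxyHandler(proxies_for(url, patterns))
    return urllib.request.build_opener(handler)


def routing_table(urls, patterns=README_PATTERNS) -> dict:
    """Map each URL to 'zap' or 'direct'; a quick scope check before browsing."""
    return {u: ("zap" if should_proxy(u, patterns) else "direct") for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs: the workshop app, an unrelated site from Part 1,
    # and a host whose name merely contains "localhost".
    sample = [
        "http://localhost:8888/",
        "https://www.hacksplaining.com/lessons",
        "https://localhost.example.com/",  # constructed look-alike host
    ]
    for label, pats in (("README pattern", README_PATTERNS),
                        ("anchored pattern", STRICT_PATTERNS)):
        print(label)
        for url, route in routing_table(sample, pats).items():
            print(f"  {route:7s} {url}")
```

Run it after completing Step 3 and compare the table with what FoxyProxy actually does in your browser (the ZAP "History" tab shows which requests reached the proxy). Either pattern keeps the workshop app at `http://localhost:8888` routed through ZAP; the anchored one only differs for hosts that contain the word `localhost` without being it.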

#### Step 4: Get hacking!

Before you clone the repository, this is another friendly reminder not to browse
the repository. It takes all the fun out of the challenges!

1. Clone the repository using `git`
2. Create a virtual environment with Python 3.10+ and activate it
3. Install the requirements with `pip install -r requirements.txt`
4. Run `python manage.py start` to start the project
5. Visit http://localhost:8888
6. Start with the tutorial
7. Try other challenges afterwards

Tip: If you think you've screwed up the database, you can reset the project
by running `python manage.py reset`.

---

If you're done quickly, consider doing a few modules of the Security Journey. I
recommend "DevSecOps" and "Web App Testing" as highly relevant Green Belt tracks
for developers.