[Owasp-hackademic-challenges] GSoC project idea: Defensive challenges (secure coding)

Spyros spyros.gasteratos at owasp.org
Thu Feb 5 16:35:43 UTC 2015


Hello Anirudh,

Answers inline,

On 02.02.2015 17:06, Anirudh Anand wrote:
> Hello everyone,
>
> My name is Anirudh Anand and I am currently pursuing my 3rd year Bachelors
> degree in computer science. I was going through the OWASP Hackademic
> project recently because I always love to create and crack problems (and
> hence I love CTF's). When I went through the current issues, I came across
> this: https://github.com/Hackademic/hackademic/issues/69
>
Writing defensive challenges is something we have needed for a long time 
now, it's a very cool feature imho. However, it's a bit tricky to 
implement correctly.

>
> I have personally gone through so many applications like DVWA, OWASP
> WebGoat, Google Gruyere, pentest lab exercises etc. to enhance my skills
> in appsec, but one thing I have noticed (and am sad about) is that almost
> all of them focus on teaching how to attack a vulnerable application and
> how to exploit it. But none of them teaches the students *why such issues
> exist*, which *part of the code results in this attack* and how to *securely
> code* applications so as to overcome such issues. Answers to these
> questions are what I am trying to provide with the project.
>
That's interesting.
> For example:
>
> How about giving basic SQLi-vulnerable code and telling the users to fix
> it? Then we can test it by trying to inject, and if the database dumps
> unusual results, that means the fix is not correct (I haven't personally
> tried implementing this but I think it's possible. Please correct me if I
> am wrong.).
>
We've tried implementing secure coding challenges in the past, but in the 
end we decided that having user-submitted PHP code on the server is 
quite tricky to secure. There are some tools out there that have managed 
to do that securely (hack.me from elearn being one of them). However, as 
far as I know their solution is based on a substantial infrastructure 
which is hard to distribute to users and let them maintain themselves.

However, as part of the OWASP Winter Code Sprint we have a team of students 
implementing our first ever web sandbox using Linux containers and QEMU. 
If all goes well we will have a functioning way to sandbox user code by 
the end of spring.
Then we can start implementing defensive challenges with the unit test 
approach you describe.

> If implementing the above idea is difficult, how about a small variety like
> this: http://www.gameofhacks.com ? The basic idea is to give them
> vulnerable code and tell them to identify which kind of issue exists within
> a particular type of code. Once he/she gives the correct answer, we can
> provide a much more detailed explanation of why it happens and how it can
> be tackled by secure coding (imho implementing this in order of difficulty
> will really help students learn the concepts). Similarly we can implement
> defensive challenges for a wide variety (covering the entire OWASP Top 10).

You mean something like a questionnaire?
Sure, why not? We have a ticket for a questionnaire creation plugin which 
can be used to provide the functionality you describe.

>
> The objective I have in mind is that secure coding must be taught to
> students along with techniques on how to attack them. We have too many
> applications out there which we can actually try attacking and
> exploiting. Also we have CTF competitions where we again attack the
> applications and exploit them but don't fix them. I haven't seen any
> good application giving importance to secure coding and teaching students
> how to code securely so that issues like XSS or SQLi can be prevented
> (which I think is a really important task).
>
I fully agree with you. From what little experience I have, the security 
industry focuses more on attack and exploitation and less on proper 
fixing and how to write comprehensive security tests. We could fill that 
gap once we have the required infrastructure.

(Note: we could add fuzzing tests and security unit tests for Hackademic 
itself as part of GSoC)

> I am thinking of further ideas on how I can improve this so that it could
> be more beneficial for the students who use Hackademic for learning the
> concepts of appsec. It would be great to get feedback on this idea.
>
Thanks for taking the time to think about this problem. We essentially 
need a way to restrict PHP access to the server and allow each user 
to have his own private place on the server (off the top of my head the 
only way to do it is Docker or LXC, but maybe I'm missing something).
There are applications which do what we want outside security, like 
HackerRank or SourceLair; I think they use Docker.

Otherwise we could limit PHP execution somehow and only allow certain 
functions, but unless we have a PHP guru doing this (if it's possible) 
the platform becomes "Hack the server using only the allowed set of 
functions".


> Thanks,
>
>
>
> _______________________________________________
> Owasp-hackademic-challenges mailing list
> Owasp-hackademic-challenges at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-hackademic-challenges
>
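As an added illustration of the "fix the SQLi and we test it by trying to inject" idea and the unit-test grading approach discussed above (this is example code written for this page, not Hackademic's own code): a tiny grader that hands a student a string-concatenated query, accepts a submitted lookup function, and passes it only if legitimate lookups still work and the usual injection probes return no rows. It uses Python and an in-memory SQLite database so it runs offline; the table, seed rows, probe strings and function names are all constructed for this example, and the grader assumes the submitted function already runs inside the per-user sandbox the thread talks about.

```python
import sqlite3

# Constructed sample data: a tiny users table for the challenge sandbox.
SEED_ROWS = [
    (1, "alice", "s3cret-alice"),
    (2, "bob", "s3cret-bob"),
]


def make_db():
    """Create a fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


# The "before" snippet the student is handed: the query is built by string
# concatenation, so a quote in the username changes the meaning of the SQL.
def lookup_vulnerable(conn, username):
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# A correct submission: the username is bound as a parameter, so the database
# never parses it as SQL.
def lookup_fixed(conn, username):
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Probe inputs the grader tries against a submission (constructed for this
# example). None of them is a real username, so a correct lookup returns no
# rows for any of them.
INJECTION_PROBES = [
    "' OR '1'='1",   # tautology that would match every row
    "alice' --",     # comments out the closing quote
]


def grade(lookup):
    """Return (passed, reason) for a submitted lookup(conn, username)."""
    conn = make_db()
    try:
        # Functional check first: a "fix" that breaks the feature does not pass.
        if lookup(conn, "alice") != [(1, "alice")]:
            return False, "legitimate lookup no longer returns the right row"
        for probe in INJECTION_PROBES:
            try:
                rows = lookup(conn, probe)
            except sqlite3.Error:
                rows = []  # a query error leaks nothing, which is acceptable
            if rows:
                return False, f"probe {probe!r} returned {len(rows)} row(s)"
        return True, "legitimate lookup works and every probe returned no rows"
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        passed, reason = grade(fn)
        print(f"{name}: {'PASS' if passed else 'FAIL'} ({reason})")
```

The functional check matters as much as the probes: without it a student could "pass" by returning an empty list unconditionally. For a real challenge the probe list would be hidden from the submission and the grader would run with the same sandboxing as the student code, since the grader itself executes whatever was submitted.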