Filesync and Era Literaria: Realistic Open Source Webs To Develop Web Security Skills

  • Jose Manuel Redondo Lopez Department of Computer Science, University of Oviedo, C/Calvo Sotelo S/N Oviedo (Asturias), 33007, Spain
  • Leticia Del Valle Varela GADD Grupo Meana S. A., Palacio de Lieres s/n Lieres (Asturias), 33580, Spain
Keywords: Web security, pentesting, OWASP, vulnerability, training

Abstract

A great variety of services and applications are currently offered through web sites. Unfortunately, this has also caused a proliferation of attacks targeting their potential vulnerabilities. Therefore, the demand for security-trained professionals who can identify, prevent and remediate security vulnerabilities is increasing rapidly, as is the need for adequate training tools that show how real attacks are performed and prevented. In this paper we describe the design, implementation and usage examples of two websites designed to facilitate web security training. These websites have a realistic set of features and have been developed using different popular technologies. They deliberately incorporate examples of a large subset of common security vulnerabilities, complemented with learning and training materials. They are also open source, which allows customizations and adaptations to different scenarios and facilitates learning secure code development techniques.



Published
2018-09-28
Section
Articles