OWASP Resources for Security Education and Training
Introduction:
When we security engineers train our employees, giving trainees hands-on experience of exploiting vulnerabilities teaches far more than explaining the concepts alone. In this article I introduce both offline and online services for practice. Before that, I need to explain OWASP first.
OWASP Top 10
The Open Web Application Security Project (OWASP) publishes research and guidelines on application security to help improve security worldwide. Alongside the research, it also publishes security testing tools.
Every few years, OWASP publishes a ranking of the ten most critical web application security risks as the "OWASP Top 10", a useful report for security engineers who want to follow the trend of security threats. At the time of writing, the latest edition is the 2021 release.
In addition to the report, OWASP also publishes intentionally vulnerable applications in which you can try each of the Top 10 attack methods yourself.
Punching bags for security engineers (offline)
These tools are web servers that are intentionally vulnerable to the OWASP Top 10 attacks, built for security training and education. They come in two forms: Juice Shop and OWASP BWA.
Juice Shop
Juice Shop is a mock online shopping site in which you can try the attack methods yourself and learn what to watch out for. Start by doing some normal shopping or fuzzing, and observe the click behaviour, page loading, and error alerts. Juice Shop is still maintained, so updates can be expected. Its scenario is more realistic than that of OWASP BWA.
There are many ways to build it. The easiest is the official Docker image, which serves the shop on port 3000 by default. OWASP also runs a demo site where you can see what it looks like (but which is not meant to be attacked).
OWASP BWA
This is an older project and it appears that OWASP no longer maintains it. However, I think it is still useful: the attack pages are categorised by the OWASP Top 10 methodology and are easy to hack, which makes it good for beginners' education. OWASP BWA has been removed from the official page, but you can still download the images from SourceForge.
Both .ova and .zip files are available. The .ova file can be imported into common virtualisation platforms. For example, in Oracle VirtualBox, open the File menu, select Import Appliance and choose the .ova file.
Launch OWASP BWA, log in on the VM console and note the IP address shown there. For example, if it is 192.168.1.12, open a browser on the host PC, go to http://192.168.1.12/ and you will see the main menu. Because the VM is deliberately vulnerable, attach it to a host-only or otherwise isolated network rather than exposing it to your LAN or the internet.
Go to OWASP Mutillidae II, where you can try attacks against an older edition of the OWASP Top 10. For example, let's try SQL injection.
Navigate OWASP 2017 > A1 Injection > SQLi extract data > User info(SQL).
The page offers a login form with username and password fields. First try the obvious: guess bad passwords, brute force, and so on. Then enter just a single quote (') in the username field. The resulting error message suggests that SQL injection might work. Then try the most typical payload, ' OR 1 = 1 -- (note the trailing space after the double dash: MySQL, which Mutillidae runs on, only treats -- as a comment when it is followed by whitespace). It should work and return every user's record.
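To show what is happening behind that login form, here is an added example (my own code, not part of Mutillidae or the original article) that reproduces the same bug against an in-memory SQLite table with constructed sample users. lookup_vulnerable builds the query by string concatenation, exactly the class of defect the Mutillidae page demonstrates; lookup_safe is the parameterised fix. probe_for_injection performs the article's first check, a lone quote, and reports whether the database choked on it. Table and column names are assumptions for illustration only. One difference from Mutillidae's MySQL backend: SQLite accepts -- as a comment with or without a trailing space, so the payload works here either way.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): a tiny accounts table
    standing in for the Mutillidae 'User Info (SQL)' lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("admin", "adminpass", "g0t r00t?"),
            ("alice", "s3cret", "likes cats"),
            ("bob", "hunter2", "likes dogs"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-concatenated query: user input is parsed as part of the SQL,
    so a quote in the username ends the literal and the rest is live SQL."""
    sql = (
        "SELECT username, signature FROM accounts "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver binds the values as data, so quotes,
    OR 1=1 and comment markers never reach the SQL parser as syntax."""
    sql = "SELECT username, signature FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def probe_for_injection(conn: sqlite3.Connection) -> bool:
    """The article's first check: submit a lone single quote. A database
    error means the input reached the SQL parser unescaped, which is the
    hint that a full injection payload is likely to work."""
    try:
        lookup_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # The payload from the article, trailing space included.
    payload = "' OR 1 = 1 -- "
    print("quote probe raised a DB error:", probe_for_injection(db))
    print("vulnerable lookup with payload:", lookup_vulnerable(db, payload, "anything"))
    print("safe lookup with same payload:  ", lookup_safe(db, payload, "anything"))
```

Run it and the vulnerable lookup returns all three accounts for the payload, while the parameterised version returns nothing because it looks for a user literally named ' OR 1 = 1 -- . The quote probe raises an OperationalError, which is the same signal the Mutillidae error page gives you.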
Other online services
There are also some online platforms for building security skills.
Hack The Box and TryHackMe are security learning platforms, especially for offensive security expertise. Both can be used for free, but you need to register, and you should prepare a Kali Linux virtual machine on either VMware or Oracle VirtualBox.
- Janibasha
We also have some more articles on how to mitigate them using our F5 products as below