OWASP/SecureCodingDojo

Bypass Challenges for Learners

wyrmboy12 opened this issue · 6 comments

We are setting this up on an internal network for our development team. As a minimum requirement, we are setting goals for them to complete the Secure Code Review badge and get to Purple Belt in the Black belt course. I have 2 minor issues:

  1. I'm not seeing any notification or receiving badges when you complete the various belts. Do you actually receive badges for completing yellow belt, orange belt, etc.? If so, how do I turn that on or troubleshoot that aspect?

  2. We are not allowing users to download tools on the device where we have the Dojo setup. It's not a problem in the Blackbelt course until you get to the Blackbelt section itself. For the [CWE 502] module it seems you need to download ysoserial and generate a base64 encoded gadget for users to try and upload as a bypass for this challenge. I'd like to manually mark this complete for users as we have no way to overcome this limitation right now and you cannot complete the black belt badge even if you wanted to.

Is there some way to overcome this or mark this particular module completed for a user?

Hi @wyrmboy12

  1. It is not possible to issue badges for lower levels. Only the full module. To get notifications you would need to change the code here to call a Slack web hook https://github.com/OWASP/SecureCodingDojo/blob/main/trainingportal/challenges.js#L449
  2. You can remove challenges by editing the definitions file here https://github.com/OWASP/SecureCodingDojo/blob/main/trainingportal/static/lessons/blackBelt/definitions.json

You can remove the 502 challenge and you can as a matter of fact remove anything else following Purple belt. Then people can receive a badge. You can modify the Badge to be Purple here https://github.com/OWASP/SecureCodingDojo/blob/main/trainingportal/static/lessons/modules.json#L23

Appreciate the feedback. I'll test that out. One other question for you. When logging into the Dojo, I cannot see the RedBlue Team App, or anything other than the Security Code Review / BlackBelt I modules. How do I open up and make the other resources available to the Devs?

I made the changes you suggested for the definitions.json file in the training portal /static/lessons/blackbelt directory. I verified the file again before bringing the environment up (the CWE502 is removed in the file, there are no bracket / syntax errors in the file) but the module is still present when I log in. Do I have to restart the environment in a certain way to make the changes take effect?
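A quick check of an edited definitions.json, added here as an example and not part of the original thread or of the SecureCodingDojo project: it confirms the file still parses and lists every string value that still mentions the CWE being removed, so a leftover entry is caught before the container is restarted. The sample document and its layout are constructed assumptions; the real schema is the one in the repository.

```python
import json
from pathlib import Path

# Constructed sample: the real definitions.json schema is not shown in the
# thread, so this only assumes a JSON document whose challenge entries carry
# strings (id, name) that mention the CWE they cover.
SAMPLE_DEFINITIONS = """
{
  "levels": [
    {"name": "Purple Belt", "challenges": [
      {"id": "cwe89", "name": "CWE 89 - SQL Injection"}
    ]},
    {"name": "Black Belt", "challenges": [
      {"id": "cwe502", "name": "CWE 502 - Deserialization of Untrusted Data"},
      {"id": "cwe79", "name": "CWE 79 - Cross-site Scripting"}
    ]}
  ]
}
"""

def find_strings(obj, needle, path="$"):
    """Return JSON paths of every string value containing `needle` (case-insensitive)."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits += find_strings(value, needle, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits += find_strings(value, needle, f"{path}[{index}]")
    elif isinstance(obj, str) and needle.lower() in obj.lower():
        hits.append(path)
    return hits

def check_definitions(text, needle="502"):
    """Parse the definitions text and report where `needle` still appears.
    Returns (parsed_ok, error_message, hit_paths)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as err:
        return False, f"syntax error at line {err.lineno}, col {err.colno}: {err.msg}", []
    return True, "", find_strings(data, needle)

def check_file(path, needle="502"):
    """Same check against a definitions.json on disk."""
    return check_definitions(Path(path).read_text(encoding="utf-8"), needle)

if __name__ == "__main__":
    ok, err, hits = check_definitions(SAMPLE_DEFINITIONS)
    print("parsed:", ok, err)
    for hit in hits:
        print("still references 502 at", hit)
```

Run `check_file("trainingportal/static/lessons/blackBelt/definitions.json")` against the edited copy; an empty hit list with `parsed_ok` true means the challenge is really gone from the file.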

@wyrmboy12 If you don't rebuild the whole project then you can put the config.json file in the $DATA_DIR and restart the trainingportal container for changes to take effect. Otherwise you need to rebuild using ./trainingportal/buildTrainingPortal.sh

In my case the java -jar ysoserial.jar CommonsCollections6 'touch /tmp/YOUR_FILE_NAME'|base64 is not doing anything... Is this normal?

@aralroca when I ran java -jar ysoserial.jar CommonsCollections6 'touch /tmp/YOUR_FILE_NAME'|base64 on an M1 Mac, I had the same experience. But when I ran the command on Ubuntu Linux, it worked.