Machine lab for secure development.
How to get started?
Each application has its own Makefile, which is what you run to bring that application up. The only prerequisites are docker and docker-compose.
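A preflight check that a practitioner would run before invoking a lab's Makefile. This is an added example and not part of this repository's Makefiles: it assumes each lab directory contains a Makefile and that the Makefile drives either the `docker compose` plugin (v2) or the standalone `docker-compose` binary, so it detects whichever one is present and confirms the Docker daemon is reachable before calling `make`.

```shell
#!/bin/sh
# Preflight check before running a lab's Makefile (added example, not part of the lab).
# Assumption: each lab directory holds a Makefile that calls docker-compose.

# have_cmd NAME: exit 0 if NAME is on PATH, 1 otherwise.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# compose_cmd: print the compose invocation available on this host.
# Prefers the v2 plugin ("docker compose"), falls back to the standalone binary,
# returns 1 if neither exists.
compose_cmd() {
    if have_cmd docker && docker compose version >/dev/null 2>&1; then
        echo "docker compose"
    elif have_cmd docker-compose; then
        echo "docker-compose"
    else
        return 1
    fi
}

# check_prereqs: return 0 when docker and a compose implementation are present
# and the Docker daemon answers; otherwise print the reason to stderr and return 1.
check_prereqs() {
    if ! have_cmd docker; then
        echo "docker not found in PATH" >&2
        return 1
    fi
    if ! compose_cmd >/dev/null; then
        echo "neither 'docker compose' nor docker-compose found" >&2
        return 1
    fi
    if ! docker info >/dev/null 2>&1; then
        echo "docker daemon not reachable (is it running? is your user in the docker group?)" >&2
        return 1
    fi
    return 0
}

# run_lab DIR: run the Makefile of one lab directory after the preflight check.
# Returns 1 without touching make when the directory has no Makefile or a
# prerequisite is missing.
run_lab() {
    if [ ! -f "$1/Makefile" ]; then
        echo "no Makefile in $1" >&2
        return 1
    fi
    check_prereqs || return 1
    make -C "$1"
}

# Usage: run_lab ./path/to/one/lab
```

`make -C DIR` runs the lab's default target from inside its directory, so the check works the same for every application in the table regardless of language.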
OWASP Top 10 2017:
| OWASP category | Language | Application |
|---|---|---|
| A1 - Injection | Golang | CopyNPaste API |
| A1 - Injection | NodeJS | Mongection |
| A1 - Injection | Python | SSType |
| A2 - Broken Authentication | Python | Saidajaula Monster Fit |
| A2 - Broken Authentication | Golang | Insecure go project |
| A3 - Sensitive Data Exposure | Golang | SnakePro |
| A4 - XML External Entities (XXE) | PHP | ViniJr Blog |
| A5 - Broken Access Control | Golang | Vulnerable Ecommerce API |
| A5 - Broken Access Control | NodeJS | Tic-Tac-Toe |
| A6 - Security Misconfiguration | PHP | Vulnerable Wordpress Misconfig |
| A6 - Security Misconfiguration | NodeJS | Stegonography |
| A7 - Cross-Site Scripting (XSS) | Python | Gossip World |
| A7 - Cross-Site Scripting (XSS) | React | Comment Killer |
| A7 - Cross-Site Scripting (XSS) | Angular/Spring | Streaming |
| A8 - Insecure Deserialization | Python | Amarelo Designs |
| A8 - Insecure Deserialization | PHP | Admin Login |
| A9 - Using Components With Known Vulnerabilities | PHP | Cimentech |
| A9 - Using Components With Known Vulnerabilities | PHP | Admin PHP |
| A10 - Insufficient Logging & Monitoring | Python | GamesIrados.com |
| A10 - Insufficient Logging & Monitoring | PHP | My Blog |
References
Based on b3d3cLabs. Wordlists taken from https://github.com/danielmiessler/SecLists.