/skills-secure-code-game

My clone repository

Primary LanguagePythonMIT LicenseMIT

Secure Code Game

A GitHub Security Lab initiative, providing an in-repo learning experience, where learners secure intentionally vulnerable code. At the same time, this is an open source project that welcomes your contributions as a way to give back to the community.

Welcome

  • Who is this for: Developers, students.
  • What you'll learn: How to spot and fix vulnerable patterns in real-world code, build security into your workflows, and understand security alerts generated against your code.
  • What you'll build: You will develop fixes on functional but vulnerable code.
  • Prerequisites: In this course, you will need some knowledge of python3 for most levels and C for Level 2.
  • How long: This course is five levels long and takes 8-10 hours to complete.

How to start this course

start-course

  1. Right-click Start course and open the link in a new tab.
  2. In the new tab, most of the prompts will automatically fill in for you.
    • For owner, choose your personal account or an organization to host the repository.
    • We recommend creating a public repository, as private repositories will use Actions minutes.
    • Scroll down and click the Create repository button at the bottom of the form.
  3. After your new repository is created, wait about 20 seconds, then refresh the page. Follow the step-by-step instructions in the new repository's README.

🛠️ The set up

🖥️ Using codespaces

All levels are configured to run instantly with GitHub Codespaces. If you chose to use codespaces, be aware that this course will count towards your 60 hours of monthly free allowance. For more information about GitHub Codespaces, see the "GitHub Codespaces overview." If you prefer to work locally, please follow the local installation guide in the next section.

  1. To create a codespace, click the Code drop down button in the upper-right of your repository navigation bar.
  2. Click Create codespace on main.
  3. After creating a codespace wait for all background installations to complete. This should take less than two minutes.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

💻 Local installation

Please note: You don't need a local installation if you are using GitHub Codespaces.

The following local installation guide is adapted to Debian/Ubuntu and CentOS/RHEL.

  1. Open your terminal.
  2. Install OpenLDAP headers needed to compile python-ldap, depending on your Linux distribution. Check by running:
uname -a
  • For Debian/Ubuntu, run:
sudo apt-get update
sudo apt-get install libldap2-dev libsasl2-dev
  • For CentOS/RHEL, run:
sudo yum install python-devel openldap-devel
  • For Archlinux, run:
sudo pacman -Sy libldap libsasl
  • Then, for all of the above Linux distributions install pyOpenSSL by running:
pip3 install pyOpenSSL

Once installation has completed, clone your repository to your local machine and install required dependencies.

  1. From your repository, click the Code drop down button in the upper-right of your repository navigation bar.
  2. Select the Local tab from the menu.
  3. Copy your preferred URL.
  4. In your terminal, change the working directory to the location where you want the cloned directory.
  5. Type git clone and paste the copied URL.
$ git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY
  1. Press Enter to create your local clone.
  2. Change the working directory to the cloned directory.
  3. Install dependencies by running:
pip3 install -r requirements.txt

For more information about cloning repositories, see "Cloning a repository."

Level 1: Black Friday

Welcome to "Secure Code Game"! 👋

📝 Storyline

A few days before the massive shopping event Black Friday, an electronics shop without an online presence rushed to create a website to reach a broader customer base. As a result, they spent all their budget on development without investing in security. Do you have what it takes to fix the bug and progress to Level 2?

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.py will fail initially, your goal is to get this file to pass.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass after you have implemented your fix.

🚦 Time to start!

  1. Review the code in code.py. Can you spot the bug?
  2. Try to fix the bug. Ensure that unit tests are still passing.
  3. You successfully completed the level when both hack.py and tests.py pass 🟢.
  4. If you get stuck, read the hint in the hint.js file.
  5. Compare your solution with solution.py.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Level 2: Matrix

You have completed Level 1: Black Friday! Welcome to Level 2: Matrix. 🎉

By the way, we welcome contributions for new game levels! Learn more here.

📝 Storyline

At the time "The Matrix" was first released in 1999, programming was different. In the movie, a computer programmer named Thomas "Neo" Anderson leads the fight in an underground war against powerful computers who have constructed his entire reality with a system called the Matrix. Do you have what it takes to win that war and progress to Level 3?

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.c will fail initially, your goal is to get this file to pass.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass after you have implemented your fix.

🚦 Time to start!

  1. Keep working inside the same environment as in Level 1
  2. If you skipped Level 1, go back and follow the 🚦 Time to start guide
  3. Review the code in code.h. Can you spot the bug?
  4. Try to fix the bug. Ensure that unit tests are still passing.
  5. The level is completed successfully when both hack.c and tests.c pass. 🟢
  6. If you get stuck, read the hint in the hint.txt file.
  7. Compare your solution with solution.c.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Level 3: Social Network

Nice work finishing Level 2: Matrix! It's now time for Level 3: Social Network. ✨

📝 Storyline

The following fictitious story takes place in the mid-2030s. Authorities worldwide have become more digitized. Various governments are adapting social network technology to fight crime. The goal is to establish local communities that foster collaboration by supporting citizens with government-related questions. Other features include profile pictures, hashtags, real-time support in comments, and public tip sharing. Do you have what it takes to secure the social network and progress to Level 4?

⌨️ Setup instructions

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.py will fail initially, your goal is to get this file to pass.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass after you have implemented your fix.

🚦 Time to start!

  1. The codebase generates several code scanning alerts. Your goal is to resolve these alerts for each level.
  2. Review the code in code.py. Can you spot the bugs?
  3. If you get stuck, read the code scanning alert.
  4. Try to fix the bug. Make your changes and open a pull request to main or push your fix to a branch.
  5. Check the tests and the code scanning results to confirm the alert for this level has now disappeared.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Level 4: Data Bank

Nicely done! Level 3: Social Network is complete. It's time for Level 4: Database. 🥳

By the way, we welcome contributions for new game levels! Learn more here.

📝 Storyline

Databases are essential for our applications. However, malicious actors only need one entry point to exploit a database, so defenders must continuously protect all entry points. Can you secure them all?

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.py will fail initially, your goal is to get this file to pass.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass after you have implemented your fix.

⌨️ Setup instructions

For Levels 3-5, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions setting up code scanning, see "Setting up code scanning using starter workflows."

🚦 Time to start!

  1. The codebase generates several code scanning alerts. Your goal is to resolve these alerts for each level.
  2. Review the code in code.py. Can you spot the bugs?
  3. If you get stuck, read the code scanning alert.
  4. Try to fix the bug. Make your changes and open a pull request to main or push your fix to a branch.
  5. Check the tests and the code scanning results to confirm the alert for this level has now disappeared.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Level 5: Locanda

Almost there! One level to go! ❤️

📝 Storyline

It's a common myth that passwords should be complex. In reality, it's more important that passwords are long. Some people choose phrases as their passwords. Users should avoid common expressions from movies, books, or songs to safeguard against dictionary attacks. Your password may be strong, but for this exercise, a website you have registered with has made a fatal but quite common mistake. Can you spot and fix the bug? Good luck!

⌨️ What's in the repo?

For each level, you will find the same file structure:

  • code includes the vulnerable code to be reviewed.
  • hack exploits the vulnerabilities in code. Running hack.py will fail initially, your goal is to get this file to pass.
  • hint offers a hint if you get stuck.
  • solution provides one working solution. There are several possible solutions.
  • tests contains the unit tests that should still pass after you have implemented your fix.

⌨️ Setup instructions

For Levels 3-5, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions setting up code scanning, see "Setting up code scanning using starter workflows."

🚦 Time to start!

  1. The codebase generates several code scanning alerts. Your goal is to resolve these alerts for each level.
  2. Review the code in code.py. Can you spot the bugs?
  3. If you get stuck, read the code scanning alert.
  4. Try to fix the bug. Make your changes and open a pull request to main or push your fix to a branch.
  5. Check the tests and the code scanning results to confirm the alert for this level has now disappeared.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack, at the #secure-code-game channel.

Finish

Congratulations, you've completed this course!

Here's a recap of all the tasks you've accomplished in your repository:

  • You practiced secure code principles by spotting and fixing vulnerable patterns in real-world code.
  • You assessed your solutions against exploits developed by GitHub Security Lab experts.
  • You utilized GitHub code scanning features and understood the security alerts generated against your code.

What's next?


Get help: Email us at securitylab-social@github.comReview the GitHub status page

© 2023 GitHub • Code of ConductMIT License