We know how important it is to stay up to date on security issues and vulnerabilities, and that cybersecurity training has to be continuous. That’s why we’re constantly adding new content to the Adversary training platform. We recently added six new missions, each tackling an OWASP Top 10 category from a different angle. The issue types covered are:
- Unvalidated Redirects and Forwards (OWASP 2013 A10)
- Insufficient Logging and Monitoring (OWASP 2017 A10)
- Insecure Deserialization (OWASP 2017 A8)
- Sensitive Data Exposure (OWASP 2017 A3)
- Broken Authentication and Session Management (OWASP 2013 A2)
If you are already a customer of Adversary, you can jump right in and try them out. If not, sign up for a trial to try out our free missions.
On top of that, we’ve added some exciting new features for supervisors including campaign templates and the ability to allow your team members to use a nickname when playing in Adversary.
Read on to find out more.
Trivia: Unvalidated redirects and forwards
Forwards and redirects are commonly used in web applications to send a user on to another page, either elsewhere on the same site or on an external one, typically after login or a form submission. If an attacker can make the site redirect users to a destination the developers never intended, the site’s trusted domain lends credibility to the attacker’s page: a phishing scam becomes far more convincing, user credentials can be harvested, and the redirect may expose internal pages that were never meant to be reachable.
To demonstrate this, we built the Trivia mission. Trivia is a website that uses redirects incorrectly. Within this website there is a private space, which is not meant to be accessed by the average user. The goal of this mission is to gain unauthorized access to this private space.
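The following is an added example, not code from the Adversary missions, showing the open-redirect bug in its usual form (a `next` parameter used verbatim) next to a validating version. The host name `trivia.example` is an assumption; the page names no domain. The safe version resolves the parameter against the site’s own origin, rejects anything that does not stay on that host over https, and returns only a relative path, so the classic bypasses (`//attacker.example`, `user@host`, `javascript:`, backslashes, and a quadruple-slash path) all fall back to `/`.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical host for the Trivia site (assumption; the page names no domain).
SITE_HOST = "trivia.example"
SITE_ORIGIN = "https://" + SITE_HOST
FALLBACK = "/"


def redirect_target_vulnerable(next_url: str) -> str:
    """The bug this mission is built around: the 'next' parameter is used
    verbatim, so /login?next=https://attacker.example sends users off-site."""
    return next_url


def redirect_target_safe(next_url: str) -> str:
    """Resolve 'next' against our own origin and accept it only if the result
    still points at our host over https. Anything else becomes '/'.
    A relative path is returned, never an absolute URL, so nothing that
    slips through can carry a foreign host."""
    if not next_url:
        return FALLBACK
    # Browsers normalise control characters and backslashes in ways the
    # Python parser does not ('/\attacker.example' becomes '//attacker.example').
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return FALLBACK
    parts = urlsplit(urljoin(SITE_ORIGIN + "/", next_url))
    if parts.scheme != "https" or parts.hostname != SITE_HOST:
        return FALLBACK  # //attacker.example, user@host tricks, javascript:, http://
    path = parts.path or "/"
    if path.startswith("//"):
        return FALLBACK  # '////attacker.example' survives urljoin as a '//' path
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for candidate in ("/account", "//attacker.example/login",
                      "https://trivia.example@attacker.example/", "javascript:alert(1)"):
        print(f"{candidate!r:48} -> {redirect_target_safe(candidate)!r}")
```

The important design choice is the last line of the safe function: even after validation, emit a path rather than the reconstructed absolute URL, because parser and browser disagree about edge cases and a path cannot name another host.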
System breach: Insufficient logging and monitoring
In the 2017 OWASP Top 10, “Insufficient Logging and Monitoring” was added in tenth place (A10). Why? Because regardless of how well you secure your application, it will be attacked, so your ability to detect and respond to a security incident is critical. Accurately logging server requests matters, but the data is of little use if nobody looks at it continuously. IBM’s Cost of a Data Breach study put the average time to identify a breach at 196 days. That is far too long: reacting quickly is what stops or limits the damage once a system has been breached.
In this mission, you are placed in a shell with a log file containing all requests to your website. There has been a system breach and it is now up to you to analyze the log and locate the suspicious activity.
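The kind of analysis this mission asks for can be scripted, and the following added example (not part of the mission or the Adversary platform) does so over a constructed web-server access log in the common combined format. The log lines, IP addresses, and thresholds are all made up for illustration. The script parses each line, decodes the request path, and flags three things a responder looks for first: traversal and injection patterns in the path, a known scanner user agent, and a burst of 404s from one address, which is what forced browsing of `/admin`, `/.env`, `/backup.zip` and friends looks like.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in combined log format (not the mission's log). The second
# address probes for files, tries SQL injection, then reads /etc/passwd (200!).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:01:05 +0000] "GET /blog/post-1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2019:10:02:11 +0000] "GET /admin HTTP/1.1" 404 210 "-" "sqlmap/1.3"
198.51.100.23 - - [12/Mar/2019:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "sqlmap/1.3"
198.51.100.23 - - [12/Mar/2019:10:02:12 +0000] "GET /.env HTTP/1.1" 404 210 "-" "sqlmap/1.3"
198.51.100.23 - - [12/Mar/2019:10:02:13 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "sqlmap/1.3"
198.51.100.23 - - [12/Mar/2019:10:02:14 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "sqlmap/1.3"
198.51.100.23 - - [12/Mar/2019:10:02:20 +0000] "GET /search?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/1.3"
198.51.100.23 - - [12/Mar/2019:10:02:31 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1839 "-" "curl/7.64"
203.0.113.7 - - [12/Mar/2019:10:03:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Patterns are matched against the URL-decoded path, so %27 / %2e%2e do not hide them.
SUSPICIOUS_PATH = [
    ("path traversal", re.compile(r"\.\./|/etc/passwd", re.I)),
    ("sql injection", re.compile(r"'\s*(or|and)\s|union\s+select|sleep\(", re.I)),
    ("sensitive file probe", re.compile(r"/\.env$|/\.git/|\.(bak|zip|sql)$", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|dirbuster|gobuster", re.I)
NOT_FOUND_THRESHOLD = 5  # 404s from one address before we call it enumeration (assumption)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(text):
    """Return {ip: [finding, ...]} for every address that tripped an indicator."""
    findings = defaultdict(list)
    not_found = Counter()

    def note(ip, msg):
        if msg not in findings[ip]:
            findings[ip].append(msg)

    for e in parse_log(text):
        ip, decoded = e["ip"], unquote(e["path"])
        for label, rx in SUSPICIOUS_PATH:
            if rx.search(decoded):
                # Keep the status: a 200 on a traversal means it worked.
                note(ip, f"{label}: {e['method']} {decoded} -> {e['status']}")
        if SCANNER_UA.search(e["ua"]):
            note(ip, f"scanner user-agent: {e['ua']}")
        if e["status"] == "404":
            not_found[ip] += 1
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            note(ip, f"{n} 404 responses (forced browsing / directory enumeration)")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        print(ip)
        for n in notes:
            print("  -", n)
```

In a real investigation the same three indicators are what you pivot on: once one address is flagged, pull every line it produced, in order, and look for the first request that succeeded where the earlier ones failed.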
Vap0r Forums: insecure deserialization
Pickle is Python’s built-in module for serializing objects into a byte stream so they can be stored or sent and reconstructed later. It was never designed with security in mind: a pickle is effectively a small program that tells the unpickler which callables to invoke, and the documentation explicitly states to never “unpickle data received from an untrusted or unauthenticated source”. Because developers don’t always read the documentation, this type of issue is seen regularly.
Deserializing attacker-controlled data can lead to remote code execution, one of the most serious outcomes an attacker can achieve.
Vap0r Forums is a website we created within Adversary where users can make posts for others to read. The session data, however, has been stored in an insecure way. Your goal for this mission is to exploit the vulnerability hidden within the session in order to gain access to sensitive information.
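The following is an added example, not code from Vap0r Forums or the Adversary platform, that shows why the warning in the pickle documentation is literal. The session layout (a plain dict) and the gadget payload are assumptions for illustration: the gadget’s `__reduce__` tells the unpickler to call `eval` on a string, so `pickle.loads` runs attacker code before any application logic sees the data. The payload here only evaluates to the process id; a real one would spawn a shell. The restricted unpickler, adapted from the pattern in the Python documentation, refuses every global lookup except an explicit allow-list, which stops the gadget. That is defence in depth; the actual fix for a forum session is to keep the state server-side under a random session id, or to use a format like JSON that cannot name callables.

```python
import io
import os
import pickle


class Gadget:
    """Pickle asks __reduce__ how to rebuild an object. Answering 'call eval on
    this string' means loads() runs the string. A real payload would spawn a
    shell; this one just evaluates to the current process id (assumption)."""
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def unsafe_load(blob: bytes):
    """The vulnerable pattern: pickle.loads on bytes the client controls."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only globals on the allow-list may be resolved. A legitimate session
    (dicts, strings, ints, sets) needs none of builtins.eval, os.system, ...
    so any other lookup is an attack and is refused."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Returns (code_ran_on_unsafe_load, username_from_safe_load, exploit_blocked)."""
    legit = pickle.dumps({"username": "alice", "roles": {"member"}})  # constructed session
    malicious = pickle.dumps(Gadget())  # what an attacker would place in the cookie
    code_ran = unsafe_load(malicious) == os.getpid()   # eval executed inside loads()
    user = safe_load(legit)["username"]                # benign data still round-trips
    try:
        safe_load(malicious)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return code_ran, user, blocked


if __name__ == "__main__":
    print(demo())
```

Note that the pickle never has to reference the `Gadget` class itself; it only records “call `builtins.eval` with this argument”, which is why the allow-list on global lookups is the right place to intervene and why scanning for suspicious class names is not.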
Insecure storage: sensitive data exposure
Insecure cryptographic storage occurs when sensitive data is stored without adequate protection: in plaintext, under a weak or home-grown algorithm, or with the key sitting next to the data. Weak or home-grown algorithms should never be used to encrypt data. Certain data should not be stored at all, whatever the encryption; the security code on a credit card is the classic example, and PCI DSS forbids retaining it after authorization.
In the insecure storage mission, we created an online shopping website that holds user data that should never be kept, such as the security code on a credit card. Your goal is to find this repository of data and crack the weak encryption scheme protecting it.
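As an added example, not the mission’s actual scheme or data, here is why “home-grown encryption” of card data does not survive contact with an attacker who has an account. The shop is assumed to XOR each record with a fixed 8-byte key (a common roll-your-own choice); the key, the card numbers and the CVVs below are constructed. Because XOR is its own inverse, one record whose plaintext the attacker knows (their own card) yields the keystream, the period of that keystream reveals the key length, and the key then decrypts every other customer’s record.

```python
# Constructed example of a home-grown scheme and how a known-plaintext attack breaks it.
KEY = b"s3cr3tk!"  # hypothetical fixed key, hard-coded in the shop application


def homegrown_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: c[i] = p[i] ^ key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


homegrown_decrypt = homegrown_encrypt  # XOR is its own inverse

# The shop's "encrypted" card table; records are 'PAN|CVV' (constructed data).
STORED = {
    "alice": homegrown_encrypt(b"4111111111111111|123", KEY),
    "bob": homegrown_encrypt(b"5500000000000004|987", KEY),
    "mallory": homegrown_encrypt(b"4012888888881881|555", KEY),
}


def keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """c = p ^ k  =>  k = p ^ c: the attacker's own record leaks the keystream."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def guess_key_len(stream: bytes, max_len: int = 32):
    """A repeating key makes the keystream periodic; the smallest period is the key length."""
    for n in range(1, max_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return None


def crack_all(attacker_name: str, attacker_plaintext: bytes) -> dict:
    """Recover the key from the attacker's own record, then decrypt everyone's."""
    stream = keystream(attacker_plaintext, STORED[attacker_name])
    n = guess_key_len(stream)
    if n is None:
        raise ValueError("keystream is not periodic within max_len; not a repeating key")
    key = stream[:n]
    return {user: homegrown_decrypt(ct, key).decode() for user, ct in STORED.items()}


if __name__ == "__main__":
    # Mallory registered her own card, so she knows one plaintext/ciphertext pair.
    for user, record in crack_all("mallory", b"4012888888881881|555").items():
        print(f"{user:8} {record}")
```

The recovery takes one line per step, which is the point: a scheme whose security rests on the attacker never learning a single plaintext is not a cipher. The remedy for the CVV is not a better algorithm but not storing it; for the card number, tokenization through the payment provider, or a vetted authenticated cipher from a maintained library with the key held outside the database.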
Email 1.5: broken authentication
Broken authentication and session management covers flaws in how an application verifies who a user is and how it keeps track of that user from one request to the next. The vulnerability usually arises when a developer implements their own (insecure) authentication or session handling instead of using a well-tested framework or library.
A web session, usually referenced by a cookie, ties incoming requests to a logged-in user and records attributes such as their username and access rights; the password itself should never be kept there. When the session identifier is predictable, or when session state lives on the client without integrity protection, an attacker can take over a user’s account, for example by changing values in their own session to those that belong to the victim.
In the Email 1.5 mission, you are tasked with gaining access to an Email account with its own Email client. Do you think you can hack it?
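The following added example, not the Email 1.5 application, contrasts the two session designs described above. The cookie formats and the secret are assumptions. In the insecure design the cookie is the session state (`user=...; role=...`), so a user who edits it becomes whoever they like. In the safer design the cookie carries only a random, unguessable identifier signed with an HMAC; all state stays server-side, a tampered or forged cookie fails the signature check, and logout actually invalidates the session because the server forgets it.

```python
import hashlib
import hmac
import secrets


# --- Insecure: the cookie IS the session, and nothing stops the client editing it.
def insecure_cookie(username: str, role: str) -> str:
    return f"user={username}; role={role}"


def insecure_whoami(cookie: str):
    """Trusts the cookie verbatim: 'user=alice; role=admin' typed by Mallory is accepted."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    return fields["user"], fields["role"]


# --- Safer: opaque random session id, signed, with all state held server-side.
SECRET_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption: loaded from config)
SESSIONS = {}                         # server-side store; a real app would use Redis or a DB


def _sign(sid: str) -> str:
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def create_session(username: str, role: str) -> str:
    """256 bits from the OS CSPRNG: not guessable, not derived from the username."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": role}
    return f"{sid}.{_sign(sid)}"


def whoami(cookie: str):
    """Returns (user, role) for a valid, live session; None for anything else."""
    sid, _, sig = cookie.rpartition(".")
    if not sid or not sig or not hmac.compare_digest(sig, _sign(sid)):
        return None  # edited, forged, or malformed cookie
    state = SESSIONS.get(sid)
    return (state["user"], state["role"]) if state else None


def logout(cookie: str) -> None:
    sid, _, _ = cookie.rpartition(".")
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    print(insecure_whoami("user=alice; role=admin"))   # Mallory wrote this cookie herself
    c = create_session("mallory", "user")
    print(whoami(c))
    print(whoami(c[:-1] + ("0" if c[-1] != "0" else "1")))  # one changed character: None
```

The signature alone would not be enough if the identifier were guessable (a sequential number, a hash of the username), which is why the random id and the HMAC are both needed: the first stops prediction, the second stops tampering, and the server-side store makes both revocable.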
The book basement: sensitive data exposure
Sometimes certain areas of a website should only be accessible with particular access rights. One way of limiting access to outside users is to accept requests only from localhost. If the check is implemented incorrectly, for instance by trusting a client-supplied header such as X-Forwarded-For instead of the address the connection actually came from, it can be bypassed, opening up parts of the website that should never have been reachable from the public internet.
In the book basement mission, the object of the game is to get access to the private space of a website with a library of fantasy books. Do you think you can penetrate it and wreak some havoc?
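As an added example, not the book basement application, the check below is written twice: once trusting `X-Forwarded-For` ahead of the peer address, which any client can forge with `curl -H 'X-Forwarded-For: 127.0.0.1'`, and once using the header only when the connection comes from the site’s own reverse proxy, and then only the rightmost entry, which that proxy appended itself. The proxy address is an assumption.

```python
import ipaddress

# Hypothetical reverse proxy in front of the application (assumption).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
XFF = "X-Forwarded-For"


def is_local_vulnerable(remote_addr: str, headers: dict) -> bool:
    """Believes the header before the socket: a forged 'X-Forwarded-For: 127.0.0.1'
    from 203.0.113.9 passes as localhost."""
    claimed = headers.get(XFF, remote_addr).split(",")[0].strip()
    try:
        return ipaddress.ip_address(claimed).is_loopback
    except ValueError:
        return False


def client_ip(remote_addr: str, headers: dict) -> ipaddress._BaseAddress:
    """The peer address is authoritative. Only when the peer is our own proxy do we
    read X-Forwarded-For, and then only its last element: proxies append the address
    they saw, so everything to the left was supplied by the client."""
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and XFF in headers:
        try:
            return ipaddress.ip_address(headers[XFF].split(",")[-1].strip())
        except ValueError:
            return peer  # malformed header: fall back to the proxy itself (not loopback)
    return peer


def is_local_safe(remote_addr: str, headers: dict) -> bool:
    return client_ip(remote_addr, headers).is_loopback


if __name__ == "__main__":
    spoof = {XFF: "127.0.0.1"}
    print("vulnerable:", is_local_vulnerable("203.0.113.9", spoof))  # True: bypassed
    print("safe:      ", is_local_safe("203.0.113.9", spoof))        # False
```

If the application is not behind a proxy at all, `TRUSTED_PROXIES` should be empty and the header ignored entirely; and if the proxy can be reached directly, the check must additionally be enforced at the proxy, since a local-only route that the proxy forwards for everyone is local in name only.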
New features for supervisors
On top of the new missions, we’ve also added a couple of new features for supervisors: one to set up campaigns more quickly, and one to customize how team members’ names appear in the platform.
One of the great things about the Adversary training platform is that supervisors can set up custom campaigns for their team members. Creating a campaign allows you to pick and choose the topics and missions you’d like your team to learn more about and set up a time frame for it to be completed.
Setting up campaigns, however, can be time consuming, so we’ve gone ahead and added a campaign template covering the OWASP Top 10 essentials and we plan on adding more templates in the near future. To use the template, simply click USE A TEMPLATE in the campaign creation view.
Nicknames for users
We all know that sometimes it’s more fun to play a game under a different name. For supervisors, however, that is not always practical: you need to be able to see the performance of your team. In response, we’ve made it possible for supervisors to allow their team members to use a nickname in Adversary. Users can have fun with their names without being able to change the real name in their profile.
If you choose to enable this feature, then you will still see the real name of the user when you hover over their nickname.
To enable this, simply navigate to the ORGANIZATION SETTINGS under organization in the menu on the left and click the box to allow user nicknames. After doing so, users will be able to modify their nickname in their profile settings.
Now that you know what’s new, go and check them out and feel free to let us know what you think.
We’re constantly updating the Adversary training platform for development teams. Stay tuned for future updates, or go ahead and sign up to get notified.