This hands-on training lab consists of 10 fun, real-world-like hacking exercises, one for each of the OWASP Top 10 vulnerabilities. Hints and solutions are provided along the way. Although the backend is written in PHP, the vulnerabilities are the same across all web languages, so the training is still relevant even if you don't actively code in PHP.
This iteration of the course has been updated from the original version published by OpenDNS. It can be run self-contained, or as the hands-on portion of a more complete training program.
- Install Docker and make sure it works.
- Start the container by running the following command (select an appropriate host port, 8000 here):

  ```
  docker run -it --rm -p 8000:80 siege/security-ninjas
  ```

- Determine the IP address of your container. Most likely `localhost` will do; if you're using `docker-machine` you will need to determine the VM's IP address.
- The training should be running now.
- Select a browser to use during the lab. Chrome or Firefox are recommended.
- Install a cookie viewer/editor plugin such as Cookies for Chrome or Cookie Manager+ for Firefox.
- Install ZAP and start it.
- Install the FoxyProxy plugin for your browser. Then:
  - Configure a new proxy to use 127.0.0.1:8080 for the pattern "http://localhost:8000/\*" (use the correct location of your docker container).
  - Tell FoxyProxy to "Use proxies based on their pre-defined patterns and priorities."
- Browse to http://localhost:8000 (or wherever the docker container is running).
- Click on the ninja to see the first exercise.
- Kill the docker container with `^C` after you are done.
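The steps above publish a deliberately vulnerable app on every interface of the host (`-p 8000:80`). The helper below is an added example, not part of the Security Ninjas project: it starts the same image bound to loopback only and polls it until it answers, so you know the lab is up before pointing ZAP at it. It assumes `docker` and `curl` are installed; the image name is the one from the command above.

```sh
#!/usr/bin/env sh
# Added helper script (not part of the Security Ninjas project): starts the lab
# published on 127.0.0.1 only, so the intentionally vulnerable app is not
# reachable from the rest of your network, and waits until it answers over HTTP.
# Requires docker and curl. Run with: LAB_AUTOSTART=1 ./start_lab.sh 8000

IMAGE="siege/security-ninjas"

# Succeeds only if $1 is an unprivileged TCP port number (1024-65535).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Prints the docker publish flag for host port $1; bind address $2 defaults to
# 127.0.0.1. docker-machine users must bind 0.0.0.0 (the VM's interfaces) and
# reach the lab at "$(docker-machine ip)" instead of localhost.
publish_flag() {
  valid_port "$1" || return 1
  printf '%s %s:%s:80' -p "${2:-127.0.0.1}" "$1"
}

# Polls http://$1:$2/ until it returns HTTP 200 or $3 seconds have passed.
wait_for_lab() {
  host="$1"; port="$2"; deadline="${3:-60}"
  while [ "$deadline" -gt 0 ]; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host:$port/" || true)
    [ "$code" = "200" ] && return 0
    sleep 1; deadline=$((deadline - 1))
  done
  echo "lab did not come up on $host:$port" >&2
  return 1
}

# Starts the container detached (-d instead of -it; --rm still removes it when
# stopped) and waits for it. Stop it later with: docker stop <container id>
start_lab() {
  port="${1:-8000}"
  flag=$(publish_flag "$port") || { echo "bad port: $port" >&2; return 2; }
  # $flag is intentionally unquoted: it carries two words (-p and the mapping).
  cid=$(docker run -d --rm $flag "$IMAGE") || return 1
  echo "container $cid"
  wait_for_lab 127.0.0.1 "$port" 60
}

if [ "${LAB_AUTOSTART:-0}" = "1" ]; then
  start_lab "$@"
fi
```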
CSS credits: html5up.net