Skip to content
Repo for all the OWASP-SKF Docker lab examples
Python
Branch: master
Clone or download
Latest commit f24fe65 Nov 13, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitbook/assets graphql Oct 8, 2019
1-Docs Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
32_bufferOverflow last fix Apr 8, 2019
AUTH-missing Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
Auth-bypass-1 3 more labs (#44) Sep 27, 2019
Auth-bypass-2 3 more labs (#44) Sep 27, 2019
Auth-bypass-simple Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Auth-bypass Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
CMD-Blind Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
CMD graphql Oct 8, 2019
CMD2 Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
CMD3 Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
CMD4 Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
CORS graphql Oct 8, 2019
CSP Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
CSRF-SameSite fix small typo Oct 1, 2019
CSRF-weak Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
CSRF graphql Oct 8, 2019
CSSI Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
CSTI Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Clickjacking Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Content-type Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
DES-Pickle-2 3 more labs (#44) Sep 27, 2019
DES-Pickle Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
DES-Yaml Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
DNS-rebinding Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
DoS-regex 6 new write-ups, 1 lab and other little changes (#38) Jul 30, 2019
File-upload Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Formula-injection Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
IDOR Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
JWT-null
JWT-secret Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
LFI-2 3 more labs (#44) Sep 27, 2019
LFI-3 3 more labs (#44) Sep 27, 2019
LFI graphql Oct 8, 2019
Ldap-injection-harder Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Ldap-injection Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
RFI Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
RTLO Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
RaceCondition Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
SQLI-blind CSRF-Samesite challenge and write-up (#45) Sep 27, 2019
SQLI-like Update SQLI-like.py Sep 6, 2019
SQLI CSRF-Samesite challenge and write-up (#45) Sep 27, 2019
SSRF Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
SSTI Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
SessionPuzzle fix missing requirements.txt Oct 1, 2019
Tabnabbing Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Url-redirection-harder Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Url-redirection-harder2 Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
Url-redirection Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
X-allow-origin Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
XSS-DOM-2 Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
XSS-DOM Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
XSS-attribute Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
XSS-url Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
XSS Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
XXE Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
client-side-restriction-bypass Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
credentials-guessing-1 Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
credentials-guessing-2 Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
credentials-guessing-3 Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
graphql-IDOR graphql Oct 8, 2019
graphql-dos-resource-exhaustion graphql Oct 8, 2019
graphql-info-introspection graphql Oct 8, 2019
graphql-injections graphql Oct 8, 2019
graphql-mutation graphql Oct 8, 2019
http-response-splitting Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
info-leakeage-comments Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
info-leakeage-metadata Hints providing system added and improved, OWASP S.K.F Labs - Guide a… Sep 6, 2019
parameter-binding move docker file to Docker dir May 21, 2019
ratelimiting Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
session-hijacking-xss Hints providing system implemented. Already available hints in info-l… Aug 21, 2019
.gitattributes enforce correct language in github Feb 22, 2019
.gitignore small fixes for IDOR Lab Feb 25, 2019
KBID-39-HttpOnly-Session-hijacking-xss.md session-hijacking write up Apr 15, 2019
LICENSE test LFI docker with docker hub Jan 8, 2019
README.md GitBook: [master] 3 pages modified Mar 19, 2019
SUMMARY.md Update SUMMARY.md Nov 13, 2019
docker.sh fix May 21, 2019
kbid-1-filename-injection.md Update kbid-1-filename-injection.md Sep 27, 2019
kbid-104-content-type-headers.md GitBook: [master] 20 pages and 47 assets modified Mar 23, 2019
kbid-109-privilege-escalation.md GitBook: [master] 66 pages and 76 assets modified Mar 18, 2019
kbid-112-cors-exploitation.md logos May 23, 2019
kbid-13-file-upload.md GitBook: [master] 66 pages and 76 assets modified Mar 18, 2019
kbid-140-client-side-caching.md GitBook: [master] 66 pages and 76 assets modified Mar 18, 2019
kbid-147-parameter-binding.md typo May 17, 2019
kbid-156-sqli-blind.md refactor docker name conventions Sep 27, 2019
kbid-156-sqli-like.md refactor docker name conventions Sep 27, 2019
kbid-166-client-side-input-validation.md Write-up for XSS (href and style) (#20) Mar 19, 2019
kbid-166-client-side-template-injection.md refactor docker name conventions Sep 27, 2019
kbid-173-LFI-2.md refactor docker name conventions Sep 27, 2019
kbid-173-LFI-3.md refactor docker name conventions Sep 27, 2019
kbid-173-local-file-inclusion.md refactor docker name conventions Sep 27, 2019
kbid-173-remote-file-inclusion.md refactor docker name conventions Sep 27, 2019
kbid-178-content-security-policy.md refactor docker name conventions Sep 27, 2019
kbid-20-clickjacking.md refactor docker name conventions Sep 27, 2019
kbid-250-session-puzzling.md refactor docker name conventions Sep 27, 2019
kbid-262-server-side-request-forgery.md
kbid-266-tabnabbing.md GitBook: [master] 13 pages and 2 assets modified Mar 19, 2019
kbid-267-server-side-template-injection.md refactor docker name conventions Sep 27, 2019
kbid-268-insecure-direct-object-references.md
kbid-285-Graphql-dos.md graphql Oct 8, 2019
kbid-285-Graphql-idor.md graphql Oct 8, 2019
kbid-285-Graphql-injections.md graphql Oct 8, 2019
kbid-285-Graphql-introspection.md graphql Oct 8, 2019
kbid-285-Graphql-mutations.md graphql Oct 8, 2019
kbid-29-ratelimiting.md GitBook: [master] 20 pages and 47 assets modified Mar 23, 2019
kbid-3-cross-site-scripting-attribute.md refactor docker name conventions Sep 27, 2019
kbid-3-cross-site-scripting-href.md refactor docker name conventions Sep 27, 2019
kbid-3-cross-site-scripting.md refactor docker name conventions Sep 27, 2019
kbid-40-external-session-hijacking.md GitBook: [master] 66 pages and 76 assets modified Mar 18, 2019
kbid-44-authorisation-missing.md Added logo to write-up kbid-44 Mar 27, 2019
kbid-45-exposed-docker.md GitBook: [master] 13 pages and 2 assets modified Mar 19, 2019
kbid-46-sqli-union-select.md refactor docker name conventions Sep 27, 2019
kbid-5-csrf-samesite.md refactor docker name conventions Sep 27, 2019
kbid-5-csrf.md refactor docker name conventions Sep 27, 2019
kbid-6-xxe.md refactor docker name conventions Sep 27, 2019
kbid-67-open-redirect-hard.md fix some typos Apr 12, 2019
kbid-7006-jwt-null.md CSRF-Samesite challenge and write-up (#45) Sep 27, 2019
kbid-7006-jwt-secret.md
kbid-95-formula-injection.md New lab - Formula-injection (#39) Jul 30, 2019
kbid-XXX-Auth-bypass-1.md graphql Oct 8, 2019
kbid-XXX-Auth-bypass-2.md graphql Oct 8, 2019
kbid-XXX-CSSI.md refactor docker name conventions Sep 27, 2019
kbid-XXX-DES-Pickle-2.md refactor docker name conventions Sep 27, 2019
kbid-XXX-blind-cmd-injection-1.md refactor docker name conventions Sep 27, 2019
kbid-XXX-client-side-restriction-bypass.md refactor docker name conventions Sep 27, 2019
kbid-XXX-cmd-injection-1.md graphql Oct 8, 2019
kbid-XXX-cmd-injection-2.md refactor docker name conventions Sep 27, 2019
kbid-XXX-cmd-injection-4.md refactor docker name conventions Sep 27, 2019
kbid-XXX-credentials-guessing-1.md refactor docker name conventions Sep 27, 2019
kbid-XXX-credentials-guessing-2.md refactor docker name conventions Sep 27, 2019
kbid-XXX-credentials-guessing-3.md refactor docker name conventions Sep 27, 2019
kbid-XXX-information-leakeage-comments.md refactor docker name conventions Sep 27, 2019
kbid-XXX-information-leakeage-metadata.md refactor docker name conventions Sep 27, 2019
kbid-xxx-deserialisation-yaml.md GitBook: [master] 66 pages and 76 assets modified Mar 18, 2019
kbid-xxx-dos-regex.md fix logo Apr 11, 2019
kbid-xxx-race-condition.md refactor docker name conventions Sep 27, 2019
kbid-xxx-right-to-left-override.md refactor docker name conventions Sep 27, 2019
template.md GitBook: [master] 66 pages and 76 assets modified Mar 18, 2019

README.md

Introduction

OWASP security knowledge framework

Here we find all the labs and write-ups for the security knowledge framework!
These labs are correlated to knowledge-base id's which are on their place
again correlated to security controls such as from the ASVS or NIST, etc.

The labs are all downloadable from the following Github repository:

{% hint style="info" %} https://github.com/blabla1337/skf-labs {% endhint %}

The images can also be found on the skf docker hub. These skf-labs images are automatically pushed to the docker registry on each commit to the Github repository.

Useful tools

First thing we need to do is to be able to investigate the requests that are being made by the labs/applications. We do this by setting up our intercepting proxy so we can gain more understanding of the application under test.

{% hint style="info" %} Burp suite:
https://portswigger.net/burp/communitydownload {% endhint %}

{% hint style="info" %} OWASP ZAP proxy:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project {% endhint %}

How to add a Lab & write-up

When you want to contribute and add your own labs then please make sure you use the styling template in one of the lab challenges. We think its really important to have one look and feel and for able to merge your lab its required to use the SKF template. You can copy this from any of the labs we currently already have.

For adding the write-up for the lab we advice to create a copy of on existing write-up and work from there or use the template.md file as a base. You can store all your images in .gitbook/assets/ and also make sure you correlate your lab to one of the knowledge base item identifier in SKF. When you completed the lab and the write-up you only have to add it to the SUMMARY.md file and you are ready to create your Pull Request.

After the pull request you can find your nice styled write-up here: https://owasp-skf.gitbook.io/asvs-write-ups/

You can’t perform that action at this time.