This branch is 2 commits ahead of opendns:master.


Security Ninjas: An Open Source AppSec Training

This hands-on training lab consists of 10 fun, real-world-like hacking exercises, one for each of the OWASP Top 10 vulnerabilities. Hints and solutions are provided along the way. Although the backend is written in PHP, the vulnerabilities remain the same across all web-based languages, so the training is still relevant even if you don't actively code in PHP.

This iteration of the course has been updated from the original version published by OpenDNS. It can be run self-contained, or as the hands-on portion of a more complete training program.

To run the lab image

  1. Install docker and make sure it works.

  2. Start the container by running the following command (select an appropriate host port, 8000 here):

    docker run -it --rm -p 8000:80 siege/security-ninjas

  3. Determine the IP address of your container. Most likely, 'localhost' will do. If you're using 'docker-machine', you will need to determine the VM IP.

  4. The training should be running now.
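An added example, not part of the original project: a launcher for step 2 that publishes the container on the loopback interface only, since `-p 8000:80` publishes the deliberately vulnerable lab on every host interface. It assumes Docker runs locally (not inside a docker-machine VM) and that `curl` is installed; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: start the lab so that only this machine can reach it.
# The image name and container port 80 come from the README; the rest is assumed.
IMAGE="siege/security-ninjas"

# Accept only an unprivileged TCP port number (1024-65535), no leading zeros.
valid_port() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the -p argument. A bare "8000:80" publishes on all interfaces;
# prefixing 127.0.0.1 keeps the vulnerable app off the local network.
publish_spec() {
  valid_port "$1" || { echo "invalid host port: $1" >&2; return 1; }
  printf '127.0.0.1:%s:80' "$1"
}

# Poll until the web server answers, or give up after N one-second tries.
wait_for_lab() {
  local url="$1" tries="${2:-30}"
  while [ "$tries" -gt 0 ]; do
    curl -fsS -o /dev/null "$url" 2>/dev/null && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

# Run detached (instead of -it) so the script can check readiness and clean up.
start_lab() {
  local port="${1:-8000}" spec cid
  spec="$(publish_spec "$port")" || return 1
  cid="$(docker run -d --rm -p "$spec" "$IMAGE")" || return 1
  if wait_for_lab "http://127.0.0.1:${port}/"; then
    echo "Lab ready at http://localhost:${port}/ (stop with: docker stop ${cid})"
  else
    echo "Lab did not answer; stopping container" >&2
    docker stop "$cid" >/dev/null; return 1
  fi
}

# Only touch Docker when explicitly asked: ./lab.sh run [port]
if [ "${1:-}" = "run" ]; then start_lab "${2:-8000}"; fi
```

With docker-machine the loopback address belongs to the VM, so publish on the VM's host-only address instead of 127.0.0.1.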

To use the lab

  1. Select a browser to use during the lab. Chrome or Firefox are recommended.

  2. Install a cookie viewer/editor plugin such as Cookies for Chrome or Cookie Manager+ for Firefox.

  3. Install ZAP and start it.

  4. Install the FoxyProxy plugin for your browser. Then:

    • Configure a new proxy to use for the pattern "http://localhost:8000/*" (use the correct location of your docker container).
    • Tell FoxyProxy to "Use proxies based on their pre-defined patterns and priorities."
  5. Browse to http://localhost:8000 (or wherever the docker container is running).

  6. Click on the ninja to see the first exercise.

  7. When you are done, kill the docker container with ^C.

CSS credits:


OpenDNS application security training program



