Skip to content
No description, website, or topics provided.
JavaScript Ruby HTML CSS Shell
Branch: master
Clone or download
This branch is 7 commits ahead, 1 commit behind appfolio:master.

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
app
bin
config
db
docker
lib
log
public
scripts
test
vendor/assets
.DS_Store
.gitignore
.ruby-version
Gemfile
Gemfile.lock
README.md
Rakefile
config.ru

README.md

destiny_app

destiny_app is a web application security training tool with a focus on ruby on rails applications that can be ran locally on your mac or linux box. It covers relevant security issues from OWASP's Top Ten Project and the Rails Security Guide for rails 4. It also has Docker images that are plug and play!

Quick Start

Prereqs: install ruby, rails, and mysql for this app to work without modification. (using the Docker images may be easier and quicker)

You can run the rails destiny_app locally by...

git clone git@github.com:appfolio/destiny_app.git

cd destiny_app && bundle

rake db:create && rake db:migrate

./script/start_dev

And navigating to http://localhost:4000

###Google API Keys

Setup your own keys for google oauth at the Google Developer Console

With the Authorized redirect URI as http://localhost:4000/users/auth/google_oauth2/callback

Place the credentials in config/google_oauth_secrets.yml

#config/google_oauth_secrets.yml

client_id: "your-credentials.apps.googleusercontent.com"
client_secret: "yoursecret"

Running destiny_app in production

When running in production you will need to set the following environment variables.

  • HOST
  • PORT
  • SECRET_KEY_BASE (Can be generated with rake secret)
  • SECRET_KEY (Can be generated with rake secret)
  • PEPPER (Can be generated with rake secret)
  • GUARD_PASS (Can be generated with rake secret)

Additional parameters that you can set in all environments...

  • ALLOW_REGISTRATION (FALSE by default)
    • TRUE allows registration through registerable and omniauthable.
    • FALSE allows registration through omniauthable only.

YAML Files you may want to modify...

  • allowed_domains.yml (will only be applied in production environment)
    • Contains an array of strings that are domains that users are allowed to authenticate through omniauthable from. The default domain is "gmail.com", so everyone with an address ending in that will be able to authenticate.

Experimenting with Sqlmap

After gaining a good understanding of the basics from the SQL Injection Reference you can learn about Sqlmap to get a thorough guideline for digging deeper into SQLI. Here's a sample command to run against destiny_app with Sqlmap. Your CSRF token in the header and session cookie will be different.

python sqlmap.py -u http://localhost:4000/sql_injection/where \
				 -t ex_traffic \
				 --data="column=" \
				 --headers="X-Requested-With: XMLHttpRequest\nX-CSRF-Token: +ZZhAHJpNbvD99YcQHSxNhp6pTn/ICaXzVcABMs1gRY=" \
				 --cookie="_destiny_app_session=R0ZoYzlHK3hMMzBjV004UHdUOXA2SVFCekNTdHVCUk96S2JSRUxkazFDc0d6eWxDaDE3TFJDQUlOdjU5TEFuREY2SW5LSkFwMzJjN0FSR3ZoZXdNOTdEL0NDcE5rdUczNnkvbmg2L1lGdWFrQTJyS3ZuamRId2g3L0h4d2dRTXJzTkpINUxZODN5dUFiOWxSS1dML2NXSkxla1FRZGRUb3VQSG9saTlzT0toZ0N2VUJnUXhWMFp5Qk92c0gvY2xGQ1lHTktweCtmM09veFVHMnp3MkRVVGo3dXA3NnZPamtIWEJUeGxtaHpjVUF0RDlGaXAvdVRQOTlYVUp1RjlSbkpxTnU5dDVGN2h6SlE1NTJtRi9VNUFVaUR6VzJiYTdRL0dsTitHWjZzRTBVNHYvZDI1M3EyUFZ0YlJ6bTFVMkZKd3ZlNUkyVjZxeFVHTm9YODBFb1N0K0NUNmphTlpyWDk2dHQ5UUVJbERFPS0tV2FacmhyUFdFaGpBaFcwRGszaGRpUT09--272dc3389c727588a9c642902b814b35c0fb6efc" \
				 --prefix="')" \
				 --delay="0.4" \
				 --string="success"

Sqlmap has a lot of great features, check out the site here.

Sources and Credit

destiny_app makes use of phantomjs with poltergeist and capybara to make the challenges section more interactive and realistic.

phantomjs

Sql Injection Reference section was inspired by the Inject Some SQL project.

Image used in Challenge taken from Clip Art Lord.

You can’t perform that action at this time.