A platform to assess and measure security hard skills. Inspired by gen0cide/h3, a project by Alex Levinson.
securethebox-client
- Frontend of the application, built on the Fuse Admin Template
securethebox-server
- Hosted on Heroku
- Python/Flask App
- Used as a REST API
- Ships with gcloud and kubectl
securethebox-attacker
- Kali Linux Pod
- Automates exploitation of Juice-Shop vulnerabilities
- Uses Python + Metasploit
securethebox-engine
- Scoring engine service used to score uptime of the Juice-Shop app
securethebox-challenge (deprecated)
- MVP challenge (alpha version) using a Docker Compose environment
- See the README.md inside the directory for development environment setup instructions
- System Design Infrastructure - https://sketchboard.me/pBw3UcaTPKfb#/
- Challenge Process - https://sketchboard.me/lBzYpOvyDoGv#/
- Challenge #1 - Exfiltration (Detection, Prevention, Monitoring)
- First Customers Identified (Friends & Coworkers)
- React Template
- Academy Page
  - Overview
  - Grading Criteria
  - Scenario
  - Description
  - Architecture
  - Start Challenge
    - Start Challenge
    - End Challenge
  - Resources
    - Name
    - Description
    - Status
    - URLs
- Submission Answers
  - To Firebase Firestore DB
- Email Results
  - SendGrid
- Ability to edit application code
  - Cloudcmd (Text editor + Terminal) http://cloudcmd.io/
- Firebase Integration
  - Firebase Hosting (React app in production)
- Python/Flask
  - Flask REST API created
- Heroku
  - Heroku server has gcloud + kubectl + service account
  - Able to execute kubectl commands over the REST API
  - Cloudcmd: install Cloudcmd via exec and open its port
- Kubernetes
  - Traefik: routing traffic to the proper container
  - Namespace + networking segmented per user/challenge
  - Nginx logs to PVC
  - ModSecurity logs to PVC
  - Splunk Forwarder ingests logs from the PVC
  - Splunk Universal Forwarder sends logs to Splunk
  - Nginx forwarding traffic to the vulnerable application (Juice-Shop) (100%)
  - Ability to modify vulnerable application code using Cloudcmd
  - Dynamic YAML files for kubectl deployments
  - Add Wireshark via Xpra
- Google Cloud
  - Google Service Account provisioned for the Heroku server
  - ExternalDNS creates DNS records dynamically
- Docker
  - Traefik (Container Reverse Proxy) https://hub.docker.com/_/traefik
  - Nginx + ModSecurity (WAF Detection/Prevention) https://hub.docker.com/r/ncmd/nginx-modsecurity
  - Juice-Shop (Vulnerable App) https://hub.docker.com/r/ncmd/juice-shop
  - Splunk (Log Analysis) https://hub.docker.com/r/splunk/splunk
- Business Logic
  - Send invite to user email
  - Scoring engine
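The Heroku-side Flask API runs kubectl on behalf of users, and the cluster is carved into per-user, per-challenge namespaces with segmented networking (the Heroku and Kubernetes items above). Exposing kubectl behind a REST endpoint is only safe if the request can never shape the command, and "segmented" only means something if a NetworkPolicy actually denies everything not listed. The block below is an added example, not securethebox's own code: it validates the user and challenge identifiers, builds the kubectl argv from an allowlist (never a shell string), and generates the Namespace plus a default-deny NetworkPolicy as a JSON manifest, which kubectl accepts the same way as YAML. The naming convention stb-<user>-<challenge>, the assumption that Traefik runs in a namespace labelled kubernetes.io/metadata.name=traefik, and all function names are assumptions made for this example.

```python
"""Per-user challenge isolation plus safe kubectl invocation from an API.

Added example, not securethebox's own code. Assumptions: namespaces are
named stb-<user>-<challenge>, Traefik runs in a namespace labelled
kubernetes.io/metadata.name=traefik, and cluster DNS lives in kube-system.
"""
import json
import re
import subprocess

# A DNS-label fragment: the only shape an identifier may have before it
# lands in a namespace name or in kubectl's argv.
_IDENT = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?")

# Verbs reachable through the REST API; anything else is refused.
_ACTIONS = {
    "get_pods": ["get", "pods"],
    "apply": ["apply", "-f", "-"],      # manifests arrive on stdin
}


def namespace_for(user: str, challenge: str) -> str:
    """Derive the per-user, per-challenge namespace; reject anything that is
    not a plain label (this is what stops '; rm -rf /' style input)."""
    for value in (user, challenge):
        if not _IDENT.fullmatch(value):
            raise ValueError(f"invalid identifier: {value!r}")
    return f"stb-{user}-{challenge}"


def manifests(user: str, challenge: str) -> list:
    """Namespace plus a default-deny NetworkPolicy: ingress only from the
    Traefik namespace, egress only to cluster DNS."""
    ns = namespace_for(user, challenge)
    namespace = {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {"name": ns,
                     "labels": {"stb/user": user, "stb/challenge": challenge}},
    }
    from_traefik = {"namespaceSelector": {
        "matchLabels": {"kubernetes.io/metadata.name": "traefik"}}}
    to_dns = {"namespaceSelector": {
        "matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}
    policy = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "isolate", "namespace": ns},
        "spec": {
            "podSelector": {},                      # every pod in the namespace
            "policyTypes": ["Ingress", "Egress"],   # listing both = default deny
            "ingress": [{"from": [from_traefik]}],
            "egress": [{"to": [to_dns],
                        "ports": [{"protocol": "UDP", "port": 53},
                                  {"protocol": "TCP", "port": 53}]}],
        },
    }
    return [namespace, policy]


def kubectl_argv(user: str, challenge: str, action: str) -> list:
    """argv for one allowlisted action, scoped to the caller's namespace."""
    ns = namespace_for(user, challenge)
    if action == "delete_ns":
        return ["kubectl", "delete", "namespace", ns, "--ignore-not-found"]
    if action not in _ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    return ["kubectl", *_ACTIONS[action], "-n", ns]


def run(user: str, challenge: str, action: str, items=None):
    """Invoke kubectl as an argv list (no shell=True); manifests go over
    stdin as a JSON List, which kubectl accepts like YAML."""
    argv = kubectl_argv(user, challenge, action)
    stdin = None
    if items is not None:
        stdin = json.dumps({"apiVersion": "v1", "kind": "List", "items": items})
    return subprocess.run(argv, input=stdin, text=True, capture_output=True)


if __name__ == "__main__":
    print(json.dumps(manifests("alice", "sqli1"), indent=2))
    print(kubectl_argv("alice", "sqli1", "get_pods"))
    try:
        namespace_for("alice; rm -rf /", "sqli1")
    except ValueError as exc:
        print("rejected:", exc)
```

Because the policy selects every pod and lists both policy types, anything not explicitly admitted (other participants' namespaces, the internet) is dropped, so one user's Juice-Shop cannot be reached from, or pivoted to, another user's pod. NetworkPolicy objects are only enforced when the cluster's network plugin supports them; on GKE that means creating the cluster with network policy enforcement enabled, otherwise the object is accepted but does nothing.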
Challenges
- SQL Injection Detection
- SQL Injection Prevention
- Python Scripting
- Log Analysis
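Nginx and ModSecurity write their logs to a PVC that the Splunk forwarder ships to Splunk, and the SQL Injection Detection, Python Scripting and Log Analysis challenges all come down to reading those lines. The block below is an added example, not the project's or any challenge's own code: it extracts the bracketed ModSecurity fields from nginx error-log lines, keeps the SQLi rule matches apart from blocking decisions, and aggregates per client. The log lines are constructed to resemble what the ModSecurity v3 nginx connector writes; rule ids 942100 (libinjection SQLi), 949110 (anomaly score blocking) and 920350 (numeric Host header) are OWASP CRS ids, but every IP, hostname, timestamp and message body is made up.

```python
"""Pull SQLi detections out of nginx + ModSecurity error-log lines.

Added example for the log pipeline and the SQL Injection Detection
challenge; not securethebox's own code. SAMPLE_LOG is constructed to
look like the nginx error log written by the ModSecurity v3 connector.
"""
import re
from collections import defaultdict

# Constructed sample: a libinjection SQLi hit on Juice-Shop's product
# search, the CRS blocking decision for that same request, an unrelated
# low-severity protocol rule from another client, and a plain nginx line.
SAMPLE_LOG = """\
2019/06/01 12:00:01 [error] 7#7: *3 [client 10.0.0.5] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:q: ' or 1=1--"] [severity "2"] [uri "/rest/products/search"] [unique_id "155939040101"], client: 10.0.0.5, server: , request: "GET /rest/products/search?q=%27%20or%201%3D1-- HTTP/1.1", host: "juice.example.test"
2019/06/01 12:00:01 [error] 7#7: *3 [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )" [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/rest/products/search"] [unique_id "155939040101"], client: 10.0.0.5, server: , request: "GET /rest/products/search?q=%27%20or%201%3D1-- HTTP/1.1", host: "juice.example.test"
2019/06/01 12:00:03 [error] 7#7: *5 [client 10.0.0.9] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^[0-9.:]+$)' against variable `REQUEST_HEADERS:Host' (Value: `10.0.0.2' )" [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "700"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/"] [unique_id "155939040305"], client: 10.0.0.9, server: , request: "GET / HTTP/1.1", host: "10.0.0.2"
2019/06/01 12:00:04 [notice] 1#1: signal process started
"""

# [id "942100"], [msg "..."], [uri "..."]: key, then a quoted value ending
# at the first '"]'. Good enough for CRS output; a value containing '"]'
# (possible in [data "..."]) would be truncated, not mis-keyed.
_TAG = re.compile(r'\[(\w+) "(.*?)"\]')
_CLIENT = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')


def parse_event(line):
    """Return the interesting fields of one ModSecurity line, or None for
    ordinary nginx lines."""
    if "ModSecurity:" not in line:
        return None
    tags = dict(_TAG.findall(line))
    client = _CLIENT.search(line)
    severity = tags.get("severity", "")
    return {
        "client": client.group(1) if client else "?",
        "id": tags.get("id", ""),
        "msg": tags.get("msg", ""),
        "uri": tags.get("uri", ""),
        "severity": int(severity) if severity.isdigit() else None,
        # The connector says "Access denied" only when the request was blocked;
        # a "Warning." line is a rule match that the anomaly score may or may
        # not later turn into a block.
        "blocked": "Access denied" in line,
    }


def is_sqli(event):
    """OWASP CRS keeps its SQL injection rules in the 942xxx range."""
    return event["id"].startswith("942")


def summarize(lines):
    """Per-client counts: SQLi rule hits, blocked requests, targeted URIs."""
    per_client = defaultdict(lambda: {"sqli_hits": 0, "blocked": 0, "uris": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = per_client[ev["client"]]
        if is_sqli(ev):
            entry["sqli_hits"] += 1
            entry["uris"].add(ev["uri"])
        if ev["blocked"]:
            entry["blocked"] += 1
    return dict(per_client)


def suspects(summary, min_hits=1):
    """Clients worth an alert: at least min_hits SQLi rule matches, whether
    or not the WAF ended up blocking them (detection, not prevention)."""
    return sorted(c for c, s in summary.items() if s["sqli_hits"] >= min_hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for client, stats in summary.items():
        print(client, stats["sqli_hits"], stats["blocked"], sorted(stats["uris"]))
    print("suspects:", suspects(summary))
```

Keeping "matched an SQLi rule" separate from "was blocked" matters for the challenge's detection-versus-prevention split: in the sample, the first line alone proves someone probed the product search with `' or 1=1--`, and the second line only tells you the anomaly threshold happened to be low enough to stop it. Once Splunk has extracted the `id` and `client` fields from the forwarded lines, the same aggregation is a `stats count by client` search.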
Management
- Domain Registered
- Automate DNS record provisioning using ExternalDNS
- Traefik - All HTTP traffic forced to HTTPS (SSL/TLS)
- Create an account with Email using Firebase
- Sign in with Email using Firebase
- Verify Email Address
- Stripe Subscriptions
- Log out account using Firebase
- Backend - Challenge Class
- Backend - Question Class
- Backend - Solution Class
- Backend - App Class
- Firebase Integration - Firestore
- Cloudflare DNS & WAF on Frontend
- CI/CD with Travis - Firebase Hosting
- CI/CD with Travis - Heroku Backend
- Architecture Frontend Design Mockup
- API Specification Draft
- Firebase Functions Draft
- Automated deployment
- Platform Self Service
- API to change rules in WAF
- CI/CD with Travis - Firebase Functions
- CI/CD with Travis - Dockerhub
- Create an account with OAuth2 (Google)
- Swagger API
- Sign in with Google
- Google Ads
- Amazon Ads
- Challenge #X - XSS Prevention
- Challenge #X - Credential Stuffing Detection
- Challenge #X - Business Logic Attacks
- Challenge #X - CSP bypass detection
- Challenge #X - WAF bypass detection
- Challenge #1 - Application Security: SQL Injection Detection - Documentation Script
- Challenge #1 - Application Security: SQL Injection Detection - Documentation Video
- Twitter Created
- Achievements system
- Websocket Real-time updates
- Discord Created
- Discord Mods
- Discord Channels - Important (Announcements, Rules, FAQ, Poll, Staff Voice, Server Announcements)
- Discord Channels - Challenge Discussions (General, Advice, Vote to Delist)
- Discord Channels - Feedback
- Discord Channels - Advertisements
- Discord Channels - Sponsorships
- Discord Channels - Patreons
- Discord Channels Voice (Clubs)
- Adding a Git Submodule example (DO NOT use this command if you do not know what you're doing...)
git submodule add https://github.com/ncmd/securethebox-attacker
git submodule add https://github.com/ncmd/securethebox-client.git