lefty02w / play-sdk

This project forked from secdim/play-sdk

SDK for SecDim Play Levels

License: Other

Shell 5.19% JavaScript 9.66% Python 18.45% Java 8.34% Go 3.89% C# 7.22% TypeScript 11.34% Makefile 31.82% Dockerfile 4.07%

play-sdk's Introduction

SecDim Play Level Builder

It is very easy to make game levels for SecDim Play. A level is an app with tests, and it runs in a container.

Each level contains an app with a security bug and two sets of tests: usability and security. Usability tests are always given to the player, while security tests, depending on the level difficulty, may not be given.

Usability tests should always pass; security tests should fail, because they test for the security bug in the app.

Step 1: Pre-requisites

Fork and clone this repository.

Install docker, make, and a development environment for the language in which you are going to build the level.

Step 2: Initialise

To get the SDK, run ./build.sh in a terminal, then select init and enter a language.

This will create a directory called level with a sample vulnerable app and test suites.

Currently supported languages are:

python, go, typescript, javascript, C# (csharp), java, solidity

Step 3: Create a private repository

Create a private repository on GitHub and clone it.

cd ../
git clone github.com/my-user/my-private-repo

From the SDK, copy the level directory and build.sh to your private repository.

cp -r ../sdk/level .
cp ../sdk/build.sh .
cd level/

Step 4: Add a security bug

In this task you will modify the sample app to introduce a security bug.

  1. make build to build the app's container image.

  2. make run to run the container.

  3. make test to run the usability tests.

  4. make securitytest to run the security tests. The security tests fail because the sample app has a security bug. This is intended.

  5. make debug gives you a shell in the container and maps the src directory from the host into the container.

To begin:

  1. Review the code and tests in the src/ directory.

  2. Modify it to introduce a security bug:

    1. You can completely refactor the app and tests.

    2. You can add new functionality or modify existing functionality.

    3. Add a usability test for any new or modified functionality.

    4. Remember that your bug must be a security vulnerability.

Tip
Looking for an idea? The CWE Top 25 and the SemGrep Registry have sample code with security bugs.

Step 5: Add security test(s)

In this task you will add security test(s) that test for the security bug.

  1. make build && make securitytest to run security tests. They should fail.

Note

Depending on the level complexity, security tests will be treated differently:

  • Trivial: security tests are given to the player.

  • Easy: security tests are not given, but the security test titles should make clear what is expected.

  • Medium: the security test titles should give some clue.

  • Hard: no test output will be shown to the player.

Step 6: Create a patch

In this task you will create a patch for the security bug.

  1. git checkout -b patch to create a patch branch.

  2. Patch the program.

  3. make build && make test && make securitytest to run all tests. They should pass.

Note
This patch branch will NOT be provided to the players; it is only used to verify that the level is solvable.

Step 7: Verify

  • ./build.sh > verify: to verify that everything is okay.

  • ❏ Update level/Readme.adoc (NOT this file!) with a level story/incident, level and any pre-requisites.

  • ❏ Remove unnecessary files and directories

Step 8: Push

Push both the master and patch branches:

git push
git push -u origin patch

Add secdim as one of the contributors/collaborators to your private repository. A friendly SecDim team member will review your level and will be in touch for the next step.

Done!

Important notes

  1. Remember to push both master and patch branches.

  2. Usability tests must always pass.

  3. Security tests must pass in patch branch and fail in master branch.
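The following is an added illustration of the invariant in these notes (usability tests pass on both branches, security tests fail on master and pass on patch); it is example code, not part of the SDK or of the sample level it generates. It models a toy level whose app resolves a note name under a fixed directory: the master version has a path-traversal bug, the patch version rejects names that escape the root, and the same two test suites run against both. The root path and all function names are constructed for this example.

```python
import posixpath

# Constructed root directory for the toy level's app.
NOTES_ROOT = "/srv/level/public"


def resolve_note_master(root: str, name: str) -> str:
    """master branch: joins user input onto the root with no containment check."""
    return posixpath.normpath(posixpath.join(root, name))


def resolve_note_patch(root: str, name: str) -> str:
    """patch branch: same resolution, but refuses anything outside the root."""
    path = posixpath.normpath(posixpath.join(root, name))
    if path != root and not path.startswith(root + "/"):
        raise ValueError("note name escapes the notes root")
    return path


def usability_tests(resolve) -> list:
    # Ordinary note names must resolve to the expected path on every branch.
    return [
        resolve(NOTES_ROOT, "todo.txt") == NOTES_ROOT + "/todo.txt",
        resolve(NOTES_ROOT, "2024/plan.txt") == NOTES_ROOT + "/2024/plan.txt",
    ]


def security_tests(resolve) -> list:
    # Each entry is True only if the app refused a name that leaves the root.
    results = []
    for name in ("../../etc/passwd", "notes/../../secret.key"):
        try:
            resolve(NOTES_ROOT, name)
            results.append(False)  # resolved silently: the bug is present
        except ValueError:
            results.append(True)   # rejected: the bug is fixed
    return results


def level_report(resolve) -> dict:
    """Summarise both suites the way make test / make securitytest would."""
    return {
        "usability": all(usability_tests(resolve)),
        "security": all(security_tests(resolve)),
    }


def meets_play_invariants() -> bool:
    """True when the toy level satisfies the master/patch rules above."""
    return (level_report(resolve_note_master) == {"usability": True, "security": False}
            and level_report(resolve_note_patch) == {"usability": True, "security": True})
```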

Troubleshooting

Ask your question on SecDim Discuss.

play-sdk's People

Contributors: marktheunissen, pi3ch
