Purposeful Learning With Deliberately Insecure Applications
Most people learn better by doing. But practising hacking and web security is hard to do legally unless you have a target you are allowed to attack. That is why a number of applications have been built to be intentionally insecure. Virtualization and containers have accelerated this: it has become easy to create an application, break it, and destroy it, learning along the way.
Dozens are available. Here are some examples from OWASP®*:
- crAPI (the "completely ridiculous API") simulates a platform for vehicle owners where they can register and manage their vehicles. It is intentionally vulnerable, filled with API vulnerabilities for teaching, learning, and practicing API security.
- IoTGoat is a deliberately insecure firmware image based on OpenWrt. If you aren't familiar, OpenWrt is a Linux operating system targeting embedded devices such as routers. This is another platform maintained by OWASP®, and a great way to teach software developers and security professionals to test for the vulnerabilities commonly found in IoT devices.
- Juice Shop was the first application written entirely in JavaScript listed in the OWASP® VWA Directory. It is written in Node.js, Express and Angular and contains a vast number of hacking challenges of varying difficulty. The user is supposed to exploit the underlying vulnerabilities, and their hacking progress is tracked on a score board.
- WebGoat lets interested developers test vulnerabilities common to Java-based applications that use popular open source components. There is also WebGoatPHP for the PHP space, and several others exist for other platforms and languages.
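The "create, break and destroy" cycle is easiest to see with the two labs above that ship as single container images. The launcher below is an added example, not code from the original post or from any of the OWASP projects. It assumes the image names `bkimminich/juice-shop` and `webgoat/webgoat` and the ports 3000 (Juice Shop) and 8080/9090 (WebGoat and WebWolf) as published in those projects' documentation; check the READMEs before relying on them. crAPI is started from its repository's docker-compose file and IoTGoat is a firmware image rather than a container, so neither fits a single `docker run` and both are left out. The one security point the script enforces is that a deliberately vulnerable app is only ever published on the loopback interface, so nobody else on your network can reach it.

```shell
#!/usr/bin/env bash
# Added example: launch an OWASP lab app as a throwaway container bound to
# 127.0.0.1 only. Image names and ports are assumptions taken from the
# projects' docs (bkimminich/juice-shop on 3000, webgoat/webgoat on 8080/9090).

set -u

# Host:container port publications for each lab, every one bound to loopback.
lab_ports() {
    case "$1" in
        juice-shop) echo "127.0.0.1:3000:3000" ;;
        webgoat)    echo "127.0.0.1:8080:8080 127.0.0.1:9090:9090" ;;
        *)          echo "unknown lab: $1" >&2; return 1 ;;
    esac
}

# Container image for each lab (assumed official images, see lead-in).
lab_image() {
    case "$1" in
        juice-shop) echo "bkimminich/juice-shop" ;;
        webgoat)    echo "webgoat/webgoat" ;;
        *)          echo "unknown lab: $1" >&2; return 1 ;;
    esac
}

# Refuse any port publication that is not pinned to 127.0.0.1. Without the
# address, Docker publishes on 0.0.0.0 and the vulnerable app is reachable
# from the whole LAN (and, on many hosts, bypasses the host firewall).
loopback_only() {
    for spec in "$@"; do
        case "$spec" in
            127.0.0.1:*) ;;
            *) echo "refusing non-loopback publish: $spec" >&2; return 1 ;;
        esac
    done
    return 0
}

# Build the docker command for a lab. --rm destroys the container when it
# stops, so every session starts from a clean image: create, break, destroy.
lab_command() {
    lab="$1"
    ports="$(lab_ports "$lab")" || return 1
    image="$(lab_image "$lab")" || return 1
    # shellcheck disable=SC2086  # word-splitting $ports is intended
    loopback_only $ports || return 1
    args=""
    for spec in $ports; do
        args="$args -p $spec"
    done
    printf 'docker run --rm%s %s\n' "$args" "$image"
}

# When invoked with a lab name, print and run the command; when sourced
# (no argument), only the functions are defined.
if [ "${1:-}" ]; then
    cmd="$(lab_command "$1")" || exit 1
    echo "+ $cmd"
    eval "$cmd"
fi
```

Usage: `./lab.sh juice-shop`, then browse to http://127.0.0.1:3000; Ctrl-C stops the container and `--rm` removes it, so a botched challenge is fixed by simply starting again. If you want a lab reachable from another machine on purpose, change the publish address deliberately rather than removing the `loopback_only` check.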
Perspective is a key concept here. With crAPI, for example, the goal isn't "to figure out how the APIs work." Come at it as "how can I use these for very bad things™?" Those very bad things™ extend beyond directly stealing money or information: stolen information can later be used for social engineering in creative ways, and with that social engineering even more damage can be done.
Want to learn a bit more about Information Security? Check these applications out!
- OWASP® = Open Web Application Security Project
Photo by Hennie Stander on Unsplash. Cropped by author.