SecDim Play Level Builder

It is very easy to make game levels for SecDim Play. A level is an app with tests and runs in a container.

Each level contains an app with a security bug and two sets of tests: usability and security. Usability tests are always given to the player, while security tests, depending on the level difficulty, may not be given.

Usability tests should always pass, however security tests should fail as they test for a security bug in the app.

Step 1: Pre-requisites

Fork and clone this repository.

Install docker and make and development environment for the language that you are going to build a level.

Step 2: Initialise

To get the SDK, in a terminal, run ./build.sh, then select init and enter a language.

This will create a directory called level with a sample vulnerable app and test suites.

Currently supported languages are:

python, go, typescript, javascript, C# (csharp), java, solidity

Step 3: Create a private repository

Create a private repository on github and clone it.

cd ../
git clone github.com/my-user/my-private-repo

From SDK copy the level directory and build.sh to your private repository.

cp -r ../sdk/level .
cp ../sdk/build.sh .
cd level/

Step 4: Add a security bug

In this task you will modify the sample app to introduce a security bug.

make build To build the app’s container image.
make run to run the container.
make test to run the usabiity tests.
make securitytest to run security tests. Security tests fail because sample app has a security bug. This is intended.
make debug give a shell from container and maps src directory from host to the container.

To begin:

Review the code and tests in src/ directory.
Modify it to introduce a security bug:
1. You can completely refactor the app and tests.
2. You can add a new functionality or modify existing functionalities.
3. Add a usability test for new or modified functionalities.
4. Remember your bug must be a security vulnerability.

Tip	Looking for an idea? CWE Top 25 or SemGrep Registry have sample codes with security bugs.

Step 5: Add security test(s)

In this task you will add security test(s) to test for the security bug

make build && make securitytest to run security tests. They should fail.

Note

Depending on the level complexity, security tests will be treated differently:

Trivial: security tests are given to the player.
Easy: security tests are not given but security test title should be clear as what is being expected.
Medium: security test title should give some clue.
Hard: No test output will be shown to the player.

Step 6: Create a patch

In this task you will create a patch for the security bug.

git checkout -b patch to create a patch branch
Patch the program
make build && make test && make securitytests to run all tests. They should pass.

Note	This patched branch will NOT be provided to the players and it is only used to verify if level is solvable.

Step 7: Verify

❏ ./build.sh > verify: to verify if everything is okay
❏ Update level/Readme.adoc (NOT this file!) with a level story/incident, level and any pre-requisites.
❏ Remove unnecessary files and directories

Step 8: Push

git push both master and patch branches.

git push
git push -u origin patch

Add secdim as one of the contributers/collaborators to your private repository. A friendly SecDim team member will review your level and will be in touch for the next step.

Done!

Important notes

Remember to push both master and patch branches.
Usability tests must always pass.
Security tests must pass in patch branch and fail in master branch.

Troubleshooting

Ask your question on SecDim Discuss

About

SDK for SecDim Play Levels

Other

Languages

Language:Makefile 31.8%Language:Python 18.5%Language:TypeScript 11.3%Language:JavaScript 9.7%Language:Java 8.3%Language:C# 7.2%Language:Shell 5.2%Language:Dockerfile 4.1%Language:Go 3.9%