It is very easy to make game levels for SecDim Play. A level is an app with tests and runs in a container.
Each level contains an app with a security bug and two sets of tests: usability and security. Usability tests are always given to the player, while security tests, depending on the level difficulty, may not be given.
Usability tests should always pass, however security tests should fail as they test for a security bug in the app.
To get the SDK, in a terminal, run ./build.sh
, then select init
and enter a language.
This will create a directory called level
with
a sample vulnerable app and test suites.
Currently supported languages are:
python
, go
, typescript
, javascript
,
C# (csharp)
, java
, solidity
Create a private repository on github and clone it.
cd ../
git clone github.com/my-user/my-private-repo
From SDK copy the level
directory and build.sh
to your private
repository.
cp -r ../sdk/level .
cp ../sdk/build.sh .
cd level/
In this task you will modify the sample app to introduce a security bug.
-
make build
To build the app’s container image. -
make run
to run the container. -
make test
to run the usabiity tests. -
make securitytest
to run security tests. Security tests fail because sample app has a security bug. This is intended. -
make debug
give a shell from container and mapssrc
directory from host to the container.
To begin:
-
Review the code and tests in
src/
directory. -
Modify it to introduce a security bug:
-
You can completely refactor the app and tests.
-
You can add a new functionality or modify existing functionalities.
-
Add a usability test for new or modified functionalities.
-
Remember your bug must be a security vulnerability.
-
Tip
|
Looking for an idea? CWE Top 25 or SemGrep Registry have sample codes with security bugs. |
In this task you will add security test(s) to test for the security bug
-
make build && make securitytest
to run security tests. They should fail.
Note
|
Depending on the level complexity, security tests will be treated differently:
|
In this task you will create a patch for the security bug.
-
git checkout -b patch
to create a patch branch -
Patch the program
-
make build && make test && make securitytests
to run all tests. They should pass.
Note
|
This patched branch will NOT be provided to the players and it is only used to verify if level is solvable. |
-
❏
./build.sh
> verify: to verify if everything is okay -
❏ Update
level/Readme.adoc
(NOT this file!) with a level story/incident, level and any pre-requisites. -
❏ Remove unnecessary files and directories
git push both master and patch
branches.
git push
git push -u origin patch
Add secdim
as one of the contributers/collaborators to your private repository.
A friendly SecDim team member will review your level
and will be in touch for the next step.
Done!
-
Remember to push both
master
andpatch
branches. -
Usability tests must always pass.
-
Security tests must pass in
patch
branch and fail inmaster
branch.
Ask your question on SecDim Discuss