Security Shepherd is a web and mobile application security training platform developed by OWASP (Open Web Application Security Project). It is designed to help individuals learn and practice web and mobile application security through a hands-on, interactive approach. The platform provides a range of intentionally vulnerable applications and challenges that let users improve their skills in identifying, exploiting, and mitigating security vulnerabilities. The project is aimed at both newcomers to application security (AppSec) and seasoned engineers who want to refine their penetration testing skills and reach the level of security experts.
Key Benefits of Security Shepherd
- Interactive Learning: Security Shepherd offers an interactive environment where users can engage with real-world security challenges and vulnerabilities. This practical approach helps learners gain a deeper understanding of security concepts and techniques.
- Realistic Scenarios: The platform provides realistic web and mobile application scenarios that mimic actual security vulnerabilities found in the wild. This authenticity enhances the learning experience by simulating real-world situations.
- Safe Environment: Since Security Shepherd is designed with intentional vulnerabilities, users can practice their skills without affecting real systems or applications. This controlled environment ensures that learning occurs in a safe and risk-free setting.
- Progressive Difficulty: The challenges on Security Shepherd are designed with varying levels of difficulty. This allows users to start with basic concepts and progressively tackle more advanced security issues as they gain confidence and knowledge.
- Immediate Feedback: Security Shepherd provides immediate feedback to users when they attempt to exploit vulnerabilities or solve challenges. This helps users understand their mistakes and learn from them in real-time.
- Comprehensive Coverage: The platform covers a wide range of security topics, including but not limited to SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), authentication bypass, and more. This ensures that users get exposure to different types of vulnerabilities.
Key Features of Security Shepherd
- Vulnerability Variety: Security Shepherd offers a diverse set of intentionally vulnerable applications and challenges, covering a wide array of web and mobile application security vulnerabilities.
- Scoring and Progress Tracking: Users can track their progress and scores as they work through challenges. This feature encourages users to improve their skills and strive for better results.
- Hints and Solutions: The platform provides hints and solutions for each challenge, enabling users to get assistance when they're stuck and learn from the correct approaches.
- Built-in Documentation: Security Shepherd comes with detailed documentation explaining the vulnerabilities, the challenges, and the recommended ways to mitigate them. This educational material enhances the learning process.
- User-Friendly Interface: The platform features an intuitive and user-friendly interface that facilitates easy navigation and access to challenges.
- Open Source: Just like many OWASP projects, Security Shepherd is open-source, which means that the community can contribute to its development and improvement.
- Adoption and Integration: Security Shepherd is used by educational institutions, security training programs, and workshops to teach and assess application security. It can also be integrated into larger security training curricula.
Overall, Security Shepherd serves as a valuable resource for those interested in learning and enhancing their web and mobile application security skills in a practical and engaging manner.
Installing Security Shepherd
- Using Docker (Running on Windows)
- Pull the MariaDB Server 10.6 image from the hub.docker.com repository, then run it.
$ docker pull mariadb:10.6
$ docker run --detach --name mariadb10.6 --env MARIADB_USER=testuser --env MARIADB_PASSWORD=testuserpassword --env MARIADB_ROOT_PASSWORD=rootpassword -p 3306:3306 mariadb:10.6
- Check the IP address of the MariaDB Server container.
$ docker inspect mariadb10.6 | find /i "IPAddress"
- Pull the latest Security Shepherd image from the hub.docker.com repository, then run it.
$ docker pull owasp/security-shepherd:latest
$ docker run --detach --name security-shepherd -p 80:80 -p 443:8443 owasp/security-shepherd:latest
- Get the authentication token from the Security Shepherd container.
$ docker exec -it security-shepherd cat /usr/local/tomcat/conf/SecurityShepherd.auth
- On the host machine, point the browser to https://localhost or https://HostIPAddress
- Supply the needed information and click submit.
- Once the database is set up, it's ready to start the enjoyable hacking journey!
To log in, use the following default credentials (you will be asked to update the password after login):
Username: admin
Password: password
- Using Docker (Running on Ubuntu)
- Follow the instructions at the following link:
https://github.com/OWASP/SecurityShepherd/wiki/Docker-Environment-Setup
- Install the prerequisites using the following command:
$ sudo apt install git maven docker docker-compose openjdk-8-jdk
- Clone the Security Shepherd project GitHub repository.
$ git clone https://github.com/OWASP/SecurityShepherd.git
- Change directory into the local copy of the Security Shepherd project GitHub repository.
$ cd SecurityShepherd
- Add the current user to the docker group (log out and back in so the new group membership takes effect before running docker-compose).
$ sudo gpasswd -a $USER docker
- Run Maven to generate the WAR and the HTTPS certificate.
$ mvn -Pdocker clean install -DskipTests
- Run the following command to build the Docker images and bring the containers up.
$ docker-compose up
- Confirm all containers are running.
- On the host machine, point your browser to https://localhost or https://HostIPAddress
- Sign in with the default credentials and update the password when prompted
Username: admin
Password: password
- Start the enjoyable hacking journey!
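The two Docker sections above either publish MariaDB on every host interface (`-p 3306:3306`) and look up the database container's IP address by hand, or rely on the project's docker-compose file. The script below is an added example, not part of the Security Shepherd project or its wiki: it runs the same two containers from a POSIX shell (Linux or macOS host) but joins them to a user-defined bridge network so Shepherd can reach the database by its container name, binds the MariaDB port to 127.0.0.1 so the sample credentials are not reachable from the LAN, checks that both containers are actually running, waits for the HTTPS listener, and then prints the setup token. The network name `shepherd-net`, the 127.0.0.1 binding and the use of `curl` are this script's own assumptions; the container names, sample credentials, published ports and token path are taken from the page.

```shell
#!/bin/sh
# shepherd-docker-up.sh (added example, not the project's own script).
# Brings up MariaDB 10.6 and Security Shepherd on a shared Docker network.
set -eu

NET_NAME="${NET_NAME:-shepherd-net}"   # assumed network name, override via env
DB_NAME="mariadb10.6"                   # container names as used on the page
APP_NAME="security-shepherd"

# Extract the first non-empty "IPAddress" from `docker inspect` JSON text.
# Printed only for reference: on the shared network the name $DB_NAME resolves.
extract_ip() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/.*"IPAddress": *"\([0-9.][0-9.]*\)".*/\1/p' | head -n 1
}

# Given `docker ps --format '{{.Names}} {{.Status}}'` output ($1), succeed
# only if the container named $2 is in the "Up ..." state.
container_running() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1 == n && $2 == "Up" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Poll https://$1/ for up to $2 seconds; -k accepts the self-signed certificate.
wait_for_https() {
    host="$1"; secs="${2:-60}"
    while [ "$secs" -gt 0 ]; do
        if curl -ks -o /dev/null "https://$host/"; then return 0; fi
        secs=$((secs - 1)); sleep 1
    done
    return 1
}

shepherd_up() {
    docker network inspect "$NET_NAME" >/dev/null 2>&1 || docker network create "$NET_NAME"

    docker pull mariadb:10.6
    # Same sample credentials as the page; the port is bound to loopback only,
    # so the database is reachable from this host and the shared network, not the LAN.
    docker run --detach --name "$DB_NAME" --network "$NET_NAME" \
        --env MARIADB_USER=testuser --env MARIADB_PASSWORD=testuserpassword \
        --env MARIADB_ROOT_PASSWORD=rootpassword \
        -p 127.0.0.1:3306:3306 mariadb:10.6

    docker pull owasp/security-shepherd:latest
    docker run --detach --name "$APP_NAME" --network "$NET_NAME" \
        -p 80:80 -p 443:8443 owasp/security-shepherd:latest

    # Fail early if either container exited instead of staying up.
    ps_out=$(docker ps --format '{{.Names}} {{.Status}}')
    container_running "$ps_out" "$DB_NAME" || { echo "$DB_NAME is not running" >&2; exit 1; }
    container_running "$ps_out" "$APP_NAME" || { echo "$APP_NAME is not running" >&2; exit 1; }

    echo "MariaDB on $NET_NAME: $(extract_ip "$(docker inspect "$DB_NAME")") (hostname: $DB_NAME)"
    wait_for_https localhost 90 || echo "warning: https://localhost is not answering yet" >&2

    echo "Setup authentication token:"
    docker exec "$APP_NAME" cat /usr/local/tomcat/conf/SecurityShepherd.auth
}

# Act only when invoked as `sh shepherd-docker-up.sh up`; sourcing just defines the functions.
if [ "${1:-}" = "up" ]; then shepherd_up; fi
```

Run it with `sh shepherd-docker-up.sh up`, then open https://localhost as the page describes; if the setup page asks for the database address, the container name `mariadb10.6` resolves on the shared network (that the form asks for it is an assumption, since the page only says to supply the needed information). After setup, change the `admin` password and the sample database passwords before exposing the instance to anyone else.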
- Using the Shepherd VM
- Follow the instructions at the following link:
https://github.com/OWASP/SecurityShepherd/wiki/Using-the-Shepherd-VM
- Download VirtualBox from the link below:
https://www.virtualbox.org/wiki/Downloads
- Download the latest version of Security Shepherd from the link below:
https://github.com/OWASP/SecurityShepherd/releases
- Import the Security Shepherd VM into VirtualBox
- Before starting the VM, ensure the Network Adapter has been configured:
- Bridged Adapter: This setup exposes Shepherd to other machines on the network, which will be able to access the Shepherd VM.
- Host Only Adapter: This setup does not expose Shepherd on any network.
- NAT: With this setup, Shepherd is accessible from a browser on the host machine.
- Start the VM
- Sign in with the default credentials included in the VM download .txt file
- Change the password by running: passwd
- Find out the machine's IP address by running: ifconfig
- On the host machine, point your browser to https://localhost or https://HostIPAddress
- Sign in with the default credentials and update the password when prompted
Username: admin
Password: password
- Manual Shepherd Set Up (Windows)
- Follow the instructions at the following links:
https://github.com/OWASP/SecurityShepherd/wiki/Manual-Shepherd-Set-Up-(Windows)
https://github.com/OWASP/SecurityShepherd/wiki/Manual-Shepherd-Setup
For more installation options and informational guides, visit the following links:
https://github.com/OWASP/SecurityShepherd
https://owasp.org/www-project-security-shepherd
https://hub.docker.com/r/owasp/security-shepherd