The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.
You can download Security Shepherd VMs or Manual Installation Packs from GitHub.
```bash
# Install pre-reqs
sudo apt install git maven docker docker-compose default-jdk

# Clone the GitHub repository
git clone https://github.com/OWASP/SecurityShepherd.git

# Change directory into the local copy of the repository
cd SecurityShepherd

# Add the current user to the docker group (so docker can run without sudo).
# Log out and back in for the new group membership to take effect.
# Members of the docker group effectively have root on the host.
sudo gpasswd -a "$USER" docker

# Run maven to generate the WAR and HTTPS cert
mvn -Pdocker clean install -DskipTests

# Build the docker images and docker network, and bring up the environment
docker-compose up
```
Open up an internet browser and type in the address bar;
To log in, use the following credentials (you will be asked to update them after login);
Note: Environment variables can be configured in the dotenv (.env) file in the root dir.
Note that none of the levels that interact with a separate database are working, e.g. the SQL injection levels. Also, the backup database is not created.
We've got fully automated and step-by-step walkthroughs on our wiki page to help you get Security Shepherd up and running.
Security Shepherd can be used as a;
There are a lot of purposefully vulnerable applications available in the OWASP Project Inventory, and even more across the internet. Why should you use Security Shepherd? Here are a few reasons;