A GitHub Security Lab initiative, providing an in-repo learning experience, where learners secure intentionally vulnerable code.
- Who is this for: Developers, students.
- What you'll learn: How to spot and fix vulnerable patterns in real-world code, build security into your workflows, and understand security alerts generated against your code.
- What you'll build: You will develop fixes on functional but vulnerable code.
- Prerequisites: In this course, you will need some knowledge of
python3
for most levels andC
for Level 2. - How long: This course is five levels long and takes 8-10 hours to complete.
- Right-click Start course and open the link in a new tab.
- In the new tab, follow the prompts to create a new repository.
- For owner, choose your personal account or an organization to host the repository.
- We recommend creating a public repository βprivate repositories will use Actions minutes.
- After your new repository is created, wait about 20 seconds, then refresh the page. Follow the step-by-step instructions in the new repository's README.
All levels are configured to run instantly with GitHub Codespaces. If you chose to use codespaces, be aware that this course will count towards your 60 hours of monthly free allowance. For more information about GitHub Codespaces, see the "GitHub Codespaces overview." If you prefer to work locally, please follow the local installation guide in the next section.
- To create a codespace, click the Code drop down button in the upper-right of your repository navigation bar.
- Click Create codespace on main.
- After creating a codespace wait for all background installations to complete. This should take less than two minutes.
Please note: You don't need a local installation if you are using GitHub Codespaces.
The following local installation guide is adapted to Debian/Ubuntu and CentOS/RHEL.
- Open your terminal.
- Install OpenLDAP headers needed to compile
python-ldap
, depending on your Linux distribution. Check by running:
uname -a
- For Debian/Ubuntu, run:
sudo apt-get update
sudo apt-get install libldap2-dev libsasl2-dev
- For CentOS/RHEL, run:
sudo yum install python-devel openldap-devel
- Then, for both Debian/Ubuntu and CentOS/RHEL, install
pyOpenSSL
by running:
pip3 install pyOpenSSL
- Install the other dependencies by running:
pip3 install -r requirements.txt
Once installation has completed, clone your repository to your local machine.
- From your repository, click the Code drop down button in the upper-right of your repository navigation bar.
- Select the
Local
tab from the menu. - Copy your preferred URL.
- In your terminal, change the working directory to the location where you want the cloned directory.
- Type
git clone
and paste the copied URL.
$ git clone https://github.com/YOUR-USERNAME/YOUR-REPOSITORY
- Press Enter to create your local clone.
For more information about cloning repositories, see "Cloning a repository."
Welcome to "Secure Code Game"! π
A few days before the massive shopping event Black Friday, an electronics shop without an online presence rushed to create a website to reach a broader customer base. As a result, they spent all their budget on development without investing in security. Do you have what it takes to fix the bug and progress to Level 2?
For each level, you will find the same file structure:
code
includes the vulnerable code to be reviewedhack
exploits the vulnerabilities incode
. Runninghack.py
will fail initially, your goal is to get this file to pass.hint
offers a hint if you get stuck.solution
provides one working solution. There are several possible solutions.tests
contains the unit tests that should still pass after you have implemented your fix.
- Review the code in
code.py
. Can you spot the bug? - Try to fix the bug. Ensure that unit tests are still passing.
- You successfully completed the level when both
hack.py
andtests.py
pass π’. - If you get stuck, read the hint in the
hint.js
file. - Compare your solution with
solution.py
.
You have completed Level 1: Black Friday! Welcome to Level 2: Matrix. π
At the time "The Matrix" was first released in 1999, programming was different. In the movie, a computer programmer named Thomas "Neo" Anderson leads the fight in an underground war against powerful computers who have constructed his entire reality with a system called the Matrix. Do you have what it takes to win that war and progress to Level 3?
For each level, you will find the same file structure:
code
includes the vulnerable code to be reviewedhack
exploits the vulnerabilities incode
. Runninghack.py
will fail initially, your goal is to get this file to pass.hint
offers a hint if you get stuck.solution
provides one working solution. There are several possible solutions.tests
contains the unit tests that should still pass after you have implemented your fix.
- Keep working inside the same environment as in Level 1
- If you skipped Level 1, go back and follow the π¦ Time to start guide
- Review the code in
code.h
. Can you spot the bug? - Try to fix the bug. Ensure that unit tests are still passing.
- The level is completed successfully when both
hack.c
andtests.c
pass. π’ - If you get stuck, read the hint in the
hint.txt
file. - Compare your solution with
solution.c
.
Nice work finishing Level 2: Matrix! It's now time for Level 3: Social Network. β¨
The following fictitious story takes place in the mid-2030s. Authorities worldwide have become more digitized. Various governments are adapting social network technology to fight crime. The goal is to establish local communities that foster collaboration by supporting citizens with government-related questions. Other features include profile pictures, hashtags, real-time support in comments, and public tip sharing. Do you have what it takes to secure the social network and progress to Level 4?
- For Levels 3-5, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions setting up code scanning, see "Setting up code scanning using starter workflows."
For each level, you will find the same file structure:
code
includes the vulnerable code to be reviewedhack
exploits the vulnerabilities incode
. Runninghack.py
will fail initially, your goal is to get this file to pass.hint
offers a hint if you get stuck.solution
provides one working solution. There are several possible solutions.tests
contains the unit tests that should still pass after you have implemented your fix.
- The codebase generates several code scanning alerts. Your goal is to resolve these alerts for each level.
- Review the code in
code.py
. Can you spot the bugs? - If you get stuck, read the code scanning alert.
- Try to fix the bug. Make your changes and open a pull request to
main
or push your fix to a branch. - Check the tests and the code scanning results to confirm the alert for this level has now disappeared.
Nicely done! Level 3: Social Network is complete. It's time for Level 4: Database. π₯³
Databases are essential for our applications. However, malicious actors only need one entry point to exploit a database, so defenders must continuously protect all entry points. Can you secure them all?
For each level, you will find the same file structure:
code
includes the vulnerable code to be reviewedhack
exploits the vulnerabilities incode
. Runninghack.py
will fail initially, your goal is to get this file to pass.hint
offers a hint if you get stuck.solution
provides one working solution. There are several possible solutions.tests
contains the unit tests that should still pass after you have implemented your fix.
For Levels 3-5, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions setting up code scanning, see "Setting up code scanning using starter workflows."
- The codebase generates several code scanning alerts. Your goal is to resolve these alerts for each level.
- Review the code in
code.py
. Can you spot the bugs? - If you get stuck, read the code scanning alert.
- Try to fix the bug. Make your changes and open a pull request to
main
or push your fix to a branch. - Check the tests and the code scanning results to confirm the alert for this level has now disappeared.
Almost there! One level to go! β€οΈ
It's a common myth that passwords should be complex. In reality, it's more important that passwords are long. Some people choose phrases as their passwords. Users should avoid common expressions from movies, books, or songs to safeguard against dictionary attacks. Your password may be strong, but for this exercise, a website you have registered with has made a fatal but quite common mistake. Can you spot and fix the bug? Good luck!
For each level, you will find the same file structure:
code
includes the vulnerable code to be reviewedhack
exploits the vulnerabilities incode
. Runninghack.py
will fail initially, your goal is to get this file to pass.hint
offers a hint if you get stuck.solution
provides one working solution. There are several possible solutions.tests
contains the unit tests that should still pass after you have implemented your fix.
For Levels 3-5, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions setting up code scanning, see "Setting up code scanning using starter workflows."
- The codebase generates several code scanning alerts. Your goal is to resolve these alerts for each level.
- Review the code in
code.py
. Can you spot the bugs? - If you get stuck, read the code scanning alert.
- Try to fix the bug. Make your changes and open a pull request to
main
or push your fix to a branch. - Check the tests and the code scanning results to confirm the alert for this level has now disappeared.
Congratulations, you've completed this course!
Here's a recap of all the tasks you've accomplished in your repository:
- You practiced secure code principles by spotting and fixing vulnerable patterns in real-world code
- You assessed your solutions against exploits developed by GitHub Security Lab experts.
- You utilized GitHub code scanning features and understood the security alerts generated against your code.
- Follow GitHub Security Lab for the latest updates and announcements about this course.
- Share your feedback on this course by emailing us at securitylab-social@github.com.
- Take another skills course.
- Read more about code security.
- To find projects to contribute to, check out GitHub Explore.
Get help: Email us at securitylab-social@github.com β’ Review the GitHub status page
Β© 2023 GitHub β’ Code of Conduct β’ MIT License