Cyber Range

OWASP Top 10

Each security domain contains labs representative of the ten categories of web application security risks presented by OWASP – Injection, Insecure Design, Identification/Authentication Failures, Broken Access Control, Software/Data Integrity, Security Logging/Monitoring Failures, Cryptographic Failures, Vulnerable/Outdated Components, Security Misconfiguration, Server-Side Request Forgery

The labs

Train hands-on

  • Security+ – Cryptography

    When using the Internet, users retrieve or share information. Depending on the application, purpose, and implementation methods, the need to provide data confidentiality, integrity, and authenticity emerges. To ensure these requirements are fulfilled and that only authorized parties have access to the data, the information transmitted over the Internet is obfuscated.

  • Privilege Escalation – Path Interception

    In this lab, students will learn how to identify, exploit, and finally mitigate a path injection vulnerability. 

    By the end of this lab, a student will…

    1. Be able to identify code that allows for Path Injections.

    2. Be able to exploit said code to escalate from an unprivileged user to an administrator.

    3. Be able to implement a secure code solution.

  • Advanced Adversary Tactics – Privilege Escalation XSS

    This lab will cover using XSS techniques to steal tokens from other users and using these tokens to escalate to admin privileges.

  • Penetration Testing with Metasploit – 4 – Post-Exploitation with the Meterpreter Lab

  • Secure JavaScript programming – prototype pollution

  • Systems Administration – Access Control Lists

    Learn about access control lists (ACL), including file and directory ACLs, and default ACLs, as you practice in the Linux Cyber Range.

  • Secure Coding – Python

    This lab covers multiple secure coding errors commonly found in Python, including deserialization and XML based attacks.

  • PenTest+ – Applied Nmap

    A vast number of tools were developed to aid pentesters in identifying and exploiting vulnerabilities ranging from reconnaissance to scanning and persistence. Knowing which tool to use depends on the services running on the target and the vulnerabilities identified. One way to get this information is by using Nmap, a network mapper that identifies active hosts, open ports, software versions, and known vulnerabilities associated with the software.

    This lab uses Nmap scans and results to provide practical examples on identifying the right tools to use based on the services running on the target machine. The categories covered include:

    ● Scanners

    ● Credential testing tools

    ● OSINT

    ● Web proxies

    ● Social engineering tools

    ● Remote access tools

    ● Networking tools

    ● Mobile tools

    ● MISC

  • Common Attack Types – HTML & SQL Injections

    In this lab you will walkthrough an example of both HTML and SQL injections.

    HTML injections are vulnerabilities created from poor coding techniques and failure to sanitize user input that allow attackers to inject malicious payloads into the website’s HTML code and modify its content. Based on the vulnerability, an attacker can change a few code lines, add entire forms that can then be used to trick users into providing sensitive information or change the website’s entire layout.

    SQL injection is a web security vulnerability that permits an adversary to inject malicious SQL statements in the queries that an application makes to its database. It allows an unauthorized entity to view data to which they should not have access, like other users’ information

  • Common Attack Types – File Inclusion & Cross-Site Request Forgery (CSRF)

    In this lab you will learn about File Inclusion and Cross-Site Request Forgery attacks.

    File Inclusion vulnerabilities are caused when unvalidated input parameters are passed to back-end programming functions that access server files. The back end represents the server-side of the application, specifically its code and database. An attacker can change the file name in an HTTP request and include malicious scripts instead. Depending on the script, the attacker can:

    ● Execute code on the server

    ● Perform XSS attacks

    ● Cause a Denial of Service (DOS)

    ● Manipulate data

    ● Access sensitive information

    ……………………………………………………………………………………………………………….

    Cross-site request forgery (CSRF), also known as XSRF, Sea Surf, or Session Riding, is a vulnerability where unauthorized commands are submitted from a user that the web application trusts. The delivery mechanisms for CSRF attacks are similar to those for Reflected XSS. An attacker uses social engineering to trick the victim into sending a forged request to a server. The server does not block the request since it is made from an authenticated user.

  • Command Line Basics – User Accounts and Privileges

    This lab focuses on creating and assigning users to groups as well as changing the privileges of said users and groups.

  • Security+ – AAA

    CompTIA Security+ establishes the core knowledge required of any cybersecurity role and provides a jumping point to intermediate-level cybersecurity jobs. Security+ Lab incorporates best practices in hands-on trouble-shooting to ensure security professionals have practical security problem-solving skills. This Lab aids the CompTIA Security+ training set by providing several challenges specially crafted to convey the concept of Authentication Management and Access Control Schemes clearly and comprehensively.

    ‘AAA is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.’

  • CySA+ Log, SIEM, and Email Analysis

    This lab showcases the importance of log files in maintaining security and identifying potential breaches and incidents. The lab also provides an overview of rule writing in Security Information and Event Management (SIEM) platforms, using logs that contain traces of a brute-force attack as an example.

  • CySA+ Infrastructure Management

    Infrastructures include different devices, topologies, logical constructions and separations, protocols, user authentication and monitoring services, logging, and security constructs. Maintaining security in such homogeneous environments means that several types of technologies, tools, and defense practices must be combined. Active defense practices aim to outmaneuver adversaries by implementing multiple layers of security and using offensive tools to prevent cyber attacks. These layers of security consist of decoy hosts and traps that are heavily monitored.

  • CySA+ CTF

    This CTF mainly focuses on the forensic side of security, meaning that it will be on the defending part. Challenges can include file format analysis, steganography, memory dump analysis, or network packet capture analysis.

  • MITRE ATT&CK – Reconnaissance – Website Enumeration

    This lab incorporates a series of Mitre ATT&CK techniques and sub techniques to show how website enumeration can discover resources and underlying technology that the webserver is using

  • MITRE ATT&CK – Initial Access – Exploiting Web Apps

  • Command Line Basics – File Transfer Protocol (FTP)

    This lab uses an FTP server to demonstrate some of the utilities of the FTP protocol as well as some of the weaknesses.

  • MITRE ATT&CK – Initial Access – Exploiting Public-Facing Applications

  • MITRE ATT&CK – Initial Access – Broken Access Control

No software. No set up. Unlimited access.

Skip the server racks and spin up a realistic environment with one click. lnfosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.

Plans & pricing

  • Infosec Skills Personal

    $299 / year

    • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Custom certification practice exams (e.g., CISSP, Security+)
    • Skill assessments
    • Infosec peer community support
  • Infosec Skills Teams

    $799 per license / year

    • Team administration and reporting
    • Dedicated client success manager
    • Single sign-on (SSO)
      Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
    • Integrations via API
      Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
    • 190+ role-guided learning paths and assessments (e.g., Incident Response)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Create and assign custom learning paths
    • Custom certification practice exams (e.g., CISSP, CISA)
    • Optional upgrade: Guarantee team certification with live boot camps

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

You're in good company

CY

We use Infosec Skills to provide continuous training to our technicians and to prepare them for various certifications. Infosec Skills allows us to create personalized training programs that focus on each of our technicians’ particular roles and see their progress as they take courses. We also, recommend it to clients to make their IT support teams better.

Caleb Yankus

DS

This has been utilized to bridge the skills gap across our cyber team and to aid them as they prepare for their various certifications. It also has provided a nice learning foundation for our various cyber team members to utilize as we continue to find ways for cross-utilization with operations while minimizing the downtime needed to ensure everyone’s knowledge is the same.

Daniel Simpson

IS

We use Infosec Skills to provide base level knowledge for employees. We also use the services to provide in depth learning for employees as they encounter new technologies. If an employee is is assigned to a new project, we can rely on Infosec Skills to provide a rapid concentrated learning environment. This rapid concentrated learning positions our employees for success.

Infosec Skills Teams client