Please find below a sample list of secure coding challenges for Go and their alignment with OWASP Top 10. The goal in each challenge is to fix the security vulnerability in the app. These are mix of free and Pro challenges.
To get started with SecDim’s challenges, first complete Start Here.go.
A01:2021-Broken Access Control
- Bad Token.go: A token can be used for a one time operation: password reset, email verification, setting up multi factor authentication, etc. Therefore, secure generation and handling of the token is very important. In this challenge we will learn key security features that every token and token handling system must have.
- No Sutpo.go: This appsec challenge is inspired after Optus API incident. It has a number of security vulnerabilities in relation to API.
- Steam.go: This appsec challenge is inspired by the Steam client privilege escalation vulnerability. It showcases Time of Check, Time of Use (ToCToU) vulnerability. It is a hard to discover race condition vulnerability.
A02:2021-Cryptographic Failures
- Randomness.go: While there are libraries to generate random numbers, not all of them are suitable for security. This challenge will explore this weakness and ways to address it.
- Bad Token.go: A token can be used for a one time operation: password reset, email verification, setting up multi factor authentication, etc. Therefore, secure generation and handling of the token is very important. In this challenge we will learn key security features that every token and token handling system must have.
A03:2021-Injection
- Command Injection.go: when untrusted data is used as an argument to an external program, command injection can happen. In this appsec challenge, we explore how to exploit and fix command injection vulnerability.
- SQL Injection.go: This is a classic security challenge where an app uses a SQL database and does not use parametrised query or ORM.
- Log Injection.go: Although the Log4Shell RCE vulnerability took many by surprise, log injection has been a known vulnerability, and there are numerous other edge cases that can lead to the exploitation of log aggregators. In this challenge, we will explore how to construct a resilient logger.
- Ubor.go: This challenge is inspired by Uber RCE on rider.uber.com. We learn how to exploit and fix Server Side Template Injection (SSTI).
- Pollution.go: This challenge is inspired by the Android Master Key security flaw. We learn a popular security design flaw that is related to misinterpretation between different parsers.
A04:2021-Insecure Design
- Energy.go: This challenge is inspired by the Energy Australia security incident. It showcases a number of security vulnerabilities on an authentication functionality.
- Bad Password.go: A password or a memorized secret must possess a variety of security features. In addition to preventing users from selecting weak passwords, the program should implement crucial security checks on the chosen password and securely store it. This challenge explores essential security controls for a change password API.
- Bad Token.go: A token can be used for a one time operation: password reset, email verification, setting up multi factor authentication, etc. Therefore, secure generation and handling of the token is very important. In this challenge we will learn key security features that every token and token handling system must have.
- StackOverflow.go: This challenge is inspired by the StackOverflow outage security incident. It showcases insecure usage of regular expression engines to perform security validation. This can result into a different class of security vulnerability.
A05:2021-Security Misconfiguration
- Secret Leak.go: Secrets such as an API or encryption key are used for various security operations. Disclosure of the secret can severely undermine the security of the app. When a secret is mistakenly disclosed, it is not trivial to remove. This challenge examines key activities that must be performed to handle a leaked/disclosed secret.
- No Sutpo.go: This appsec challenge is inspired after the Optus API incident. It has a number of security vulnerabilities in relation to API.
A07:2021-Identification and Authentication Failures
- JWT.go: Official JWT libraries have done a good job in enforcing token security by default. However, there are still a number of weaknesses that can be introduced when signing and verifying JWT. This challenge examines a JWT vulnerability that could allow unauthorised access and a number of insecure configurations when generating a token.
- Bad Password.go: A password or a memorized secret must possess a variety of security features. In addition to preventing users from selecting weak passwords, the program should implement crucial security checks on the chosen password and securely store it. This challenge explores essential security controls for a change password API.
- Bad Token.go: A token can be used for a one time operation: password reset, email verification, setting up multi factor authentication, etc. Therefore, secure generation and handling of the token is very important. In this challenge we will learn key security features that every token and token handling system must have.
- No Sutpo.go: This appsec challenge is inspired after the Optus API incident. It has a number of security vulnerabilities in relation to API.
A08:2021-Software and Data Integrity Failures
- Command Injection.go: when untrusted data is used as an argument to an external program, command injection can happen. In this appsec challenge, we explore how to exploit and fix command injection vulnerability.
A09:2021-Security Logging and Monitoring Failures
- Log injection.go: Although the Log4Shell RCE vulnerability took many by surprise, log injection has been a known vulnerability, and there are numerous other edge cases that can lead to the exploitation of log aggregators. In this challenge, we will explore how to construct a resilient logger.
A10:2021-Server-Side Request Forgery
- SSRF.go. In this challenge we learn how to exploit and fix Server Side Request Forgery.
- Capital0.go: This challenge is inspired by the Capital One hack. It highlights a number of security checks that must be in place to protect against SSRF.
We host many other challenges that are not part of OWASP Top 10 but appears in today’s modern apps. You can find these challenges by
- Browsing through vulnerabilities related to Go apps: Browse Challenges
- Viewing the Go game
Finally, you can win SecDim OWASP TOP 10 Secure Developer in Go Badge to show your proficiency in building secure apps aligned with OWASP TOP 10 recommendations.