Dear participants,

Welcome to our “Secure Coding“ online course. Before you stretch your fingers and start rolling up your sleeves, we would like to mention a few things about this course.

As an application developer, you are implicitly tasked with protecting your software against malicious hackers. To prepare you for battle, we will have you check a credit card transaction payment application for vulnerabilities and fix your findings in the program code as part of the “Secure Coding“ course. You will have access to a virtual laboratory environment, which represents the test environment of the fictitious company Dubius Payment Ltd.

The virtual lab can be accessed via our OpenVPN server. First, you must schedule your lab start date in your MyPortal and choose between PHP, Java, Python, Perl, Go, Ruby and Node as your programming language:

Once your personal lab has been fully created, you can download your VPN configuration in your MyPortal and use the openvpn .ovpn command to connect to the OpenVPN server. Then you may immerse yourself in the world of Dubius Payment Ltd.

After successfully establishing a VPN connection, you will be able to access the source code of the so-called payment gateway via GitBucket (http://git.dubius-payment.com). With your access data (user name: cto and password: zeibaepohWei3aw) you can check out the source code, make changes and push on the server. In addition, you can trigger functional tests and vulnerability scans in your MyPortal, which will analyse and evaluate your latest status. However, before making any changes to the source code, we recommend to trigger a very first code check to initialize all tables with their initial values:

When you run a test, please note that it can take up to five minutes to complete. Your test results will be displayed not only in your MyPortal, but you can also view your changes on the deployment server (http://api.dubius-payment.com). The server is reinitialised before every test run. Of course, you may also install the payment gateway on your local computer, but no technical support is provided with this type of installation. To allow you to easily go back and forth between your Git Commits, we generate tags for each build, with the structure build/.

The payment gateway basically differentiates between two user roles, i.e. administrators and merchants. While administrators manage the users, merchants can make credit card payments via the API. The relevant API documentation can be found under http://doc.dubius-payment.com/merchant/ and http://doc.dubius-payment.com/admin/. Please note that the API documentation of the merchants is publicly available, whereas querying the Admin API documentation requires user authentication (user name: admin and password: admin1).

Generally speaking, each IT system in the lab has been assigned an IPv4 address from the private IPv4 network 10.0.0.0/8, so that this network is routed through our VPN server. If you also obtain IPv4 addresses from the above network range for your work network, you may need to create more specific routes to ensure proper function.

It is well known that self-generated knowledge through practical experience is retained faster and more deep-seated than presented material. This is why we provide you with the basic tools in our course chapters and downloads, but refer you to external standard documents or publications on the Internet for more in-depth information. For practical implementation, you can use an editor or an IDE of your choice. Beyond that, you only need the open source tools “OpenVPN“ and “Git“, as mentioned previously.

Before you start pulling out your hair looking for vulnerabilities, we would like to refer you to our help system. This is where you can unlock tips about the individual vulnerabilities, which will give you a clue to its location in the program code. Spoilers not only ruin the fun for film and TV, but they also lessen the sense of achievement of having recognized a vulnerability as such. This is why you can only use a limited number of tips, because our help system is tied to the Academy Coin: each time you wish to use a Joker, you must cash in Academy Coins. To this end, we have set up 6 Academy Coins as starting balance, which can be increased by solving our multiple-choice questions in the chapters. In addition, a tip is automatically unlocked if the associated vulnerability has been successfully fixed.

After your first successful fix of a vulnerability in the program code, you will get a confirmation of participation from us. It should be noted that many roads lead to Rome, so to speak. You are free to pick your method or technique to identify the vulnerability, as long as the functionality of the application is ensured. To that end, we will only score your fixed vulnerabilities if all function tests of your last commit passed successfully. We are providing a list of common libraries on our learning platform, which you can use for the task. It is not possible to install additional libraries. You will be rewarded for your freestyle exercise with our Binsec Academy Certified Secure Coding Professional (BACSCP) certificate once you have eliminated eight of the vulnerabilities that we integrated.

Enjoy, and we wish you the best of luck. :)

Last modified: Dec. 15, 2022

binsec GmbH
binsec GmbH is a consulting firm for information security and was founded in 2013 by security experts. Our team consists of experienced, certified specialists with different areas of expertise. Due to our extensive expertise in many different IT security fields, we can support our customers with a wide array of issues. Most of our customers are medium-sized companies, for whom security is pivotal to success.