Rewrite Samurai-Dojo / Dojo Basic

[JGillam]

A New Direction for Dojo Basic

Dojo Basic has been an invaluable resource for years, serving as an effective demonstration of how not to write a web application. Its age, however, is beginning to show. Built on PHP, Dojo Basic lacks examples of modern application features and vulnerabilities that are increasingly important in today's security landscape.

Despite this, we believe there's still a place for Dojo Basic as a resource for illustrating fundamental security concepts. While there's a growing emphasis on Single Page Applications (SPAs), we already have other robust applications serving this space within our portfolio. Therefore, Dojo Basic should continue to represent a classic application design, keeping its role as an entry-level tool for pentesting education.

Modernizing Dojo Basic with Flask and Jinja2

We're proposing a significant revamp of Dojo Basic, transitioning from PHP to a Python-based application using Flask and Jinja2. This modern stack will allow us to include more contemporary features and vulnerabilities, while maintaining the traditional server-side structure that Dojo Basic is known for.

The Flask Framework

Flask is a lightweight and flexible web framework for Python. It's easy to learn, making it a great choice for beginners, but it's also powerful and flexible enough to handle more complex applications. Flask's simplicity and flexibility will help us ensure that Dojo Basic remains accessible to newcomers, while still providing opportunities to demonstrate more complex vulnerabilities and security concepts.

Jinja2 Templating

We'll be using Jinja2 for our templating engine. This powerful and popular tool allows for dynamic generation of HTML content, and offers opportunities to demonstrate a variety of injection vulnerabilities, including server-side template injection (SSTI).

Demonstrating Modern Vulnerabilities

With this new setup, we'll be able to incorporate demonstrations of modern vulnerabilities, such as SSTI and insecure deserialization. We'll also continue to cover classic vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery.

Incorporating LDAP

Furthermore, we're planning to incorporate LDAP for user management. This will allow us to explore another common area of security vulnerability – improperly configured LDAP authentication. This feature will also lend a more realistic touch to the application, reflecting the kind of infrastructure that many real-world applications operate within.

Looking Forward

Our aim is to make Dojo Basic a more relevant, up-to-date learning tool for application security. By modernizing the platform and expanding the range of vulnerabilities it demonstrates, we can ensure it continues to serve as an essential part of pentesting education. We're excited to embark on this journey and welcome your thoughts and suggestions as we move forward.

[mgillam]

A few points on this that might affect direction, possibly not, but worth considering. These aren't really related to one another, so they're in no particular order.

1. I have work in progress on a Dojo Basic rewrite (I call it Flagstone) that uses Htmx for a modern pseudo HATEOS-style app. This would modernize it using a framework that seems to be growing in popularity, but would be a less extreme change for instructors already familiar with it. One of the stated goals for it is to keep the existing vulnerability types in the same places (although actual behaviors may not be identical).
2. Flask feels out of step with the intent of making it more representative of the infrastructure of real-world applications. I like Flask, it'd be my choice for developing a python API quickly, but Django feels more appropriate for this within the Python ecosystem, just . Good alternatives in the Go, Kotlin, and .Net Core spaces as well.
3. While SPAs are still widespread and certainly worth training on, there's a lot of push away from them at this point, and toward more streaming and render-at-edge type approaches. React is still huge (specifically Next.js), but Solid has seen significant growth, Vue still a stalwart, Svelte seems to be eating Angular's lunch, and Qwik is noteworthy as well, looking further forward.

[JGillam]

That's a good point with respect to Flask vs Django. I'm not attached to a particular framework, I just want to use something that's in common use and will be relatively straightforward to build out a simplistic app with. I do think sticking to Python is a wise choice. Its a very mature, well established language that (as you pointed out offline) is becoming more popular recently due to interactions with LLMs.

As for the purpose of dojo-basic. First, I think we need to make a clear distinction between Dojo-Basic and Wayfarer.

• Dojo-Basic: Intro-level demonstrations of common vulnerabilities. The app does not need to reflect a technology stack we see in a modern typical application. It serves mainly to provide an exaggerated and simplified demonstration platform (as it always did). It just desperately need some updating to make it more relevant for today's classes.
• Wayfarer: A modern functional application that reflects a more realistic technology stack and architecture. Wayfarer's flaws are not exaggerated to the extent they are in Dojo-Basic.

So if you consider Dojo-Basic to be the entry-level app, then Wayfarer would be more of an intermediate app. Any vulnerability we can demonstrate in Dojo-Basic should be available in some form in Wayfarer, though it may be more complicated to produce or may be a variation. Wayfarer may also include certain vulnerabilities that are missing from Dojo-Basic.

That, at least, is what I was envisioning. From the instructor perspective, you would demonstrate with Dojo-Basic, and lead student exercises in Wayfarer to help encourage students to think through the problems rather than outright copying the teacher.