VBD: Vulnerable by design

Best regards, I understand that we have to develop VBD challenges, but what are these challenges?
Thank you

VBD challenges are a bit more complex than the usual hacking challenges you made in the training repository, but the essence is the same. In these challenges you have to deal with a training application, full of bugs and vulnerabilities (on purpose), such as bWAPP, DVWA, Hack The Box machines, or Root Me apps, and you have not only to identify but also to exploit the vulnerabilities you find, understanding how to detect those vulnerabilities from a static (source code) and dynamic (environment) perspective, how to fix these vulnerabilities, and their corresponding severity according to the CVSS 3.0 score. The purpose of this stage is to simulate the challenges that you will face daily at Fluid Attacks as a security analyst, giving you the necessary background to play your role efficiently.

I hope this solves your doubts :wink:

Thank you for your response. I have clarified the doubts a bit, but I forgot to ask on which platforms the development is done, and which ones they are.
Thank you

If you are talking about the applications, the platform may vary: some require containers or local installation, others are online and require just a sign-up and login (such as CTFs).

Once you’ve discovered a vulnerability, you can submit it to the writeups repo via Merge Request, following similar considerations and criteria as in the training repo. The process is the same:

submit MR -> peer review -> writeup accepted or closed

If closed, refactor and submit again :wink:

For example, in the case of the Root Me platform, in the challenges space, several categories appear: Steganography, Forensic, Cracking, Networks, and Web Server, among many others. My question is: do any of the challenges in these categories apply to VBD challenges?
Thank you

These challenges apply to the training repo only. I suggest you check the existing sites in the vbd folder; there you can find the allowed sites and applications where you can start searching for vulnerabilities.

Hi @usual-fly

If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider that properly answers your question (go to the answer, click on the ellipsis and then the solved button).