This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Security Shepherd

Revision as of 15:10, 19 May 2015 by Mark Denihan (talk | contribs) (Topic Coverage)

Jump to: navigation, search
OWASP Project Header.jpg
Lab big.jpg

OWASP Security Shepherd

OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take any user, from AppSec novice to experienced engineer, and sharpen their penetration testing skillset to security expert status.


OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and help them exploit a text book version of the issue. Challenges include poor security mitigations to the security risk which have left room for user's to exploit.

Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.

Security Shepherd's security risks are delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response.

Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition.

Layout Options

An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:

CTF Mode

When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.

Open Floor

When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks.

Tournament Mode

When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition.

What is Security Shepherd?

OWASP Security Shepherd provides:

  • Teaching Tool for All Application Security
  • Web Application Pen Testing Training
  • Mobile Application Pen Testing Training
  • Safe Playground to Practise AppSec Techniques
  • Real Security Risk Examples

Topic Coverage

The Security Shepherd project covers the following web and mobile application security topics;

Related Projects


The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See .



AppSecEU 2014 Video

AppSecEU 2014 Presentation

Project Leaders

Mark Denihan - [email protected]

Sean Duggan - [email protected]

Recent News and Events

  • [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit
  • [May 2015] Shepherd v2.3 Released
  • [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF
  • [December 2015] Shepherd V2.2 Released


Owasp-labs-trans-85.png Owasp-breakers-small.png
Project Type Files TOOL.jpg
Q1 Can I Re-Skin Shepherd and then Train People With it?
A1 Yes! Shepherd plans to include this in-app in version 2.4
Q2 Where can I access Security Shepherd?
A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.


OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Mark Denihan
  • Sean Duggan
  • Ciaran Napier
  • Jason Flood
  • Patrick Hanily
  • Peter Dolan

The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact [email protected]

New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on [email protected] The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project GitHub and find some issues that you can help with right away.

To contribute right away, pull the source from GitHub


Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.

Project Sponsors

The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the AppSec EU 2015 conference as well as follow them on Twitter.



Security Shepherd v2.3 VM Setup:

To get a Security Shepherd VM ready to rock, follow these steps;

Setting up your instance of Security Shepherd with the VM: In Steps!

  • Import the VM to your hyper visor (Eg: Virtual Box)
  • Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)
  • Boot the VM
  • Sign in with securityshepherd / owaspSecurityShepherd
  • Change the user password with the passwd command
  • In the VM, run "ifconfig" to find the IP address. Make note of this
  • On your host machine, open http://<VM IP Address>/
  • Sign in with admin / password
  • Change the admin password (cannot be password again)
  • Time to play!

Security Shepherd v2.3 Manual Pack:

The manual release is a single download, unrar, and follow the steps release.

  • Download the Security Shepherd Manual Pack
  • Install Apache Tomcat 7
  • Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!
  • Extract the Security Shepherd Manual Pack
  • Copy the sql files extracted from the pack to the bin directory of MySql
  • Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )
  • Type the following commands to execute the Shepherd Manual Pack SQL files;

source core.sql source exposedSchema.sql

  • Open the webapps directory of your Tomcat instance
  • Delete any directories that are there already
  • Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat
  • Start Tomcat
  • Open the temp directory of Tomcat
  • If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/ to point at your local DB with your MySql settings. Leave the Driver alone!
  • If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.
  • Open your the root context of your Tomcat server (eg: )
  • Sign into Security Shepherd with the default admin credentials (admin / password)
  • Change the admin password
  • Follow in application prompts for further configuration
Detailed vulnerability explainations
Competitive Learning Environment
Easy configuration to suit every use