Interactive learning platform offers introduction to core web hacking themes
YesWeHack has launched a tool to help bug bounty hunters hone their ethical hacking skills and optimize their vulnerability exploits.
YesWeHack Dojo features introductory courses and training challenges focused on specific security vulnerability types, as well as a playground in which payloads can be road-tested.
The platform, which was launched yesterday (October 22), has four training ‘themes’ – SQL injections, MongoDB injections, XPATH injections, and cross-site scripting (XSS) flaws – with YesWeHack planning to add further bug types over time.
“Dojo lets you practice while getting direct feedback on your parameters”, which “are parsed inside the back-end code in real time”, according to a YesWeHack blog post.
Hackers can also create their own capture-the-flag (CTF) challenges without having to set up a server.
YesWeHack Dojo was launched earlier this week
YesWeHack says the tool supports a wide range of backends with which users can build their own labs.
Users can share exploits with fellow bug hunters “without compromising the privacy of your target program” by sharing a private link.
Seeking to allay bug hunters’ security concerns, YesWeHack says the challenges and exploits fashioned by users are not stored server-side.
Lucas Philippe, tech ambassador at YesWeHack, devised and coded the tool.
The goal of YesWeHack Dojo was “to allow bug hunters to reproduce bugs they found in the wild and share them without sharing the real bug,” he told The Daily Swig during a demonstration.
“The main thing is being able to see injection in real time,” he added. “I see a lot of people sharing payloads without really understanding the payload.
“I wanted to focus on the code, so you can really understand how the code is changing based on the inputs.”
Philippe, who is also a security researcher, author of YesWeBurp, and member of CTF team Hexpresso, added:
“We don’t offer very realistic challenges. It’s more focused on the exploitation than the discovery.”
YesWeHack Dojo is free to use for all bug hunters who are registered with the Paris-based bug bounty platform.
It’s not the first tool launched by YesWeHack this year to support the efforts of security researchers.
In July, the crowdsourced security platform launched The Pwning Machine, a Docker-based pwning environment with an “all-in-one, customizable, and extensible suite of tools” including a DNS server, HTTP router, web server, and pipeline runner.