Reintroducing TarantuLabs – free web app CTF labs!

Comments Off on Reintroducing TarantuLabs – free web app CTF labs!

I got into cybersecurity 4 years ago – back when I was still doing night shifts as a security guard. During my learning, I remember that the THM and HTB paywalls were fairly annoying.

4 years later, with a few years as a security researcher on my CV, I thought it’s time to give back.

TarantuLabs is a site where you can practice your web app bug bounty skills, for free. Currently there are 12 labs there, and more will be added every week!

The labs are AI generated, but each have passed a comprehensive test suite to make sure they work, and for the first batch I also solved them manually and verified they work as well.

The labs load client-side, meaning you don’t need to wait for a Docker or VM to boot up somewhere. Just wait for a few seconds in your browser for all the dependencies to be installed, and you’re good to go! This approach solves multiple problems I’ve had when I first started this project, and I’ll elaborate more below. Read if you’re interested. If not, go ahead to:

www.tarantulabs.com

For those who’ve stayed and who may remember when I first started – and then scrapped – this project, here were my challenges, and how I solved each of them:

  1. An AI bottleneck: a year ago, the models that generated the labs, have created dull, boring labs, which were either technically unsolvable, or solved via a single basic SQL query.
  2. Cloud costs: using AI to generate the labs solved the cost of work of generating these labs. But hosting them proved to be more expensive than I expected, and ended up costing me enough for me to shut this down.
  3. Security: even if I were to bear the cloud costs, I still didn’t have the time to build proper security and virtualization infra to make sure no user can access another user’s resources, and escalate from there.
  4. And, honestly, UX: even after I finished the previous iteration, I found myself stopping and looking at the site and… didn’t really want to use it.

These problems, primarily the AI bottleneck one, have forced me to wait almost a year for the models to be capable enough to produce labs worth solving. After that, here were my solutions to the problems:

  1. AI bottleneck was solved. Better, more consistent, and diverse labs, which were actually solvable and interesting.
  2. Cloud costs and security were solved with the decision to run the labs client-side. These labs are run in your browser via an iframe – so I bear no cloud costs, and there’s no real security risk of any user breaking into another user’s resource.
  3. Moving away from clumsily routing from my site, to the cloud, to spinning up the labs, which would all take a few mins – to loading everything client-side, made everything buttery smooth. Also, the UI now looks better.

The downside of moving everything to be client-side is that I had to give up on certain vulnerability classes and specific labs I had in mind, so bear that in mind.

I hope you like it and try it out, and if you know anyone wishing to break into the field, go ahead and share it with them!

submitted by /u/dvnci1452
[link] [comments]

Read More >>