Discord Exploitation Lab

Bühler, Janosch and Suwanda, Dante (2024) Discord Exploitation Lab. Other thesis, OST - Ostschweizer Fachhochschule.

HS 2023 2024-SA-EP-Suwanda-Bühler-Discord Exploitation Lab.pdf - Supplemental Material (Text, 11MB)

Abstract

Discord Exploitation Lab
Red teaming Hacking-Lab for Discord bots inspired by the OWASP Top Ten

Initial Situation: Discord is an instant messaging and VoIP platform, popular with gaming, tech and other communities of all kinds. Servers created by users can have their functionality extended and automated by community-made bots. These bots, while useful, can be vulnerable to issues such as injection flaws and broken authentication, which correspond to categories in the current OWASP Top Ten. There is a noticeable lack of practical, interactive training for securing Discord bots, even though plenty of theoretical information is available. This highlights the need for hands-on learning experiences to understand and address these vulnerabilities effectively.
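As an added illustration (not code from the thesis or from OST's Hacking-Lab), the following Python script models the two bot weaknesses the abstract names, an injection flaw and a broken authentication check, in a minimal command handler, each beside its hardened form. The message shape, the notes table, the `!notes` and `!purge` commands and the admin role ID are all assumptions; a real Nextcord bot would receive a `nextcord.Message` whose author carries server-assigned roles, which the plain dataclass here stands in for so the script runs offline.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data: a per-user notes table such a bot might keep.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, content TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", [
        ("alice", "alice's shopping list"),
        ("bob", "FLAG{bob-private-note}"),
    ])
    return conn

# Hypothetical stand-in for a nextcord.Message: only the fields the handlers
# need, so the example runs without a Discord connection.
@dataclass
class Message:
    author_id: int
    author_name: str                                   # display name, chosen freely by the user
    role_ids: frozenset = field(default_factory=frozenset)  # roles granted by the server
    content: str = ""

ADMIN_ROLE_ID = 1234567890  # assumed role snowflake that only server admins can grant

def _arg(msg):
    parts = msg.content.split(" ", 1)
    return parts[1] if len(parts) == 2 else ""

# --- Injection: user-controlled text concatenated into the SQL statement ---
def notes_vulnerable(conn, msg):
    owner = _arg(msg)
    sql = f"SELECT content FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]

def notes_hardened(conn, msg):
    owner = _arg(msg)
    # Parameter binding: the argument is treated as data, never as SQL text
    return [row[0] for row in conn.execute(
        "SELECT content FROM notes WHERE owner = ?", (owner,))]

# --- Broken authentication: trusting a user-chosen display name ---
def purge_vulnerable(conn, msg):
    if msg.author_name != "Admin":
        return "denied"
    conn.execute("DELETE FROM notes")
    return "purged"

def purge_hardened(conn, msg):
    # Authorise on a server-assigned role, which the user cannot self-assign
    if ADMIN_ROLE_ID not in msg.role_ids:
        return "denied"
    conn.execute("DELETE FROM notes")
    return "purged"

def count_notes(conn):
    return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]

def demo():
    conn = make_db()
    results = {}
    # "alice" asks for another user's notes with a classic tautology payload
    payload = Message(1, "alice", content="!notes x' OR '1'='1")
    results["inject_vulnerable"] = notes_vulnerable(conn, payload)
    results["inject_hardened"] = notes_hardened(conn, payload)
    # The same user renames their account to "Admin" but holds no admin role
    fake_admin = Message(1, "Admin", content="!purge")
    results["purge_hardened"] = purge_hardened(conn, fake_admin)
    results["notes_after_hardened"] = count_notes(conn)
    results["purge_vulnerable"] = purge_vulnerable(conn, fake_admin)
    results["notes_after_vulnerable"] = count_notes(conn)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable `!notes` handler returning both users' rows for the payload while the parameterised version returns nothing, and the vulnerable `!purge` handler wiping the table for an attacker who merely renamed themselves, while the role-based check refuses.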

Approach / Technology: Our goal was not only to create an educational lab about Discord bots but also to present it in a playful, game-like form. The aim was to make solving the challenges enjoyable, resembling a role-playing game in which students walk through an adventure and encounter five different characters, each represented by a Discord bot with its own vulnerability and challenge. We developed the bots in Python with the Nextcord library and used Docker Compose for instance management, within the Hacking-Lab framework.

Result: In total, five challenges were implemented. They are included in OST's Hacking-Lab and cover most of the OWASP Top Ten. The challenge each bot poses could be solved on its own, but in our lab each bot is integrated into a larger story to make the journey more interesting. Within the bots we make a clear distinction between singleton bots and pseudo-bots because of their significant operational differences. In the challenges that use pseudo-bots, the student is in full control of the pseudo-bot, which is orchestrated by the management framework we developed. This lets us present all pseudo-bots as a single Discord bot while ensuring that users cannot interfere with each other.

Item Type: Thesis (Other)
Subjects: Topics > Security
Area of Application > Web based
Technologies > Programming Languages > Python
Technologies > Communication > VoIP (Voice over IP)
Technologies > Virtualization > Docker
Divisions: Bachelor of Science FHO in Informatik > Student Research Project
Depositing User: OST Deposit User
Contributors:
Thesis advisor: Bütler, Ivan (Email: UNSPECIFIED)
Date Deposited: 16 May 2024 11:45
Last Modified: 16 May 2024 11:45
URI: https://eprints.ost.ch/id/eprint/1178
