CSP Hash Incorrect Despite Correct Script and Hash (CSP Lab Issue?)
Hello all! I'm working on Introduction to Content Security Policy (CSP) Lab: Content Security Policy: Hashes exercise that requires generating the correct hash for an inline script like: <script>document.body.style.backgroundColor = "#ADDADE";</script> I’ve used both CyberChef and the SHA-256 JavaScript snippet to generate hashes like: sha256-+BWzTX+GJrse8ifajvHg6QFPdmE+JjXYmrYBn+kLITo= sha256-Msn/9dD1zBN7LGZyQyglKL9JMVyCsVqvZ7MAkmm/BpU= I've accounted for trailing newlines and whitespaces (CRLF, LF), used View Source (not dev tools), and verified that I'm hashing the exact script content. However, the lab continues to mark the answer as “incorrect.” Is this likely a glitch in the lab setup, or is there a common mistake I might be overlooking? Would appreciate any help or confirmation from someone who’s completed this lab or run into a similar problem
Having problems running the Python Expert Challenge 4 in OWASP Training: Access Control
Hi, I've just tried running the code in the Python Expert Challenge 4 in OWASP Training: Access Control. When I first tried to test the code, the error I saw in Preview said that I needed to add 1120418.proxy-http.us.immersivelabs.com to ALLOWED_HOSTS. I've added that but it's now giving me the message below. Could you tell me what I need to do to get the Preview working, please ?Thanks Dave ImproperlyConfigured at / The included URLconf '<module 'apps.siteadmin.urls' from '/app/rentaride/apps/siteadmin/urls.py'>' does not appear to have any patterns in it. If you see the 'urlpatterns' variable with valid patterns in the file then the issue is probably caused by a circular import.Mastercard & Immersive: Turn Cyber Threats into a Competitive Advantage
A cyberattack is no longer a possibility so much as an inevitability. Is your crisis plan a playbook on the shelf or a capability that’s regularly practiced and proven? Join experts from Mastercard and Immersive as we unveil critical, data-driven insights from our joint research, Fail to Prepare, Prepare to Fail: Cyber Crisis Exercising for Operational Resilience. You’ll come away with actionable recommendations to help your organization bridge the gap between basic risk management and proven operational stability in today's high-risk environment. Discover why proactive, regular crisis exercises don't just reduce risk—they generate massive returns. In this exclusive webinar, you'll learn how Immersive’s AI-powered cyber resilience platform and Mastercard’s advisory experience and expertise can empower you to create a data-backed strategy that Dramatically reduces financial costs, saving organizations an average of $1.49 million Accelerates response capabilities by cutting average breach resolution times by 54 days. Achieves a massive return on investment, with our research showing the potential for up to 5x ROI from effective cyber crisis exercising.
TLS Fundamentals: Ep.8 – Final Challenge
TLS Fundamentals: Ep.8 – Final Challenge the 15th question Connect to the localhost using the answer from the previous task as the port. What is the six character token value embedded in the ticket name? The hint is : Hint Look at the session ticket data. The token is a random six character string that is prefixed with "TOKEN=". the answer from the previous task as the port is 64321, but no token with prefix "TOKEN=" I doubt there is no correct answer, looking forward your feedback. iml-user@secure-ops-wireshark-with-nginx:~$ openssl s_client -connect localhost:64321 CONNECTED(00000003) Can't use SSL_get_servername depth=2 O = TLS Fundamentals, CN = TLS Fundamentals Root CA verify error:num=19:self-signed certificate in certificate chain verify return:1 depth=2 O = TLS Fundamentals, CN = TLS Fundamentals Root CA verify return:1 depth=1 O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA verify return:1 depth=0 CN = admin.immersive.local verify return:1 --- Certificate chain 0 s:CN = admin.immersive.local i:O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA a:PKEY: rsaEncryption, 2048 (bit); sigalg: ecdsa-with-SHA256 v:NotBefore: Dec 5 12:16:11 2025 GMT; NotAfter: Dec 6 12:16:11 2025 GMT 1 s:O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA i:O = TLS Fundamentals, CN = TLS Fundamentals Root CA a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256 v:NotBefore: Dec 5 12:16:10 2025 GMT; NotAfter: Dec 3 12:16:10 2035 GMT 2 s:O = TLS Fundamentals, CN = TLS Fundamentals Root CA i:O = TLS Fundamentals, CN = TLS Fundamentals Root CA a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256 v:NotBefore: Dec 5 12:16:09 2025 GMT; NotAfter: Dec 3 12:16:09 2035 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIICwzCCAmqgAwIBAgIQMMvZLi8quT3QmIsn4NgfcDAKBggqhkjOPQQDAjBGMRkw FwYDVQQKExBUTFMgRnVuZGFtZW50YWxzMSkwJwYDVQQDEyBUTFMgRnVuZGFtZW50 YWxzIEludGVybWVkaWF0ZSBDQTAeFw0yNTEyMDUxMjE2MTFaFw0yNTEyMDYxMjE2 MTFaMCAxHjAcBgNVBAMTFWFkbWluLmltbWVyc2l2ZS5sb2NhbDCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBANZ3bl6LliwxKY10jKAMcpBEb/GqrQJugR3+ sUD7JarTRNYKPG3rGuDbDabVytl8Oc8/VnTQuzulPyPeFSufsxki+3WgrFGBcK+5 mxoQrR7zAl0p4l+jzR6uSxnh5vSoMaPpnlIGqW6Ipw5SR5SGTyp4jSh/xwbxDY4U 8vKeIu1fvgAADRDrZ4XzUAlNGw6nTBdEj/TV03cbE7RDJwrsahi/w9pDi3vkeQCW ftD/ZMV7vLFrl5MkeFmKV2guI8+HBUXRt9fx6ilu5016Atzl5VMGDOOkufXNnZGq Sh3J2PCcR5uheFFllk9dkgwfqdNevqBgzL5VZUyxKzbv3tY/86ECAwEAAaOBlDCB kTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC MB0GA1UdDgQWBBRhm48B5yPrTvgjlo5f5bJPihOJ4TAfBgNVHSMEGDAWgBTVISkB T81TtwfzgFQI18fLxUMLIDAgBgNVHREEGTAXghVhZG1pbi5pbW1lcnNpdmUubG9j YWwwCgYIKoZIzj0EAwIDRwAwRAIgOf6y/oGxlmuKuLrGMzIjq+y2OgqVXThzXr2d x/CHgMICIFJhSxJSPeSIyobZKC0QmB+057ns1NI27oOMuR1fjax7 -----END CERTIFICATE----- subject=CN = admin.immersive.local issuer=O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2219 bytes and written 373 bytes Verification error: self-signed certificate in certificate chain --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self-signed certificate in certificate chain) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: DF37EF25B8F57F8A61A64BE228EC58AC2B113B991479961CBDAFC029B9482892 Session-ID-ctx: Resumption PSK: E230CD3D18A2BB48A51A7C04EE16FDAF79EFBEEA3D8605B70FFC0DEB68098CF355060AF8DF360EACFBC480C5B3AFE462 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 4a ac bb b1 83 bd fc b7-ed 94 ea db b1 10 60 48 J.............`H 0010 - 82 38 28 98 95 e3 7b 18-6f e7 0c c8 54 ef 3d 1f .8(...{.o...T.=. 0020 - b9 2c aa b2 b2 57 d8 5e-4e aa e9 75 c0 68 7c ce .,...W.^N..u.h|. 0030 - 00 c6 85 ae 2c 96 26 44-54 88 a1 d1 b0 58 a9 d3 ....,.&DT....X.. 0040 - 88 1c 2a d8 85 a3 f1 a2-09 a8 33 9e 1f b1 db af ..*.......3..... 0050 - 84 f9 92 b3 78 2c 17 7e-11 87 12 1c 49 81 e1 2d ....x,.~....I..- 0060 - 08 79 00 e8 9d bf 7e fb-10 41 ec 93 c1 5e 30 a4 .y....~..A...^0. 0070 - 61 92 2a 79 a2 09 2d 66-97 f8 d9 fa bb b3 c8 a2 a.*y..-f........ 0080 - d3 e3 ab bd 45 36 68 00-11 98 0e 68 ea 1e 52 ee ....E6h....h..R. 0090 - 08 7b 2b aa 80 42 31 b0-ec 9b 51 ae b1 ca cf ee .{+..B1...Q..... 00a0 - d8 bd c5 31 dd b9 22 c3-8a 0b 76 c3 a6 ca 50 e2 ...1.."...v...P. 00b0 - 2a 85 f8 9e 68 0b 13 cb-bf 92 c7 0e 4f ad 49 ab *...h.......O.I. 00c0 - c5 57 20 55 c5 47 6a b1-34 f1 1d 19 c3 5f 6f dd .W U.Gj.4...._o. 00d0 - c8 38 01 7c 62 11 74 ef-f1 17 15 6d a7 7a 7c d5 .8.|b.t....m.z|. Start Time: 1764942947 Timeout : 7200 (sec) Verify return code: 19 (self-signed certificate in certificate chain) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 6D76BD7F89AB457ACE03494B528103EF5A71D03E1434867610C4751172D68E4A Session-ID-ctx: Resumption PSK: 0CDCF4F49EB91C1A74B76442B31D70C8976BD6EA6ECD52B47BC84A10EE151BD8EFA32134A678784FB138B0AAB2F4DB21 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 4a ac bb b1 83 bd fc b7-ed 94 ea db b1 10 60 48 J.............`H 0010 - c6 a4 ef 5d c9 62 7a 08-15 66 b9 8c 24 1e f3 17 ...].bz..f..$... 0020 - b1 1f 84 10 60 b0 fb c7-2b 03 1d 79 2e 97 ca 52 ....`...+..y...R 0030 - 14 5c d8 aa 8b 3a ae 37-93 c0 73 dd c5 b7 7f f0 .\...:.7..s..... 0040 - 2a 1f 6a 14 25 8b d3 ed-3c 60 33 fb 11 64 05 26 *.j.%...<`3..d.& 0050 - b3 9f 9c 8f 64 23 ca b5-5a 13 c5 d2 22 5f 92 b6 ....d#..Z..."_.. 0060 - fd 40 9e b4 f0 5e 42 40-79 d5 18 c6 ba 6a 0e fe .@...^B@y....j.. 0070 - 7b 38 c5 9b 87 e9 b1 1b-e8 5d 98 7c a4 51 a6 9c {8.......].|.Q.. 0080 - d5 4a 75 40 22 b6 62 4f-00 b2 54 30 a1 3f 8d b8 .Ju@".bO..T0.?.. 0090 - 07 c2 6b 67 64 d2 c3 2d-e1 d1 ae 70 e3 0d 2b 54 ..kgd..-...p..+T 00a0 - f2 5f 4c 96 25 2c 77 43-1d a4 e8 67 0b 1e d0 10 ._L.%,wC...g.... 00b0 - 9f 40 cb 85 52 01 47 9d-07 0d c7 3c 7d 13 64 2f .@..R.G....<}.d/ 00c0 - ee 13 36 6e 7c 0b d7 16-d0 e6 94 ef f8 99 9e 16 ..6n|........... 00d0 - 95 c3 21 8a 3c af f4 4b-09 2d 14 a0 3d 22 58 db ..!.<..K.-..="X. Start Time: 1764942947 Timeout : 7200 (sec) Verify return code: 19 (self-signed certificate in certificate chain) Extended master secret: no Max Early Data: 0 --- read R BLOCKArchitecting at Speed: Mastering Secure Development with OpenAI Codex
Welcome back to our series, “Behind the Scenes of Immersive One”! The following is a conversation with BenMcCarthy, Lead Cybersecurity Engineer for Immersive One, and RebeccaSchimmoeller, Lead Product Marketing Manager. Today, we’re continuing the discussion on our Secure AI capability. There is a misconception that security is the enemy of development speed. But with AI, the opposite is true. If you don't have security engineered into your AI workflow, you can't actually go fast—because you’re constantly stopping to fix 'trash code' or patch vulnerabilities. The developers who win in this era aren't just the ones coding faster; they are the ones architecting systems that are secure by design, even at AI speeds.” Rebecca: That’s a crucial distinction, Ben. We often hear that AI is a "firehose" of productivity, but without control, that firehose just creates a mess. It seems like the role of the developer is shifting from "writing lines" to managing this high-velocity output. How does the new Building with AI: Codex CLI collection help them make that shift? Ben: By giving them the controls they need to harness that speed safely. If you let OpenAI’s Codex run without guardrails or understanding, you get velocity, sure—but you also get risk. We designed this collection to empower developers to become their own Security Architects for their workflows. We are leveraging the Azure AI Foundry capability to give learners real, secure access to these models. The goal isn't to teach you how to hit "Tab" to autocomplete; it's to teach you how to rigorously evaluate, guide, and constrain what the AI produces using the command line tool like Codex so you can ship code that is both fast and bulletproof. Rebecca: So it’s about elevating the human’s role to "Architect." Let’s talk specifics given what the collection covers—how did you instill that mindset? Ben: We start by ensuring developers know the power of what you can do with Codex. How to get the best out of your models in this CLI tool. We go over effective prompt engineering, tool usage, and how AI can help with "Greenfield" projects (net-new builds) and "Brownfield" projects (legacy codebases). This is a critical skill for a lead engineer. AI is great at generating new code (greenfield), but it can be dangerous when it doesn't understand the hidden dependencies of a ten-year-old application (brownfield). We teach engineers how to spot those context gaps, key stuff that the AI might miss. Rebecca: I saw "specification-driven development" was a big part of your roadmap, too. How does that fit into the "speed" theme? Ben: This is the ultimate accelerator. Instead of writing the code line-by-line, you write the "spec"—the blueprint—and let Codex handle the implementation details. It’s not about doing less work; it’s about doing higher-leverage work. You define the logic and security constraints, and the AI handles the boilerplate. It shifts the developer’s brain from "how do I type this function?" to "what should this system actually do?" Rebecca: That sounds like a powerful approach, Ben. But what about the security risks? If developers are offloading implementation to Codex, how do they avoid leaking data or introducing bugs? Ben: That’s non-negotiable. In the Guardrails lab, we show learners how to build a safety net. We teach practical methods for stripping PII (Personally Identifiable Information) and using hooks to sanitize inputs before they reach the model. It gives developers the confidence to use these tools freely, knowing they have already engineered the safety mechanisms to protect their org. Rebecca: I saw a lab in the collection called "Tools and MCP" (Model Context Protocol). Is that where you get into advanced workflows? Ben: Exactly. This is where we give developers the keys to become a force multiplier. We show users how to connect Codex to other tools. This is the ideal definition of ROI for developers. You’re automating the tedious "check your work" phase, allowing you to ship secure code faster without burning out on manual review. Rebecca: It feels like that approach accepts today’s AI era realities for what they are and finds the strategic advantages… pushing developers towards productivity and security gains with real mastery. And just like the Claude collection, users have access to a Demonstrate Lab, to prove that mastery, am I right? Ben: Absolutely. The Demonstrate Lab challenges users to build a solution that’s efficient, functional, and secure. It proves that you aren't just an "AI user"—you are an AI Engineer who understands the capabilities the collection covers. Final Thought Our Building with AI: Codex collection is about upgrading the developer’s toolkit. For the organization, it ensures AI adoption is secure and scalable. For the engineer, it removes the drudgery of boilerplate, freeing you to focus on the creative, architectural challenges that drive real value. Ready to upgrade your workflow? [Access Collection]
IoT & Embedded Devices: Certificate Underpinning
I am also stuck on Step 5 and having trouble with the trigger. I have self-signed certs, an HTTP server listening on 443 (bound to 0.0.0.0) as well as a sniffer for anything coming from the target. I have tried to trigger the target to connect using: for i in {1..5}; do echo '{"Update":"1","ClientId":"AXG1337VFXL","Server Ip":"<KALI_IP>"}' | nc -u <TARGET_IP> 8080; sleep 2; done Can anyone point me in the right direction?Beyond the Chat Window: How to Securely Vibe Code with Anthropic’s Claude
Welcome back to our series, “Behind the Scenes of Immersive One”! The following is a conversation with RobertKlentzeris, Application Security Content Engineer for Immersive One, and RebeccaSchimmoeller, Lead Product Marketing Manager. Today, we’re deep diving into one facet of our Secure AI capability. “We are seeing a shift from ‘chatting with AI’ to ‘inviting AI into the terminal.’ With the release of tools like Claude Code, developers aren't just copying and pasting snippets from a browser anymore. They are letting an agent live directly in their CLI, giving it permission to read file specs, run commands, and architect entire features. It’s a massive leap in capability—but also in trust.” Rebecca: That is the big shift we’re hearing about, Rob. The market is obsessed with the idea of "vibe coding" right now—just describing what you want and letting the AI handle the implementation details. But for a security leader, the idea of an AI agent having direct access to the CLI (Command Line Interface) sounds terrifying. It feels less like a helper and more like handing a stranger your SSH keys. Rob: That is exactly what makes Claude Code different from your standard autocomplete tools. You aren't just getting code suggestions; you are interacting with an agent that has tooling capabilities—like using MCP (Model Context Protocol) or running slash commands. If you don't know what you're doing, you might accidentally let the agent produce insecure code or mishandle PII in a way that’s harder to spot than a simple copy-paste error. This new collection is about bridging that gap: how do we embrace the speed of vibe coding without sacrificing the security of our platform? Rebecca: So it’s about safe integration. Let’s get into the weeds—what does the "safe" version of this look like in the actual Immersive One labs you created? Rob: We start by defining common patterns used in AI coding agents such as manual prompts and how you can write them so Claude generates secure code. We then go a little deeper and explore how you can let your agents start coding securely with more autonomy and less intervention while staying secure with spec-driven development. From there, we move to the components of Claude Code and show how to leverage these advanced features, such as custom slash commands and skills that can enhance the security of both large legacy and greenfield projects. Rebecca: I noticed your roadmap included a focus on "Guardrails" and "Claude Agents." Is this where we stop "trash code" from hitting production? Rob: Exactly. This is unique to the agentic workflow. In the Claude Agents lab, we teach users how to set up a "Reviewer Agent" that audits the code generated by the first agent. We also have a dedicated lab on Guardrails, focusing on stripping PII (Personally Identifiable Information) before Claude ever sees the data. It’s about ensuring that even if the AI is "vibing," the security protocols remain rigid. Rebecca: That sounds incredible for the security team, but what about the developer? If I’m used to just doing my thing, head down to deliver on time, won’t specification-driven development cramp my style? Rob: Fun fact: It actually makes you faster. Think of the 'spec' as the prompt that saves you ten revisions. At Immersive, we focus heavily on ROI and removing pain for users. In this case, we show developers how to use slash commands and hooks to automate the boring stuff. When you learn to use these tools properly, you stop wrestling with the AI and start conducting it. And because these labs are hands-on with real Claude Code access in a secure sandbox, you can experiment with these powerful agents without worrying about breaking your own local environment. Your manager will love that too. Rebecca: Ha! You’re right. It sounds like we’re giving users a safe place to crash-test the car before they drive it. And I see you wrap it all up with a "Demonstrate" lab? Rob: We do. We want to prove competence. The Demonstrate Lab is a capstone where you have to combine everything—usage, security, and productivity. You have to prove you know how to use Claude Code to build something functional and secure. It validates that you aren't just generating code; you're engineering with it. Final Thought Our Building with AI: Claude Code collection isn't just another coding tutorial. It is a blueprint for the agentic future of development. For you the developer, it turns Claude from a vibe code buddy into a fully integrated, secure pair programmer. For your organization, it transforms a potential security risk into a governed, high-speed workflow. Want to get started? [Access Collection]
Trick or Treat on Specter Street: Widow's Web
I am very stucked in Trick or Treat on Specter Street: Widow's Web I can't do none of the questions, but in any case I start by 4th that is the first answerable one Your first task is to simulate the loyal Crawlers. Run legitimate-crawler and inspect the output in Lab-Files to observe their behavior. To simulate the rogue Crawlers, you must discover the hidden paths on the website. Read the blog posts – they contain clues. Disallow these in Website-Files/robots.txt and run malicious-crawler. Inspect the output in Lab-Files. What is the token? I have created the robots.txt file since I understand that malicious-crawler goes expressedly there. My robots.txt contains all url's I can imagin Disallow: /secret Disallow: /treat Disallow: /hidden Disallow: /crypt Disallow: /warden Disallow: /rituals Disallow: /witch-secrets Disallow: /admin Disallow: /vault Disallow: /uncover Disallow: /post1 Disallow: /post2 Disallow: /post3 Disallow: /post4 Disallow: /contact Disallow: /drafts/rituals But the result of malicious-crawler.txt doesn't give me either a token nor a hint I have curl-ed all pages looking for words as token and nothing. I have found some key words in http://127.0.0.1:3000/witch-secrets as intercepted-incantations, decoded them and nothing. I have searched in spider-sigthings.log what hapened at 3.00 am but nothing Can someone gime me a hint?
