Getting Started

Learn Python basics

You should know enough <a href="https://www.python.org/">Python</a> to be able to write and debug short scripts. Get comfortable reading documentations for the things you don’t know. You need to have an understanding of Python concepts in order to learn Hylang, which is essential if you want to use Raider.

Learn Hylang basics

Raider’s configuration files are written in <a href="https://docs.hylang.org/en/stable">Hylang</a>, a Lisp dialect on top of Python. You can’t really use Raider if you skip this step. But you also don’t have to learn macros or other exotic features the language offers, you just have to learn to accept the Lisp paranthesis and write simple scripts like you should already be able to do with Python. If you’re already familiar with Lisp and Python, this step will be easy for you.

Get comfortable with a web proxy

Pick up a web proxy you like, and learn how to use it properly. We recommend <a href="https://portswigger.net/burp">BurpSuite</a>, <a href="https://www.zaproxy.org/">ZAProxy</a> or <a href="https://mitmproxy.org/">mitmproxy</a>. You will need this to reverse engineer the authentication process of arbitrary web applications.

Learn the basics of authentication

Now that you already know how to use a web proxy, you should learn how the authentication works on web applications. Log into different websites while using the web proxy, and try to understand how it works, i.e. what information is being sent to the server, what does the server responds with, and where each piece of information comes from. Try first with simple websites, and gradually move to more complicated until you understand the process.

Read Raider documentation

Start by reading the <a href="https://docs.raiderauth.com/en/latest/tutorials/getting_started.html">Getting Started</a> part of the documentation.

Explore <a href="https://docs.raiderauth.com/en/latest/examples”>examples</a> and <a href="https://docs.raiderauth.com/en/latest/tutorials”>tutorials</a>

Read <a href="https://docs.raiderauth.com/en/latest/overview/architecture.html">Raider’s architecture</a>.

Configure your first application

Pick up a web application with a simple authentication mechanism first. When you learn how to do it you can move to more complex ones. Use the web proxy to check the traffic generated by the application when you log in. Remove the HTTP requests that are irrelevant to the authentication process, like the static files. Now, the easiest way to proceed is by going backwards. Pick up one HTTP request that can be completed only with an authenticated user, and try to find out what piece of information in that request indicates the user is authenticated by removing piece by piece the irrelevant information. It’s usually a header, a cookie, or both. Identify where this piece of data comes from. Define it using Raider Plugins. When this is done, move on to the next request, until you reach a HTTP request that needs no inputs. At this point, the normal authentication flow is complete. Expand the configuration to cover other flows (Multi-factor authentication, bad credentials, etc…). When you’re satisfied with the current setup, move on by building attack scenarios.

Write attack/automation scenarios

At this point you have a configured application in Raider. Using Python, you can already successfully authenticate and do other cool stuff, like fuzzing inputs. By now you should already know what you want to achieve with raider, and you’ll only need to write the Python code to do that.

Write your own Plugins/Operations

If you feel like you need more from Raider than it currently supports, good news! Raider provides you with an API to easily extend it and write your own Plugins and Operations, so you don’t have to mess with the main code to do that. Expanding with new features only requires you to write a simple class in Hylang.

Help others in the community

With your current knowledge you can already help others learn Raider and you’re encouraged to do so in our <a href="https://github.com/OWASP/raider/discussions">Github discussions</a>. Join us there, write your own tutorials, engage in discussions, leave feedback, and help us make Raider even better.

Contribute to the development

If you’ve reached this far, you probably want to help us make Raider better, so the next logical step would be for you to read the source code and make improvements to the code. Start by writing new Plugins and Operations to extend Raider’s existing features. Open Github issues, fix bugs, and tell us what can be improved.