Getting Started
===============


Learn Python basics
-------------------

You should know enough `Python <https://www.python.org/>`_ to be able
to write and debug short scripts. Get comfortable reading the
documentation for the things you don't know. You need an understanding
of Python concepts in order to learn Hylang, which is essential if you
want to use Raider.

Learn Hylang basics
-------------------

Raider's configuration files are written in `Hylang
<https://docs.hylang.org/en/stable>`_, a Lisp dialect embedded in
Python. You can't really use Raider if you skip this step. But you
also don't have to learn macros or the other exotic features the
language offers; you just have to learn to accept the Lisp parentheses
and write simple scripts, like you should already be able to do with
Python. If you're already familiar with Lisp and Python, this step will
be easy for you.

Get comfortable with a web proxy
--------------------------------

Pick a web proxy you like, and learn how to use it properly. We
recommend `Burp Suite <https://portswigger.net/burp>`_, `ZAProxy
<https://www.zaproxy.org/>`_ or `mitmproxy <https://mitmproxy.org/>`_.
You will need it to reverse engineer the authentication process of
arbitrary web applications.


Learn the basics of authentication
----------------------------------

Now that you know how to use a web proxy, you should learn how
authentication works on web applications. Log into different websites
through the proxy and try to understand the process: what information
is sent to the server, what the server responds with, and where each
piece of information comes from. Start with simple websites and
gradually move to more complicated ones until you understand the
process.


Read Raider documentation
-------------------------

Start by reading the `Getting Started
<https://docs.raiderauth.com/en/latest/tutorials/getting_started.html>`_
part of the documentation.

Explore the `examples <https://docs.raiderauth.com/en/latest/examples>`_
and `tutorials <https://docs.raiderauth.com/en/latest/tutorials>`_.

Read `Raider's architecture
<https://docs.raiderauth.com/en/latest/overview/architecture.html>`_.


Configure your first application
--------------------------------

Pick a web application with a simple authentication mechanism
first. Once you know how to do it you can move to more complex
ones. Use the web proxy to capture the traffic generated by the
application when you log in. Remove the HTTP requests that are
irrelevant to the authentication process, such as static files. Now,
the easiest way to proceed is by going backwards. Pick one HTTP
request that can only be completed by an authenticated user, and find
out which piece of information in that request tells the server the
user is authenticated: remove the other pieces one at a time, replay
the request, and keep only what it stops working without. It's usually
a header, a cookie, or both. Identify where this piece of data comes
from, i.e. which earlier response produced it. Define it using Raider
Plugins. When this is done, move on to that earlier request, and
repeat until you reach an HTTP request that needs no inputs from
previous responses. At this point, the normal authentication flow is
complete. Expand the configuration to cover other flows (multi-factor
authentication, bad credentials, and so on). When you're satisfied
with the current setup, move on to building attack scenarios.
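The backwards procedure above, written out as an added Python example
(not Raider code and not the Hylang configuration you would end up
writing): a constructed capture of one login session, a constructed
``mock_replay`` oracle standing in for the application behind your
proxy, a greedy minimisation of the target request's headers and
cookies, and a search through earlier responses for where each
surviving value came from. Every name in it is an assumption of this
example.

```python
"""Work backwards from an authenticated request to the start of the login flow.

Added example, not Raider code. CAPTURE and mock_replay are constructed;
in practice ``replay`` resends the modified request through your proxy
and reports whether the application still treated it as authenticated.
"""
from dataclasses import dataclass


@dataclass
class Exchange:
    """One captured request/response pair (a simplified HAR entry)."""
    method: str
    url: str
    headers: dict
    cookies: dict
    data: dict
    resp_headers: dict   # header name -> list of values (Set-Cookie repeats)
    resp_body: str


# Constructed capture of one login session; the static file is left in on purpose.
CAPTURE = [
    Exchange("GET", "/login", {}, {}, {},
             {"Set-Cookie": ["session=s3ss10n; Path=/"]},
             '<form><input name="csrf" value="t0k3n"></form>'),
    Exchange("GET", "/static/app.js", {"Accept": "*/*"}, {"session": "s3ss10n"}, {},
             {"Content-Type": ["application/javascript"]}, "// bundle"),
    Exchange("POST", "/login", {"Content-Type": "application/x-www-form-urlencoded"},
             {"session": "s3ss10n"},
             {"csrf": "t0k3n", "username": "alice", "password": "hunter2"},
             {"Set-Cookie": ["auth=4uth-c00k13; HttpOnly"], "Location": ["/account"]},
             ""),
    Exchange("GET", "/account",
             {"Accept": "text/html", "X-Requested-With": "XMLHttpRequest"},
             {"session": "s3ss10n", "auth": "4uth-c00k13"}, {},
             {"Content-Type": ["text/html"]}, "Welcome alice"),
]


def mock_replay(method, url, headers, cookies, data):
    """Constructed oracle: True when the server treats the request as authenticated."""
    return url == "/account" and cookies.get("auth") == "4uth-c00k13"


def inputs_of(ex):
    """Every piece of a request that could have come from an earlier response."""
    pieces = {f"header:{k}": v for k, v in ex.headers.items()}
    pieces.update({f"cookie:{k}": v for k, v in ex.cookies.items()})
    pieces.update({f"data:{k}": v for k, v in ex.data.items()})
    return pieces


def minimise(ex, replay):
    """Drop headers and cookies one at a time, keeping only those whose removal
    makes the replay fail. Body parameters are kept as captured."""
    if not replay(ex.method, ex.url, ex.headers, ex.cookies, ex.data):
        raise ValueError("the captured request must succeed before minimising it")
    headers, cookies = dict(ex.headers), dict(ex.cookies)
    for name in list(headers):
        trial = {k: v for k, v in headers.items() if k != name}
        if replay(ex.method, ex.url, trial, cookies, ex.data):
            headers = trial
    for name in list(cookies):
        trial = {k: v for k, v in cookies.items() if k != name}
        if replay(ex.method, ex.url, headers, trial, ex.data):
            cookies = trial
    return inputs_of(Exchange(ex.method, ex.url, headers, cookies, ex.data, {}, ""))


def find_origin(value, capture, before):
    """Index of the nearest earlier response carrying ``value`` in a header or
    its body, or None when the value did not come from the server."""
    for i in range(before - 1, -1, -1):
        ex = capture[i]
        in_headers = any(value in v for vals in ex.resp_headers.values() for v in vals)
        if in_headers or value in ex.resp_body:
            return i
    return None


def trace_flow(capture, target, replay):
    """Return [(request index, {piece: index of the response that produced it,
    or None})] in request order. None means user input or a constant; an
    empty dict means the request needs nothing from earlier traffic, i.e.
    the flow starts there."""
    pending = [(target, minimise(capture[target], replay))]
    steps, seen = {}, set()
    while pending:
        idx, pieces = pending.pop()
        if idx in seen:
            continue
        seen.add(idx)
        origins = {}
        for name, value in pieces.items():
            src = find_origin(value, capture, idx)
            origins[name] = src
            if src is not None:
                pending.append((src, inputs_of(capture[src])))
        steps[idx] = origins
    return sorted(steps.items())


if __name__ == "__main__":
    for idx, origins in trace_flow(CAPTURE, 3, mock_replay):
        print(f"{CAPTURE[idx].method} {CAPTURE[idx].url}")
        for piece, src in origins.items():
            print(f"  {piece}: " + (f"from response {src}" if src is not None else "user input"))
```

Run against the constructed capture, the trace visits ``/login`` (GET),
``/login`` (POST) and ``/account`` and never touches the static file,
which is the "remove irrelevant requests" step falling out
naturally. Pieces whose origin is an earlier response (the session
cookie, the CSRF token, the auth cookie) are what you extract from that
response; pieces with no origin (username, password) are inputs you
supply. Two caveats for real traffic: one-at-a-time removal assumes the
pieces are independently required (if two cookies each suffice on their
own, the first one tried is dropped and the second kept, which is still
a working minimal set), and the substring search in ``find_origin``
will produce false positives on very short values, so in practice skip
values below a few characters.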


Write attack/automation scenarios
---------------------------------

At this point you have a configured application in Raider. Using
Python, you can already successfully authenticate and do other useful
things, like fuzzing inputs. By now you should know what you want to
achieve with Raider, and you'll only need to write the Python code to
do it.


Write your own Plugins/Operations
---------------------------------

If you feel like you need more from Raider than it currently supports,
good news! Raider provides you with an API to easily extend it and write
your own Plugins and Operations, so you don't have to mess with the main
code to do that. Expanding with new features only requires you to write
a simple class in Hylang.

Help others in the community
----------------------------

With your current knowledge you can already help others learn Raider,
and you're encouraged to do so in our `GitHub discussions
<https://github.com/OWASP/raider/discussions>`_. Join us there, write
your own tutorials, engage in discussions, leave feedback, and help us
make Raider even better.

Contribute to the development
-----------------------------

If you've reached this far, you probably want to help us make Raider
better, so the next logical step is to read the source code and
improve it. Start by writing new Plugins and Operations to extend
Raider's existing features. Open GitHub issues, fix bugs, and tell us
what can be improved.
