WebApp Sec mailing list archives

Re: securing a deliberately vulnerable web app


From: Robin Wood <robin () digininja org>
Date: Mon, 11 Jul 2011 15:26:57 +0100

On 8 July 2011 17:39, dreamwvr <dreamwvr () dreamwvr com> wrote:
Hello,
 Why not just create a virtual honeypot that has a watchdog that
detects compromise? Then, when the webapp is compromised and is used to
island-hop, just wipe the virtual system, flushing
all processes and connections?
Best Regards,
dreamwvr () dreamwvr com

The whole point of the app would be to allow it to be partially
compromised so this probably won't work. If I get around to building
the app I'm thinking of then you'll understand. I will have a look at
the honeypot watchdog system and see if I can get anything from it
though.

Robin

On 07/06/2011 07:35 AM, Vedantam Sekhar wrote:
One method is to restrict the "outbound" connections "originating" from
the server at a firewall that does stateful inspection. In this way,
I think that even if the attacker/user compromises the OS, he would not be able
to attack other external networks, as outbound TCP connections from
that server are not allowed.
Also, as you know very well what vulnerabilities you are
providing in your vulnerable application, you will have an idea of
how far an attacker can go, and therefore you can restrict/place
additional security controls. For example, if the vulnerable
application demonstrates OS command injection, you may restrict which
commands users can execute on the target OS. On
hackthissite.org, I know I can execute OS commands through SSI
injection, but I am restricted to specific OS commands only. Maybe
you have to modify the kernel or something like that. You also may
have to run the application with minimum privileges in a jailed
environment on the target webserver, just in case. Being prompt in
patching all the technologies exposed to the Internet is required so
that attackers don't practise anything other than what you want to teach them :-)

This is just my idea on how they might be doing it :-)

Thanks,

Sekhar

On Mon, Jul 4, 2011 at 4:21 AM, Robin Wood <robin () digininja org> wrote:
This is a question for anyone who runs a deliberately vulnerable web
app on a public facing site to allow people to test hacking it or to
test vulnerability scanners against it. I'm thinking of things like
http://test.acunetix.com/ .

What I'd like to know is how you go about securing the box the sites
are running on. Obviously you need the site running on its own server,
preferably airgapped from the rest of your network, but how do you
protect yourself from attackers getting on the box and then pivoting from
it to do a real attack on someone else? I'm guessing it is something
like a VM that is automatically rolled back periodically, so even if
someone tries they only have a limited attack window, but are
there any other things people do?

I'm asking because I've got an idea for a new public service which
would involve putting up an app that is vulnerable but I'd like to
make sure that if I do I protect myself as much as possible.

Robin
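The egress restriction Sekhar describes (let the world reach the vulnerable site, but never let the box originate a connection to anyone else) is what the following nftables ruleset implements. This is an added example written for this archive page, not code from anyone in the thread: the addresses are placeholders from the documentation ranges, the table name `vulnapp_lockdown` and the helper names are my own, and the allow-list (one DNS resolver, one update mirror, SSH from one admin host) is an assumption about what such a box minimally needs.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables ruleset that lets the
# deliberately vulnerable site be reached but stops the host from
# originating connections to anyone else.  Addresses are placeholders
# (RFC 5737 documentation ranges) chosen for this example.
ADMIN_HOST="${ADMIN_HOST:-203.0.113.10}"       # only source allowed to SSH in
RESOLVER="${RESOLVER:-203.0.113.53}"           # the one DNS server the box may ask
UPDATE_MIRROR="${UPDATE_MIRROR:-203.0.113.20}" # package mirror, so patching still works

# Print the ruleset.  Both hooks default to drop; only conntrack replies
# (established/related) and a short allow-list of NEW flows get through.
egress_ruleset() {
    cat <<EOF
flush ruleset
table inet vulnapp_lockdown {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        tcp dport { 80, 443 } ct state new accept
        ip saddr $ADMIN_HOST tcp dport 22 ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr $RESOLVER udp dport 53 ct state new accept
        ip daddr $RESOLVER tcp dport 53 ct state new accept
        ip daddr $UPDATE_MIRROR tcp dport 443 ct state new accept
        ct state new log prefix "EGRESS-DENIED " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Count the explicit 'ct state new accept' rules in the output chain.  That
# number is the whole set of destinations the box can originate traffic to,
# and reviewing it is the quickest audit of the pivot surface.
count_output_allows() {
    egress_ruleset | sed -n '/chain output/,/}/p' | grep -c 'ct state new accept'
}

# Syntax-check with nft when it is installed (-c parses without loading).
# Never fails the script: a host without nft, or without the privileges
# nft wants, just reports that the check was skipped.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        egress_ruleset | nft -c -f - || echo "nft could not validate the ruleset here" >&2
    else
        echo "nft not installed here; syntax check skipped" >&2
    fi
}

egress_ruleset
check_ruleset
```

Load it as root with `egress_ruleset | nft -f -`. Two caveats a practitioner would want: the `forward` chain dropping everything keeps the box from being used as a router, but a host firewall is only as strong as the root account on that host, so the same policy belongs on the hypervisor or network firewall as well, which is where Sekhar places it; and the pinned resolver is still a channel, since DNS queries can carry data out, so watch it. The `log prefix "EGRESS-DENIED "` line is also the cheapest compromise signal: a box that only serves pages should never produce it, which gives dreamwvr's watchdog something concrete to trigger on.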



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
