WebApp Sec mailing list archives
Re: securing a deliberately vulnerable web app
From: Robin Wood <robin () digininja org>
Date: Tue, 5 Jul 2011 21:52:16 +0100
On 5 July 2011 16:56, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
> On Mon, Jul 4, 2011 at 4:21 AM, Robin Wood <robin () digininja org> wrote:
>> This is a question for anyone who runs a deliberately vulnerable web app on a public facing site to allow people to test hacking it or to test vulnerability scanners against it. I'm thinking of things like http://test.acunetix.com/ .
>
> I'm not sure a lot of those (not necessarily the one you mentioned) are even rolled back any more. I could see plenty of popups the last time I went there.
>
>> What I'd like to know is how you go about securing the box the sites are running on. Obviously you need the site running on its own server, preferably airgapped from the rest of your network, but how do you protect yourself from attackers getting on the box then pivoting from it to do a real attack on someone else? I'm guessing it is something like a VM that is automatically rolled back periodically so even if someone tries then they only have a limited attack window, but are there any other things people do?
>
> I'd do the following:
> a) Use a VM - try VirtualBox, it has Python scripting inbuilt which allows you to restore snapshots etc. every hour or whatever.
> b) Have the DB on the same machine as the app. Yes this breaks 'tiered architecture' - but it is a LAB in the end.. and arch design is not what you're trying to teach here (I assume). The reason for the DB on the same machine is that it reduces complexity.
> c) If the DB on the same machine makes you uncomfortable, create a 'Host Only' network and have the DB on another host in your VM network. So it becomes - Webserver (VM1), Appserver (VM2), DB (VM3).
> d) Wrt the pivoting bit, I remember reading about Sebek in one of the Honeynet papers I read. You can install Sebek on whatever machines you want and rate limit outbound connections.
> e) Following up from that, it is in the end a Honeypot that you're creating.. a Web Honey-pot... I recommend you read up on newer techniques Web based honey-pots follow.. before being deployed.
> f) Have iptables or some other host based FW running on the host, which drops all connections "originating" from the VMs. If you have configured "Host Only networking" properly.. traffic shouldn't escape the VMs.. but it's good to be sure. If at least 1 VM though has a public IP... you'll need to firewall a little more carefully than what I mentioned above.
> g) Make sure you have clean snapshots "offline". Those help :)
>
> Hope this helps.
A lot of good suggestions. For the actual hardware I'm thinking a dedicated machine running Virtualbox with a single machine to do all the web app stuff, web server, database and everything else. I hadn't thought of it being like a honeypot, I'll do some research on those.

Robin

Arvind
I'm asking because I've got an idea for a new public service which would involve putting up an app that is vulnerable but I'd like to make sure that if I do I protect myself as much as possible.

Robin
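The two mechanical pieces of Arvind's advice, the hourly snapshot rollback (point a) and the host firewall that drops anything originating from the VMs (point f), can be driven from one small script on the VirtualBox host. The script below is an added example written for this archive page; it is not code from the thread or from VirtualBox. It assumes a VM named "vulnapp" with a clean snapshot named "clean", a host-only adapter "vboxnet0", and that the host itself exposes the app (for instance via a reverse proxy) so the VM only ever answers connections the host opened. With DRY_RUN=1 (the default) it prints the commands instead of running them, which is also how it is tested.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): roll a deliberately
# vulnerable VirtualBox VM back to a clean snapshot and fence its network.
# Assumed names: VM "vulnapp", snapshot "clean", host-only adapter "vboxnet0".

VM_NAME="${VM_NAME:-vulnapp}"          # assumption: VM name
SNAPSHOT="${SNAPSHOT:-clean}"          # assumption: known-good snapshot
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}" # assumption: host-only adapter name
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Point a): power the VM off, restore the clean snapshot, start it headless.
# The poweroff is allowed to fail because the VM may already be off.
rollback_vm() {
  run VBoxManage controlvm "$VM_NAME" poweroff || true
  run VBoxManage snapshot "$VM_NAME" restore "$SNAPSHOT"
  run VBoxManage startvm "$VM_NAME" --type headless
}

# Point f): on the host, drop everything that originates on the VM side.
# FORWARD: the host never routes VM traffic anywhere.
# INPUT: the VM may only answer connections the host started (the proxy),
#        never open new ones towards the host.
firewall_rules() {
  run iptables -A FORWARD -i "$HOSTONLY_IF" -j DROP
  run iptables -A INPUT -i "$HOSTONLY_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -i "$HOSTONLY_IF" -j DROP
}

# Typical use from cron for the hourly reset Arvind describes:
#   0 * * * * DRY_RUN=0 /usr/local/sbin/vulnapp-reset.sh rollback
case "${1:-}" in
  rollback) rollback_vm ;;
  firewall) firewall_rules ;;
  *) ;;  # no argument: functions are defined only (lets the script be sourced)
esac
```

Run `DRY_RUN=1 sh vulnapp-reset.sh rollback` first to see the exact VBoxManage calls before scheduling it; the firewall rules are order-sensitive, so the ESTABLISHED,RELATED accept must stay ahead of the final DROP or the host's own proxied requests will get no replies.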