Web Application Security
securing a deliberately vulnerable web app Jul 03 2011 10:51PM
Robin Wood (robin digininja org) (2 replies)
Re: securing a deliberately vulnerable web app Jul 06 2011 01:35PM
Vedantam Sekhar (vedantamsekhar gmail com) (2 replies)
Re: securing a deliberately vulnerable web app Jul 08 2011 04:39PM
dreamwvr (dreamwvr dreamwvr com) (1 replies)
Re: securing a deliberately vulnerable web app Jul 11 2011 02:26PM
Robin Wood (robin digininja org)
Re: securing a deliberately vulnerable web app Jul 06 2011 02:45PM
Robin Wood (robin digininja org)
Thanks everyone for the good ideas; if I get around to building the
project I'll let you all know.

Robin

On 6 July 2011 14:35, Vedantam Sekhar <vedantamsekhar (at) gmail (dot) com> wrote:
> One method is to restrict the "outbound" connections "originating" from
> the server at a firewall that does stateful inspection. In this way,
> I think, even though an attacker/user compromises the OS, he would not be
> able to attack other external networks, as outbound TCP connections from
> that server are not allowed.
> And also, as you know very well what vulnerabilities you are
> providing in your vulnerable application, you will have an idea of
> to what extent an attacker can go; therefore you can restrict/place
> additional security controls. For example, if the vulnerable
> application demonstrates an OS command injection, you may restrict
> which commands users can execute on the target OS. On
> hackthissite.org, I know I can execute OS commands through SSI
> injection, but I am restricted to specific OS commands only. Maybe
> you have to modify the kernel or something like that. You also may
> have to run the application with minimum privileges in a jailed
> environment on the target webserver, just in case. Prompt
> patching of all the technologies exposed to the Internet is required so
> that attackers don't practise anything other than what you want to teach them :-)
>
> This is just my idea on how they might be doing it :-)
>
> Thanks,
>
> Sekhar
>
> On Mon, Jul 4, 2011 at 4:21 AM, Robin Wood <robin (at) digininja (dot) org> wrote:
>> This is a question for anyone who runs a deliberately vulnerable web
>> app on a public facing site to allow people to test hacking it or to
>> test vulnerability scanners against it. I'm thinking of things like
>> http://test.acunetix.com/ .
>>
>> What I'd like to know is how you go about securing the box the sites
>> are running on. Obviously you need the site running on its own server,
>> preferably airgapped from the rest of your network but how do you
>> protect yourself from attackers getting on the box then pivoting from
>> it to do a real attack to someone else? I'm guessing it is something
>> like a VM that is automatically rolled back periodically so even if
>> someone tries then they only have a limited attack window but are
>> there any other things people do?
>>
>> I'm asking because I've got an idea for a new public service which
>> would involve putting up an app that is vulnerable but I'd like to
>> make sure that if I do I protect myself as much as possible.
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>>
>


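The egress restriction Sekhar describes above, as an added example (not code from Robin, Sekhar, or any of the sites mentioned in the thread): a generator for a default-deny nftables ruleset for the box hosting the vulnerable app. Everything in it is an assumption made for illustration: Linux with nftables, the app listening on 80/443, a management network of 192.0.2.0/24 for SSH, and a single package mirror at 198.51.100.10 that the host is allowed to reach so it can still be patched. Inbound replies are permitted through connection tracking, but no new outbound flow is allowed except to the mirror, and every denied attempt is logged, which is the signal that someone has got a shell and is trying to pivot.

```shell
#!/bin/sh
# Default-deny egress ruleset for a host running a deliberately vulnerable
# web app.  Added example; all addresses and interfaces are illustrative
# assumptions and must be adjusted before use.
set -eu

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"     # assumed: where admins SSH from
MIRROR_IP="${MIRROR_IP:-198.51.100.10}"  # assumed: the only outbound target

# Emit the ruleset on stdout.
# input:  only the app ports from anywhere, SSH from the management net,
#         rate-limited ping, and replies to flows the host itself started.
# output: replies to inbound connections are fine (established,related),
#         new flows only to the package mirror; everything else is logged
#         and dropped so a compromised box cannot scan or attack others.
egress_ruleset() {
    cat <<EOF
flush ruleset
table inet vulnapp {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr ${MGMT_NET} tcp dport 22 accept
        tcp dport { 80, 443 } accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr ${MIRROR_IP} tcp dport { 80, 443 } ct state new accept
        ct state new limit rate 10/second log prefix "vulnapp-egress-denied: "
        ct state new drop
    }
}
EOF
}

# Write the ruleset to a file and, when nft is installed, parse-check it
# without loading it (nft -c).  Returns nft's status, or 0 if nft is absent.
write_ruleset() {
    file="$1"
    egress_ruleset > "$file"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$file"
    fi
}

# Number of rules that accept a brand-new outbound flow.  Handy as a
# regression check that nobody has quietly widened egress later on.
count_new_egress_allows() {
    egress_ruleset | grep -c 'ct state new accept'
}

# Usage, as root, after reviewing the generated file:
#   write_ruleset /etc/nftables.conf && nft -f /etc/nftables.conf
```

If the app genuinely needs DNS or NTP, add one rule for the specific resolver or time server rather than opening UDP generally; with this ruleset a reverse shell, an outbound scan, or an attacker fetching tooling all show up as "vulnapp-egress-denied" entries in the kernel log, which is worth shipping off the box before a periodic VM rollback wipes it.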
Re: securing a deliberately vulnerable web app Jul 05 2011 01:52AM
Jeremiah Cornelius (jeremiah nur net) (1 replies)
DOS Web App Jul 07 2011 12:08PM
elton Sheffield (qawsedr1234 hotmail co uk) (1 replies)
RE: DOS Web App Jul 08 2011 01:35AM
Rajesh Gopisetty (rgopise microsoft com)
Copyright 2010, SecurityFocus