Web Application Security
Re: securing a deliberately vulnerable web app Jul 11 2011 02:26PM
Robin Wood (robin digininja org)
On 8 July 2011 17:39, dreamwvr <dreamwvr (at) dreamwvr (dot) com [email concealed]> wrote:
> Hello,
>  Why not just create a virtual honeypot that has a watchdog that
> detects compromise? Then, when the webapp is compromised and is used to
> island hop, just wipe the virtual system, flushing
> all processes and connections.
> Best Regards,
> dreamwvr (at) dreamwvr (dot) com [email concealed]

The whole point of the app would be to allow it to be partially
compromised so this probably won't work. If I get around to building
the app I'm thinking of then you'll understand. I will have a look at
the honeypot watchdog system and see if I can get anything from it
though.

Robin

> On 07/06/2011 07:35 AM, Vedantam Sekhar wrote:
>> One method is to restrict the "Outbound" connections "originating" from
>> the server at a firewall that does stateful inspection. In this way,
>> I think, even though the attacker/user compromises the OS, he would not be
>> able to attack other external networks, as outbound TCP connections from
>> that server are not allowed.
>> And also, as you know very well what vulnerabilities you are
>> providing in your vulnerable application, you will have an idea to
>> what extent an attacker can go, therefore you can restrict/place
>> additional security controls. For example, if the vulnerable
>> application demonstrates an OS command injection, you may restrict
>> which commands the users can execute on the target OS. On
>> hackthissite.org, I know I can execute OS commands through SSI
>> injection, but I am restricted to specific OS commands only. Maybe
>> you have to modify the kernel or something like that. You also may
>> have to run the application with minimum privileges in a jailed
>> environment on the target webserver, just in case. Being prompt in
>> patching all the technologies exposed to the Internet is required so
>> that attackers don't practice anything other than what you want to teach them :-)
>>
>> This is just my idea on how they might be doing it :-)
>>
>> Thanks,
>>
>> Sekhar
>>
>> On Mon, Jul 4, 2011 at 4:21 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>> This is a question for anyone who runs a deliberately vulnerable web
>>> app on a public facing site to allow people to test hacking it or to
>>> test vulnerability scanners against it. I'm thinking of things like
>>> http://test.acunetix.com/ .
>>>
>>> What I'd like to know is how you go about securing the box the sites
>>> are running on. Obviously you need the site running on its own server,
>>> preferably airgapped from the rest of your network but how do you
>>> protect yourself from attackers getting on the box and then pivoting from
>>> it to launch a real attack against someone else? I'm guessing it is something
>>> like a VM that is automatically rolled back periodically so even if
>>> someone tries then they only have a limited attack window but are
>>> there any other things people do?
>>>
>>> I'm asking because I've got an idea for a new public service which
>>> would involve putting up an app that is vulnerable but I'd like to
>>> make sure that if I do I protect myself as much as possible.
>>>
>>> Robin
>>>
>>>
>>>
>>> This list is sponsored by Cenzic
>>> --------------------------------------
>>> Let Us Hack You. Before Hackers Do!
>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>>> Request Yours Now!
>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>>> --------------------------------------
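
Sekhar's suggestion of blocking outbound connections at a stateful firewall, together with Robin's worry about the box being used as a pivot, as an added nftables example that is not part of the thread: it assumes a Linux host with nftables, a public interface `eth0`, service ports 80/443 and a single update mirror at a placeholder address.

```shell
#!/bin/sh
# Added example (not from the thread). nftables egress policy for a host that
# runs a deliberately vulnerable web app: the box may answer inbound HTTP(S)
# but may not *start* connections outward, so a shell obtained through the app
# cannot be used to pivot. Interface name, ports and the update-mirror address
# are assumptions (TEST-NET-3 placeholder); change them before applying.
WEB_IF="${WEB_IF:-eth0}"
UPDATE_HOST="${UPDATE_HOST:-203.0.113.10}"

# Emit the ruleset as text so it can be reviewed and tested before loading.
egress_ruleset() {
  cat <<EOF
flush ruleset
table inet vulnbox {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # only the deliberately exposed service; manage the box from a separate
    # management interface, not this one
    iifname "$WEB_IF" tcp dport { 80, 443 } ct state new accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    # replies on connections the outside world opened to us
    ct state established,related accept
    # the single outbound connection the box may initiate: package updates
    ip daddr $UPDATE_HOST tcp dport 443 ct state new accept
    # anything else the compromised app tries to open is logged, then dropped
    log prefix "vulnbox-egress-drop: " drop
  }
}
EOF
}
# Number of accept rules in the output chain; keep this tiny (here 3:
# loopback, established replies, update host) and review any growth.
outbound_allow_count() {
  egress_ruleset | sed -n '/chain output/,/^  }/p' | grep -c ' accept$'
}
case "${1:-show}" in
  show)  egress_ruleset ;;             # print for review
  apply) egress_ruleset | nft -f - ;;  # needs root and the nft binary
esac
```

Outbound DNS is deliberately absent, which is why the update mirror is named by address; if the app needs a database or other service on another host, add exactly that host and port and nothing broader.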

Copyright 2010, SecurityFocus