Web Application Security
Re: securing a deliberately vulnerable web app Jul 05 2011 08:52PM
Robin Wood (robin digininja org)
On 5 July 2011 16:56, arvind doraiswamy <arvind.doraiswamy (at) gmail (dot) com [email concealed]> wrote:
> On Mon, Jul 4, 2011 at 4:21 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>> This is a question for anyone who runs a deliberately vulnerable web
>> app on a public facing site to allow people to test hacking it or to
>> test vulnerability scanners against it. I'm thinking of things like
>> http://test.acunetix.com/ .
> I'm not sure a lot of those (not necessarily the one you mentioned) are even
> rolled back any more. I could see plenty of popups the last time I went
> there.
>> What I'd like to know is how you go about securing the box the sites
>> are running on. Obviously you need the site running on its own server,
>> preferably airgapped from the rest of your network but how do you
>> protect yourself from attackers getting on the box then pivoting from
>> it to do a real attack to someone else? I'm guessing it is something
>> like a VM that is automatically rolled back periodically so even if
>> someone tries then they only have a limited attack window but are
>> there any other things people do?
> I'd do the following:
> a) Use a VM - try VirtualBox, it has Python scripting built in which allows
> you to restore snapshots etc. every hour or whatever.
> b) Have the DB on the same machine as the app. Yes this breaks 'tiered
> architecture' - but it is a LAB in the end..and arch design is not what
> you're trying to teach here (I assume). The reason for the DB on the same
> machine is that it reduces complexity.
> c) If the DB on the same machine makes you uncomfortable; create a 'Host
> Only' network and have the DB on another host in your VM network. So it
> becomes - Webserver (VM1) , Appserver (VM2) , DB(VM3)
> d) Wrt the pivoting bit, I remember reading about Sebek on one of the
> Honeynet papers I read. You can install Sebek on whatever machines you want
> and rate limit outbound connections.
> e) Following up from that, it is in the end a Honeypot that you're
> creating..a Web Honey-pot... I recommend you read up on newer techniques Web
> based honey-pots follow..before being deployed.
> f) Have iptables or some other host-based FW running on the host, which
> drops all connections "originating" from the VMs. If you have configured
> "Host Only networking" properly.. traffic shouldn't escape the VMs.. but it's
> good to be sure. If at least 1 VM though has a public IP... you'll need to
> firewall a little more carefully than what I mentioned above.
> g) Make sure you have clean snapshots "offline". Those help :)
> Hope this helps.

A lot of good suggestions. For the actual hardware I'm thinking a
dedicated machine running VirtualBox with a single machine to do all
the web app stuff, web server, database and everything else.

I hadn't thought of it being like a honeypot, I'll do some research on those.


> Arvind
>> I'm asking because I've got an idea for a new public service which
>> would involve putting up an app that is vulnerable but I'd like to
>> make sure that if I do I protect myself as much as possible.
>> Robin
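One way to script points (a), (f) and (g) of the advice above, as an added example that is not part of this thread: a POSIX shell script for the VirtualBox host that emits the host firewall rules dropping connections the guest originates, and that powers the guest off, restores a clean snapshot and restarts it headless (suitable for an hourly cron job). It assumes VBoxManage and iptables on the host; the VM name, snapshot name, host-only interface and subnet are placeholders for your own lab.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: adjust for your lab.
VM_NAME="${VM_NAME:-vuln-webapp}"          # assumed VM name
SNAPSHOT="${SNAPSHOT:-clean}"              # assumed clean snapshot name
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"     # VirtualBox host-only interface
HOSTONLY_NET="${HOSTONLY_NET:-192.168.56.0/24}"  # its default subnet

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit iptables rules, one per line. Host -> guest stays allowed (you still
# administer it); anything the guest starts toward the host is dropped, and
# nothing from the host-only interface is forwarded anywhere else.
build_fw_rules() {
    net="$1"; ifc="$2"
    printf '%s\n' \
      "iptables -P FORWARD DROP" \
      "iptables -A FORWARD -i $ifc -j DROP" \
      "iptables -A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A INPUT -i $ifc -s $net -m conntrack --ctstate NEW -j DROP"
}

# Hard power-off (the guest may be compromised, so no clean shutdown), restore
# the clean snapshot, boot headless. poweroff fails if already off; ignore that.
rollback_vm() {
    vm="$1"; snap="$2"
    run VBoxManage controlvm "$vm" poweroff 2>/dev/null || true
    run VBoxManage snapshot "$vm" restore "$snap"
    run VBoxManage startvm "$vm" --type headless
}

main() {
    build_fw_rules "$HOSTONLY_NET" "$HOSTONLY_IF" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  (word splitting is intended here)
        run $rule
    done
    rollback_vm "$VM_NAME" "$SNAPSHOT"
}

# Only act when explicitly asked, so sourcing the file for review is harmless.
if [ "${LAB_ROLLBACK_MAIN:-0}" = 1 ]; then main; fi
```

Run it as `LAB_ROLLBACK_MAIN=1 DRY_RUN=1 sh rollback.sh` first to see exactly which commands it would issue, then drop the DRY_RUN from the cron entry.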
