Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
These slides provide instructions on how to setup a virtual security training lab that uses OWASP Broken Web Apps, OWASP WebGoat, and OWASP ZAP running on top of Virtual Box.
Published in: Technology
Transcript

  • 1. Virtual Security Training Lab Setup: OWASP BWA & OWASP ZAP. Michael Coates, @_mwc, michael-coates.blogspot.com
  • 2. Software • Vulnerable Server: OWASP’s Webgoat • Proxy Tool - OWASP’s ZAP (Zed Attack Proxy) • Browser • Virtual Machine: OWASP Broken Web App VM
  • 3. Setup Virtual Environment Part 1: Setup Virtual Environment • Open Virtual Box & import OWASP BWA • Select “New”, Type “Linux”, Version “Ubuntu” • Memory Size: >512MB • Hard Drive: Use existing virtual hard drive file • Navigate to the downloaded OWASP BWA and select “OWASP Broken Web Apps-cl1.vmdk”
  • 4. Setup Virtual Environment Click on the preferences for Virtual Box (not the settings of a VM) • Click on Network, click the tab “Host-only Networks” • Click the green plus • “vboxnet0” should now appear • Click on and exit this preference menu
  • 5. Setup Virtual Environment Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and select "Settings" (also available via menu Machine->Settings) • Go to Settings->Network->Adapter 1. • Make sure the checkmark for enabled is checked. • Change "Attached to:" from "NAT" to "Host-only Adapter" ← This is important to ensure the vulnerable web application is isolated from any other devices. • Click OK
  • 6. Start Up Virtual Machine • Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and hit "Start" • The OWASP-BWA login page will provide the following message • You can access the web apps at http://192.168.56.101 (or whatever ip is displayed) • Note: You don't need to login or interact with the virtual machine after it is running. The webserver starts up when the virtual server is booted.
  • 7. Test Connectivity to VM 1. Open Browser 2. Browse to your VM IP (listed on the VM login page) • e.g. http://192.168.56.101 3. You should see the OWASP BWA welcome page 4. Error? Check the IP address of the VM
  • 8. WebGoat • Click First Link - OWASP WebGoat version 5.3.x • Username / Password is guest / guest
  • 9. Understanding the Proxy • Proxy is middle-man between browser and web server • Assists with traffic manipulation & inspection (Diagram: Attacker’s Browser -> Web Proxy -> Web Server)
  • 10. Understanding the Proxy (Diagram: on your computer, the primary OS runs the browser and the web proxy; the VM runs the web server)
  • 11. Next Steps 1. Open ZAP - no changes needed 2. Configure Firefox to use proxy 3. Resend request in browser 4. Confirm received by proxy 5. Forward to web server (VM)
  • 12. Set Firefox Proxy • Set Firefox proxy to 8080 • Preferences -> Advanced -> Network -> Settings • Set HTTP Proxy • Important - clear the “No Proxy for” line
  • 13. ZAP Proxy - Default 8080 • ZAP - Configure to listen on 8080
  • 14. Confirm Setup Works • Refresh Web Browser • Go to ZAP • See site in left-hand column
  • 15. Intercepting Traffic • Add a “breakpoint” by right clicking on the page and choosing “Break...” • Refresh the webpage - it will hang • Modify the request as needed, then press the “Continue” button
  • 16. “Hello World” of Proxies • Lesson: General->Http Basic • Objective: • Enter your name into text box • Intercept with proxy & change entered name to different value • Receive response & observe modified value is reversed (Diagram: browser sends “Joe”, proxy changes it to “Sue”, web server responds with “euS”, which the browser receives)
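As an added example (not from the slides), here is the edit that ZAP performs for you at a breakpoint in the HTTP Basics lesson, written out in Python: parse the captured POST, replace the submitted name, and recompute Content-Length, which ZAP adjusts automatically but a hand-edited request must get right or the server will read a truncated or over-long body. The request bytes, the `person` field name and the query string are constructed for illustration, not captured from WebGoat.

```python
"""Rewrite one form field in a captured HTTP POST and fix Content-Length."""
from urllib.parse import parse_qsl, urlencode

# Constructed sample request; field and query values are placeholders.
SAMPLE_REQUEST = (
    b"POST /WebGoat/attack?Screen=SCREEN&menu=MENU HTTP/1.1\r\n"
    b"Host: 192.168.56.101\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"person=Joe&SUBMIT=Go"
)


def rewrite_form_field(raw: bytes, field: str, new_value: str) -> bytes:
    """Return `raw` with form field `field` set to `new_value`.

    Only the body and the Content-Length header change; the request line
    and every other header are passed through byte-for-byte.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP request (no header terminator)")
    request_line, *headers = head.split(b"\r\n")

    # Decode the urlencoded body, keeping field order and empty values.
    params = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    if field not in params:
        raise KeyError(f"field {field!r} not present in request body")
    params[field] = new_value
    new_body = urlencode(params).encode("latin-1")

    # Replace an existing Content-Length, or add one if the request had none.
    length_header = b"Content-Length: " + str(len(new_body)).encode("ascii")
    new_headers, seen = [], False
    for header in headers:
        name, _, _ = header.partition(b":")
        if name.strip().lower() == b"content-length":
            header, seen = length_header, True
        new_headers.append(header)
    if not seen:
        new_headers.append(length_header)

    return b"\r\n".join([request_line, *new_headers]) + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    # The lesson's "Joe" -> "Sue" edit; the server will then reverse "Sue".
    print(rewrite_form_field(SAMPLE_REQUEST, "person", "Sue").decode())
```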
  • 17. Additional Information • http://code.google.com/p/zaproxy/wiki/Introduction • https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project