Re: securing a deliberately vulnerable web app

[Robin Wood <robin () digininja org>]

On 5 July 2011 16:56, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
> On Mon, Jul 4, 2011 at 4:21 AM, Robin Wood <robin () digininja org> wrote:
> > This is a question for anyone who runs a deliberately vulnerable web
> > app on a public facing site to allow people to test hacking it or to
> > test vulnerability scanners against it. I'm thinking of things like
> > http://test.acunetix.com/ .
>
> I'm not sure a lot of those (not necessarily the one you mentioned) are even
> rolled back any more. I could see plenty of popups the last time I went
> there.
> > What I'd like to know is how you go about securing the box the sites
> > are running on. Obviously you need the site running on its own server,
> > preferably airgapped from the rest of your network but how do you
> > protect yourself from attackers getting on the box then pivoting from
> > it to do a real attack to someone else? I'm guessing it is something
> > like a VM that is automatically rolled back periodically so even if
> > someone tries then they only have a limited attack window but are
> > there any other things people do?
>
> I'd do the following:
>
> a) Use a VM - try VirtualBox it has Python scripting inbuilt which allows
> you to restore snapshots etc every hour or whatever.
> b) Have the DB on the same machine as the app. Yes this breaks 'tiered
> architecture' - but it is a LAB in the end..and arch design is not what
> you're trying to teach here (I assume). The reason for the DB on the same
> machine is that it reduces complexity.
> c) If the DB on the same machine makes you uncomfortable; create a 'Host
> Only' network and have the DB on another host in your VM network. So it
> becomes - Webserver (VM1) , Appserver (VM2) , DB(VM3)
>
> d) Wrt the pivoting bit, I remember reading about Sebek on one of the
> Honeynet papers I read. You can install Sebek on whatever machines you want
> and rate limit outbound connections.
> e) Following up from that, it is in the end a Honeypot that you're
> creating..a Web Honey-pot... I recommend you read up on newer techniques Web
> based honey-pots follow..before being deployed.
>
> f) Have iptables or some other host based FW running on the host, which
> drops all connections "originating" from the VMs. If you have configured
> "Host Only networking" properly.. traffic shouldn't escape the VMs.. but its
> good to be sure. If at least 1 VM though has a public IP... you'll need to
> firewall a little more carefully than what I mentioned above.
>
> g) Make sure you have clean snapshots "offline". Those help :)
>
> Hope this helps.

A lot of good suggestions. For the actual hardware I'm thinking a
dedicated machine running Virtualbox with a single machine to do all
the web app stuff, web server, database and everything else.

I hadn't thought of it being like a honeypot, I'll do some research on those.

Robin

> Arvind
> > I'm asking because I've got an idea for a new public service which
> > would involve putting up an app that is vulnerable but I'd like to
> > make sure that if I do I protect myself as much as possible.
> >
> > Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------