Re: securing a deliberately vulnerable web app

[Robin Wood <robin () digininja org>]

On 5 July 2011 22:32, Charlie Belmer <charlie.belmer () gmail com> wrote:
> Hi Robin,
>
> A couple of suggestions:
>
> Definitely VM it and roll it back frequently. You might want a list of
> warnings to watch for, like someone trying to install root kits or run
> certain shell commands, at which point it could trigger a roll back to
> remove any custom malicious software.
> Don't allow any connections out from the server, aside from the HTTP (or
> whatever) connections initiated by the web browsers. this goes a long way to
> preventing pivot attacks.(would have to be an external firewall device)
> Make sure permissions on the web user are extremely low.
> Use a bare bones server image - strip out anything unnecessary from the
> image which isn't required for your service. Especially things like
> compilers and libraries not used by your app.
> A lot of the test/practice apps just simulate security vulnerabilities to
> prevent this kind of thing - see
> http://zero.webappsecurity.com/rootlogin.asp.bak as case in point (which
> itself seems to be a security flaw..)
>
> I am sure there is more you can do, but this is what I could quickly come up
> with.

Thanks for the ideas.

Robin

> Charlie
> https://www.golemtechnologies.com
>
> On Sun, Jul 3, 2011 at 6:51 PM, Robin Wood <robin () digininja org> wrote:
> > This is a question for anyone who runs a deliberately vulnerable web
> > app on a public facing site to allow people to test hacking it or to
> > test vulnerability scanners against it. I'm thinking of things like
> > http://test.acunetix.com/ .
> >
> > What I'd like to know is how you go about securing the box the sites
> > are running on. Obviously you need the site running on its own server,
> > preferably airgapped from the rest of your network but how do you
> > protect yourself from attackers getting on the box then pivoting from
> > it to do a real attack to someone else? I'm guessing it is something
> > like a VM that is automatically rolled back periodically so even if
> > someone tries then they only have a limited attack window but are
> > there any other things people do?
> >
> > I'm asking because I've got an idea for a new public service which
> > would involve putting up an app that is vulnerable but I'd like to
> > make sure that if I do I protect myself as much as possible.
> >
> > Robin
> >
> >
> >
> > This list is sponsored by Cenzic
> > --------------------------------------
> > Let Us Hack You. Before Hackers Do!
> > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > Request Yours Now!
> > http://www.cenzic.com/2009HClaunch_Securityfocus
> > --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------