WebApp Sec mailing list archives
Re: securing a deliberately vulnerable web app
From: Robin Wood <robin () digininja org>
Date: Tue, 5 Jul 2011 22:35:34 +0100
On 5 July 2011 22:32, Charlie Belmer <charlie.belmer () gmail com> wrote:
Hi Robin, A couple of suggestions: Definitely VM it and roll it back frequently. You might want a list of warnings to watch for, like someone trying to install root kits or run certain shell commands, at which point it could trigger a roll back to remove any custom malicious software. Don't allow any connections out from the server, aside from the HTTP (or whatever) connections initiated by the web browsers. this goes a long way to preventing pivot attacks.(would have to be an external firewall device) Make sure permissions on the web user are extremely low. Use a bare bones server image - strip out anything unnecessary from the image which isn't required for your service. Especially things like compilers and libraries not used by your app. A lot of the test/practice apps just simulate security vulnerabilities to prevent this kind of thing - see http://zero.webappsecurity.com/rootlogin.asp.bak as case in point (which itself seems to be a security flaw..) I am sure there is more you can do, but this is what I could quickly come up with.
Thanks for the ideas. Robin
Charlie https://www.golemtechnologies.com On Sun, Jul 3, 2011 at 6:51 PM, Robin Wood <robin () digininja org> wrote:This is a question for anyone who runs a deliberately vulnerable web app on a public facing site to allow people to test hacking it or to test vulnerability scanners against it. I'm thinking of things like http://test.acunetix.com/ . What I'd like to know is how you go about securing the box the sites are running on. Obviously you need the site running on its own server, preferably airgapped from the rest of your network but how do you protect yourself from attackers getting on the box then pivoting from it to do a real attack to someone else? I'm guessing it is something like a VM that is automatically rolled back periodically so even if someone tries then they only have a limited attack window but are there any other things people do? I'm asking because I've got an idea for a new public service which would involve putting up an app that is vulnerable but I'd like to make sure that if I do I protect myself as much as possible. Robin This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- securing a deliberately vulnerable web app Robin Wood (Jul 04)
- Re: securing a deliberately vulnerable web app Jeremiah Cornelius (Jul 05)
- DOS Web App elton Sheffield (Jul 07)
- RE: DOS Web App Rajesh Gopisetty (Jul 07)
- DOS Web App elton Sheffield (Jul 07)
- Message not available
- Re: securing a deliberately vulnerable web app Robin Wood (Jul 05)
- Re: securing a deliberately vulnerable web app Jeremiah Cornelius (Jul 05)
- Message not available
- Re: securing a deliberately vulnerable web app Robin Wood (Jul 05)
- Message not available
- Re: securing a deliberately vulnerable web app arvind doraiswamy (Jul 05)
- Re: securing a deliberately vulnerable web app Vedantam Sekhar (Jul 07)
- Re: securing a deliberately vulnerable web app Robin Wood (Jul 07)
- Message not available
- Message not available
- Fwd: securing a deliberately vulnerable web app bournenapste () gmail com (Jul 11)
- Message not available
- Re: securing a deliberately vulnerable web app bournenapste () gmail com (Jul 12)
- Re: securing a deliberately vulnerable web app Robin Wood (Jul 07)
- Re: securing a deliberately vulnerable web app Robin Wood (Jul 11)