Security Awareness for Developer Part 2: Setup a Security Lab

Right now, we know what is our goal, but we need to setup the security lab containing OWASPBWA for free and cross plateform (tested on Ubuntu and Windows 7).

Prerequisites are (links are provided in the detail below):

  • Virtualization software (VM Player for Windows used in my example but virtualbox support as well the VM format natively)
  • Firefox Portable
    • Firebug plugin
  • OWASP Zed Attack Proxy Project
  • Java 1.7.0

Setup the target

We need first to install the target VM:

  1. Download the VM from the official website : http://sourceforge.net/projects/owaspbwa/files/
  2. Unzip it to the wanted directory (be careful VM grows on the first startup)
  3. Launch the VM Player and select Open a Virtual Machine, browse to the directory and select the vmx file
  4. Launch the newly created VM

Note: in VMWare Player, you need to press “ctrl + alt” to free your mouse from the VM

You should see a screen like this:

VM_OWASPBWA

You don’t have to login, just note the IP adress which have been setup, you will need it afterward.

You can try to connect to the URL to check that the VM is working correctly, you should see something like this:

VM_OWASPBWA_Web

 

It means that the VM is working correctly, so the target is set we can now switch to the second part, the attacker.

Setup the attacker

To create a specific attacker setup, I personally prefer to dedicate a browser to this topic but on the other I would like to use Firefox with some plugin.

The solution come with Firefox Portable

You can have a standalone browser with specific plugin without sharing your usual profile, plus it can be specifically configured as an attack browser without having to reconfigure it everytime.

Note: It is not possible to launch at the same time Firefox Portable and Firefox Desktop (physically we can with some easy manipulation but there is a risk that it corrupt one or both of the profiles).

Note: Here all installation are made on the host machine not in the VM previously setup

  1. Download and install Firefox portable http://portableapps.com/apps/internet/firefox_portable
  2. Launch it
  3. Install Firebug as pluginFirefox_Addon
  4. Download and install Java at least V1.7.0. BE CAREFUL, there are some unwanted software usually you have to uncheck when installing (yahoo toolbar for example) so don’t click Next to quickly http://java.com/fr/download/
  5. Download and install ZAP https://github.com/zaproxy/zaproxy/wiki/Downloads

We just have to setup ZAP, just start it.

Once it is opened, copy the URL in the red square below and paste it into Firefox portable.

ZAP Installer

You will be proposed to install an addon to auto-configure the proxy to use ZAP.

Just a reminder: only install this in your firefox portable version used for PenTest, never on a browser used for something else!

Once it is installed, you can opened the URL to your OWASPBWA VM, it should open and appears in ZAP.ZAP Opened

Right now you have the security lab installed and ready to be used.

Next post for an example on how to use this security lab on basic case

Posted in Security for Web Developpers Tagged with: , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

*