Now that we know the goal, we need to set up the security lab containing OWASP BWA. It is free and cross-platform (tested on Ubuntu and Windows 7).
Prerequisites (links are provided in the details below):
- Virtualization software (VMware Player on Windows is used in my example, but VirtualBox also supports the VMDK disk format natively)
- Firefox Portable
- Firebug plugin
- OWASP Zed Attack Proxy (ZAP)
- Java 1.7.0 (needed to run ZAP)
Set up the target
First, install the target VM:
- Download the VM from the official website: http://sourceforge.net/projects/owaspbwa/files/
- Unzip it into the directory of your choice (be careful: the virtual disk grows on first startup, so leave room for it)
- Launch VMware Player, select Open a Virtual Machine, browse to the directory and select the .vmx file
- Start the newly added VM
Note: in VMware Player, press Ctrl+Alt to release your mouse from the VM.
Note: OWASP BWA is deliberately vulnerable, so keep the VM on a host-only or NAT network; never attach it to a bridged interface on a network you do not control.
You should see a screen like this:
You don't have to log in; just note the IP address shown on the console, you will need it afterwards.
You can open that address in a browser to check that the VM is working correctly; you should see something like this:
That means the VM is working correctly. The target is set, so we can now move on to the second part, the attacker.
Set up the attacker
To build a dedicated attacker setup, I prefer to reserve a browser for this purpose, but I also want to use Firefox with a few plugins.
The solution is Firefox Portable.
You get a standalone browser with its own plugins, without sharing your usual profile, and it can be configured once as an attack browser without having to reconfigure it every time.
Note: Firefox Portable and the desktop Firefox cannot be run at the same time (technically it is possible with a little manipulation, but there is a risk of corrupting one or both profiles).
Note: all the installations here are done on the host machine, not in the VM set up earlier.
- Download and install Firefox Portable: http://portableapps.com/apps/internet/firefox_portable
- Launch it
- Install the Firebug plugin
- Download and install Java, at least version 1.7.0. BE CAREFUL: the installer usually bundles unwanted software (the Yahoo toolbar, for example) that you have to uncheck, so don't click Next too quickly: http://java.com/fr/download/
- Download and install ZAP: https://github.com/zaproxy/zaproxy/wiki/Downloads
All that remains is to configure ZAP; just start it.
Once it is open, copy the URL shown in the red square below and paste it into Firefox Portable.
You will be offered an add-on that auto-configures the browser to use ZAP as its proxy.
Just a reminder: only install this in the Firefox Portable instance used for pentesting, never in a browser used for anything else! Everything that browser sends through ZAP, credentials included, is recorded in ZAP's history.
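The add-on above sends all of the browser's traffic through ZAP. If you would rather keep the proxying limited to the lab, a proxy auto-configuration (PAC) file that routes only the OWASP BWA address through ZAP and lets everything else go direct does the job. The PAC below is an added example written for this post; it is not the post's own configuration, not ZAP's generated proxy.pac, and not part of the auto-configuration add-on. It assumes the target IP noted from the VM console (192.168.56.101 on the 192.168.56.0/24 host-only subnet, both placeholders) and ZAP's default listener on 127.0.0.1:8080. Standard PAC helpers such as isInNet are deliberately not used, so the same file can be checked outside a browser.

```javascript
// PAC file for the attack browser (added example, not from the original post).
// Assumed lab values: adjust LAB_TARGET_IP / LAB_NETWORK to the address shown on
// the OWASP BWA console, and ZAP_PROXY to the address ZAP listens on.
var LAB_TARGET_IP = "192.168.56.101";      // placeholder: IP shown on the VM console
var LAB_NETWORK = "192.168.56.0/24";      // placeholder: host-only subnet of the VM
var ZAP_PROXY = "PROXY 127.0.0.1:8080";   // ZAP's default local proxy listener
var NEVER_PROXY = ["localhost", "127.0.0.1"]; // ZAP's own UI/API must not loop through ZAP

// Convert a dotted-quad IPv4 string to an integer; null if it is not a valid IPv4.
// (Plain arithmetic instead of bit shifts so 192.x.x.x does not go negative.)
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var o = parseInt(parts[i], 10);
    if (isNaN(o) || o < 0 || o > 255 || String(o) !== parts[i]) return null;
    n = n * 256 + o;
  }
  return n;
}

// True when ip falls inside the CIDR block (e.g. "192.168.56.0/24").
// Hostnames and malformed addresses never match, so they fall back to DIRECT.
function ipInCidr(ip, cidr) {
  var split = cidr.split("/");
  var base = ipToInt(split[0]);
  var addr = ipToInt(ip);
  var bits = parseInt(split[1], 10);
  if (base === null || addr === null || isNaN(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;
  var divisor = Math.pow(2, 32 - bits);
  return Math.floor(base / divisor) === Math.floor(addr / divisor);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (var i = 0; i < NEVER_PROXY.length; i++) {
    if (host === NEVER_PROXY[i]) return "DIRECT";
  }
  // Exact target first, then anything else on the lab subnet, goes through ZAP.
  if (host === LAB_TARGET_IP || ipInCidr(host, LAB_NETWORK)) return ZAP_PROXY;
  // Everything else (updates, add-on downloads, your own browsing) bypasses ZAP,
  // so only lab traffic is intercepted and recorded.
  return "DIRECT";
}
```

Save it as a .pac file and point Firefox Portable at it with a file:// URL under the network settings' "Automatic proxy configuration URL" option. Keep in mind that a PAC file only decides where requests go; ZAP still sees every request it is handed, so the same "lab browser only" rule from the reminder above applies.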
You now have the security lab installed and ready to use.
The next post will show an example of how to use this security lab on a basic case.