Virtual Security
Training Lab Setup
OWASP BWA & OWASP ZAP

Michael Coates
@_mwc
michael-coates.blogspot.com
Software
• Vulnerable server: OWASP WebGoat (runs inside the VM below)
• Proxy tool: OWASP ZAP (Zed Attack Proxy)
• Browser (Firefox is used in these slides)
• Virtual machine: OWASP Broken Web Applications (BWA) VM
Setup Virtual Environment (Part 1): create the VM
• Open VirtualBox and create a new VM around the downloaded OWASP BWA disk image
• Select "New", Type "Linux", Version "Ubuntu"
• Memory size: at least 512 MB
• Hard drive: "Use an existing virtual hard drive file"
• Navigate to the downloaded OWASP BWA files and select "OWASP Broken Web Apps-cl1.vmdk"
Setup Virtual Environment (Part 2): create a host-only network
• Open the preferences for VirtualBox itself (not the settings of an individual VM)
• Click Network, then the tab "Host-only Networks"
• Click the green plus
• "vboxnet0" should now appear
• Click OK and exit the preferences menu
Setup Virtual Environment (Part 3): attach the VM to the host-only network
• Right-click OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager and select "Settings" (also available via the menu Machine -> Settings)
• Go to Settings -> Network -> Adapter 1
• Make sure the "Enable Network Adapter" checkbox is checked
• Change "Attached to:" from "NAT" to "Host-only Adapter". This is important: the VM runs deliberately vulnerable web applications, and a host-only adapter makes it reachable only from your own machine. With NAT the VM could reach the internet; with a bridged adapter every device on your LAN could reach the VM.
• Click OK
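The isolation rule above is worth verifying rather than trusting a dialog: a second adapter left on NAT, or Adapter 1 later switched to Bridged, quietly puts the vulnerable VM on a real network. The following Python script is an added example, not part of the original slides, that parses the output of `VBoxManage showvminfo <vm> --machinereadable` and flags any adapter attached to anything other than a host-only network. It assumes the VM is named OWASP-BWA as in the slides and relies on the `nicN` and `hostonlyadapterN` keys that VBoxManage prints; the two sample outputs embedded at the bottom are constructed for the demo, not captured from a real VM.

```python
"""Check that an OWASP BWA VM is reachable only over a VirtualBox host-only network."""
import subprocess

# Attachment types that keep the VM off every real network.
# "hostonly" is what the lab wants; "none" is a disabled adapter and
# "null" is an enabled adapter that is not attached to anything.
ALLOWED_ATTACHMENTS = {"hostonly", "none", "null"}

MAX_ADAPTERS = 8  # VirtualBox exposes up to eight NICs per VM


def parse_machinereadable(text: str) -> dict:
    """Parse VBoxManage --machinereadable output: one key="value" pair per line."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def check_isolation(info: dict) -> list:
    """Return a list of problems; an empty list means every adapter is host-only or off."""
    problems = []
    for n in range(1, MAX_ADAPTERS + 1):
        key = "nic%d" % n
        value = info.get(key)
        if value is not None and value not in ALLOWED_ATTACHMENTS:
            problems.append("%s is attached to %r; expected hostonly or none" % (key, value))
    attachments = [info.get("nic%d" % n) for n in range(1, MAX_ADAPTERS + 1)]
    if "hostonly" not in attachments:
        problems.append("no adapter is attached to a host-only network; the VM will be unreachable")
    return problems


def vm_is_isolated(vm_name: str = "OWASP-BWA") -> bool:
    """Query VirtualBox for the named VM and report whether it passes the check."""
    out = subprocess.run(["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    problems = check_isolation(parse_machinereadable(out))
    for problem in problems:
        print("WARNING:", problem)
    return not problems


# Constructed sample output (not captured from a real VM), limited to the
# fields that matter here. SAMPLE_OK matches the slides' configuration;
# SAMPLE_LEAKY has a forgotten second adapter on NAT.
SAMPLE_OK = '''
name="OWASP-BWA"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
nic3="none"
nic4="none"
'''

SAMPLE_LEAKY = '''
name="OWASP-BWA"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="nat"
nic3="none"
nic4="none"
'''

if __name__ == "__main__":
    print(check_isolation(parse_machinereadable(SAMPLE_OK)))     # no problems
    print(check_isolation(parse_machinereadable(SAMPLE_LEAKY)))  # one warning about nic2
    # On a machine with VirtualBox installed: vm_is_isolated("OWASP-BWA")
```

Run `vm_is_isolated()` after every change to the VM's network settings, and again before starting the VM on a laptop that has moved to an untrusted network.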
Start Up Virtual Machine
• Right-click OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager and hit "Start"
• The OWASP-BWA login screen will show a message like "You can access the web apps at http://192.168.56.101" (use whatever IP address is displayed)
• Note: you don't need to log in to or interact with the virtual machine once it is running. The web server starts when the virtual machine boots.
Test Connectivity to VM
1. Open a browser
2. Browse to your VM's IP address (shown on the VM login screen), e.g. http://192.168.56.101
3. You should see the OWASP BWA welcome page
4. Error? Check the VM's IP address on its console; it should be on the host-only network (192.168.56.x for the default vboxnet0)
WebGoat
• Click the first link: OWASP WebGoat version 5.3.x
• Username / password: guest / guest
Understanding the Proxy
• A proxy is a middle-man between the browser and the web server
• It assists with traffic inspection and manipulation: every request and response passes through it and can be read or changed
Attacker's Browser -> Web Proxy -> Web Server
Understanding the Proxy (in this lab)
Your computer (primary OS): Browser -> Web Proxy (ZAP)
VM: Web Server (OWASP BWA)
Next Steps
1. Open ZAP (no changes needed; it listens on port 8080 by default)
2. Configure Firefox to use the proxy
3. Resend the request from the browser
4. Confirm it was received by the proxy
5. Forward it to the web server (the VM)
Set Firefox Proxy
• Set the Firefox proxy to localhost, port 8080
• Preferences -> Advanced -> Network -> Settings (in newer Firefox versions: Preferences -> General -> Network Settings)
• Choose "Manual proxy configuration" and set HTTP Proxy
• Important: clear the "No Proxy for" line. Any entry there that matches the VM's address makes Firefox send those requests directly, bypassing ZAP.
ZAP Proxy: default port 8080
• ZAP listens on localhost port 8080 by default; make sure this matches the port configured in Firefox
Confirm Setup Works
• Refresh the web browser
• Go to ZAP
• The site should appear in the left-hand (Sites) column
Intercepting Traffic
• Add a "breakpoint" by right-clicking on the page in ZAP and choosing "Break..."
• Refresh the webpage: it will hang while ZAP holds the request
• Modify the request as needed, then press the "Continue" button
“Hello World” of Proxies
• Lesson: General -> Http Basics
• Objective:
  • Enter your name into the text box
  • Intercept the request with the proxy and change the entered name to a different value
  • Receive the response and observe that the server reversed the modified value, not the one you typed
• Flow: Browser sends "Joe" -> Web Proxy changes it to "Sue" -> Web Server reverses what it received and returns "euS" -> Browser displays "euS"
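The diagrams and the exercise above describe one flow: the browser sends "Joe", the proxy swaps it for "Sue", and the server reverses what it actually received. As an added example (not code from the slides, from ZAP or from WebGoat), here is a minimal intercepting HTTP proxy in Python that performs the same rewrite ZAP's breakpoint lets you do by hand, together with a stand-in for the WebGoat lesson so the whole exchange runs offline on localhost. It assumes the lesson posts the name in a form field called person; check the intercepted request in ZAP for the field name WebGoat really uses.

```python
"""A minimal intercepting HTTP proxy: the 'Hello World' exercise, in code."""
import http.client
import http.server
import threading
import urllib.parse

# Interception rule: form field name -> value the proxy substitutes.
# Assumes the lesson posts the name as a field called "person".
REWRITE_RULES = {"person": "Sue"}

# Headers the proxy never copies verbatim: hop-by-hop headers, plus those it
# regenerates itself (Host from the request target, Content-Length from the
# body it actually sends, Server/Date from its own response line).
DROP_HEADERS = {"connection", "proxy-connection", "keep-alive", "transfer-encoding",
                "content-length", "host", "server", "date"}


def rewrite_form(body: bytes, rules: dict) -> bytes:
    """Replace the value of each form field named in `rules`, keeping everything else."""
    pairs = urllib.parse.parse_qsl(body.decode(), keep_blank_values=True)
    return urllib.parse.urlencode([(k, rules.get(k, v)) for k, v in pairs]).encode()


class InterceptingProxy(http.server.BaseHTTPRequestHandler):
    """Sits between browser and server, like ZAP on port 8080."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        self.forward()

    def do_POST(self):
        self.forward()

    def forward(self):
        # A browser talking to a proxy sends the full URL as the request target:
        #   POST http://192.168.56.101/WebGoat/attack HTTP/1.1
        url = urllib.parse.urlsplit(self.path)
        if not url.hostname:
            self.send_error(400, "proxy requires an absolute URL")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        if body and self.headers.get("Content-Type", "").startswith(
                "application/x-www-form-urlencoded"):
            body = rewrite_form(body, REWRITE_RULES)  # the "modify the request" step
        headers = {k: v for k, v in self.headers.items() if k.lower() not in DROP_HEADERS}
        headers["Host"] = url.netloc
        headers["Content-Length"] = str(len(body))
        path = urllib.parse.urlunsplit(("", "", url.path or "/", url.query, ""))
        upstream = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=10)
        upstream.request(self.command, path, body=body, headers=headers)
        resp = upstream.getresponse()
        data = resp.read()
        upstream.close()
        # Relay the response unchanged (a breakpoint on responses would edit `data` here).
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in DROP_HEADERS:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class ReversingServer(http.server.BaseHTTPRequestHandler):
    """Stand-in for the lesson on the lab VM: echoes the posted name reversed."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        reply = form.get("person", "")[::-1].encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


def serve(handler):
    """Start a handler on a free localhost port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo(name: str = "Joe") -> str:
    """Browser -> proxy -> server round trip; returns what the 'browser' sees."""
    server, proxy = serve(ReversingServer), serve(InterceptingProxy)
    target = "http://127.0.0.1:%d/WebGoat/attack" % server.server_address[1]
    browser = http.client.HTTPConnection(*proxy.server_address, timeout=10)
    browser.request("POST", target, body=urllib.parse.urlencode({"person": name}),
                    headers={"Content-Type": "application/x-www-form-urlencoded"})
    result = browser.getresponse().read().decode()
    browser.close()
    for srv in (proxy, server):
        srv.shutdown()
        srv.server_close()
    return result


if __name__ == "__main__":
    print(run_demo("Joe"))  # the browser typed Joe, the proxy sent Sue, the server answers euS
```

Whatever name the browser submits, the server only ever sees "Sue", which is the point of the exercise: the server cannot trust that the request it receives is the one the page's form produced. Against the real lab VM the same handler works as a forward proxy if Firefox is pointed at its port instead of ZAP's 8080.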
Additional Information
• http://code.google.com/p/zaproxy/wiki/Introduction
• https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project