Getting to know web applications on a vulnerable virtual machine
OWASP BWA contains many web applications, intentionally rendered vulnerable to the most common attacks. Some of them are focused on the practice of some specific technique, while others try to replicate real-world applications that happen to have vulnerabilities.
In this recipe, we will take a tour of our vulnerable_vm and get to know some of the applications it includes.
Getting ready
We need to have our vulnerable_vm running and its network correctly configured. For this book, we will be using 192.168.56.10 as its IP address.
How to do it...
The steps that need to be performed are as follows:
- With
vm_1running, open your Kali Linux host's web browser and go tohttp://192.168.56.10. You will see a list of all the applications that the server contains:
- Let's go to
Damn Vulnerable Web Application. - Use
adminas a username andadminas a password. We can see a menu on the left; this menu contains links to all the vulnerabilities that we can practice in this application:Brute Force,Command Execution,SQL Injection, and so on. Also, theDVWA Securitysection is where we can configure the security (or complexity) levels of the vulnerable inputs:
- Log out and return to the server's homepage.
- Now, we click on
OWASP WebGoat.NET. This is a .NET application where we will be able to practice file and code injection attacks, cross-site scripting, and encryption vulnerabilities. It also has aWebGoat Coins Customer Portalthat simulates a shopping application and can be used to practice not only the exploitation of vulnerabilities, but also their identification:
- Now, we click on
- Now return to the server's home page.
- Another interesting application included in this virtual machine is BodgeIt, which is a minimalistic version of an online store based on JSP. It has a list of products that we can add to a shopping basket, a search page with advanced options, a registration form for new users, and a login form. There is no direct reference to vulnerabilities; instead, we will need to look for them:
- We won't be able to look at all the applications in a single recipe, but we will be using some of them in this book.
How it works...
The applications in the home page are organized in the following six groups:
- Training applications: These are the ones that have sections dedicated to practice-specific vulnerabilities or attack techniques; some of them include tutorials, explanations, or other kinds of guidance.
- Realistic, intentionally vulnerable applications: Applications that act as real-world applications (stores, blogs, and social networks) and are intentionally left vulnerable by their developers for the sake of training.
- Old (vulnerable) versions of real applications: Old versions of real applications, such as WordPress and Joomla, are known to have exploitable vulnerabilities; these are useful to test our vulnerability identification skills.
- Applications for testing tools: The applications in this group can be used as benchmarks for automated vulnerability scanners.
- Demonstration pages/small applications: These are small applications that have only one or a few vulnerabilities, for demonstration purposes only.
- OWASP demonstration application: OWASP AppSensor is an interesting application; it simulates a social network and could have some vulnerabilities in it. But it will log any attack attempts, which is useful when trying to learn, for example, how to bypass some security devices such as a web application firewall.
See also
Even though OWASP BWA is one of the most complete collections of vulnerable web applications for testing purposes, there are other virtual machines and web applications that could complement it as they contain different applications, frameworks, or configurations. The following are worth a try:
- OWASP Bricks, included in BWA, also has an online version: http://sechow.com/bricks/index.html.
- Hackazon (http://hackazon.webscantest.com/) is an online testing range meant to simulate a modern web application. According to its Wiki (https://github.com/rapid7/hackazon/wiki), it can also be found as a virtual machine OVA file.
- Acunetix's Vulnweb (http://www.vulnweb.com/) is a collection of vulnerable web applications, each one using a different technology (PHP, ASP, JSP, HTML5) created to test the effectiveness of the Acunetix web vulnerability scanner.
- Testfire (http://testfire.net/) is published by Watchfire and simulates an online banking application. It uses the .NET framework.
- Hewlett Packard also has a public testing site created to demonstrate the effectiveness of its Fortify WebInspect products; it is called ZeroBank (http://zero.webappsecurity.com/).
