Welcome to another one of my inner recesses!
As I mentioned in my first post: Hello, World, Web App Security (precisely), and Penetration Testing (in general) are some of my priorities to learn. Today I’m going to make my first step in this learning adventure, and I would like to invite you to follow this path with me.
I would like to treat this group of posts as my personal notes. The point is to memorize better, shape the learning process step by step, or quickly remind me. I also hope you will find them helpful.
In my opinion, penetration tests are much more complex and assume the possibility of breaking into the box using the website channel.
For the time being, I would like to separate Web Application security from the ‘general’ penetration testing learning I will probably describe in the future.
My first idea was to find a vulnerable app, possibly with the described walkthrough. I will follow the instruction, experiment by myself, repeat it a few times, find another app, and try my best.
Turned out that there is an OWASP Vulnerable Web Applications Directory (VWAD) Project where there are a lot of vulnerable web applications available. I encourage you to visit the project site here.
Today, they have:
- 30 + online sites you can try yourself
- 70 + offline apps in many different technologies
And it’s so awesome!
So I started looking around. I wanted to find the one with a walkthrough; it was easy to install and quite comprehensive.
Then I started reading about the danger while running such VMs:
– You’re taking a machine that has known vulnerabilities in it and its purpose is to be broken into. As a result, you’ll be increasing the risk of the network it’s attached to.
– You’re running someone else’s code, so you’re trusting the author hasn’t made it perform/run in a malicious manner. Just like running an unknown/untrusted program, the virtual machine could:
— Try and attack the host and/or network in-which its been attached to
— Connect back to the author, becoming a ‘zombie’ in botnet.
– You could end up attacking yourself or the incorrect target. For example if the virtual machine network was set to ‘NAT’ and uses port forwarding for the guest system, any other open ports which haven’t been forwarded are services running on the host machine.Website: VulnHub FAQ
I didn’t want to disconnect my network before running VM (almost always, simple googling can increase the learning process). So I decided to deploy the solution on my RPi; I would connect via Ethernet.
The problem with RPi is that it does not efficiently support virtualization. There are some possible workarounds (e.g., use KVM + QEMU), but they are neither fast nor convenient.
The best solution is to use Docker images 😊
There 5 docker Vulnerable Apps in VWAD, are 3 of them developed by OWASP, and I decided to go with OWASP Juice Shop, which is described as:
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications! (…)
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!Website: OWASP Juice Shop
I’ve found the perfect match ❤.
A very comprehensive book is included with the application – “Pwning OWASP Juice Shop” by Björn Kimminich.
The book contains 3 parts:
- Hacking preparation
- Challenge hunting
- Getting involved
Within the 1 part, we can find “step-by-step instructions to deploy a running instance of OWASP Juice Shop for your personal hacking endeavors.” and we can find out that it’s possible to deploy it to Heroku, as well as in many forms for local installation.
To install Juice Shop on my RPi, I need to:
- Install Docker with the guide:
So I started with regular update&upgrade:
sudo apt-get update && sudo apt-get upgrade
Then I’ve downloaded a script to installDockerr and executed it:
curl -fsSL https://get.docker.com -o get-docker.sh sudo sh get-docker.sh
It’s required to add a user to the docker group:
sudo usermod -aG docker Pi
To finally check Docker Hello-World:
- It’s time to download the Juice Shop:
docker pull santosomar/juice-shop-arm64
- And finally run it:
docker run -d --rm -p 3000:3000 santosomar/juice-shop-arm64
- To use the Juice Shop in browser we need to type RPi’s IP into the browser:
As we can read in the manual, Juice Shop covers different risks and vulnerabilities found in OWASP Top 10, MITRE’s common weakness enumeration, and others.
Also, the app provides challenge tracking – a famous scoreboard. Its goal is to motivate to hunt for vulnerabilities and list all the app’s challenges, with hints or descriptions and ratings. The challenges are rated between 1⭐ to 6 ⭐⭐⭐⭐⭐⭐.
By the way, finding the scoreboard is the first challenge we have to get through, which is rated with 1 ⭐.
As you can see above app provides success feedback to make it a more game-like experience.
There are some rules we need to follow:
Use recommended tools:
- Browser – both Chrome and Firefox are recommended by the author
- Some tools for HTTP requests tampering e.g. browser add-ons
The authors recommend sticking with recommended tools, but some scripts or intercepting proxies might be helpful!
Things considered cheating (and forbidden!) :
- Reading the source code (black-box approach)
- Reading the solution before trying (so I need to verify my attitude and play by the rules 😉)
- SQL Injection on database table Challenge (we
cancannot set solved column to 1)
- Few others (not worth mention)
I think that the gamification of the learning process was looking for.
I’ve deployed a web sec testing environment, so that’s it for today!
I’m going to get my “happy path” around the application to get to know how where to start Juice Shopping 😉
That’s a good read! I’m definitely looking forward to the inner workings of pentests that you’re planning to post here.
Keep up the good work!
LikeLiked by 1 person