Sunday, October 30, 2011

Working with Web Vulnerabilities and Web Application Firewalls [Part 2 - Test Environment]

[Note: this is part two of a multi-part series of posts detailing my experiences with securing web applications, creating test environments for practicing, and installing and operating a web application firewall. Web security is an extremely important part of IT security, since almost every major organization has a "web face." I will be exploring XSS, SQL injection against MySQL, and the use of web application firewalls to protect against these attacks.]

In this post, I will be discussing the test environment I am using to learn more about web security. I will only be discussing the most basic layers here, as the more advanced programs and the firewall itself will be discussed in an upcoming post.

Operating Systems
I am going to be using two operating systems during this learning experience. The first will run the web environment that is being attacked; the second will be the system I attack it from, simulating a remote attacker. Before we begin, I encourage you to learn more about virtualization if you haven't done so already. All of my testing will take place in VMware Workstation, an excellent product that is perfect for these situations. VirtualBox will work well also.

For the system hosting the web environment (the target), I will be using Fedora 15, a Linux distribution. The attacking system will be BackTrack 5, an Ubuntu-based penetration testing distribution with a number of pre-installed tools and frameworks that are perfect for exploitation. Setting these systems up and connecting them within a virtual environment is a bit beyond the scope of this series. However, the web is full of step-by-step guides to installing these systems and connecting them via a virtual network. Whatever guide you follow, put both machines on a host-only (isolated) virtual network: the target is going to be deliberately vulnerable, and it should never be reachable from outside the lab.

The Services
One extremely common set of services used to host websites is called a LAMP stack. It stands for Linux (the operating system), Apache (the web server), MySQL (the database) and PHP (the server-side language used to code the pages and to talk to the database on behalf of the web application).

Beginning with Apache, we need to install these services onto the Fedora box. Luckily, installing them on Linux is simple from the command line. Rather than retyping every step here, I am going to link to an excellent tutorial:

Remember that this series focuses on web application security. Whenever you install a web server, database, or web environment on a box and place it on a public network, there are many security precautions to take at the OS level. That is beyond our scope right now. However, I caution you to read up on secure Apache and database configurations before running any public-facing website: at a minimum, stop the server from advertising its version, keep error details out of responses, and do not let the web application talk to the database as root.
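As an added example (not from the original post or the linked tutorial), here is the install step and the minimum OS-level hardening from the two paragraphs above, as one shell script for the Fedora 15 target. It assumes the stock Fedora layout: yum, systemd unit names httpd.service and mysqld.service, drop-in directories /etc/httpd/conf.d and /etc/php.d, and an iptables packet filter. The lab network address, the file names zz-hardening.conf and zz-hardening.ini, and the sample Server header strings are my own choices. Each config snippet shows the weak setting beside the hardened one.

```shell
#!/bin/sh
# Added example, not code from the original post.
# LAMP install on Fedora 15 plus a minimal Apache/PHP hardening drop-in.
# Assumes: Fedora 15 (yum + systemd), root privileges, stock paths
# /etc/httpd/conf.d and /etc/php.d, iptables as the packet filter.
# Run as:  sh lamp-setup.sh install      (no argument = define functions only)

install_lamp() {
    # Apache, MySQL server, PHP and the PHP MySQL extension
    yum -y install httpd mysql-server php php-mysql
    # Fedora 15 is systemd based: enable at boot, then start now
    systemctl enable httpd.service
    systemctl enable mysqld.service
    systemctl start httpd.service
    systemctl start mysqld.service
    # Only the attacker VM on the host-only network needs port 80.
    # ATTACKER_NET is an assumption; set it to your lab network.
    iptables -I INPUT -s "${ATTACKER_NET:-192.168.56.0/24}" -p tcp --dport 80 -j ACCEPT
}

# Apache drop-in; conf.d files load alphabetically, so "zz-" wins.
render_apache_hardening() {
    cat <<'EOF'
# /etc/httpd/conf.d/zz-hardening.conf   (added example)
# weak (Fedora httpd.conf default)   ->  hardened
# ServerTokens OS                    ->  ServerTokens Prod     (Server: Apache, no version/OS)
# ServerSignature On                 ->  ServerSignature Off   (no version on error pages)
# TraceEnable On                     ->  TraceEnable Off       (TRACE only helps cross-site tracing)
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    # no directory listings or server-side includes, no .htaccess overrides
    Options -Indexes -Includes
    AllowOverride None
</Directory>
EOF
}

# PHP drop-in; Fedora's php.ini scans /etc/php.d/*.ini.
render_php_hardening() {
    cat <<'EOF'
; /etc/php.d/zz-hardening.ini   (added example)
expose_php = Off          ; drops the X-Powered-By: PHP/x.y.z header
display_errors = Off      ; SQL errors and stack traces go to the log, not to the attacker
log_errors = On
allow_url_include = Off   ; include()/require() must not fetch remote URLs (remote file inclusion)
EOF
}

apply_hardening() {
    render_apache_hardening > /etc/httpd/conf.d/zz-hardening.conf
    render_php_hardening > /etc/php.d/zz-hardening.ini
    apachectl configtest            # refuse to restart on a broken config
    systemctl restart httpd.service
}

# Returns 0 (true) when a Server header still contains a version number
# such as "Server: Apache/2.2.17 (Fedora)"; 1 for a bare "Server: Apache".
leaks_version() {
    case "$1" in
        *[0-9].[0-9]*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Fetch the live header from the target (default localhost) and judge it.
check_banner() {
    hdr=$(curl -sI "http://${1:-127.0.0.1}/" | grep -i '^Server:')
    if leaks_version "$hdr"; then
        echo "still leaking: $hdr" >&2; return 1
    fi
    echo "ok: $hdr"
}

case "${1:-}" in
    install) install_lamp; apply_hardening; check_banner ;;
esac
```

The iptables rule is not persisted here; save it with your distribution's firewall tooling, or simply keep the VM on the host-only network and accept that the rule disappears on reboot. After `sh lamp-setup.sh install`, `curl -sI http://TARGET/` from the BackTrack VM should show `Server: Apache` and no `X-Powered-By` header.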

The Data
It's no fun exploiting web applications if there's no data to go after. To populate the environment, I found a sample MySQL database known as Sakila. It models a DVD rental store: sixteen base tables (plus views, stored procedures and triggers) holding thousands of rows of sample data about films, actors, customers, and rentals. The sample exercises a number of MySQL features and is perfect for a test environment.

Sakila can be downloaded here. Download the TGZ next to "sakila database." Save and untar it inside your Fedora box.

Installing Sakila is very simple, and luckily the web page has a step-by-step guide. Once it is loaded, create a separate, read-only MySQL account for the web pages to use; the root account is for loading the data, not for serving it.
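As an added example (not from the original post or the MySQL guide), this script loads the two SQL files from the untarred sakila-db directory and then creates the least-privilege account just mentioned, proving afterwards that the account can read but not modify the data. The directory name sakila-db, the environment variables MYSQL_ROOT_PW, SAKILA_WEB_USER and SAKILA_WEB_PW, and the account name sakila_web are my own assumptions; the expected row counts (1000 films, 200 actors, 16 base tables) are those of a clean Sakila load.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Load Sakila into MySQL and give the PHP application its own read-only account.
# Assumes: the untarred sakila-db/ directory (sakila-schema.sql, sakila-data.sql),
# the MySQL root password in MYSQL_ROOT_PW, and the app password in SAKILA_WEB_PW.
# Passwords are handed to the client through MYSQL_PWD so they stay out of `ps`.
# Run as:  sh sakila-setup.sh load ./sakila-db   (no argument = define functions only)

# Double any single quote so a value is safe inside a MySQL '...' literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Emit SQL for a least-privilege account: SELECT only, on sakila only,
# from one host only.  $1=user  $2=host  $3=password   (names are hypothetical)
sakila_grant_sql() {
    u=$(sql_quote "$1"); h=$(sql_quote "$2"); p=$(sql_quote "$3")
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$u" "$h" "$p"
    printf "GRANT SELECT ON sakila.* TO '%s'@'%s';\n" "$u" "$h"
    printf "FLUSH PRIVILEGES;\n"
}

# Queries whose answers are known for a clean load:
# 16 base tables, 1000 rows in film, 200 rows in actor.
sakila_check_sql() {
    cat <<'EOF'
USE sakila;
SELECT COUNT(*) AS base_tables FROM information_schema.tables
  WHERE table_schema = 'sakila' AND table_type = 'BASE TABLE';
SELECT COUNT(*) AS films FROM film;
SELECT COUNT(*) AS actors FROM actor;
EOF
}

load_sakila() {
    dir=${1:-./sakila-db}
    MYSQL_PWD="$MYSQL_ROOT_PW" mysql -u root < "$dir/sakila-schema.sql"
    MYSQL_PWD="$MYSQL_ROOT_PW" mysql -u root < "$dir/sakila-data.sql"
    sakila_check_sql | MYSQL_PWD="$MYSQL_ROOT_PW" mysql -u root -t
}

# $1=user $2=password
create_app_account() {
    sakila_grant_sql "$1" localhost "$2" | MYSQL_PWD="$MYSQL_ROOT_PW" mysql -u root
    # Prove the restriction: a SELECT works, a harmless UPDATE is denied.
    MYSQL_PWD="$2" mysql -u "$1" sakila -e 'SELECT COUNT(*) FROM film' || return 1
    if MYSQL_PWD="$2" mysql -u "$1" sakila \
         -e 'UPDATE film SET title = title WHERE film_id = 1' 2>/dev/null; then
        echo "account can modify data; the grant is too broad" >&2; return 1
    fi
    echo "read-only account $1 OK"
}

case "${1:-}" in
    load) load_sakila "${2:-./sakila-db}"
          create_app_account "${SAKILA_WEB_USER:-sakila_web}" "${SAKILA_WEB_PW:?set SAKILA_WEB_PW}" ;;
esac
```

When the SQL injection posts come along, point the vulnerable pages at this account rather than root: an injected query can then only read what the application could read anyway, which is exactly the difference a practitioner wants to be able to see on the wire.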

At this point you should have Fedora (or your alternative distribution) installed, your LAMP stack configured, and be able to reach Apache's default test page (on Fedora it is the "Fedora Test Page" rather than the upstream "It works!") by entering the machine's IP address in a browser. The Sakila sample database should be loaded.

Next in the series I will walk through some basic vulnerabilities on some extremely simple web pages. In a few posts, I will move to a much better framework called Damn Vulnerable Web Application (DVWA), a purposely insecure web application built solely for practicing vulnerability testing. Later, we will install a web application firewall in front of the application and observe how it handles our attacks.
