- Date: 10 May 2023
- Topic: Common Vulnerabilities & Security Testing
- Authors: Ordina Pythoneers / Sebastiaan Zeeff & Jeremy Vriens
While you may want to immediately explore the repository, this will ruin most of the fun.
One of the goals today is to find vulnerabilities in websites using a security testing tool and your creativity. Since the source code of the views is available in this repository, looking at the implementation may already reveal those deliberate vulnerabilities.
Please don't explore the repository beyond this README-file before completing the exercises unless specifically instructed to do so.
- Go to https://www.hacksplaining.com/lessons
- Sign up for free with an OAuth account
- Learn about common vulnerabilities
- We recommend that you start with SQL Injection, Privilege Escalation, and Broken Access Control. These will be the most relevant for the second half of the workshop.
If you're done quickly and have already achieved your yellow belt in the security journey, check out the "Web App Testing" track.
First of all, make sure that you have a recent version of Python (3.10+) installed. We are not going to write code in Python today, but we are going to create a virtual environment to run an instance of the website that we're going to attack with our security testing tools.
If you've followed the instructions in the email, you should have already installed the OWASP ZAP application. If not, follow these instructions.
All instructions in this readme were written for ZAP 2.12.0, so I'd recommend making sure you install that version.
OWASP Zap requires Java 11+ to run. It's included in the Apple installer, but you need to install Java separately if you're using Windows or Linux.
- Please visit https://www.oracle.com/java/technologies/downloads/
- Install the JDK for either Java 17 LTS or Java 19 for your platform
- Please install OWASP Zap from https://www.zaproxy.org/download/
ZAP works by intercepting, and allowing you to modify, the traffic between your browser and a web server. This means that you need to configure your browser to use ZAP as an intermediate proxy.
Personally, I use Firefox, but the steps are similar for other browsers, such as Chrome and Edge.
- Open ZAP.
- Select "No, I do not want to persist this session at this moment in time" and click start.
- In the top menu, go to `Tools > Options`
- Navigate to `Options > Network > Local Servers/Proxies`
- Check that the main proxy is configured as:
  - Address: localhost
  - Port: 8080 (or another port, as long as you remember it)
This step is optional, as our localhost web server will not use SSL, but I've included these instructions in case you want to use ZAP on TLS-enabled connections in the future.
Full disclosure: This will install a Root CA Certificate for ZAP in your browser. This allows ZAP to proxy between your browser and a web server even if the connection is (supposed to be) secured with TLS.
- Open the options menu again (`Tools > Options`)
- Navigate to `Options > Network > Server Certificates`
- Click `Generate` to generate a new Root CA Certificate for ZAP
- Click on `Save` to save the certificate to a file
- Remember where you save the file! You'll need it later.
- Click "Ok" to exit the options menu
- Open Firefox
- Go to the Firefox Settings (`Hamburger Menu > Settings`)
- Go to `Privacy & Security`
- Scroll down to `Certificates`
- Click on `View Certificates...`
- Click on `Import...`
- Navigate to the certificate file you exported from ZAP and import it
- Open the Firefox menu (`Hamburger Menu > Add-ons and themes`)
- Search for "FoxyProxy Standard" in the `Find more add-ons` search bar
- Install "FoxyProxy Standard" (author: Eric H. Jung) and enable it
- Click on the FoxyProxy icon and click on the `Options` button in the modal
- Click on `+ Add` in the left-hand menu
- Fill in these details:
  - Title or Description: ZAP
  - Proxy Type: HTTP
  - Proxy IP address or DNS name: localhost
  - Port: 8080 (or the other port from earlier)
- Click `Save & Edit Patterns`
- In the `White Patterns` list, modify the first (and only) line:
  - Change the `Name` from "all URLs" to "localhost"
  - Change the pattern to `localhost`
  - Change the `Type` to "Reg Exp"
  - Change the
- Click `Save`
- You can now close the FoxyProxy settings screen
- Click on the FoxyProxy extension icon and select the option "Use Enabled Proxies By Patterns and Order". This makes sure that FoxyProxy only redirects traffic to `localhost` to the ZAP proxy.
Before you clone the repository, this is another friendly reminder not to browse the repository. It takes all the fun out of the challenges!
- Clone the repository using `git`
- Create a virtual environment with Python 3.10+ and activate it
- Install the requirements with `pip install -r requirements.txt`
- Run `python manage.py start` to start the project
- Visit http://localhost:8888
- Start with the tutorial
- Try other challenges afterwards

Tip: If you think you've screwed up the database, you can reset the project by running `python manage.py reset`.
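Once the site is running, a quick way to confirm that requests really travel through ZAP rather than straight to the web server, as an added Python script that is not part of the workshop repository: it sends a request for http://localhost:8888 via the proxy on port 8080 (both values from the setup above; change them if you picked a different port) and can also trust the Root CA you exported from ZAP for https:// targets. The `ca_file` argument is assumed to be the path of that exported certificate.

```python
"""Check that traffic to the workshop site actually passes through the local ZAP proxy."""
import ssl
import sys
import urllib.error
import urllib.request

ZAP_PROXY_PORT = 8080                  # port configured under Local Servers/Proxies
TARGET_URL = "http://localhost:8888"   # the workshop site started with `manage.py start`


def make_ssl_context(ca_file=None):
    """Default TLS context, optionally trusting the Root CA exported from ZAP.

    Only needed for https:// targets; the workshop site itself is plain http.
    """
    ctx = ssl.create_default_context()
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # assumed path to the ZAP Root CA file
    return ctx


def make_opener(proxy_port=ZAP_PROXY_PORT, ca_file=None):
    """Build an opener that routes both http and https through ZAP on localhost."""
    proxy = f"http://localhost:{proxy_port}"
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=make_ssl_context(ca_file)),
    )


def fetch_via_zap(url=TARGET_URL, proxy_port=ZAP_PROXY_PORT, ca_file=None, timeout=5):
    """Return (status, reason). status is None when the proxy port could not be reached."""
    opener = make_opener(proxy_port, ca_file)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, "ok: response received through the proxy"
    except urllib.error.HTTPError as exc:
        # The proxy answered, but with an HTTP error (e.g. the site on :8888 is down).
        return exc.code, "proxy reached, but got an HTTP error back"
    except urllib.error.URLError as exc:
        # Connection refused on the proxy port means ZAP is not listening there.
        return None, f"no response through proxy port {proxy_port}: {exc.reason}"


if __name__ == "__main__":
    status, reason = fetch_via_zap()
    print(status, reason)
    sys.exit(0 if status else 1)
```

A successful run appears as a new entry in ZAP's History tab; if it reports no response on port 8080, ZAP is either not started or listening on a different port.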
If you're done quickly, consider doing a few modules of the Security Journey. I recommend "DevSecOps" and "Web App Testing" as highly relevant Green Belt tracks for developers.