Web applications have become common targets for attackers. Attackers can leverage relatively simple vulnerabilities to gain access to confidential information most likely containing personally identifiable information.
While traditional firewalls and other network security controls are an important layer of any Information Security Program, they can’t defend or alert against many of the attack vectors specific to web applications. It is critical for an organisation to ensure that its web applications are not susceptible to common types of attack.
Best practice suggests that an organisation should perform a web application test in addition to its regular security assessments in order to ensure the security of its web applications.
In this article I will walk through a list of common deliberately vulnerable web applications that you can use to build your first web penetration testing lab in Kali Linux.
Read my previous article to learn more about Kali Linux: An Introduction To Hacker’s OS: Kali Linux And Setup Tutorial.
Mantra, a free and open source browser-based security framework, is a collection of free and open source tools integrated into a web browser.
OWASP Mantra is a Firefox build dedicated to security work that integrates an arsenal of tools for auditing and debugging your web applications online.
Mantra is a security framework that can be very helpful in performing all five phases of an attack, including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from this, it also contains a set of tools aimed at web developers and code debuggers, which makes it very convenient for both offensive and defensive security tasks.
Read my previous article to set up OWASP Mantra: How to install OWASP Mantra in Kali Linux
Use the command below to download DVWA.
Unzip the downloaded file and copy the dvwa folder into Computer → File system → var → www (that is, /var/www).
Set the permissions of DVWA to 755: open a Terminal and type
#chmod -R 755 /var/www/dvwa
Start Apache: go to Applications → Kali Linux → System Services → HTTP → apache2 start
Start MySQL: go to Applications → Kali Linux → System Services → MySQL → mysql start
Now create the database for DVWA.
Open a Terminal and type
#mysql -u root -p
mysql> create database dvwa;
Configure DVWA by opening /var/www/dvwa/config/config.inc.php and adding your MySQL password.
You can now log in to DVWA.
Download the latest version of Mutillidae
#wget -c http://ncu.dl.sourceforge.net/project/mutillidae/mutillidae-project/LATEST-mutillidae-2.6.10.zip
Unzip the latest version (the only folder in the ZIP file is the “mutillidae” folder)
#unzip -q LATEST-mutillidae-2.6.10.zip
Copy the latest version to /var/www
#cp -R mutillidae /var/www/
Now create the database for Mutillidae.
Open a Terminal and type
#mysql -u root -p
mysql> create database mutillidae;
Configure Mutillidae by opening /var/www/mutillidae/classes/MySQLHandler.php and adding your MySQL root password.
Initialise the project by browsing to http://localhost/mutillidae and clicking the Reset DB button on the menu bar.
Browse to http://localhost/mutillidae
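The copy, chmod 755 and create-database steps used above for both DVWA and Mutillidae, written as checked shell functions. This is an added example, not code from the original article: the web root and database name are parameters (an assumption, so the functions can be tried against a scratch directory before they touch /var/www), and perms_ok confirms the recursive chmod actually took effect.

```shell
#!/bin/sh
# Added example, not from the original article: the copy / chmod 755 / create
# database steps as checked functions. Paths are parameters (assumption) so the
# functions can be exercised against a scratch directory before /var/www.

# install_webapp SRC_DIR WEB_ROOT NAME
# Copies SRC_DIR to WEB_ROOT/NAME and sets 755 recursively, as the article does
# with /var/www/dvwa and /var/www/mutillidae. Prints the installed path.
install_webapp() {
    src="$1"; root="$2"; name="$3"
    [ -d "$src" ] || { echo "source $src not found" >&2; return 1; }
    mkdir -p "$root" || return 1
    cp -R "$src" "$root/$name" || return 1
    chmod -R 755 "$root/$name" || return 1
    echo "$root/$name"
}

# perms_ok PATH: succeeds only if every file and directory under PATH is 0755,
# i.e. the chmod -R from the article actually took effect.
perms_ok() {
    if find "$1" \! -perm 755 | grep -q .; then
        return 1
    fi
    return 0
}

# db_create_sql NAME: the statement the article types at the mysql> prompt,
# made idempotent so re-running the lab setup is harmless.
db_create_sql() {
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$1"
}

# Stand-alone use against the real paths (run as root, as the article does):
#   install_webapp ./dvwa /var/www dvwa && perms_ok /var/www/dvwa
#   db_create_sql dvwa | mysql -u root -p
```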
WebGoat is an OWASP project and a deliberately insecure J2EE web application designed to teach web application security lessons and concepts. What’s cool about this web application is that it lets users demonstrate their understanding of a security issue by exploiting a real vulnerability in the application in each lesson.
#wget -c https://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.3_RC1.7z
WebGoat is a platform-independent environment. It uses Apache Tomcat and the Java runtime environment.
To install Java, run the command below
#apt-get install openjdk-6-jre
#p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z
Set JAVA_HOME to point to your JDK installation
#chmod +x webgoat.sh
Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.
#sh webgoat.sh start
#sh webgoat.sh stop
Start your browser and browse to http://localhost/webgoat/attack
Log in as: user = guest, password = guest
Congratulations! You have now finished creating your first web penetration testing lab.
That’s it. Make use of these vulnerable systems to understand the vulnerabilities they contain.