
Vulnerable by definition

Many people who have anything to do with security periodically feel the urge to do a pentest, that is, a penetration test. Most often it all starts with pentesting web applications. The barrier to entry is fairly low (the simplest SQL injection is detected by adding a quote to a parameter and is not particularly hard to exploit), but there are also quite complex tasks that can make you spend a couple of days digging.
But the question arises: where can you apply this theoretical knowledge without fearing a sudden police raid? Below I give a short overview of playgrounds for pentest experiments.

Playgrounds can be divided into the following categories and subcategories:
  1. Full-fledged operating system images with a set of vulnerable services, including vulnerable web applications
  2. Distributions of vulnerable web applications (offline)
  3. Vulnerable web applications (online), close to real ones
  4. Vulnerable web applications (online) in CTF format


Distributions of vulnerable web applications (offline)


Vulnerable distributions give the greatest freedom of action, because there is no need to sandbox the vulnerabilities, as there is with online applications.

Mutillidae

The Mutillidae project implements the vulnerabilities described in the OWASP Top 10. The OWASP Top 10 is an annually updated list of ten vulnerabilities that both developers and security professionals must address.
For each of the Top 10 vulnerabilities several tasks are available:


It is possible to switch the application's security level and enable hints:


All scripts run with full privileges; the result of a simple command injection is plain to see:


Version 2.0.7 is currently available.

OWASP Webgoat


This time a project from OWASP; in addition to the scripts it also includes a web server (Tomcat), so you can simply launch it on your work computer with a single bat file.

A significant difference from Mutillidae is that you must not just do something, but achieve a very specific result. When the result is achieved, it is marked in the list of all tasks:



To pass some tasks you need, instead of hacking, to do the opposite and add protection to the code.

Information about the project is available here.

If you run into difficulties, there is a walkthrough video for each task:

yehg.net/lab/pr0js/training/webgoat.php

The link itself can be found on the page of the task.

Damn Vulnerable Web App (DVWA)


The project is similar to Mutillidae, that is, there is no clearly set task to complete, just a set of scripts with standard vulnerabilities:


The result is shown "as is", that is, as close to reality as possible:


Version 1.0.7 is currently available.

Vulnerable web applications (online), close to real ones



Acunetix test sites


A set of vulnerable sites on which Acunetix demonstrates its scanner's tests:

testasp.vulnweb.com
testaspnet.vulnweb.com
testphp.vulnweb.com

But you can also dig for vulnerabilities in them manually.

XSS


A set of several sites where you can practise XSS. Moreover, for successful exploitation you have to bypass the filtering system, which is not always trivial.

canyouxssthis.com/HTMLSanitizer
html5sec.org/xssme.php
xssme.html5sec.org

Vulnerable web applications (online) in CTF format


The tastiest part (in my opinion). The tasks are solved over the network, so no additional software needs to be installed. And there is a clear goal to reach (get the flag).

Hack This Site

A set of so-called missions, divided by difficulty level. There are basic missions, such as obtaining a certain file from the script's directory and displaying its contents:



There are also missions close to real life, for example, finding the list of all e-mail addresses of the site's registered users (the site, of course, being hosted on hackthissite)).

For each mission there is a forum where you can read hints or a complete walkthrough.

Register and take the missions here

Enigma




A similar project; there are various basic missions where the password (flag) lies, for example, in the source code:



Or where you need to perform the simplest SQL injection:



And similarly there are missions close to real sites, where you need to use various methods to find the flag:



Time-limited CTF

And finally, competitions in CTF format are held periodically, with tasks on various subjects, from web to reversing and forensics. A calendar of upcoming events can be found here:

capture.thefl.ag/calendar

Past tasks are also available on the same site.

Descriptions of past CTFs with task walkthroughs (writeups) are usually published by the winning teams (Leet More, EINDBAZEN, PPP), or can be read on specialized forums, for example rdot:

rdot.org/forum/forumdisplay.php?f=64

In place of a conclusion


In addition to the playgrounds described above, there are many more interesting things, but there is not enough time to test everything, so I will give links to English-language blogs:

www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security

blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html

community.rapid7.com/community/infosec/blog/2011/12/23/where-can-i-find-vulnerable-machines-for-my-penetration-testing-lab

g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html

UPD: A couple more links from user VladimirKochetkov:
www.felipemartins.info/2011/05/pentesting-vulnerable-study-frameworks-complete-list
code.google.com/p/pentest-bookmarks/wiki/BookmarksList

UPD: On the SecurityLab website you can find a walkthrough of the stages of HackQuest 2010, an open information-security competition. Materials from the PHDays CTF 2011 qualifying round for the upcoming Positive Hack Days forum (with the task variants) are posted here.

Source: https://habr.com/ru/post/138779/
