Essential skills for test development engineers: hands-on with security testing vulnerability ranges
2022-06-28 04:33:00 【TEST_ Two black】
Security in the Internet industry is a specialised and sensitive field. As the saying goes, "one thought makes a Buddha, one thought makes a demon": used properly, security skills help protect your products and websites; used with the wrong intent, exploiting security holes for profit can easily bring unnecessary legal liability.
A point that is easy to overlook in daily work: penetration testing a website without authorization is also a non-compliant operation and touches on laws and regulations. So while you are learning security testing, the general recommendation is to set up a practice range environment locally and avoid testing unauthorized websites directly.
Mastering security testing is a hard skill for senior test development engineers. In today's article, let's share two common security testing and practice range projects.
▌ WebGoat
WebGoat is a deliberately vulnerable Java web application developed by the OWASP organization for practising web vulnerability experiments. It offers more than 30 training lessons, including: cross-site scripting (XSS), access control, thread safety, manipulating hidden fields, parameter tampering, weak session cookies, blind SQL injection, numeric SQL injection, string SQL injection, web services, broken open authentication, dangerous HTML comments, and more. WebGoat provides a series of web security learning lessons, some with video demonstrations, that guide users through exploiting these vulnerabilities.
Project address: https://github.com/WebGoat/WebGoat
1.1 Installation prerequisites
Go to the project address and choose the jar edition of WebGoat. Because the WebGoat 8 jar ships with its own embedded Tomcat and database, there is no need to install a separate Tomcat or MySQL; you only need a JDK to run the jar file.

Note that WebGoat versions 8.0 and above require JDK 11 or higher.
Once the download is complete, the files are:
webgoat-server-8.1.0.jar is the WebGoat service itself, used to start WebGoat.
webwolf-8.1.0 is a secondary companion system with its own vulnerabilities; it is optional.
1.2 How to start
Start the webgoat and webwolf jar programs separately with java -jar xxx.jar, for example:

After it starts successfully, you can visit WebGoat at http://127.0.0.1:8080/WebGoat.

First you need to register an account; after logging in, work through the exercises in the order of the WebGoat sidebar.
Currently WebGoat is divided into three categories: Lesson, Challenges/CTF and WebWolf.
Lesson contains the courses; each course includes a description of the vulnerability, its origin, and practice exercises.

WebWolf starts the same way. WebWolf's default port is 9090 and its login address is http://127.0.0.1:9090/WebWolf/login. WebWolf accounts are shared with WebGoat, so you can log in to WebWolf directly with your WebGoat account.
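To make the start-up steps above repeatable, here is an added shell script that is not part of the original post or the WebGoat project. It checks that the installed JDK is version 11 or newer, starts both jars bound to 127.0.0.1 only (so the deliberately vulnerable applications are not reachable from the rest of the network), and waits until the two login pages answer. The jar names and ports follow the post; the --server.port and --server.address options are standard Spring Boot settings that the WebGoat 8 jars accept, while the curl-based readiness check, the log file names and the 60 s timeout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the WebGoat project.
# Starts WebGoat and WebWolf for local practice: checks for JDK 11+, binds
# both services to the loopback address so the deliberately vulnerable apps
# are not reachable from the LAN, then waits for the login pages to answer.
# Assumptions: jar names as in the post (override with WEBGOAT_JAR/WEBWOLF_JAR),
# Spring Boot's --server.port/--server.address options, curl on PATH.
set -eu

WEBGOAT_JAR="${WEBGOAT_JAR:-webgoat-server-8.1.0.jar}"
WEBWOLF_JAR="${WEBWOLF_JAR:-webwolf-8.1.0.jar}"
BIND_ADDR="127.0.0.1"

# java_major VERSION -> major version number.
# Handles the old "1.8.0_292" scheme (major 8) and the new "11.0.15" scheme.
java_major() {
    case "$1" in
        1.*) echo "$1" | cut -d. -f2 ;;
        *)   echo "$1" | cut -d. -f1 ;;
    esac
}

# installed_java_version -> version string from `java -version`, e.g. 11.0.15,
# or an empty string when java is not on PATH.
installed_java_version() {
    command -v java >/dev/null 2>&1 || { echo ""; return 0; }
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# launch_cmd JAR PORT -> command line that starts one jar on the loopback address
launch_cmd() {
    echo "java -jar $1 --server.port=$2 --server.address=$BIND_ADDR"
}

# wait_for_http URL -> returns 0 once URL answers, 1 after 60 seconds
wait_for_http() {
    i=0
    while [ "$i" -lt 60 ]; do
        curl -fsS -o /dev/null "$1" && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Run as `sh start-webgoat.sh start` in the directory holding the two jars.
if [ "${1:-}" = "start" ]; then
    ver="$(installed_java_version)"
    [ -n "$ver" ] || { echo "java not found on PATH" >&2; exit 1; }
    [ "$(java_major "$ver")" -ge 11 ] || { echo "WebGoat 8 needs JDK 11+, found $ver" >&2; exit 1; }
    $(launch_cmd "$WEBGOAT_JAR" 8080) > webgoat.log 2>&1 &
    $(launch_cmd "$WEBWOLF_JAR" 9090) > webwolf.log 2>&1 &
    if wait_for_http "http://$BIND_ADDR:8080/WebGoat/login"; then
        echo "WebGoat: http://$BIND_ADDR:8080/WebGoat"
    else
        echo "WebGoat did not answer within 60 s, check webgoat.log" >&2
    fi
    if wait_for_http "http://$BIND_ADDR:9090/WebWolf/login"; then
        echo "WebWolf: http://$BIND_ADDR:9090/WebWolf/login"
    else
        echo "WebWolf did not answer within 60 s, check webwolf.log" >&2
    fi
fi
```

The version check matters because the post's note about JDK 11 is easy to miss when an older JDK is first on PATH; the explicit bind address is the one setting worth keeping even if you drop the rest of the script.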
▌ DVWA
DVWA (Damn Vulnerable Web Application) is a well-known vulnerability range: a web vulnerability testing program written in PHP + MySQL for routine web vulnerability teaching and testing. It contains SQL injection, XSS, blind injection and other common security vulnerabilities. It aims to provide a legal environment for security professionals to test their skills and tools, and to help web developers better understand the process of securing web applications.
Official website: https://dvwa.co.uk/
DVWA has ten modules, namely:
1. Brute Force
2. Command Injection
3. CSRF (Cross-Site Request Forgery)
4. File Inclusion
5. File Upload
6. Insecure CAPTCHA
7. SQL Injection
8. SQL Injection (Blind)
9. XSS (Reflected)
10. XSS (Stored)
2.1 Setup
To build DVWA on Windows, the installation process has two main steps:
Download and install phpStudy.
Download and configure DVWA.
1. Because DVWA needs a database, a web server and a similar environment to run, we usually choose phpStudy, which integrates these: https://www.xp.cn/. The tool can be downloaded from the official website, as shown below:

2. Once the download is complete, install it following the prompts (it is a simple next-next-finish install). After installation, start the Apache and MySQL services.

3. Download DVWA and extract it into phpStudy's WWW directory. Then find the config.inc.php.dist file under DVWA\config and change the user name and password as needed. Finally remove the .dist suffix so the file is named config.inc.php. Its contents are as follows:
<?php
# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
# Thanks to @digininja for the fix.
# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled
# Database variables
# WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
# Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must create a dedicated DVWA user.
# See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = '123456';
$_DVWA[ 'db_port'] = '3306';
$_DVWA[ 'allow_url_include'] = 'on';
$_DVWA[ 'allow_url_fopen'] = 'on';
# ReCAPTCHA settings
# Used for the 'Insecure CAPTCHA' module
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = 'mikezhou';
$_DVWA[ 'recaptcha_private_key' ] = 'mikezhou';
# Default security level
# Default value for the security level with each session.
# The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or 'impossible'.
$_DVWA[ 'default_security_level' ] = 'impossible';
# Default PHPIDS status
# PHPIDS status with each session.
# The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
$_DVWA[ 'default_phpids_level' ] = 'disabled';
# Verbose PHPIDS messages
# Enabling this will show why the WAF blocked the request on the blocked request.
# The default is 'disabled'. You can set this to be either 'true' or 'false'.
$_DVWA[ 'default_phpids_verbose' ] = 'false';
?>
4. Visit http://localhost/dvwa/setup.php
Click create database.

5. After creation succeeds, it automatically redirects to the login page, which requires a user name and password. Default user name: admin, default password: password.
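As an added example that is not from the original post or the DVWA project, the shell script below reads the config.inc.php settings shown above with grep and sed and reports values DVWA would reject: default_security_level must be one of low, medium, high or impossible, default_phpids_level must be enabled or disabled, and db_user = 'root' is flagged because the file's own comment says MariaDB needs a dedicated DVWA user. The sample configs it writes are constructed for the demo; run it with the path to your real config.inc.php to check that file instead. One practical point about the posted config: with default_security_level = 'impossible' every exercise starts in its patched form, so switch the level to low on the DVWA Security page once you have logged in.

```shell
#!/bin/sh
# Added example, not part of the original post or the DVWA project: a small
# validator for the $_DVWA[ '...' ] settings in config.inc.php. The sample
# configs written by write_sample_config are constructed for the demo.
set -eu

# dvwa_setting FILE KEY -> the quoted value assigned to $_DVWA[ 'KEY' ], or ""
dvwa_setting() {
    grep "^[[:space:]]*[$]_DVWA\[ *'$2' *]" "$1" | head -n 1 \
        | sed -e "s/^[^=]*=[[:space:]]*'//" -e "s/'.*//"
}

# dvwa_check FILE -> prints each finding to stderr and echoes the number of findings
dvwa_check() {
    f="$1"
    n=0
    user="$(dvwa_setting "$f" db_user)"
    level="$(dvwa_setting "$f" default_security_level)"
    ids="$(dvwa_setting "$f" default_phpids_level)"

    # The config's own comment: root cannot be used on MariaDB, create a DVWA user.
    if [ "$user" = "root" ]; then
        echo "db_user is root: create a dedicated DVWA database user instead" >&2
        n=$((n + 1))
    fi
    case "$level" in
        low|medium|high|impossible) ;;
        *) echo "default_security_level '$level' is not low/medium/high/impossible" >&2
           n=$((n + 1)) ;;
    esac
    case "$ids" in
        enabled|disabled) ;;
        *) echo "default_phpids_level '$ids' must be enabled or disabled" >&2
           n=$((n + 1)) ;;
    esac
    echo "$n"
}

# write_sample_config FILE DB_USER LEVEL -> constructed config in the post's layout
write_sample_config() {
    cat > "$1" <<EOF
<?php
# constructed sample, same layout as the config.inc.php in the post
\$_DVWA = array();
\$_DVWA[ 'db_server' ] = '127.0.0.1';
\$_DVWA[ 'db_database' ] = 'dvwa';
\$_DVWA[ 'db_user' ] = '$2';
\$_DVWA[ 'db_password' ] = 'change-me';
\$_DVWA[ 'db_port'] = '3306';
\$_DVWA[ 'default_security_level' ] = '$3';
\$_DVWA[ 'default_phpids_level' ] = 'disabled';
?>
EOF
}

# Usage: `sh dvwa-check.sh /path/to/config.inc.php`, or no argument for the demo.
if [ -n "${1:-}" ]; then
    echo "findings in $1: $(dvwa_check "$1")"
else
    SAMPLE="${TMPDIR:-/tmp}/dvwa-sample-$$.inc.php"
    write_sample_config "$SAMPLE" root impossible
    echo "findings for the post's settings (root user, impossible level): $(dvwa_check "$SAMPLE")"
    write_sample_config "$SAMPLE" dvwa low
    echo "findings for a dedicated user at level low: $(dvwa_check "$SAMPLE")"
    rm -f "$SAMPLE"
fi
```

The grep pattern tolerates the inconsistent spacing inside the brackets that the posted file has (compare 'db_port'] with 'db_server' ]), which is why the check works on the file exactly as shown rather than only on a reformatted copy.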

That's it: the security vulnerability range environment is set up. So, have you learned it?