Thread: Preparing labs for a webapp security course

  1. #1
    Just burned his ISO
    Join Date
    Jan 2008
    Posts
    4

Preparing labs for a webapp security course

    I am in the process of preparing labs for a university web application security course. We will be working from the Web Application Hacker's Handbook (Stuttard & Pinto). I would like the labs to be challenging and fun, but I'm unsure about a few things. I like the idea of scenario-based challenges. The WebGoat framework is great, but I don't want labs with solutions readily available. I have looked briefly into DVL, WebGoat, and the De-ICE.net live CDs. The students will be in a lab with capable machines running VMWare. While standalone challenges are good, I'm also considering bringing in an element of competition with small groups. I thought this community would be an ideal place to brainstorm. Any insights or suggestions would be greatly appreciated. Thanks!

  2. #2
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

Well, neither DVL nor De-ICE.net is a real webapp lab. They are more focused on OS/application exploits.

Best would be to write your own webapps from scratch. Implement the vulnerabilities you want them to learn about. That hopefully gives you a full understanding of the way each vulnerability works and enables you to answer all of the students' questions.
    Tiocfaidh ár lá

  3. #3
    Just burned his ISO
    Join Date
    Jan 2008
    Posts
    4

    I think you are right - that will be the final verdict. Thanks for the input. I'm also thinking about demoing known vulnerabilities in previous versions of popular web applications.

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

Quote Originally Posted by eagle047:
    I think you are right - that will be the final verdict. Thanks for the input. I'm also thinking about demoing known vulnerabilities in previous versions of popular web applications.
    Don't know if you are aware of this, but the Iron Geek site has a list of vulnerable web applications. You may want to check there and see if there is something suitable.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  5. #5
    Member webtrol's Avatar
    Join Date
    Jan 2010
    Posts
    113

I did a web security class at my work.
    For the initial demonstration I used WebGoat (instead of WebScarab I used the TamperData plugin for Firefox).
    Then for the challenge I created a very vulnerable application in PHP 5 (I even turned magic quotes off); it was all of 4 web pages.
    Students got to attack the application etc. It was actually a lot less work than I feared.

While WebGoat might not be great for your lab, it might still be useful as a demo/learning tool.

    Good luck and let us know how it all went.

    Sin-cerely,
    trol

  6. #6
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    In addition to WebGoat, Foundstone makes about five "broken" web apps for learning security.

    Hacme Travel™
    Hacme Bank™
    Hacme Shipping™
    Hacme Casino™
    Hacme Books™
    Thorn
    Stop the TSA now! Boycott the airlines.
