Preparing labs for a webapp security course
I am in the process of preparing labs for a university web application security course. We will be working from the Web Application Hacker's Handbook (Stuttard & Pinto). I would like the labs to be challenging and fun, but I'm unsure about a few things. I like the idea of scenario-based challenges. The WebGoat framework is great, but I don't want labs with solutions readily available. I have looked briefly into DVL, WebGoat, and the De-ICE.net live CDs. The students will be in a lab with capable machines running VMWare. While standalone challenges are good, I'm also considering bringing in an element of competition with small groups. I thought this community would be an ideal place to brainstorm. Any insights or suggestions would be greatly appreciated. Thanks!
Well neither DVL nor DE-ICE.net are real webapp labs. They are more focused on OS/application exploits.
Best would be to write your own webapps from scratch. Implement the vulnerabilities you want them to learn about. That hopefully gives you the full understanding of the way the vulnerability is working and enables you to answer all of the questions of the students.
Tiocfaidh ár lá
I think you are right - that will be the final verdict. Thanks for the input. I'm also thinking about demoing known vulnerabilities in previous versions of popular web applications.
Don't know if you are aware of this, but the Iron Geek site has a list of vulnerable web applications. You may want to check there and see if there is something suitable.Originally Posted by eagle047
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
I did a web security class at my work.
For initial demonstration I used WebGoat (instead of webScarab I used temperData plugin for firefox).
Then for challenge I created a very vulnerable application in php5 (even turned magic quotes off), it was all of 4 web pages.
Students got to attack the application etc. It was actually a lot less work then I feared.
While webGoat might not be great for your lab, it might still be useful as demo/learning tool.
Good luck and let us know how it all went.
Sin-cerely,
trol
In addition to WebGoat, Foundstone makes about five "broken" web apps for learning security.
Hacme Travel™
Hacme Bank™
Hacme Shipping™
Hacme Casino™
Hacme Books™
Thorn
Stop the TSA now! Boycott the airlines.
Posting Permissions
