Learning about web security with Web Security Dojo
Master Class
Protecting your own websites from attack either costs a lot of money or requires a lot of expertise. Web Security Dojo helps you learn to think like an expert.
Security is now a major focus for Internet users and companies. Unfortunately, the sophisticated nature of recent attack techniques, as well as the ever-increasing surveillance ambitions of the authorities and data-mining corporations, continues to complicate the quest for a safe and secure Internet.
A specialized Linux environment called Web Security Dojo [1] offers an easy way for everyday users and beginning professionals to learn about web security. Dojo is designed to provide practical, hands-on exercises on web security and intrusion techniques.
The Dojo virtual appliance is available on SourceForge [2] as an image of around 2.3GB in OVA format. The Dojo is suitable to run in VirtualBox from version 5.0 and also in VMware. After you download the image, install a test environment in VirtualBox by specifying the storage path for the OVA file in the newly opened dialog via the File | Import Appliance… menu. Then create a new virtual machine from the appliance (Figure 1).
The virtual machine is available in VirtualBox as Dojo 3.0. After booting, Dojo launches as a Xubuntu 16.04 32-bit system with the XFCE desktop (Figure 2).
Start and Finish
The Web Security Dojo virtual learning environment includes various services that are configured to serve as targets for simulated attacks. The services listed in the Targets menu cover a wide range of possible attack scenarios. Some of these target services are already active by default; others must be launched manually.
Some of the services in the Targets menu are web-based applications that require a proxy service. These proxy services are available in the form of Firefox add-ons (Figure 3). Since targets and tools already exist on the same system, you do not need an active Internet connection for the lessons.
Application
Firefox is the center of Web Security Dojo. When Launched, Firefox first offers the option to call the Damn Vulnerable Web Application (DVWA) page [3], a preconfigured test environment that familiarizes the user with a variety of vulnerabilities in web applications (Figure 4). In the DVWA window, log in with the username admin
and password password
.
In the menu on the left, you will find various attack technique options, such as Cross Site Scripting (XSS), SQL Injection, CSRF, or Brute Force. For the various scenarios, you will receive background information in the form of links to related websites and wikis.
In addition to DVWA, Dojo has other tools for more advanced attack scenarios. For example, you will find the Java application WebGoat, which is part of the OWASP Project [4]. Launch WebGoat using the WebGoat Start script in the Targets menu, and then click on the WebGoat link in Firefox on the homepage. You can authenticate using guest as a username and password.
The application provides a brief introduction and lists various test scenarios in a vertical scrollbar on the left edge of the screen (Figure 5). Subgroups partly summarize individual categories. For example, under Authentication Flaws , you will find tests for authentication vulnerabilities.
Several options appear at the top edge of the screen. Click on Show Solution to display the solution to a scenario; Show Plan provides additional didactic information. Show Source familiarizes you with the source code, and Restart Lesson launches the active task again. WebGoat Stop from the menu stops the service.
Google Gruyere and McAfee's Hacme Casino are two other toolkits for learning protection technologies for web pages. You have to manually launch these tools via the Targets menu before the web pages are available in Firefox. Gruyere, which is named after the cheese, portrays several typical methods for hacking a website and familiarizes you with solutions that prevent such attacks.
Hacme Casino is extremely playful and looks like a gambling website; however, it also serves as a learning tool, letting the user trace through some common attack techniques. A detailed manual for Hacme Casino is available in English with many practical examples [5].
In the Tools menu, you will find a wide range of tools and scanners for your own research. These tools includes the security scanner Arachni, the browser exploitation framework BeEF, the Metasploit Framework, and the w3af framework – including a command-line version. DirBuster, an application written in Java for brute force attacks, and BurpSuite are also available. Pure command-line applications such as Skipfish, SqlMap, or Skavenger Shell round out the portfolio.
Documentation
The manufacturer has put a lot of effort into documentation for Web Security Dojo. You'll find plenty of PDF and HTML files for the various tools, as well as several video tutorials hosted on YouTube. The documents and videos make it easier for beginners to install and get acquainted with the system. You can also find some basic information on the desktop in the README.html
and GettingStarted.html
files.
Instructions for the main suites and frameworks are available in the Documentation folder. The Zim desktop wiki is available for you to record your own notes. To launch Zim, click the Zim icon on the desktop.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4
-
Fedora Unleashes Atomic Desktops
Fedora has combined its solid distribution with rpm-ostree system to make it possible to deliver a new family of Fedora spins, called Fedora Atomic Desktops.
-
Bootloader Vulnerability Affects Nearly All Linux Distributions
The developers of shim have released a version to fix numerous security flaws, including one that could enable remote control execution of malicious code under certain circumstances.