Learning about web security with Web Security Dojo
Master Class
Protecting your own websites from attack either costs a lot of money or requires a lot of expertise. Web Security Dojo helps you learn to think like an expert.
Security is now a major focus for Internet users and companies. Unfortunately, the sophisticated nature of recent attack techniques, as well as the ever-increasing surveillance ambitions of the authorities and data-mining corporations, continues to complicate the quest for a safe and secure Internet.
A specialized Linux environment called Web Security Dojo [1] offers an easy way for everyday users and beginning professionals to learn about web security. Dojo is designed to provide practical, hands-on exercises on web security and intrusion techniques.
The Dojo virtual appliance is available on SourceForge [2] as an image of around 2.3GB in OVA format. The Dojo is suitable to run in VirtualBox from version 5.0 and also in VMware. After you download the image, install a test environment in VirtualBox by specifying the storage path for the OVA file in the newly opened dialog via the File | Import Appliance… menu. Then create a new virtual machine from the appliance (Figure 1).
The virtual machine is available in VirtualBox as Dojo 3.0. After booting, Dojo launches as a Xubuntu 16.04 32-bit system with the XFCE desktop (Figure 2).
Start and Finish
The Web Security Dojo virtual learning environment includes various services that are configured to serve as targets for simulated attacks. The services listed in the Targets menu cover a wide range of possible attack scenarios. Some of these target services are already active by default; others must be launched manually.
Some of the services in the Targets menu are web-based applications that require a proxy service. These proxy services are available in the form of Firefox add-ons (Figure 3). Since targets and tools already exist on the same system, you do not need an active Internet connection for the lessons.
Application
Firefox is the center of Web Security Dojo. When Launched, Firefox first offers the option to call the Damn Vulnerable Web Application (DVWA) page [3], a preconfigured test environment that familiarizes the user with a variety of vulnerabilities in web applications (Figure 4). In the DVWA window, log in with the username admin
and password password
.
In the menu on the left, you will find various attack technique options, such as Cross Site Scripting (XSS), SQL Injection, CSRF, or Brute Force. For the various scenarios, you will receive background information in the form of links to related websites and wikis.
In addition to DVWA, Dojo has other tools for more advanced attack scenarios. For example, you will find the Java application WebGoat, which is part of the OWASP Project [4]. Launch WebGoat using the WebGoat Start script in the Targets menu, and then click on the WebGoat link in Firefox on the homepage. You can authenticate using guest as a username and password.
The application provides a brief introduction and lists various test scenarios in a vertical scrollbar on the left edge of the screen (Figure 5). Subgroups partly summarize individual categories. For example, under Authentication Flaws , you will find tests for authentication vulnerabilities.
Several options appear at the top edge of the screen. Click on Show Solution to display the solution to a scenario; Show Plan provides additional didactic information. Show Source familiarizes you with the source code, and Restart Lesson launches the active task again. WebGoat Stop from the menu stops the service.
Google Gruyere and McAfee's Hacme Casino are two other toolkits for learning protection technologies for web pages. You have to manually launch these tools via the Targets menu before the web pages are available in Firefox. Gruyere, which is named after the cheese, portrays several typical methods for hacking a website and familiarizes you with solutions that prevent such attacks.
Hacme Casino is extremely playful and looks like a gambling website; however, it also serves as a learning tool, letting the user trace through some common attack techniques. A detailed manual for Hacme Casino is available in English with many practical examples [5].
In the Tools menu, you will find a wide range of tools and scanners for your own research. These tools includes the security scanner Arachni, the browser exploitation framework BeEF, the Metasploit Framework, and the w3af framework – including a command-line version. DirBuster, an application written in Java for brute force attacks, and BurpSuite are also available. Pure command-line applications such as Skipfish, SqlMap, or Skavenger Shell round out the portfolio.
Documentation
The manufacturer has put a lot of effort into documentation for Web Security Dojo. You'll find plenty of PDF and HTML files for the various tools, as well as several video tutorials hosted on YouTube. The documents and videos make it easier for beginners to install and get acquainted with the system. You can also find some basic information on the desktop in the README.html
and GettingStarted.html
files.
Instructions for the main suites and frameworks are available in the Documentation folder. The Zim desktop wiki is available for you to record your own notes. To launch Zim, click the Zim icon on the desktop.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
-
Plasma Desktop Will Soon Ask for Donations
The next iteration of Plasma has reached the soft feature freeze for the 6.2 version and includes a feature that could be divisive.
-
Linux Market Share Hits New High
For the first time, the Linux market share has reached a new high for desktops, and the trend looks like it will continue.
-
LibreOffice 24.8 Delivers New Features
LibreOffice is often considered the de facto standard office suite for the Linux operating system.
-
Deepin 23 Offers Wayland Support and New AI Tool
Deepin has been considered one of the most beautiful desktop operating systems for a long time and the arrival of version 23 has bolstered that reputation.
-
CachyOS Adds Support for System76's COSMIC Desktop
The August 2024 release of CachyOS includes support for the COSMIC desktop as well as some important bits for video.
-
Linux Foundation Adopts OMI to Foster Ethical LLMs
The Open Model Initiative hopes to create community LLMs that rival proprietary models but avoid restrictive licensing that limits usage.
-
Ubuntu 24.10 to Include the Latest Linux Kernel
Ubuntu users have grown accustomed to their favorite distribution shipping with a kernel that's not quite as up-to-date as other distros but that changes with 24.10.
-
Plasma Desktop 6.1.4 Release Includes Improvements and Bug Fixes
The latest release from the KDE team improves the KWin window and composite managers and plenty of fixes.
-
Manjaro Team Tests Immutable Version of its Arch-Based Distribution
If you're a fan of immutable operating systems, you'll be thrilled to know that the Manjaro team is working on an immutable spin that is now available for testing.