Open Web Security Essentials
Over the past two weeks, I’ve been working through The Web Application Hacker’s Handbook. Although it’s not part of the 8th Light core curriculum, it ought to be: it’s a comprehensive catalog of web security mistakes and a great introduction to thinking about vulnerabilities from an attacker’s perspective. The only gripe I have with the authors is their penchant for plugging expensive closed-source software and online training. Fortunately, I’ve found plenty of free alternatives. Here are a few of the essential tools I’ve found for developers interested in web security.
VirtualBox
Every tool in my pentesting kit depends on VirtualBox. Working in virtual machines keeps my security tools separate from my development environment, and allows me to practice attacking hideously vulnerable applications in quarantine. VirtualBox includes excellent network configuration options, including completely virtualized local networks that make it easy to keep things compartmentalized.
Kali Linux
Kali Linux, formerly BackTrack, is a specialized Debian distribution that includes hundreds of built-in security tools. I can’t begin to imagine the time I might have spent with Homebrew installing and configuring everything included here. The tools included with Kali are many and powerful, and I’ve discovered a new fuzzer, proxy, or scanner to try for every topic in the book.
Zed Attack Proxy
The authors of WAHH frequently plug their own Burp Suite, a closed-source intercepting proxy that costs $300 per user per year to do anything useful. Zed Attack Proxy, developed by OWASP (the Open Web Application Security Project), is completely free, Apache licensed, and just as good an educational and testing tool. (It’s included in Kali, along with the free edition of Burp.) Hacking tools are not always the most carefully crafted software, but ZAP is an extremely stable, very pleasant exception. WebScarab, also by OWASP, is another good free alternative.
SQLMap
I remember the joy of my first successful SQL injection like it was last Thursday. (It was last Thursday, but that’s beside the point.) The thrill of breaking in with a well-placed apostrophe and a couple of dashes takes a while to wear off, but diminishing returns are likely to set in after 50 handcrafted variations on the same GET parameter. Fortunately, there’s SQLMap, which almost makes it too easy, automating the entire process of finding and exploiting SQL injection vulnerabilities.
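The flip side of the apostrophe-and-dashes trick is spotting it in your own logs. The following is an added example, not code from the post or from any of the tools it mentions: a small Ruby script that parses web server access log lines in the common "combined" format, URL-decodes the request path, and flags the classic injection signatures (a quote followed by a SQL comment, a quote followed by a boolean tautology, and UNION SELECT). The log lines are constructed for this example, and the user-agent check assumes the scanner identifies itself with a string containing "sqlmap"; it also shows why a lone apostrophe (as in "o'brien") is not by itself a signal.

```ruby
require 'cgi'

# Constructed sample traffic in Apache/nginx "combined" log format; not real data.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [12/Mar/2014:10:01:12 +0000] "GET /products?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
  10.0.0.5 - - [12/Mar/2014:10:01:19 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
  10.0.0.7 - - [12/Mar/2014:10:02:03 +0000] "GET /login?user=admin%27--&pass=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  10.0.0.9 - - [12/Mar/2014:10:03:44 +0000] "GET /products?id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "sqlmap/1.0 (http://sqlmap.org)"
  10.0.0.5 - - [12/Mar/2014:10:04:00 +0000] "GET /search?q=o%27brien HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
LOG

# One "combined" log line: client, identd, user, [time], "request", status, bytes, "referer", "user-agent".
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"\z/

# Parse a single line into a hash, or return nil for lines that do not fit the format.
# The path is percent-decoded so that %27 becomes an apostrophe before pattern matching.
def parse_line(line)
  m = LOG_RE.match(line.strip) or return nil
  { ip: m[:ip], path: CGI.unescape(m[:path]), status: m[:status].to_i, ua: m[:ua] }
end

# Return the list of injection indicators present in one parsed entry (empty if none).
def sqli_indicators(entry)
  hits = []
  # A quote immediately followed by a SQL comment: the "apostrophe and dashes" pattern.
  hits << :comment_truncation if entry[:path] =~ /'\s*(--|#|\/\*)/
  # A quote followed by OR/AND and a comparison, e.g. ' OR '1'='1
  hits << :boolean_tautology  if entry[:path] =~ /'\s*(or|and)\s+\S+\s*=/i
  # UNION [ALL] SELECT used to append attacker-controlled rows to a result set.
  hits << :union_select       if entry[:path] =~ /\bunion\b\s+(all\s+)?select\b/i
  # Assumption for this example: the scanner's default user agent contains "sqlmap".
  hits << :scanner_user_agent if entry[:ua] =~ /sqlmap/i
  hits
end

# Scan a whole log text and return only the entries with at least one indicator.
def scan_log(text)
  text.each_line.filter_map do |line|
    entry = parse_line(line) or next
    hits = sqli_indicators(entry)
    next if hits.empty?
    { ip: entry[:ip], path: entry[:path], indicators: hits }
  end
end

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]}  #{hit[:indicators].join(',')}  #{hit[:path]}"
  end
end
```

The patterns are deliberately narrow: a false positive on every O'Brien in your search logs would train people to ignore the alert. Run it over a real log and the interesting entries are the ones where the same client trips several indicators in quick succession, which is exactly what an automated tool like SQLMap looks like from the server side.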
All these tools are no fun without something to (safely, responsibly, legally) attack. Browsing through WAHH, I was excited to see lots of links to online interactive labs illustrating almost every concept. I was less excited to discover that they’re completely proprietary and cost $7/hour. Fortunately, there are plenty of open alternatives:
Metasploitable2
Metasploitable2 is an intentionally vulnerable virtual machine configured to run several vulnerable web applications on port 80 by default, including Damn Vulnerable Web App and Mutillidae. Before booting it up, please make sure your network settings are configured correctly: it should never ever be exposed to users on your network or the internet.
RailsGoat
I’m not reading WAHH to become a professional pentester. I’m doing it to learn how to develop safe web applications, and we write lots of them in Rails. RailsGoat (yet another OWASP project) is a vulnerable Rails application with built-in documentation and examples of the top 10 web vulnerabilities. Best of all, each one includes code samples, which are especially useful for a developer like me trying to avoid writing a goat of my own.
Many of these resources come courtesy of OWASP, the Open Web Application Security Project. In addition to developing lots of free tools, they’re an excellent resource for learning about web security.