For this course we suggest one of the following two setups: a pre-built Kali Linux virtual machine (running in VirtualBox), or Docker, the Burp Suite and Firefox installed directly on your own machine.
For both setups we have a few notes here that might help you get started, including some tips to test whether everything works as expected.
The first option might be the one for you if you want everything ready in a box (and don't mind several GB of download), and if you are fine with working outside your native desktop environment, on a Kali Linux desktop.
The second option might be the one for you if you would rather have everything on your own machine, so you can work in your native environment. Also, if your machine is not that fast (fewer than 4 CPU cores or 4 GB of RAM), you might want to choose the Docker container version.
Both options should work fine whether you are using a (moderately recent) Linux, Mac or Windows operating system. If you are already running Linux, the second version might just be the thing for you. For Mac and Windows users the first option might be less tedious to set up, but at the cost of having to work inside a virtual Linux desktop later.
Disclaimer: if you happen to have VMware or are familiar with running Hyper-V images, you don't need VirtualBox. In this case, just download the VMware or Hyper-V images instead of the VirtualBox image. This way your virtual machine will be much faster. The explanations below are just tailored to VirtualBox, because this is freely available and can be used on any OS.
For this setup you only need to install the current VirtualBox virtualization software: go to https://www.virtualbox.org and open their download page, where you will find different downloads depending on which operating system you are using.
Once you have VirtualBox, go to the section with the pre-built virtual machines on the Kali Download page and download the VirtualBox image (or the VMware or Hyper-V image if you are already using one of those). After the download you need to extract the image file, and in the extracted folder you can just double-click on the .vbox file. Then, in VirtualBox, you can start the machine.
To log in, use the following initial credentials:
You can change these after login. In any case only you should be able to access the machine. It has network access, but over a NAT, so it can reach the internet (if your host machine is connected), but it cannot be reached from outside.
Now we need to install docker and docker compose with the following commands in a terminal:
You can already use docker now, but you need sudo privileges. This can be a bit annoying, so adding yourself to the docker group might be handy:
Everything is set up now, and Kali already includes Firefox and the Burp Suite (as well as a lot of other practical offensive security tools).
For this setup you will need three things: Docker, the Burp Suite and Firefox (unless you already have some of them set up).
To install Docker, go to https://docs.docker.com/get-docker/ and follow the install docs for your operating system. For Burp, do the same on https://portswigger.net/burp/communitydownload. Finally, Firefox is probably the most straightforward to set up: https://www.mozilla.org/firefox/new/. On a Linux distribution you might already have it installed, or you can easily install it through your package manager.
In both cases we will be running the Damn Vulnerable Web Application as a Docker container, because it is then neatly separated from your system and it saves us the tedious work of setting up web and database servers.
For this we download the docker compose file from the official DVWA repository, which you can get directly here: https://github.com/digininja/DVWA/blob/master/compose.yml (if you want to download it directly, e.g. with wget, use the raw link to the file).
Note for virtual machine Kali users:
- You need to download the file inside your virtual machine. The fastest way to do that is probably to open a terminal and execute
wget https://github.com/digininja/DVWA/raw/master/compose.yml
Now a compose.yml file should be in your home directory.
- After that you need to open the file and remove (or comment out) line 11, where it says build: . (the dot is part of the line). This is due to an older Docker version available in the Kali repositories.
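The edit above is described by line number; as an added example (not part of the DVWA project or these course notes), the small script below does the same change by matching the line's content instead, so it still works if the upstream file shifts. The compose fragment it writes is a constructed sample with a placeholder image name, not the real DVWA file.

```shell
#!/bin/sh
# Added example, not part of the DVWA project or these course notes.
# Comments out the "build: ." line in a compose.yml so that an older
# Docker (such as the one in the Kali repositories) uses the published
# image instead of trying to build locally. The line is matched by its
# content rather than by line number, so it survives upstream edits.

# comment_out_build FILE -> rewrites FILE in place, keeping FILE.bak
comment_out_build() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    sed -i.bak -e 's/^\([[:space:]]*\)build:[[:space:]]*\.[[:space:]]*$/\1# build: ./' "$file"
}

# active_build_lines FILE -> prints how many uncommented "build:" lines remain
active_build_lines() {
    grep -c '^[[:space:]]*build:' "$1" || true
}

# write_sample_compose FILE -> writes a small constructed compose file for
# trying the functions out (placeholder image; the real DVWA file is longer)
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  dvwa:
    build: .
    image: "example/dvwa-placeholder:latest"
    ports:
      - "127.0.0.1:4280:4280"
EOF
}

# Usage on the real file: comment_out_build ~/compose.yml
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_compose "$tmp/compose.yml"
    comment_out_build "$tmp/compose.yml"
    echo "uncommented build lines left: $(active_build_lines "$tmp/compose.yml")"
    cat "$tmp/compose.yml"
fi
```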
Now, to start the DVWA, the only thing you need to do is run docker compose up (in a terminal, in the folder where you downloaded the compose.yml file to).
Side note on Docker Hub images: of course we should not just run any image we find on Docker Hub. But this one comes from the DVWA's GitHub repo, and I even added a small pull request to make the default port mapping more secure. So we should be able to trust the image listed in the compose.yml file.
Now you should see some output from the container as it starts up the web and database servers, and then you should be able to just open your browser and connect to http://localhost:4280. There you should be greeted by the DVWA's login screen.
To stop the container again, just press Ctrl+C in the terminal where you started it.
That is all you need for now. Congratulations! See you at the workshop.
Side note for those very curious in advance: if you want to play around with the DVWA beforehand, feel free to do so. Go to the Docker Hub page linked above; there you will find the default credentials, so you can log into the DVWA, do the initial setup (just a click on the button) and then explore the available assortment of vulnerabilities.
The DVWA and MariaDB containers are generally ephemeral. But in order for you to be able to continue your work and not have to go through the initial setup again, one volume is persisted for the database container. This way, the next time you do a docker compose up, the state of the database is still the same. You can see how the volume is mounted in the compose.yml file, where for the db service it says:
This means that the first time you start the services, a named volume dvwa will be created and mounted into the container at /var/lib/mysql, where the actual database files reside. The volume is just a folder on your system, wherever docker stores its named volumes (usually under /var/lib/docker/volumes/).
If at some point you want to fully get rid of this data (or just start with a fresh setup), you can remove this volume with docker volume rm web-hacking_dvwa (if the folder your compose file resides in is called web-hacking; otherwise replace it with your folder name, or take a look at your volumes with docker volume ls). If you get an "Error response from daemon" that says "volume is in use", do a docker compose down, which makes sure the containers are not only stopped but fully removed.
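The volume name depends on your folder name, so as an added example (not part of the DVWA project or these notes) the helper below derives the Compose project name the way Compose v2 does from the folder, builds the volume name from it, and prints the cleanup commands without running them. It assumes the compose file sets no top-level project name (as the web-hacking_dvwa example above implies) and that curl is installed for the optional reachability probe.

```shell
#!/bin/sh
# Added example, not part of the DVWA project or these course notes.
# Works out the name Docker Compose gives the "dvwa" named volume and
# prints the matching cleanup commands, so the right volume is removed
# whatever the compose folder happens to be called.

# compose_project_name DIR -> Compose's default project name for DIR:
# the folder's basename, lowercased, with characters outside [a-z0-9_-]
# dropped and leading "-" or "_" trimmed (Compose v2 normalisation).
compose_project_name() {
    basename "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/[^a-z0-9_-]//g' -e 's/^[-_]*//'
}

# volume_name DIR VOLUME -> "<project>_<VOLUME>", e.g. web-hacking_dvwa
volume_name() {
    printf '%s_%s\n' "$(compose_project_name "$1")" "$2"
}

# cleanup_commands DIR -> prints (does not run) the commands that first
# remove the containers, so the volume is no longer "in use", then the volume
cleanup_commands() {
    printf 'cd %s && docker compose down\n' "$1"
    printf 'docker volume rm %s\n' "$(volume_name "$1" dvwa)"
}

# dvwa_http_status [URL] -> HTTP status code the DVWA front page answers
# with, or 000 when nothing listens on the port (assumes curl is installed)
dvwa_http_status() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "${1:-http://localhost:4280/}" || true
    echo
}

# Usage: sh thisscript.sh demo /path/to/your/compose-folder
if [ "${1:-}" = "demo" ]; then
    cleanup_commands "${2:-$PWD}"
    echo "DVWA answered with HTTP status: $(dvwa_http_status)"
fi
```

Any 2xx or 3xx status from the probe means the web server inside the container is up; DVWA redirects a fresh visitor to its login page.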
There are of course many more possible setups than these two for what we will be doing in this workshop. If you want to tinker around with different setups, feel free to do so. But please make sure to at least have a running version of the Damn Vulnerable Web Application that you can access from the machine you attend the workshop with.
Ideally we would also like everyone to use the Firefox web browser, so we have the same reference points when it comes to browser matters. Of course everything can also be done with almost any other browser, or even with tools like curl or httpie.
You also don't actually need the Burp Suite to solve all the challenges in this course, but it helps a lot. And if you want to continue testing your own web applications at a later point, getting into Burp now might be a valuable and time-saving start.