# Setup-Guide: Hack the heck out of this website!

For this course we suggest one of the following two setups:

1. everything within one pre-configured VirtualBox machine based on Kali Linux
2. working on your own machine using the Burp Suite Community Edition and Firefox as well as a Docker container running the Damn Vulnerable Web Application

For both setups we have a few notes here that might help you get started, including some tips to test whether everything works as expected.

The first option might be the one for you if you want everything ready in a box, don't mind several GB of downloads, and are fine with working outside your native desktop environment on a Kali Linux desktop.

The second option might be the one for you if you would rather have everything on your own machine, so you can work in your native environment. Also, if your machine is not that fast (fewer than 4 CPU cores or less than 4 GB RAM), you might want to choose the Docker container version, since it does not need a whole second desktop running next to your own.

Both options should work fine whether you are using a (moderately recent) Linux, Mac or Windows operating system. If you are already running on Linux, the second version might just be the thing for you. For Mac and Windows users the first option might be less tedious in setup, but at the cost of having to work inside a virtual Linux desktop later.

## 1. Using the pre-configured VirtualBox machine

For this setup you only need to install the current [VirtualBox](https://www.virtualbox.org/) virtualization software. So just go to https://www.virtualbox.org and to their download page. There you find different downloads depending on which operating system you are using.

**Important:** Make sure to have a current VirtualBox 6.x version. So if you already have VirtualBox installed, but in a version <6.x, please upgrade first, because otherwise our image might not run.
Once you have VirtualBox, you can download our pre-configured Hthoot-Kali-Image [hack-the-heck.ova](https://nextcloud.tantemalkah.at/index.php/s/5qAzHKKDYcDxoHQ) (4.4GB). After the download is complete you can start your VirtualBox program and import the downloaded file as a new appliance. Just go to _File_ -> _Import Appliance_ in the menu and choose the downloaded image.

If everything went fine, a Kali machine should boot. To log in, use the following initial credentials:

* user: kali
* pass: kali

You can change these after login. Since these defaults are public, change them at the latest before you ever switch the VM's network adapter from NAT to bridged mode. In any case only you should be able to access the machine. It has network access, but over NAT, so it can reach the internet (if your host machine is connected), but it cannot be reached from outside.

## 2. Using a Docker container

For this setup you will need three things (unless you already have some of them set up):

* [Docker](https://www.docker.com/) as a containerization environment
* [Firefox](https://www.mozilla.org/firefox/) as a web browser
* [Burp Suite Community Edition](https://portswigger.net/burp) for HTTP request inspection and manipulation

To install Docker go to https://docs.docker.com/get-docker/ and follow the install docs for your operating system. For Burp do the same on https://portswigger.net/burp/communitydownload. Finally, Firefox may give you the most straightforward setup on https://www.mozilla.org/firefox/new/. On a Linux distribution you might already have it installed or could easily install it through your package manager.

# Testing your setup and running the DVWA

In both cases we will be running the Damn Vulnerable Web Application as a Docker container, because there is already a Docker image on the Docker Hub: https://hub.docker.com/r/vulnerables/web-dvwa. This saves us the tedious work of setting up web and database servers. Here you find the commands you need to start the container and information on how to log in to your DVWA.
For those who prefer a short video guide on that, we have created two screencasts:

* [Starting the DVWA with Docker on your system](https://nextcloud.tantemalkah.at/index.php/s/YY5HHmfyDf8GY7Z) (~ 6:40min / 45MB)
* [Starting the DVWA with the virtual Kali machine provided by us](https://nextcloud.tantemalkah.at/index.php/s/TRmcfP3AKm2meFY) (~ 5:20min / 43MB)
* (if your browser does not play the video directly from the Nextcloud share, you can download it and play it with the video player of your choice, e.g. [VLC](https://www.videolan.org/vlc/))

If you are using the VirtualBox image you can just open a terminal and use a little helper script we made to start the DVWA:

```bash
./start-dvwa.sh
```

Or you could do the same as in the second setup (actually the above script also only does exactly this, it is just a tad more convenient):

```bash
docker run --rm -it -p 127.0.0.1:80:80 vulnerables/web-dvwa
```

> **Side note on Docker Hub images:** Of course we should not just run any image we find on the Docker Hub. But this one is referenced in the [DVWA's GitHub repo](https://github.com/digininja/DVWA), is starred by many people and has been downloaded over 5M times (unlike many other DVWA images that can also be found on the Docker Hub). If you want to be sure you pulled exactly the image you looked at, compare the digest shown on the Docker Hub page with the output of `docker images --digests vulnerables/web-dvwa` after the pull.

In both cases you should see some output of the container as it starts up the web and database server, and then you should be able to just open your browser and connect to _http://localhost_. There you should be greeted by the DVWA's login screen.

To stop and clean up the container again, just press Ctrl+C in the terminal where you started it.

That is all you need for now. Congratulations! See you at the workshop.

> **Side note for those very curious in advance:** if you want to play around with the DVWA already beforehand, feel free to do so.
> Go to the Docker Hub page linked above, where you find the default credentials, so you can log into the DVWA, do the initial setup (just a click on the button) and then explore the available assortment of vulnerabilities.

> **Side note on the docker run command:** the above docker command is only slightly different from the one found in the DVWA's documentation. While they use `-p 80:80`, we use `-p 127.0.0.1:80:80`. It seems subtle, but it is an important difference: in the first case the port is published on port 80 of your host machine on all network interfaces (the wildcard address 0.0.0.0), so everyone on your (W)LAN could access it. In our case, with the 127.0.0.1 provided explicitly, only the local host machine itself will be able to connect to it. Note that on Linux a host firewall such as ufw does not save you here, because Docker inserts its own iptables rules for published ports ahead of the firewall's rules, so binding to 127.0.0.1 is the reliable fix. You can verify the binding on the host with `docker port <container>` or `ss -ltn`: a listener shown as `0.0.0.0:80` or `[::]:80` is reachable from the network, one shown as `127.0.0.1:80` is not. Here is what the whole command does in detail:
>
> 1. it pulls the `web-dvwa` image from the Docker Hub (if not already done before) and starts a new container from this image
> 2. through the `--rm` option it cleans up the whole container and its data after it is shut down
> 3. the `-it` options connect the process to our **i**nteractive **t**erminal, so that we can easily stop the container with Ctrl+C
> 4. through the `-p 127.0.0.1:80:80` option it binds/maps port 80 of the container itself (on which the web application is running) to IP 127.0.0.1, port 80 of the Docker host machine. This allows us to connect to port 80 of the container from the host we are running Docker on (but not from anyone outside of our host).
>
> If on your device port 80 is already used (e.g. because you have an actual web server running there), you could also use something like `-p 127.0.0.1:12345:80` to map it to port 12345. Then the DVWA would run on http://localhost:12345 rather than http://localhost.

# Generic notes

There are of course a lot more possible setups than these two in order to do what we want to guide you through in this workshop. If you want to tinker around with different setups, feel free to do so.
But please make sure to at least have a running version of the [Damn Vulnerable Web Application](https://dvwa.co.uk/) that you can access from the machine you attend the workshop with.

Ideally we would also like everyone to use the Firefox web browser, so we have the same reference points when it comes to browser stuff. Of course everything can also be done with almost any other browser, or even with tools like `curl` or `httpie`.

You also don't actually need the Burp Suite to solve all the challenges in this course, but it helps a lot. Also, if you want to continue testing other or your own web applications at a later point, getting into using Burp now might be a valuable and time-saving start for later.
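The side note on the `docker run` command above makes the point that `-p 80:80` publishes the DVWA on every interface of your host while `-p 127.0.0.1:80:80` keeps it on loopback. The following script is an added example written for this guide, not code from the original setup guide or from the DVWA project. It builds the loopback-only run command for a chosen host port and audits listener lines in the format of `ss -ltn` for wildcard binds, so you can check after starting the container whether the DVWA ended up reachable from your (W)LAN. The listener lines it audits are constructed samples, and the `ss -ltn` column layout is assumed to be the one iproute2 prints.

```sh
#!/bin/sh
# Added example for this setup guide (not code from the original page or the
# DVWA project).
# 1. dvwa_run_cmd: builds the loopback-only docker run command for a host port.
# 2. exposed_listeners: reads `ss -ltn` style lines and reports listeners on a
#    given port that are bound to a wildcard address (reachable from the LAN).

# Build the run command. The host side is always pinned to 127.0.0.1, so the
# container's port 80 is published on loopback only.
dvwa_run_cmd() {
    hport="${1:-80}"
    printf 'docker run --rm -it -p 127.0.0.1:%s:80 vulnerables/web-dvwa\n' "$hport"
}

# Constructed sample of `ss -ltn` output (assumption: iproute2 column layout).
# The 0.0.0.0:80 and [::]:80 entries are what `-p 80:80` produces on a dual-stack
# host; the 127.0.0.1:8080 entry is what `-p 127.0.0.1:8080:80` produces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:80        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8080    0.0.0.0:*
LISTEN 0      4096   [::]:80           [::]:*'

# Read ss -ltn lines on stdin and print every listener on port $1 whose bind
# address is a wildcard (0.0.0.0, [::] or *). Returns 1 if any was found,
# 0 if the port is only bound to specific addresses such as 127.0.0.1.
exposed_listeners() {
    want="$1"
    found=0
    while read -r state _rq _sq laddr _rest; do
        [ "$state" = "LISTEN" ] || continue   # skips the header line
        lport="${laddr##*:}"                  # text after the last colon
        addr="${laddr%:*}"                    # text before it ([::] stays intact)
        [ "$lport" = "$want" ] || continue
        case "$addr" in
            0.0.0.0|'[::]'|'*') printf '%s\n' "$laddr"; found=1 ;;
        esac
    done
    return "$found"
}

# Run directly: print the command for the chosen port and audit the sample.
HOST_PORT="${1:-80}"
dvwa_run_cmd "$HOST_PORT"
if printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$HOST_PORT"; then
    echo "port $HOST_PORT: loopback/specific address only"
else
    echo "port $HOST_PORT: EXPOSED on a wildcard address (see lines above)"
fi
```

To audit your real host instead of the constructed sample, pipe `ss -ltn` into `exposed_listeners 80` (or whatever host port you chose); an empty result with exit status 0 means the DVWA is not listening on a wildcard address.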