Deploy vulnerable web applications for Application Security (AppSec) training in under 25 minutes

After successfully installing Kali Linux, use this article as reference to get started with Web Application Security Testing for free. The applications used in this article are open-sourced and great for configuring a lab environment on your local machine.
Installing DVWA and Juice Shop
Here is a one-liner that updates Kali and installs the DVWA and Juice Shop metapackages. Copy it directly from here:
sudo apt update && sudo apt full-upgrade -y && sudo apt install kali-linux-labs -y
(Enter sudo credentials for successful execution of commands used in this article)
The installation completes in roughly 20 minutes, depending on download speed.
That's it: the vulnerable metapackages for testing are now fully installed.
Let’s start our vulnerable applications now.
AppSec testing with DVWA
Step 1. Start DVWA with the command “dvwa-start”
(Remember: Enter sudo credentials for successful execution)
Default credentials for a new DVWA instance are:
- Default username = admin
- Default password = password

The setup page loads immediately after login. If it does not, browse directly to localhost:dvwaport/setup.php on the local instance.
Step 2. Scroll down and click Create/Reset Database

Clicking Create/Reset Database should display something similar to the response below

After seeing “Setup Successful!”, be sure to configure the security level for this instance.
Step 3. Click the DVWA Security tab to view the level of security for the instance.

DVWA Security Options:
- Low Level: Allows you to easily exploit all known vulnerabilities present
- Medium Level: Requires fundamental skills in bypassing application defenses/filtration
- High Level: Requires a thorough, practical understanding of defense evasion techniques
- Impossible Level: Requires an advanced skill level to successfully perform attacks against the hardest instance of DVWA
Note: the file inclusion labs require additional configuration in the php.ini used by DVWA (/setup.php briefly describes which settings to change).
Step 4. Configure your application proxy tool to intercept traffic to localhost:dvwaport for all testing.
Step 5. When done with testing, stop DVWA by running “dvwa-stop”
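The two places in the DVWA steps above where a wrong setting silently changes what you are testing are the php.ini configuration for the file inclusion labs and the security level. The following POSIX shell helper, added here as an example and not code from the original article or from the DVWA or Kali projects, parses a php.ini for the two PHP settings DVWA's setup page reports for those labs (allow_url_fopen and allow_url_include) and validates a security level against the four DVWA levels before you set it. It assumes you pass in the path of the php.ini your DVWA instance uses; the sample ini it writes is constructed for the demo and is not a real Kali file.

```shell
#!/bin/sh
# Added example, not from the original article or the DVWA/Kali projects:
# a pre-flight helper for the DVWA lab. It parses a php.ini to confirm the two
# settings DVWA's /setup.php reports for the file inclusion labs
# (allow_url_fopen, allow_url_include) and validates the DVWA security level
# before you set it. The php.ini path is whatever you pass in; the sample file
# written below is constructed for the demo and is not a real Kali file.

# php_ini_get FILE KEY: print KEY's value from an ini file, skipping ';' comment
# lines, inline '; comment' tails and surrounding whitespace. Empty if absent.
php_ini_get() {
    grep -v '^[[:space:]]*;' "$1" 2>/dev/null \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)\$/\1/p" \
      | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
      | head -n 1
}

# ini_is_on VALUE: PHP treats On/1/true/yes (case-insensitive) as enabled.
ini_is_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) return 0 ;;
        *)             return 1 ;;
    esac
}

# file_inclusion_ready FILE: 0 when both settings are enabled, 1 otherwise;
# prints the first setting that blocks the lab so the fix is obvious.
file_inclusion_ready() {
    for key in allow_url_fopen allow_url_include; do
        val=$(php_ini_get "$1" "$key")
        if ! ini_is_on "$val"; then
            echo "$key is '${val:-unset}' in $1: set '$key = On' and restart the web server"
            return 1
        fi
    done
    echo "$1 permits the DVWA file inclusion labs"
    return 0
}

# dvwa_security_cookie LEVEL: accept only the four DVWA levels and print the
# cookie DVWA stores the level in ("security=<level>"); fail on anything else
# so a typo cannot leave the instance on a level other than the one you meant.
dvwa_security_cookie() {
    level=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$level" in
        low|medium|high|impossible) echo "security=$level" ;;
        *) echo "unknown DVWA security level: '$1'" >&2; return 1 ;;
    esac
}

# write_sample_ini VALUE: write a constructed php.ini fragment (allow_url_include
# set to VALUE) to a temp file and print its path. Demo input only.
write_sample_ini() {
    tmp=$(mktemp)
    cat > "$tmp" <<EOF
; constructed sample php.ini for the demo, not a real Kali file
allow_url_fopen = On      ; PHP's shipped default
  allow_url_include = $1
EOF
    echo "$tmp"
}

# Demo: an "Off" file fails the check, an "On" file passes, and the cookie
# helper accepts only known levels.
unready=$(write_sample_ini Off)
ready=$(write_sample_ini On)
file_inclusion_ready "$unready" || true
file_inclusion_ready "$ready"
dvwa_security_cookie Low
dvwa_security_cookie lwo || true
rm -f "$unready" "$ready"
```

Run it against the real php.ini after dvwa-start (for example `file_inclusion_ready /path/to/php.ini`, with the path from your own PHP install); a setting that is still Off explains why the file inclusion lab fails before you spend time on the exercise itself.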
AppSec testing with OWASP Juice Shop
Once the Juice Shop metapackage is installed on Kali Linux, start testing the application using the instructions below:
Step 1. The application can be started by running “juice-shop”

The browser should open automatically to the Juice Shop home page. Otherwise, visit http://localhost:jsport; the CLI output indicates which port serves the Juice Shop web UI.

Step 2. You can create a test account by visiting http://127.0.0.1:jsport/register or by clicking “Not yet a customer?” on the login page.

Step 3. Configure your application proxy tool to intercept traffic to localhost:jsport for all testing.
Step 4. When done with testing, stop Juice Shop by running “juice-shop-stop”
References
Kali Linux
https://www.kali.org/get-kali/
https://www.kali.org/tools/dvwa/
https://www.kali.org/tools/juice-shop/
https://www.kali.org/blog/kali-linux-2022-3-release/
OWASP Resources
https://owasp.org/www-project-vulnerable-web-applications-directory/
https://owasp.org/www-project-juice-shop/
GitHub Repositories
https://github.com/juice-shop
https://github.com/digininja/DVWA
https://github.com/Martian1337/CyberSpace
Originally published at https://www.linkedin.com/pulse/deploy-vulnerable-web-applications-application-appsec-dion/