Learning about web security with Web Security Dojo
Master Class
Protecting your own websites from attack either costs a lot of money or requires a lot of expertise. Web Security Dojo helps you learn to think like an expert.
Security is now a major focus for Internet users and companies. Unfortunately, the sophisticated nature of recent attack techniques, as well as the ever-increasing surveillance ambitions of the authorities and data-mining corporations, continues to complicate the quest for a safe and secure Internet.
A specialized Linux environment called Web Security Dojo [1] offers an easy way for everyday users and beginning professionals to learn about web security. Dojo is designed to provide practical, hands-on exercises on web security and intrusion techniques.
The Dojo virtual appliance is available on SourceForge [2] as an image of around 2.3GB in OVA format. Dojo runs in VirtualBox 5.0 or later and also in VMware. After you download the image, import it into VirtualBox via the File | Import Appliance… menu and specify the path to the OVA file in the dialog that opens. VirtualBox then creates a new virtual machine from the appliance (Figure 1).
The virtual machine is available in VirtualBox as Dojo 3.0. After booting, Dojo launches as a Xubuntu 16.04 32-bit system with the XFCE desktop (Figure 2).
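The same import can be scripted, which also gives you a place to verify the download and to pin the VM to host-only networking so its deliberately vulnerable targets are reachable from your browser but from nothing else. This is an added example, not part of the article or the Dojo project; it assumes VBoxManage is on the PATH, that the OVA is saved as Dojo.ova, that the host-only adapter is named vboxnet0 (the Linux default), and the checksum is a placeholder to be replaced with the one published on the download page.

```shell
#!/bin/sh
# Added example (not from the article or the Dojo project): import the Web
# Security Dojo OVA from the command line and keep the VM off the LAN.
# Assumptions: VBoxManage on PATH, image saved as Dojo.ova, host-only
# adapter named vboxnet0, VM name "Dojo 3.0" as reported in the article.

OVA="${OVA:-Dojo.ova}"
VM_NAME="${VM_NAME:-Dojo 3.0}"
# Placeholder: replace with the SHA-256 published on the download page.
EXPECTED_SHA256="${EXPECTED_SHA256:-PLACEHOLDER_SHA256_FROM_DOWNLOAD_PAGE}"

# Compare the downloaded image against the published checksum.
verify_ova() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Emit the VBoxManage calls as text so they can be reviewed (or tested)
# before anything touches the hypervisor.
plan_import() {
  printf '%s\n' "VBoxManage import '$1' --vsys 0 --vmname '$2' --eula accept"
  # Host-only: the host browser reaches DVWA, WebGoat etc., the LAN does not.
  printf '%s\n' "VBoxManage modifyvm '$2' --nic1 hostonly --hostonlyadapter1 vboxnet0"
  # Disable any further adapters the appliance may define.
  n=2
  while [ "$n" -le 4 ]; do
    printf '%s\n' "VBoxManage modifyvm '$2' --nic$n none"
    n=$((n + 1))
  done
}

# Verify, then run the plan; DRY_RUN=1 only prints the commands.
main() {
  if ! verify_ova "$OVA" "$EXPECTED_SHA256"; then
    echo "checksum mismatch for $OVA, refusing to import" >&2
    return 1
  fi
  plan_import "$OVA" "$VM_NAME" | while IFS= read -r cmd; do
    if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}

# Invoke as: EXPECTED_SHA256=<hash> sh dojo-import.sh run
if [ "${1:-}" = "run" ]; then main; fi
```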
Start and Finish
The Web Security Dojo virtual learning environment includes various services that are configured to serve as targets for simulated attacks. The services listed in the Targets menu cover a wide range of possible attack scenarios. Some of these target services are already active by default; others must be launched manually.
Some of the services in the Targets menu are web-based applications that require a proxy service. These proxy services are available in the form of Firefox add-ons (Figure 3). Since targets and tools already exist on the same system, you do not need an active Internet connection for the lessons.
Application
Firefox is the center of Web Security Dojo. When launched, Firefox first offers the option to call the Damn Vulnerable Web Application (DVWA) page [3], a preconfigured test environment that familiarizes the user with a variety of vulnerabilities in web applications (Figure 4). In the DVWA window, log in with the username `admin` and the password `password`.
In the menu on the left, you will find various attack technique options, such as Cross Site Scripting (XSS), SQL Injection, CSRF, or Brute Force. For the various scenarios, you will receive background information in the form of links to related websites and wikis.
In addition to DVWA, Dojo has other tools for more advanced attack scenarios. For example, you will find the Java application WebGoat, which is part of the OWASP Project [4]. Launch WebGoat using the WebGoat Start script in the Targets menu, and then click on the WebGoat link in Firefox on the homepage. You can authenticate using guest as a username and password.
The application provides a brief introduction and lists various test scenarios in a vertical menu on the left edge of the screen (Figure 5). Some categories are further divided into subgroups. For example, under Authentication Flaws, you will find tests for authentication vulnerabilities.
Several options appear at the top edge of the screen. Click on Show Solution to display the solution to a scenario; Show Plan provides additional didactic information. Show Source familiarizes you with the source code, and Restart Lesson launches the active task again. WebGoat Stop from the menu stops the service.
Google Gruyere and McAfee's Hacme Casino are two other toolkits for learning protection technologies for web pages. You have to manually launch these tools via the Targets menu before the web pages are available in Firefox. Gruyere, which is named after the cheese, portrays several typical methods for hacking a website and familiarizes you with solutions that prevent such attacks.
Hacme Casino is extremely playful and looks like a gambling website; however, it also serves as a learning tool, letting the user trace through some common attack techniques. A detailed manual for Hacme Casino is available in English with many practical examples [5].
In the Tools menu, you will find a wide range of tools and scanners for your own research. These tools include the security scanner Arachni, the browser exploitation framework BeEF, the Metasploit Framework, and the w3af framework – including a command-line version. DirBuster, an application written in Java for brute force attacks, and BurpSuite are also available. Pure command-line applications such as Skipfish, SqlMap, or Skavenger Shell round out the portfolio.
Documentation
The manufacturer has put a lot of effort into documentation for Web Security Dojo. You'll find plenty of PDF and HTML files for the various tools, as well as several video tutorials hosted on YouTube. The documents and videos make it easier for beginners to install and get acquainted with the system. You can also find some basic information on the desktop in the README.html and GettingStarted.html files.
Instructions for the main suites and frameworks are available in the Documentation folder. The Zim desktop wiki is available for you to record your own notes. To launch Zim, click the Zim icon on the desktop.