The aim of the project was to create an environment for conducting experiments on the security of web applications by emulating popular types of vulnerabilities and interacting with them in a controlled manner.
The environment allows various methods of attacking, defending against and detecting vulnerabilities to be implemented. The product has an extensible architecture, so new modules can be added to emulate new vulnerabilities and to integrate new detection, attack and defense tools.
To deploy the environment locally, clone this repository and host it in any of several ways; the commands below use Docker.

```shell
# Get the latest version of docker
sudo apt-get install docker.io

# Host the PHP server on port 80 of localhost in a docker container
git clone https://github.com/damianStrojek/Security-Testing-of-Web-Applications.git
cd Security-Testing-of-Web-Applications
docker build -t stewa .
docker run --log-driver=json-file --log-opt max-size=100m --log-opt max-file=3 -dp 127.0.0.1:80:80 stewa

# Check the status of your container
docker ps
```
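The `docker run` command above rotates container output through the json-file log driver. As an added example that is not part of this repository, the Python below reads lines in that format and flags requests that match two simple defender-side signatures; it assumes (the page does not say) that the PHP server inside the container writes Apache-style access lines to stdout, and all sample lines are constructed.

```python
import json
import re
from urllib.parse import unquote
# Docker's json-file driver writes one JSON object per line ("log", "stream", "time").
# The inner "log" text is assumed (the page does not say) to be an Apache-style
# access line from the container's PHP server.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Defender-side signatures, evaluated on the URL-decoded request path.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\.[/\\]"),
    "sql_injection": re.compile(r"'.*?(--|\bor\b|\bunion\b)", re.IGNORECASE),
}
def make_line(request, status=200):
    # Constructed sample: wrap an access-log line in the json-file envelope.
    access = f'172.17.0.1 - - [10/May/2024:12:00:01 +0000] "{request}" {status} 512\n'
    return json.dumps({"log": access, "stream": "stdout", "time": "2024-05-10T12:00:01Z"})

# Constructed input: benign request, two suspicious URL-encoded ones, a stderr line, garbage.
SAMPLE_LOG_LINES = [
    make_line("GET /index.php HTTP/1.1"),
    make_line("GET /download.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1", 404),
    make_line("GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1"),
    json.dumps({"log": "PHP Notice: Undefined index: id\n", "stream": "stderr", "time": ""}),
    "{truncated json",
]

def parse_json_file_line(raw):
    # Unwrap the envelope, then parse the access line; None if either step fails.
    try:
        log_text = json.loads(raw)["log"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None
    match = ACCESS_RE.match(log_text)
    if not match:
        return None
    record = match.groupdict()
    record["decoded_path"] = unquote(record["path"])  # decode before matching
    return record

def scan(lines):
    # (ip, decoded_path, fired signatures) for each parsable line that hits a signature.
    hits = []
    for raw in lines:
        record = parse_json_file_line(raw)
        if record is None:
            continue
        tags = [n for n, rx in SIGNATURES.items() if rx.search(record["decoded_path"])]
        if tags:
            hits.append((record["ip"], record["decoded_path"], tags))
    return hits
```

Matching runs on the decoded path on purpose: the encoded `..%2F` form in the second sample line would slip past a pattern applied to the raw request.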
The system allows you to set up a web application security testing environment at any time and anywhere. The entire theory and tips on how to perform tasks are included in individual modules. We recommend setting up an environment on Kali Linux.
Below is a recording of the working system. The main page was updated in release 1.1.
RELEASE-1.0-DEMO-SHORT.mp4
All the scripts/theory/tools included in this repository should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own networks and/or with the network owner's permission.