Setting Up Web Security Learning Lab

Past Presentations - Slide Deck

Installation

Required Software

• Virtual Machine Software - Recommend Free VirtualBox (Win, Mac, Linux)
• OWASP Broken Web Apps VM (Download at official site)
• Web Proxy - Recommend OWASP Zap Proxy
• Web Proxy - Alternative Burp Proxy
• Browser - Recommend Firefox
• Optional - Browser Plugins
• Firebug
• Firecookie

Setup

1. Install VirtualBox
2. Unzip OWASP Broken Web Apps VM into any directory (don't pick restricted directories that require admin or sudo to access)
3. Open VirtualBox and hit the icon for "New"
• VM Name and OS Type: Enter name "OWASP-BWA" and select OS "Linux" and Version "Ubuntu"
• Memory: Default of 512 is fine
• Virtual Hard Disk: Important Select "Use existing hard disk" and click on the folder.
• Browse to the unzipped folder contents of the OWASP Broken Web Apps VM. Select "OWASP Broken Web Apps.vmdk" Note: There are similar files ending in -s001. Don't pick those.
  
• Click OK to finish VM Setup
4. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and select "Settings" (also available via menu Machine->Settings)
• Go to Settings->Network->Adapter 1.
• Make sure the checkmark for enabled is checked.
• Change "Attached to:" from "NAT: to "Host-Only Adapter"
• Click OK
5. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and hit "Start"
6. After the VM boots the OWASP-BWA login page will provide the following message (the IP address will be similar but not exactly this)

You can access the web apps at http://192.168.56.101


7. Open a browser on your main machine (not the VM) and go to this URL. It should load a page that starts with "OWASP Broken Web Applications"
8. Note: You don't need to actually login to the virtual machine. Everything is already running.

Common Errors

• Boot Up Error Message - Kernel requires feature on CPU: pae
• Power off VM (not VirtualBox, just VM window)
• Right click on OWASP-BWA on left side and select "Settings" (also available via menu Machine->Settings)
• Go to System->Processor and enable PAE
• Click OK and restart VM
• Host Only Adapter Shows Error Message and Name says "not selected" with no options
• Go to the VirtualBox Manager (e.g. the main virtualbox control app, not the individual vm)
• Go to the VirtualBox->Preferences and then select "Network" (note: these are settings for the virtualbox app overall)
• There is text box with the title "Host-only Networks:" it is most likely an empty text area and this is the problem
• Click the plus icon on the right to add a new adapter. You should now see "vboxnet0"
• Click ok and then go back to the VMs preferences. You should be able to select the hostonly adapter now
• Keyboard and mouse trapped in VM
• Mac: Hit the left command button to exit VM control
• Windows: Left Alt??
• Simply click back inside the vm with the mouse to regain keyboard control in the VM