Creating a web application security lab part 1

So you want to hack the planet? Whether you want to validate the latest exploit or do your due diligence in vulnerability research, you will need a test lab. Installing, configuring and maintaining a test lab can be a serious time sink. I always aim to make repeatable tasks as simple as possible, and web application security is no exception. So, in the hope of making someone else's life better, I have decided to share my approach to lab design.

Getting started

You will need the following items:
  • Server/VPS/VM image running a suitable OS (LINUX IMO!)
  • Apache
  • PHP
  • root access
Once you have your "server" ready we'll start the lab configuration process. I use Debian-likes, so if you use something else you will have to adjust the paths as needed yourself. The first thing to set up is the directory structure. Run the following commands, as root:
# webroot is the DocumentRoot used by the Apache config below
mkdir -p /var/www/appseclab/webroot
mkdir /var/www/appseclab/etc
mkdir /var/www/appseclab/tmp
mkdir /var/log/apache2/appseclab
# the web server user needs to write to tmp
chown www-data /var/www/appseclab/tmp

The next step is to create a common Apache config file; I called mine /var/www/appseclab/etc/common.conf
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/appseclab/webroot
        ServerSignature Off
        # per-directory settings for the DocumentRoot
        <Directory /var/www/appseclab/webroot>
                Options ExecCGI FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from all

                AddHandler cgi-script .cgi
        </Directory>

        CustomLog /var/log/apache2/appseclab/access.log combined
        ErrorLog /var/log/apache2/appseclab/error.log
        Include /var/www/
        LogLevel notice

In the /var/www/appseclab/etc directory I created two files, moon.lair and vulcano.lair, with the following content. moon.lair is the deliberately weak host (the risky PHP flags are switched on), vulcano.lair the hardened one:
# /var/www/appseclab/etc/moon.lair
<VirtualHost *>
        ServerName moon.lair
        Include /var/www/appseclab/etc/common.conf
        php_admin_flag register_globals on
        php_admin_flag allow_url_fopen on
        php_admin_flag allow_url_include on
        php_flag magic_quotes_gpc off
</VirtualHost>

# /var/www/appseclab/etc/vulcano.lair
<VirtualHost *>
        ServerName vulcano.lair
        Include /var/www/appseclab/etc/common.conf
        php_admin_flag register_globals off
        php_admin_flag allow_url_fopen off
        php_admin_flag allow_url_include off
        php_flag magic_quotes_gpc on
</VirtualHost>

Next we create a test file and add the lair configs to the Apache configuration:
echo 'Welcome to the lair!' > /var/www/appseclab/webroot/index.html
ln -s /var/www/appseclab/etc/moon.lair /etc/apache2/sites-available
ln -s /var/www/appseclab/etc/vulcano.lair /etc/apache2/sites-available
Then we enable the hosts and restart Apache:
a2ensite moon.lair
a2ensite vulcano.lair
apache2ctl graceful
And then we test that it works by speaking a little HTTP (use whichever port your Apache listens on; in this session it was 81):
telnet localhost 81
Connected to localhost.localdomain.
Escape character is '^]'.
GET / HTTP/1.1
Host: moon.lair

HTTP/1.1 200 OK
Date: Wed, 29 Sep 2010 07:25:26 GMT
Server: Apache
Last-Modified: Wed, 29 Sep 2010 07:19:58 GMT
ETag: "282849d-14-49160c9f4e380"
Accept-Ranges: bytes
Content-Length: 20
Vary: Accept-Encoding
Content-Type: text/html

Welcome to the lair
telnet> quit
Connection closed.
If you get connection refused at this point, there is likely an issue with your apache configuration. Check your apache error.log for details to help you fix this.
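Once both hosts answer, the check I would add is a small page that reports the PHP flags the two vhost files set, so you can confirm that each Host header really lands on its own configuration (this is my own addition, not from the original post; the file name lairinfo.php is my choice). Save it in the webroot and request it as in the telnet session above with Host: moon.lair and then Host: vulcano.lair; moon.lair should report all four flags as WEAK and vulcano.lair none.

```php
<?php
// lairinfo.php (hypothetical name): drop into /var/www/appseclab/webroot and
// request it with different Host headers to see which vhost's PHP flags apply.
header('Content-Type: text/plain');

// The four flags the moon.lair / vulcano.lair files set differently, with the
// value the hardened (vulcano.lair) host is expected to have.
$expected_hardened = array(
    'register_globals'  => false,
    'allow_url_fopen'   => false,
    'allow_url_include' => false,
    'magic_quotes_gpc'  => true,
);

// ini_get() returns "1", "0" or "" for boolean directives, and false when the
// directive does not exist in this PHP build at all.
function ini_bool($name)
{
    $v = ini_get($name);
    if ($v === false) {
        return null; // e.g. register_globals on PHP 5.4 and newer
    }
    return filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

printf("Host: %s\n", isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '(none)');
printf("PHP:  %s (SAPI %s)\n\n", PHP_VERSION, PHP_SAPI);

$weak = 0;
foreach ($expected_hardened as $name => $safe) {
    $actual = ini_bool($name);
    if ($actual === null) {
        printf("%-18s not available in this PHP version\n", $name);
        continue;
    }
    $tag = ($actual === $safe) ? 'hardened' : 'WEAK';
    if ($tag === 'WEAK') {
        $weak++;
    }
    printf("%-18s %-3s  %s\n", $name, $actual ? 'On' : 'Off', $tag);
}

printf("\n%d of %d flags are in their weak state on this host.\n",
       $weak, count($expected_hardened));
```

Note that register_globals and magic_quotes_gpc only exist in PHP 5.3 and older, and php_admin_flag / php_flag only take effect under mod_php, so under PHP-FPM or FastCGI every host will simply show the php.ini defaults.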

Next we move on to securing and accessing your lab.
This weblog is licensed under a Creative Commons License.