This week we turn our attention to tools that can be used to manipulate web-based applications. There are subscription-based services to test your skills, but during this week we look at two in particular – Web Security Dojo and Security Shepherd.
How has your experience been with these tools this week? Did you have any “a-ha!” moments? What lessons have you learned?
Also refer to this week’s Handouts for details on SQL.
Dhaval Patel says
I struggled with Security Shepherd, for some reason I could not get access to the webpage. I would be able to get the IP address from the VM by running ifconfig, but upon entering the address I would get 404 or the page would time out, leaving me unable to test out Security Shepherd. I thought adjusting the proxy settings might make a difference, but unfortunately, it made no impact.
Antonio Cozza says
I am having a similar issue and I cannot figure it out. I tried all of the network adapter settings on the latest version of the Security Shepherd, but the webpage never loads. The IP never changes off of the localhost address for me and I am not seeing any information or videos on the latest version that help.
Eugene Angelo Tartaglione says
After trying for over a week, I can say that I was not able to get the application to work properly either.
William Bailey says
I’ve duplicated the non-functioning VMware setup (no network), and have not been able to remediate the issue yet. I’m still working through some troubleshooting to try to enable the networking in VMware.
I did, however, complete a fresh install of VirtualBox on Windows, acknowledged the pop-ups during the import of the appliance, and SecurityShepherd obtained an IP address.
The ‘ifconfig’ result that shows only the single 127.0.0.1 indicates that there is no network connectivity. Once networking is enabled on the VM/Appliance, you’ll see one or more IP addresses from the ifconfig results.
Note that the github site states that any virtualization platform will work, but that VirtualBox is recommended. You can re-download a Kali, Parrot, or other VM appliance, to have a full lab using all VirtualBox guests.
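As an added illustration of the ifconfig diagnostic described in this post (example code, not from the thread or the Security Shepherd project), this shell function parses ifconfig-style output and reports whether any non-loopback IPv4 address is present; the sample outputs are constructed, and 10.0.2.15 is only a stand-in for whatever address the VM obtains.

```shell
#!/bin/sh
# Added example: return success (0) if ifconfig-style output contains at least one
# IPv4 address other than loopback, i.e. the VM actually has network connectivity.
# Typical use inside the VM: has_nonloopback_ipv4 "$(ifconfig)"
has_nonloopback_ipv4() {
    # Accept both "inet 10.0.2.15" and the older "inet addr:10.0.2.15" layouts,
    # keep only the dotted-quad, and discard anything in 127.0.0.0/8.
    printf '%s\n' "$1" \
      | grep -Eo 'inet (addr:)?[0-9]+(\.[0-9]+){3}' \
      | grep -Eo '[0-9]+(\.[0-9]+){3}' \
      | grep -Ev '^127\.' \
      | grep -q .
}

# Constructed sample: only the loopback interface, as in the failing VMs above.
NO_NET='lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

# Constructed sample: a working guest with an adapter address plus loopback.
WITH_NET='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

if has_nonloopback_ipv4 "$WITH_NET"; then
    echo "sample 1: networking is up, browse to the listed address"
fi
if ! has_nonloopback_ipv4 "$NO_NET"; then
    echo "sample 2: only 127.0.0.1 present, check the VM network adapter settings"
fi
```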
William Bailey says
Eugene,
Have you tried Security Shepherd in VirtualBox? Sometimes even though something _should_ work, if it doesn’t, and there’s a known fix or workaround, then the workaround is chosen.
When working through a project deliverable, there have been multiple times where there’s the way I’d like to do something, and the way that helps me meet the deadline, and the deadline is usually what the client is most concerned with.
-Bill
William Bailey says
Antonio,
Have you tried VirtualBox yet? I’ve duplicated the problem in VMware, but VirtualBox works.
-Bill
Antonio Cozza says
I was able to get the SecurityShepherd working now in VirtualBox after some time; when I was first able to log in and attempt the first challenge I had certificate issues. I generated and added a new certificate for BurpSuite in Firefox and the Burp proxy was working properly for all websites other than the Shepherd at first. Eventually I was able to get it to work and complete an Insecure Direct Object Reference (IDOR) challenge.
William Bailey says
Dhaval,
Have you tried VirtualBox yet? I’ve duplicated the problem in VMware, but VirtualBox works.
-Bill
Dhaval Patel says
I was finally able to get Security Shepherd running on a PC in VirtualBox. Going through the exercise was a great experience; it gave me a better understanding of how Burp Suite can be used and the different scripting vulnerabilities that exist.
Tal Eidenzon says
Surprisingly, I was able to launch Security Shepherd and Web Security Dojo after playing around with the settings. It is priceless hands-on experience to be able to experiment within a safe environment. I look forward to pushing the capabilities further by running the VM on a home lab that I am building.
Dhaval Patel says
Hi Tal,
Once I got everything to run, I have to say they are great tools to practice and learn from where you can make mistakes and not have any repercussions.
Tal Eidenzon says
Hi Dhaval,
I completely understand employers that will not hire anyone without a home lab to play around/experiment with. Especially with virtual machines that can be spun up within an instant, there is no excuse to not have one to experience.
Thanks,
Tal
Andrew Nguyen says
I struggled with Security Shepherd because I was unable to login for some reason.
I had read that the default login was ‘admin/password’, but after reading the readme.md the initial login was securityshepherd/shepherd3.1 (the version number), while the default login into security shepherd itself was admin/password.
But other than that, I was able to access the tools and lessons.
Krish Damany says
Using both Mac and Windows platforms and VirtualBox, I was unable to successfully boot the Security Shepherd VM. I tried changing all sorts of network settings, display settings, and RAM and VRAM settings. I do not have access to VMware as my subscription ran out, and I was unable to test it as a result. I’ve looked at videos online of how it works along with what we’ve done in class, and I would be interested to try it out if I could get it to boot successfully.
Patrick Jurgelewicz says
I had no problem booting up a SecurityShepherd instance on my VirtualBox. On my host machine, I went to https://github.com/OWASP/SecurityShepherd/releases and downloaded the VM zip file, and was able to open that in my VirtualBox. Following the tips from my classmates and the readme file, I was able to log in as admin, as well as create a player for myself. From there I completed the first challenge using BurpSuite on my Kali instance.
Overall it took a little while to get everything up and running, but once I did, the challenges I could do were very interesting and allowed me to gain some hands-on experience on using different tools.