OWASP - Open Web Application Security Project :
OWASP is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies.
OWASP Testing Guide :
- January 2004 – "The OWASP Testing Guide", Version 1.0
- July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1
  Download Link : OWASP Ver 1.1
- December 25, 2006 – "OWASP Testing Guide", Version 2.0
  Download Link MS-DOC Format : OWASP Ver 2.0
  Download Link PDF Format : OWASP Ver 2.0
- 15th September, 2008 – "OWASP Testing Guide", Version 3.0
  Download Link MS-PPT Format : OWASP Ver 3.0
  Download Link PDF Format : OWASP Ver 3.0
Video Tutorials :
- OWASP AppSec Basics
- OWASP SQL Injection
- OWASP Cross Site Scripting
- OWASP Strict Transport Security
Setting Up OWASP Web Security Learning Lab with OWASP ZAP :
Installation :
Required Software :
- Virtual Machine Software - Recommend the free VirtualBox (Win, Mac, Linux)
- OWASP Broken Web Apps VM (download at the official site)
- Web Proxy - Recommend OWASP ZAP Proxy
- Web Proxy - Alternative: Burp Proxy
- Browser - Recommend Firefox
- Optional - Browser Plugins
Setup :
- Install VirtualBox
- Unzip the OWASP Broken Web Apps VM into any directory (don't pick restricted directories that require admin or sudo to access)
- Open VirtualBox and click the "New" icon
- VM Name and OS Type: enter the name "OWASP-BWA" and select OS "Linux" and Version "Ubuntu"
- Memory: the default of 512 is fine
- Virtual Hard Disk: Important: select "Use existing hard disk" and click the folder icon
- Browse to the unzipped folder contents of the OWASP Broken Web Apps VM and select "OWASP Broken Web Apps.vmdk". Note: there are similar files ending in -s001; don't pick those.
- Click OK to finish the VM setup
- Right-click OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager and select "Settings" (also available via the menu Machine->Settings)
- Go to Settings->Network->Adapter 1
- Make sure the "enabled" checkbox is checked
- Change "Attached to:" from "NAT" to "Host-Only Adapter" (host-only keeps this deliberately vulnerable VM reachable only from your own machine, not from the rest of your network)
- Click OK
- Right-click OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager and click "Start"
- After the VM boots, the OWASP-BWA login screen shows a message like the following (the IP address will be similar but not exactly this):
  You can access the web apps at http://192.168.56.101
- Open a browser on your main machine (not the VM) and go to that URL. It should load a page that starts with "OWASP Broken Web Applications"
- Note: you don't need to actually log in to the virtual machine. Everything is already running.
Common Errors :
- Boot-up error message "Kernel requires feature on CPU: pae"
  - Power off the VM (just the VM window, not VirtualBox)
  - Right-click OWASP-BWA on the left side and select "Settings" (also available via the menu Machine->Settings)
  - Go to System->Processor and enable PAE
  - Click OK and restart the VM
- Host-Only Adapter shows an error message and the Name says "not selected" with no options
  - Go to the VirtualBox Manager (the main VirtualBox control app, not the individual VM)
  - Go to VirtualBox->Preferences and select "Network" (note: these are settings for the VirtualBox app overall)
  - There is a text box titled "Host-only Networks:"; it is most likely empty, and this is the problem
  - Click the plus icon on the right to add a new adapter. You should now see "vboxnet0"
  - Click OK and go back to the VM's settings. You should be able to select the host-only adapter now
- Keyboard and mouse trapped in the VM
  - Mac: hit the left Command key to exit VM control
  - Windows: Left Alt (unconfirmed)
  - Simply click back inside the VM with the mouse to regain keyboard control in the VM
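The GUI setup above as a scripted equivalent, added here as an example rather than taken from the original page: the VBoxManage subcommands are VirtualBox's own, while BWA_DISK, HOSTONLY_IF and the function names are assumptions made for this script. It also applies the PAE and host-only-network fixes from Common Errors and only prints the commands unless BWA_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example: the VirtualBox GUI steps above as VBoxManage commands.
# Assumes VBoxManage is on PATH; BWA_DISK and HOSTONLY_IF are assumed names.
set -euo pipefail
VM_NAME="OWASP-BWA"
BWA_DISK="${BWA_DISK:-${HOME:-/tmp}/owaspbwa/OWASP Broken Web Apps.vmdk}"
# Linux/macOS interface name; on Windows it is "VirtualBox Host-Only Ethernet Adapter"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"

# Reject the split-disk files the page warns about (...-s001.vmdk etc.).
check_disk_name() {
  case "$1" in
    *-s[0-9][0-9][0-9].vmdk) return 1 ;;
    *.vmdk) return 0 ;;
    *) return 1 ;;
  esac
}

# One VBoxManage command per line: Linux/Ubuntu VM, 512 MB, PAE on,
# host-only NIC (keeps the vulnerable VM off the LAN), existing vmdk attached.
bwa_setup_commands() {
  cat <<EOF
VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu --register
VBoxManage modifyvm "$VM_NAME" --memory 512 --pae on
VBoxManage modifyvm "$VM_NAME" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
VBoxManage storagectl "$VM_NAME" --name "IDE Controller" --add ide
VBoxManage storageattach "$VM_NAME" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "$BWA_DISK"
VBoxManage startvm "$VM_NAME"
EOF
}

# Create the host-only interface if it is missing (the "not selected" error).
ensure_hostonly_if() {
  local ifs; ifs="$(VBoxManage list hostonlyifs)"
  [[ $ifs =~ Name:[[:space:]]+"$HOSTONLY_IF" ]] || VBoxManage hostonlyif create
}

main() {
  check_disk_name "$BWA_DISK" || { echo "refusing split/non-vmdk disk: $BWA_DISK" >&2; return 1; }
  if [ "${BWA_APPLY:-0}" != 1 ]; then      # dry run by default
    echo "# dry run; set BWA_APPLY=1 to execute:" >&2
    bwa_setup_commands
    return 0
  fi
  ensure_hostonly_if
  bwa_setup_commands | while IFS= read -r cmd; do eval "$cmd"; done
  echo "Started $VM_NAME; browse to the URL shown on its console (e.g. http://192.168.56.101)"
}
main
```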
Training PDF : Click Here
OWASP WebScarab Proxy Training :
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
Download :
- Windows : Click Here or Alternate Link : Click Here
- Linux : java -jar ./webscarab-selfcontained-[numbers].jar
Video Training Click Here: http://yehg.net
Sample Video :
OWASP Webgoat Training :
WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Download Link : WebGoat V 5.4
Training Documentation :
References to WebGoat documentation or solutions.
Sample Video :
Hacking-Lab is providing the FREE OWASP TOP 10 hands-on lab :
Hacking-Lab provides the free OWASP Top 10 hands-on lab as a service to the OWASP Academy Portal and to the OWASP community. This training material is reviewed and approved by the OWASP Academy Portal Project members in order to set and maintain an OWASP-worthy training quality.
These are the simple steps I followed on a Windows 7 laptop.
- Download the Virtual Appliance OVA file to your laptop
- Download and install the Oracle VirtualBox application onto your laptop
- Double-click the .ova file in Windows Explorer; the appliance import process should start in the VirtualBox application. You should see something like Fig. 1:
Fig. 1: Oracle VM VirtualBox Manager
- In the VirtualBox Manager left-hand pane, double-click the LiveCD-Hacking-Lab-V5.55 entry. The LiveCD should start and after a short while the Welcome screen shown in Fig. 2 should appear.
Fig. 2: Welcome Screen
You should be ready to go now at the OWASP Security Training.
Video Description | Details
--- | ---
How to use 2 different (attacker/victim) browser instances | Learn how to use 2 different (attacker/victim) browser instances (the Firefox profiles are available on LiveCD V5.83 and newer)
How to use the ZAP browser in the LiveCD | Tutorial: ZAP Web Inspection Proxy on LiveCD
How to setup a landing page on the LiveCD | Tutorial: ZAP Web Inspection Proxy on LiveCD
How to import LiveCD in VirtualBox | Learn how to import the LiveCD ova file into VirtualBox
How to import LiveCD in VMware | Learn how to import the LiveCD ova file into VMware
Run Hacking-Lab LiveCD with VMware 8 Workstation | Learn how to use the LiveCD ISO with VMware 8 Workstation
Installation of LiveCD in VMware 8 Workstation | Learn how to install the LiveCD ISO in your VMware 8 Workstation
How to open a root shell | Learn how to open a "root" shell
Server side VDI solution | Learn how to use the server side VDI solution
Hacking-Lab Download :
- Documents and Videos
- Hacking-Lab LiveCD