Sunday, December 23, 2012

OWASP - Web Security Training

OWASP - Open Web Application Security Project :

                                               is a open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies.

OWASP Testing Guide :

January 2004
–"The OWASP Testing Guide", Version 1.0

July 14, 2004
–"OWASP Web Application Penetration Checklist", Version 1.1

Download Link : OWASP Ver 1.1

December 25, 2006
–"OWASP Testing Guide", Version 2.0
Download Link  MS- DOC Format : OWASP Ver 2.0  
Download Link PDF-Format   : OWASP Ver 2.0
15th September, 2008
–"OWASP Testing Guide", Version 3.0

Download Link MS-PPT Format : OWASP Ver 3.0
Download Link PDF Format : OWASP Ver 3.0

Video Tutorials :

OWASP AppSec Basics :

OWASP SQL Injection :
OWASP Cross Site Scripting :

OWASP Strict Transport Security :

Setting Up OWASP Web Security Learning Lab with OWASP ZAP :


Required Software


  1. Install VirtualBox
  2. Unzip OWASP Broken Web Apps VM into any directory (don't pick restricted directories that require admin or sudo to access)
  3. Open VirtualBox and hit the icon for "New"
    • VM Name and OS Type: Enter name "OWASP-BWA" and select OS "Linux" and Version "Ubuntu"
    • Memory: Default of 512 is fine
    • Virtual Hard Disk: Important Select "Use existing hard disk" and click on the folder.
    • Browse to the unzipped folder contents of the OWASP Broken Web Apps VM. Select "OWASP Broken Web Apps.vmdk" Note: There are similar files ending in -s001. Don't pick those.
    • Click OK to finish VM Setup
  4. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and select "Settings" (also available via menu Machine->Settings)
    • Go to Settings->Network->Adapter 1.
    • Make sure the checkmark for enabled is checked.
    • Change "Attached to:" from "NAT: to "Host-Only Adapter"
    • Click OK
  5. Right click on OWASP-BWA in the left pane of the Oracle VM VirtualBox Manager App and hit "Start"
  6. After the VM boots the OWASP-BWA login page will provide the following message (the IP address will be similar but not exactly this)

  7. You can access the web apps at

  8. Open a browser on your main machine (not the VM) and go to this URL. It should load a page that starts with "OWASP Broken Web Applications"
  9. Note: You don't need to actually login to the virtual machine. Everything is already running.

Common Errors

  • Boot Up Error Message - Kernel requires feature on CPU: pae
    • Power off VM (not VirtualBox, just VM window)
    • Right click on OWASP-BWA on left side and select "Settings" (also available via menu Machine->Settings)
    • Go to System->Processor and enable PAE
    • Click OK and restart VM
  • Host Only Adapter Shows Error Message and Name says "not selected" with no options
    • Go to the VirtualBox Manager (e.g. the main virtualbox control app, not the individual vm)
    • Go to the VirtualBox->Preferences and then select "Network" (note: these are settings for the virtualbox app overall)
    • There is text box with the title "Host-only Networks:" it is most likely an empty text area and this is the problem
    • Click the plus icon on the right to add a new adapter. You should now see "vboxnet0"
    • Click ok and then go back to the VMs preferences. You should be able to select the hostonly adapter now
  • Keyboard and mouse trapped in VM
    • Mac: Hit the left command button to exit VM control
    • Windows: Left Alt??
    • Simply click back inside the vm with the mouse to regain keyboard control in the VM

Training PDF : Click Here 

OWASP WebScarab Proxy Training : 

                                      WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.


Windows : Click Here  or Alernate Link Click Here

Linux: java -jar ./webscarab-selfcontained-[numbers].jar

Video Training Click Here: 

Sample Video : 

OWASP Webgoat Training :

                                    WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson. 

Download Link : WebGoat V 5.4

Training Documentation :

References to WebGoat documentation or solutions.

Sample Video : 

Hacking-Lab is providing the FREE OWASP TOP 10 : 

                                                    hands-on lab as a service to the OWASP Academy Portal and to the OWASP community. Those training material is reviewed and approved by the OWASP Academy Portal Project members in order to set and maintain an OWASP-worthy training quality.

Installation :

These are the simple steps I followed on a Windows 7 laptop.

  • Dowload the Virtual Appliance OVA file to your laptop
  • Download and install the Oracle Virtual Box  application onto your laptop
  • Double-click the .ova file through Windows Explorer and the appliance import process should commence on the Virtual Box application. You should see something like Fig 1:
Fig. 1: Oracle VM Virtual Box Manager
  •  In  theVirtual Box Manager left-hand pane double-click on the LiveCD-Hacking-Lab-V5.55 entry. The LiveCD should start and after a short while  the Welcome screen as shown in Fig 2 should appear.
Fig 2: Welcome Screen
You should be ready to go now at the OWASP Security Training.

Training Videos - Hacking_Lab LiveCD
Video Description
How to use 2 different (attacker/victim) browser instances
Learn how to use 2 different (attacker/victim) browser instances (The Firefox Profiles are available on LiveCD V5.83 and newer)
How to use the ZAP browser in the LiveCD
Tutorial; ZAP Web Inspection Proxy on LiveCD
How to setup a landing page on the LiveCD
Tutorial; ZAP Web Inspection Proxy on LiveCD
How to import LiveCD in VirtualBox 
Learn how to import the LiveCD ova file into VirtualBox
How to import LiveCD in VMware
Learn how to import the LiveCD ova file into VMware
Run Hacking-Lab LiveCD with Vmware 8 workstation
Learn how to use the LiveCD ISO with Vmware 8 workstation
Installation of LiveCD in Vmware 8 workstation
Learn how to install the LiveCD ISO in your Vmware 8 workstation
How to open a root shell
Learn how to open a "root" shell
Server side VDI solution Learn how to use the server side VDI solution

Hacking-Lab Download 

document-open Documents and Videos
document-open Hacking-Lab LiveCD 

No comments:

Post a Comment

Open source Tools for Live Meeting(Web Conferencing)

posts. Guys the most of you find these posts a valuable resource for the e-Learning community. As a result, the following post is Free and Open Source Web Conferencing (Online Meetings, Webinars) Tools for e-Learning.

The following list contains free and open source Web Conferencing tools that are n't in particular order.

Also, you should be sure that the e-Learning community will highly appreciate:

  1. if you post a comment with your experience with these tools and/or,

  2. if you post a comment with a link to any other free and open source Web Conferencing tool.

We support Free eLearning! Do you?

I support Free eLearning

BigBluebutton* is built for Higher Education. It enables universities and colleges to deliver a high-quality learning experience to remote students. BigBlueButton is an active open source project that focuses on usability, modularity, and clean design -- both for the user and the developer. The project is hosted at Google Code. BigBlueButton is built by combining over fourteen open source components.

*note: Epignosis has created a module that provides integration of BigBlueButton conferencing in eFront Open Source Learning Management System. BigBlueButton is a free web-conferencing tool with text chat, audio and video capabilites, a virtual whiteboard and many more presentation and conferencing features.

OpenMeetings is a free browser-based software that allows you to set up instantly a conference in the Web. You can use your microphone or webcam, share documents on a white board, share your screen or record meetings. It is available as hosted service or you download and install a package on your server with no limitations in usage or users.

OpenMeetings Key Features Mini Demo

Mikogo is a free desktop sharing tool full of features to assist you in conducting the perfect online meeting or web conference. Take advantage of the opportunity to share any screen content or application over the Internet in true color quality with up to 10 participants simultaneously, while still sitting at your desk.

Yugma free web conferencing allows anyone, anywhere to instantly share their desktop and ideas online with others. To start hosting your own meetings you have to sign up for FREE. Your Yugma Free web conferencing account allows you to invite up to 20 attendees

Using WebHuddle, you have options and flexibility. Meetings can be conducted either in conjunction with an enterprise’s existing teleconferencing service, or utilizing WebHuddle’s optional voice over IP. WebHuddle also offers recording capabilities -- presentations can easily be recorded for playback over any web browser for those who missed the live meeting.

With Vyew you can give a presentation to a hundred people online or post a document you've been working on for review by your colleagues at the convenience. Vyew is extremely flexible alloying you to bring online collaboration and conferencing into your workflow on your terms.

Dimdim delivers synchronized live presentations, whiteboards and web pages while sharing your voice and video over the Internet - with no download. With the Free edition you can get 10 person meetings, 1 way video, standard support, Dimdim branded rooms, and public meetings.

*note: Epignosis has created a module that provides integration of Dimdim conferencing in eFront  Open Source Learning Management System.

Adobe® ConnectNow is a great way to share ideas, discuss details, and complete work with others all online. Reduce travel costs, save time, and increase productivity with a web conferencing solution that's easy to access and simple to use. ConnectNow operates inside a web browser. There's no installation required, so getting started is easy and Free