6

I was curious if there is any need to secure/protect ourselves when doing projects on sites like OWASP to learn about vulnerabilities or "Wargames/Challenges" such as what's posted in these links

How to get started?

Best resources to learn web security attacks?

How do I get started with security? (beginner)

It seems that these sites are created for legal purposes, with the intent of learning. I'm curious if that is also a concern for malicious users altering these projects that could hurt others, or possibly some of these not being all that protected...?

I'm curious if people would recommend being in a VM/test machine (would you always want to use a VM, over a physical machine, just in case of hardware malware, or w/e?), as well as VPN/Proxy for privacy, etc?

Just curious if any of this is needed, or if most of these sites are legit...

Maybe it's just good practice in general to always protect yourself from sites you don't know about (i.e., block JS, cookies, plugins, etc)? I just figured since we are working with vulnerabilities and stuff that could be dangerous, that we should be protected on our end too?

Community
  • 1
XaolingBao
  • 897
  • 2
  • 9
  • 21
  • 1
    Well, don't forget that for online challenges, you might not be the only person doing them, and not everyone may be benign - some might be trying to plant malware for others to stumble on. Less of an issue for self-hosted boxes, but you'd run those in a VM anyway, usually. – Matthew Jun 09 '16 at 17:50
  • That's the thing, I figured others might be trying to do some dirty stuff while the others are learning. What do you mean by "self-hosted boxes" and why would we run them in a VM:? So would you say that we should always be running these tests in a VM then? I'll probably setup a VM on another Machine, jujst to be safe... Thanks :). – XaolingBao Jun 09 '16 at 19:36
  • Self hosted means that you download a server image and run it on your own machine, as opposed to an online challenge, where you connect to a remote server to break in. No harm in running them in a VM, and it might prevent some issues, not to mention, it's how a lot of security assessments are carried out - I run a Kali VM as a sort of baseline, for example. – Matthew Jun 09 '16 at 19:38
  • Ah... never heard of a "Server Image" I'll look into that. So basically, you're just cracking the site on your machine, instead of someone else's then? So according to your "security assessment" comment, this is how normal users would do it then/ Is there anything else you do besides run Kali? Do you have a VPN/Proxy setup? Thanks for the help. – XaolingBao Jun 09 '16 at 19:41

4 Answers4

1

There is a saying, and it goes like
Only the paranoid survives.
To answer your question, these kind of practice machines are built for the practice purpose by security enthu and experts who want to give something back to the society. By doing so the creator gets reputation and fame (sort of) in the Infosec family.
On the other hand, if you think about it the people practicing on these machines are mostly beginners with half the knowledge and can be a perfect target for such things. I mean look at the daily Infosec news like CISCO 0 Days, Xiomi's backdoors, exploits in linux systems such as overlayfs and many other examples will only inspire you to be as cautious as you can. Although no such news has ever surfaced, at-least not to my knowledge. But there is also first time for everything.
Again if one thinks about it, all such kind of projects are open-source and all their code and steps are available and easily visible. Also websites like Vulnhub who hosts the CTFs, always make sure these kind of things do not happen before they host any new user submitted machine. So as long as you are downloading your practice machine from a legit website you should be good to go. But again i can't argue with the urge to be more careful. Because no matter how careful you are, it's never enough, at-least not in the infosec field.

7h1n0b1
  • 64
  • 5
0

It seems like you answered your own question. It would be very prudent of you to take steps to protect yourself from threats. You can never be too careful.

Desthro
  • 1,007
  • 5
  • 5
  • Well, I'm not sure if people are always in a VM and VPN connected when browsing, or if they only do this in certain situations? I would assume that people aren't going into their VM every time they are going to do something on the web...? I take precautions going to sites on my computers, but this is different.... Do we take extra precautions, or what? – XaolingBao Jun 09 '16 at 16:47
  • Beginners do all kinds of things. They won't all be in VMs, blocking scripts, etc. But it's not the beginners that you need to worry about. Treat this as a lab situation, because it is. Your lab system should be essentially disposable. VMs and sandboxing give a certain level of security, but there are exploits for those, too. So if you truly care, isolate it from the rest of your network, and wipe it when you're done. For good measure, you could wipe the network equipment you were using, too. – Courtney Schwartz Sep 29 '16 at 02:06
0

When in doubt, setup some security. Hackers are always looking for the next big exploit. And there are millions of them in the world working all hours of the night on many, many different systems.

Yokai
  • 795
  • 4
  • 7
0

Although the projects on OWASP wargames list are fairly well-vetted and reliable, you're not wrong to be cautious. Using protection like Sandboxie (for Windows), or firejail, BitBox, Cuckoo when running something of unknown provenance is a good idea.

Jedi
  • 3,906
  • 2
  • 24
  • 42
  • Interesting, is Sandboxie free, or do we pay? What about using a VM? I've heard Vms are Sandboxed, except in the case the VM is connected to the Network where the main OS is. What about using a VPN? Thanks! – XaolingBao Jun 15 '16 at 21:50
  • A VM will definitely be more secure, but it has a higher overhead and is less convenient. All 4 tools are free to download. – Jedi Jun 15 '16 at 21:53
  • Hmm.... I guess I will look into these. Are these advised to be used at all times to protect yourself, or just in the case of 100% making sure? Also do you think we need to hide ourselves behind a proxy or VPN? Thanks. – XaolingBao Jun 15 '16 at 22:31
  • The sandbox is just a precaution, but I've found it's a good habit for trying new things. You could always use something like Tor to anonymize your traffic. It all depends on what type of threats you want to protect yourself from. – Jedi Jun 15 '16 at 22:35