16

I'd like to set up OWASP WebGoat or a similar vulnerable web app in a VM (probably VirtualBox on Linux). For convenience's sake, I'd like to get it running on one of the primary machines I use (say, a laptop with an internet connection). I realize virtual machines don't provide complete security and isolation for, say, loading a machine up full of viruses, but I just want to use it to learn about and practice pentesting web apps.

What needs to be done to do this securely? What are some of the risks of running a security-related "sandbox" in a VM on an actively-used machine (as opposed to an isolated machine dedicated to that purpose)?

Edit: Just to clarify, my main question here is about a VM for pentesting a vulnerable web app, not virus/malware analysis, etc.

jrdioko
  • 2
    One thing to note about WebGoat specifically is that, by default, it's only accessible from localhost, it doesn't listen on other network interfaces, so there's perhaps a lower level of risk attached to running it on a standard laptop. – Rory McCune Oct 31 '11 at 14:33

6 Answers

6

The core mindset you want is:

Build it as if it were real, not virtual.

What would you want in place? Firewalls, access controls, logging, etc.

For a lab running virus analysis etc., you would normally segregate that from the rest of your network, so do the same here. I don't know of any malware yet that is specifically designed to break out of a VM in order to compromise the host and spread that way. However, what you'll find is that quite a lot of malware will detect it is in a VM and tailor its activity accordingly, which could hamper analysis.

Rory Alsop
  • 1
    If you go to all that effort, using actual hardware might prove a benefit. If the lab network is separate then protection from anything in the lab is possible. The only benefit with a virtual machine (these can still be used) is restoration of the test hardware. – Ramhound Oct 28 '11 at 17:38
  • Well, and cost and space - that was my main reason :-) – Rory Alsop Nov 02 '11 at 10:40
5

Setting up a vulnerable web app in a virtual machine is relatively safe. The risk is an attacker gaining access to that VM over the network, so as long as you restrict network access to the virtual machine there won't be a problem.

As I understand it, by default VMware (and other VM software) will be configured in this way.

Realistically, if you have your host computer running the VM behind a NAT then you are safe enough. The attacker can't gain access to the vulnerable web app from the internet so there's nothing to worry about - if they manage to get into your network some other way then you have other things to worry about!

Andy Smith
1

Virtual machines are pretty secure, but like every other software we use on our computers they have bugs and vulnerabilities. Have a look at

http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=vmware&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

for vulnerabilities on VMware software.

Also, you can always run into malware that uses techniques to exploit and escape the hypervisor of the virtualization software you are using.

For easier setup, just create a VM and separate it from any other network. However, you should note that certain malware will detect that it is in a virtualized environment and behave accordingly!

Have a look at this article for more detailed explanation: http://zeltser.com/vmware-malware-analysis/

Also: http://www.cert.uy/documentos/pdf/malware-lab.ppt2.pdf

balgan
  • For a vulnerable web application you will be fine with just putting it on a network that only the VM and host have access to! This will give you no trouble with outsiders accessing your virtual machine or possibly compromising your host machine. – balgan Oct 31 '11 at 03:49
  • The reason why you do not want to test a vulnerable web application on your own hardware is the following scenario: you're testing at home, all cool n stuff, then you take the laptop you're testing elsewhere; however, you forget to turn off the web server with the vulnerable web app, you connect to a public wireless network such as your university or coffee shop, someone happens to be scanning, connects to your local web server and pwns your machine with SQLmap os pwn options... – balgan Oct 31 '11 at 03:51
1

If you are doing this just to practice your own pen-testing, then you don't need any security. You won't be playing with viruses, for one thing. If you do advanced pen-testing, you might use malware, such as that built into the Metasploit kit, but these are just control programs you upload to the victim machine, they don't try to spread (they won't attack your host machine, they won't try to spread to other machines on the network).

In general, no practical viruses today attack the host by escaping the sandbox. Virtual machine sandboxes are secure in theory: while sometimes 0day bugs are found that might allow escaping the VM, these bugs are quickly patched when found. The chief concern when intentionally infecting your VM with viruses isn't that they escape, it's that the virus detects the VM and shuts itself down so that you cannot analyze it.

Robert David Graham
0

I'd just build a virtual machine and drop WebGoat on it (Windows or Linux) and use a network address that isn't routable to your host machine or network. Then create another virtual machine with Samurai WTF that can talk to your WebGoat machine as your client for testing WebGoat.

ash
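A way to check the layout described in the answer above on VirtualBox, added here as an example and not part of any answer: the function reads `VBoxManage showvminfo <vm> --machinereadable` output and flags every adapter that is not on an allowed attachment type. The VM name `webgoat-lab`, the internal network name `pentestlab` and the sample output are constructed for illustration.

```shell
# Added example. Attaching both lab VMs to one internal network would look like:
#   VBoxManage modifyvm webgoat-lab --nic1 intnet --intnet1 pentestlab
# (webgoat-lab and pentestlab are hypothetical names.)

# Constructed sample of `VBoxManage showvminfo webgoat-lab --machinereadable`:
# adapter 1 is on the internal lab network, adapter 2 was left on NAT by mistake.
SAMPLE_WEBGOAT_VM='name="webgoat-lab"
nic1="intnet"
intnet1="pentestlab"
nictype1="82540EM"
nic2="nat"
nictype2="82540EM"
nic3="none"'

# audit_vm_nics [ALLOWED_MODES]
# Reads machine-readable VM info on stdin. ALLOWED_MODES is a space-separated
# list of attachment types considered safe (default: "intnet"); "none" is
# always accepted. Prints one line per adapter outside the list and returns 1
# if any was found, 0 otherwise.
audit_vm_nics() {
    allowed="${1:-intnet}"
    awk -F= -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            ok["none"] = 1
        }
        # Match only nicN="mode" lines, not nictypeN=, nicspeedN= or natnetN=.
        /^nic[0-9]+=/ {
            mode = $2
            gsub(/"/, "", mode)
            if (mode in ok) next
            print $1 ": " mode
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Real use, on the host:
#   VBoxManage showvminfo webgoat-lab --machinereadable | audit_vm_nics intnet
```

Pass `"intnet hostonly"` as the allowed list if the host itself is meant to reach the VM over a host-only adapter.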
0

Apply a rule in the VM firewall. Let's say, only accept connections from your host and only on port 80 or 8080 or/and any other vulnerable web app you'd have installed.

dgarcia
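The firewall rule described in the answer above, written out as an added example (not part of the answer) for a Linux guest using iptables: the function emits an `iptables-restore` ruleset that drops all inbound traffic except TCP from one host address to the listed ports. The address `192.168.56.1` used in the comments is an assumption (the usual host side of VirtualBox's first host-only network); substitute your own.

```shell
# valid_ipv4 ADDR: succeed only for a plain dotted-quad address (no CIDR, no names).
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# lab_guest_rules HOST_IP [PORT...]
# Prints an iptables-restore ruleset for the guest; ports default to 80 and 8080.
# Returns 2 without printing any rules if an argument is invalid.
lab_guest_rules() {
    valid_ipv4 "${1:-}" || { echo "invalid host address: ${1:-}" >&2; return 2; }
    host_ip="$1"; shift
    [ "$#" -gt 0 ] || set -- 80 8080
    for port in "$@"; do
        case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;; esac
        { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || {
            echo "port out of range: $port" >&2; return 2; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default: drop everything inbound
    echo ':FORWARD DROP [0:0]'    # the guest never routes for anyone
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -s $host_ip/32 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Real use, inside the guest (assumed host address):
#   lab_guest_rules 192.168.56.1 80 8080 | sudo iptables-restore
```

Because the default INPUT policy is DROP, a web server left running when the laptop joins another network still answers only the one host address.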