"hackazon_用户手册" (Hackazon User Manual, 141-page collector's edition) was shared by a member and can be read online; search 金锄头文库 for more related material.
Hackazon User's Guide

Contents

Contents 2
Introduction 4
Hackazon setup for a Windows machine 5
WampServer setup 6
Hackazon setup for a Linux (Ubuntu) machine 15
Hackazon installation wizard 23
Default configuration 26
Application features 27
Administrator interface 28
Create SQL injection vulnerability 28
How to conduct a manual test against Hackazon 31
How to find vulnerabilities from the Hackazon application 34
How to test the Hackazon mobile application using AppSpider 44
Install Android emulator 44
Install Hackazon application in the Android emulator 44
Configuring the proxy 45
Capture mobile application traffic 47
Import recorded traffic into AppSpider 50
How to test the Hackazon web application using AppSpider 59
Attack policy 61
Authentication 62
Browser Macro 63
Scan summary 67
Reporting 69
How to test a REST API using AppSpider 76
Example of proxy setup in OWASP ZAP and Android emulator 76
Test REST API manually using OWASP ZAP 77
Testing a REST API using AppSpider 91
How to create a custom attack module 101
Create a C# class library 101
Add new DLL reference 102
Creating classes 103
Create configuration files 107
Edit configuration file 109
Running a scan using a custom attack module 110
How to conduct mobile application testing using the WiFi Pineapple 111
WiFi Pineapple setup with your machine 111
Create an open wireless network 116
Monitor mobile application traffic 121
Import recorded traffic into AppSpider 125
AppSpider Swagger Utility 133
Accessing the Swagger Utility 133
Creating a new scan configuration 137

Introduction

Hackazon is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hackazon simulates a "real-world" e-commerce application which was built with a number of known and common vulnerabilities such as SQL injection and cross-site scripting. This allows you to attempt real exploits against a web application and understand the specifics of the issue, and how to resolve it.

Most security researchers would agree that insufficient (or, sadly, often the absence of) data validation is the leading cause of software security vulnerabilities. Buffer overflows, SQL injection and cross-site scripting can all be prevented through proper data validation. As for the performance effect, in our experience that is often negligible compared to the rest of the application, which is typically performing both CPU- and I/O-intensive operations such as encryption and database/file access.

Hackazon allows you to see how easily a number of issues can be detected with AppSpider, a specialized application security tool that automates manual testing processes. By experiencing firsthand both the attack and what made it possible, we believe you can be trained to recognize the potential for such problems occurring in your own application(s). In turn, increased knowledge and skill will motivate you to fix current problems before they are exploited, as well as build future applications to be secure from day one of the software development lifecycle.

Disclaimer: Hackazon is riddled with vulnerabilities by design. Use of Hackazon can cause system compromise and Rapid7 accepts no liability for the same. We strongly advise users not to use the application on production systems. Any download, installation, or use of Hackazon is entirely at the user's own risk.

Hackazon setup for a Windows machine

Hackazon is available on the Rapid7 GitHub page and can be downloaded from the following link:

Hackazon: https:/

1. Click the Download ZIP button to download the source code.
2. Unzip Hackazon_master.zip into C:\home\hackazon.

WampServer setup

Hackazon is a PHP web application and requires the PHP framework, an Apache server, and a MySQL database. For an all-in-one Windows web development environment, you can use WampServer.
It allows you to create web applications with the PHP framework, an Apache server, and a MySQL database. WampServer can be downloaded from the following link:

WampServer: http:/

1. Complete the WampServer Setup Wizard.
2. Launch WampServer.
3. Click on the WampServer system tray icon.
4. Navigate to Apache -> Apache modules -> rewrite_module.

Modify the file C:\wamp\bin\apache\apache2.4.9\conf\httpd.conf:

5. Change DocumentRoot "c:/wamp/www/" to: DocumentRoot "c:/home/hackazon/web/"
6. Change to:
7. Rename C:\home\hackazon\assets\config\db.sample.php to C:\home\hackazon\assets\config\db.php.
8. Open a MySQL console from the system tray.
9. Press ENTER on your keyboard when the MySQL console asks for a password.
10. Enter the following commands into the MySQL console.
11. Create the Hackazon database: create database hackazon;
12. Assign database credentials: GRANT ALL ON hackazon.* TO hackazon@localhost IDENTIFIED BY 'InsertPasswordHere';

Note: The password that you provide will be used to authenticate the Hackazon DB Settings as part of the Hackazon Installation Wizard.

13. Press ENTER on your keyboard to continue.
14. Navigate to WampServer -> Restart All Services.
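The following script is an added example, not part of the Hackazon guide or Rapid7's code. It checks the two httpd.conf edits from steps 4 and 5 (rewrite_module loaded, DocumentRoot pointing at the web\ folder rather than the repository root, so that assets\config\db.php with the database password is never inside the served tree) and generates the two MySQL statements from steps 11 and 12 with a random password in place of InsertPasswordHere and a grant scoped to the hackazon schema only. The httpd.conf excerpts and the default paths are constructed from the guide's values; the function names are my own.

```python
import re
import secrets
import posixpath

# Constructed excerpts, not real WampServer files: only the lines the guide
# touches (rewrite_module LoadModule line and DocumentRoot) before and after.
SAMPLE_HTTPD_CONF_BEFORE = """\
#LoadModule rewrite_module modules/mod_rewrite.so
DocumentRoot "c:/wamp/www/"
"""
SAMPLE_HTTPD_CONF_AFTER = """\
LoadModule rewrite_module modules/mod_rewrite.so
DocumentRoot "c:/home/hackazon/web/"
"""


def parse_httpd_conf(text):
    """Return (document_root, set of loaded module names) from an httpd.conf excerpt.
    Lines starting with '#' are comments and are skipped, as Apache does."""
    doc_root = None
    modules = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'DocumentRoot\s+"?([^"]+?)"?\s*$', line)
        if m:
            doc_root = m.group(1)
            continue
        m = re.match(r"LoadModule\s+(\S+)\s+\S+", line)
        if m:
            modules.add(m.group(1))
    return doc_root, modules


def _norm(path):
    """Normalise a Windows/Apache path for comparison: forward slashes, lower case, no trailing slash."""
    return posixpath.normpath(path.replace("\\", "/").lower().rstrip("/"))


def check_hackazon_httpd(conf_text, hackazon_root="c:/home/hackazon"):
    """Return a list of findings; empty when the config matches steps 4 and 5
    and the credential file assets/config/db.php is outside DocumentRoot."""
    findings = []
    doc_root, modules = parse_httpd_conf(conf_text)
    expected_root = _norm(hackazon_root + "/web")
    if doc_root is None:
        findings.append("no DocumentRoot directive found")
    elif _norm(doc_root) != expected_root:
        findings.append(f"DocumentRoot is {doc_root!r}, expected {expected_root}/ (step 5)")
    if "rewrite_module" not in modules:
        findings.append("rewrite_module is not loaded (step 4)")
    db_config = _norm(hackazon_root + "/assets/config/db.php")
    if doc_root is not None and db_config.startswith(_norm(doc_root) + "/"):
        findings.append("db.php lies inside DocumentRoot and could be served to clients")
    return findings


def generate_db_password(nbytes=24):
    """Random password to use instead of the guide's InsertPasswordHere placeholder."""
    return secrets.token_urlsafe(nbytes)


def build_db_setup_sql(password, db="hackazon", user="hackazon", host="localhost"):
    """Return the CREATE DATABASE and GRANT statements from steps 11 and 12.
    Identifiers are validated against a strict pattern and the password is
    quoted and escaped, so the output is safe to paste into the MySQL console."""
    for name in (db, user, host):
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError(f"unsafe identifier: {name!r}")
    escaped = password.replace("\\", "\\\\").replace("'", "\\'")
    return [
        f"CREATE DATABASE {db};",
        # Privileges limited to the hackazon schema (hackazon.*), never *.*
        f"GRANT ALL ON {db}.* TO '{user}'@'{host}' IDENTIFIED BY '{escaped}';",
    ]


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_HTTPD_CONF_BEFORE), ("after", SAMPLE_HTTPD_CONF_AFTER)):
        print(label, check_hackazon_httpd(conf) or "OK")
    for stmt in build_db_setup_sql(generate_db_password()):
        print(stmt)
```

The GRANT ... IDENTIFIED BY form shown in the guide is MySQL 5.x syntax; MySQL 8.0 removed it, so on a newer server run CREATE USER first and then a plain GRANT. The db.php check matters because the same password ends up in assets\config\db.php; with DocumentRoot on web\ that file is not reachable over HTTP.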