websecurity@lists.webappsec.org

The Web Security Mailing List


Deploying vulnerable web application online

Ihab Samara
Mon, Mar 19, 2012 1:40 PM

Hi List,

I am deploying a vulnerable web application for students (about 100) in a university, that they can test online, and I am collecting all the traffic for research purposes.

I am deploying this machine on an ESX hosting other machines, and am concerned about the security issues involved.

Any recommendations/links/tips available will be great.

Thanks
Ihab

Subin
Mon, Mar 19, 2012 4:49 PM

Hi,

If you deploy it in production/DMZ it could cause the host to be compromised, depending on the vulnerabilities it exposes.

If it's for the university students, why does it need to be public? It can be an intranet application; you can still analyze the traffic.

If it's behind the corporate firewall and proxy and has no access to production university data, though there's a risk, I guess it should be fine. (The firewall and proxy would defend against major attacks and the app can still be tested for web application vulnerabilities.)

Thanks
Subin

Sent from my iPhone

On Mar 19, 2012, at 9:40 AM, Ihab Samara <ihab24@hotmail.com> wrote:

> Hi List,
>
> I am deploying a vulnerable web application for students (about 100) in a university, that they can test online and am collecting all the traffic for research purposes.
>
> I am deploying this machine on an ESX hosting other machines, and am concerned about the security issues involved.
>
> Any recommendations/links/tips available will be great.
>
> Thanks
> Ihab
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Ukpong
Mon, Mar 19, 2012 5:01 PM

VMware has a hardening guide; make sure to apply that to the ESXi.

You also want to separate the machine from other machines using a firewall.
Check Point has fantastic virtual firewalls.
Rules should seek to:

  • prevent outbound from the machine to the outside world. You don't want
    somebody to compromise it and use it as an attacking machine.
  • prevent connection to the other machines, i.e. this machine should be in
    your DMZ.

Lastly, you should capture all the logs from the machine onto an external
machine using syslog, thus ensuring that you can detect attacks without
having to log onto the actual machine.

On Monday, March 19, 2012, Ihab Samara <ihab24@hotmail.com> wrote:

> Hi List,
>
> I am deploying a vulnerable web application for students (about 100) in a
> university, that they can test online and am collecting all the traffic for
> research purposes.
>
> I am deploying this machine on an ESX hosting other machines, and am
> concerned about the security issues involved.
>
> Any recommendations/links/tips available will be great.
>
> Thanks
> Ihab

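The two controls recommended in the reply above (block all egress from the vulnerable VM, and ship its logs to a separate syslog collector) pay off when you actually read the collector's feed. The script below is an added example for this thread, not code posted by any participant. It assumes an iptables LOG rule on the VM's OUTPUT chain with the hypothetical prefix "VULNAPP-EGRESS-DROP " in front of the DROP that blocks every new outbound connection except syslog to the collector, that rsyslog forwards the Apache access log under the tag "apache" from a host named "vulnapp", and that the lab network is 10.10.0.0/16. The sample feed is constructed for the example. Each blocked egress attempt is treated as a signal that someone got code execution on the box and is trying to call out or move to a neighbouring VM; the web-attack tagging is a small heuristic for the traffic the students are expected to generate.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample of what the central syslog collector would receive from
# the vulnerable VM (host name "vulnapp"). Two sources arrive in one feed:
#   - kernel lines from an iptables LOG rule on the VM's OUTPUT chain, assumed
#     here to use the prefix "VULNAPP-EGRESS-DROP " and to be followed by a
#     DROP of every NEW outbound connection other than syslog to the collector;
#   - Apache access-log lines (combined format) forwarded by rsyslog under the
#     tag "apache".
# None of these lines are real; they are made up for this example.
SAMPLE_FEED = """\
Mar 19 13:40:01 vulnapp apache: 10.10.20.15 - - [19/Mar/2012:13:40:01 +0200] "GET /index.php HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
Mar 19 13:40:05 vulnapp apache: 10.10.20.15 - - [19/Mar/2012:13:40:05 +0200] "GET /login.php?user=admin'%20OR%201=1--&pass=x HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
Mar 19 13:41:12 vulnapp apache: 10.10.20.33 - - [19/Mar/2012:13:41:12 +0200] "GET /search.php?q=<script>alert(1)</script> HTTP/1.1" 200 880 "-" "Mozilla/5.0"
Mar 19 13:42:30 vulnapp apache: 10.10.20.33 - - [19/Mar/2012:13:42:30 +0200] "GET /download.php?f=../../../../etc/passwd HTTP/1.1" 200 1893 "-" "curl/7.22"
Mar 19 13:43:02 vulnapp kernel: VULNAPP-EGRESS-DROP IN= OUT=eth0 SRC=10.10.50.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=4444 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 13:43:03 vulnapp kernel: VULNAPP-EGRESS-DROP IN= OUT=eth0 SRC=10.10.50.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51235 DPT=4444 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 13:43:40 vulnapp kernel: VULNAPP-EGRESS-DROP IN= OUT=eth0 SRC=10.10.50.5 DST=10.10.50.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4330 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 13:44:00 vulnapp apache: 10.10.20.15 - - [19/Mar/2012:13:44:00 +0200] "POST /comment.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# BSD-syslog style line as rsyslog forwards it: timestamp, host, tag, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[\w./-]+):\s*(?P<msg>.*)$"
)
# Fields of the iptables LOG line we care about (prefix is an assumption).
EGRESS_RE = re.compile(
    r"VULNAPP-EGRESS-DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)
# Apache combined log format: client, ident, user, [time], "request", status, size.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Deliberately small signature set: enough to tag the classic student attacks,
# not a WAF. Matching is done on the percent-decoded path.
WEB_ATTACK_PATTERNS = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|;\s*drop\s", re.I),
    "xss": re.compile(r"<script\b|javascript:|\bon(error|load|mouseover|click)\s*=", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
}


def parse_feed(text):
    """Turn the raw collector feed into a list of typed events."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; keep going, never raise
        tag, msg = m.group("tag"), m.group("msg")
        if tag == "kernel":
            e = EGRESS_RE.search(msg)
            if e:
                events.append({"kind": "egress_drop", "ts": m.group("ts"),
                               "src": e.group("src"), "dst": e.group("dst"),
                               "proto": e.group("proto"),
                               "dport": int(e.group("dpt")) if e.group("dpt") else None})
        elif tag == "apache":
            a = ACCESS_RE.match(msg)
            if a:
                path = unquote(a.group("path"))
                attacks = [n for n, rx in WEB_ATTACK_PATTERNS.items() if rx.search(path)]
                events.append({"kind": "http", "ts": m.group("ts"),
                               "client": a.group("client"), "method": a.group("method"),
                               "path": path, "status": int(a.group("status")),
                               "attacks": attacks})
    return events


def summarize(events):
    """Blocked egress per destination, and tagged web attacks per student IP."""
    egress = Counter()
    web = defaultdict(Counter)
    for ev in events:
        if ev["kind"] == "egress_drop":
            egress[(ev["dst"], ev["dport"])] += 1
        elif ev["kind"] == "http":
            for name in ev["attacks"]:
                web[ev["client"]][name] += 1
    return {"egress_attempts": dict(egress),
            "web_attacks": {c: dict(v) for c, v in web.items()}}


def egress_alerts(events, lab_net="10.10.0.0/16"):
    """Every blocked outbound connection is an alert: the VM should never
    initiate one. Label it lateral (inside the lab net) or external."""
    net = ipaddress.ip_network(lab_net)
    out = []
    for ev in events:
        if ev["kind"] != "egress_drop":
            continue
        scope = "lateral" if ipaddress.ip_address(ev["dst"]) in net else "external"
        out.append(f"{ev['ts']} {scope} egress attempt {ev['src']} -> "
                   f"{ev['dst']}:{ev['dport']} ({ev['proto']}) blocked")
    return out


if __name__ == "__main__":
    evs = parse_feed(SAMPLE_FEED)
    for alert in egress_alerts(evs):
        print(alert)
    print(summarize(evs))
```

Run against the constructed feed this reports two blocked connections to 203.0.113.9:4444 and one to a neighbouring VM on port 22, which is exactly the "somebody compromised it and is using it as an attacking machine" case the reply warns about, plus one SQLi attempt from 10.10.20.15 and an XSS and a traversal attempt from 10.10.20.33. Because the evidence lives on the collector, it survives even if the attacker wipes the VM's local logs. Two caveats a practitioner should keep in mind: UDP syslog from a compromised box can be forged or flooded, so the collector should accept that feed only from the VM's address, rate-limit it and keep it apart from other hosts' logs; and the signature set here is intentionally crude, so treat the web-attack counts as a research convenience, not as a detection product.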