##Session 6: Security Testing
The aim of this session is to help tester to kick start the Security Testing journey.
####Agenda:
- Quick brief on Security Testing
- Tools for using
- Web - browser (Chrome, Firefox, IE)
- Burbsuite
- OWASP ZAP
- ...
- Hands-on Test Lab
####Installation Instruction ######Prerequisite packages:
Ruby and related Gems
- For Unix:
curl -sSL https://get.rvm.io | bash -s stable --ruby- For Windows: download and install Ruby then Install DevKit (package is to support Ruby to build native package during gem installation).
You should choose a non-space in full path as the destination for the kit. i.e C:\DevKit, then add C:\DevKit\bin;C:\DevKit\mingw\bin to your System PATH (type below command on prompt)
SET PATH=C:\Devkit\bin;C:\Devkit\mingw\bin;%PATH%- After Ruby is installed, run below commands to install gems
sudo gem install bundler
bundle installJDK (version >= 1.7): you should grab it from Oracle Website ######Checkout project from GitHub and setup the test lab
- We will use Railsgoat app as test lab for this session. This is a Ruby-Rails web app which was designed to demonstrate OWASP Top 10
git clone https://github.com/SydneyTestersBootcamp/sydneyTestersBootcamp.git
git clone https://github.com/OWASP/railsgoat.git
cd railsgoat
bundle install- If you don't have git, you can find it here.
- If gem installation finishes successfully (you see no error), you can start the lab as below:
rake db:setup (to setup a clean DB with some seed data)
rails server (start up server at port 3000)- You now can access to the lab via http://localhost:3000/
- NOTE: you should now disconnect your computer from network since the Security Test Lab was purposely setup with security holes, hence would leave your PC openned for being attacked
######Important time saving note Since downloading and compiling gems make take long time, please run above command prior coming to the session
######Additional tools
- Burp Suite (Free version): Web Pen Testing Toolsuite Download Here
- DB tool: Universal DB Client tool. Download Here
- Webgoat: Another Security Test Lab using Java stack. Download Here
- Webgoat.net: Another Security Test Lab using .NET stack. https://github.com/jerryhoff/WebGoat.NET
####Common issues Sometimes gems got failure during installation, in that case try to follow the last instruction from the log that outputed to screen). If even the instruction doesn't help, then post it up on the Sydney Tester Bootcamp wall.
####Reading Material
- OWASP Top 10: List of top 10 security issues. Please make sure you go through this before the session.
- Quick Youtube video on how to setup and use Burp Suite
- The Railsgoat application itself. Please register/login and go through pages of the website before joining the session.