- ModSecurity (+DVWA) Research Lab
| Category | Specs |
|---|---|
| OS | Kali Linux 2023.1 (ISO File) |
| VM Platform | VMware |
| Network Adapter | NAT |
| Apache Version | Apache/2.4.55 (Debian) |
| PHP Version | 8.2.2 |
If your PHP version is different, i would like to recommend to use PHP 8.2, you should always have the latest PHP and Apache version through the latest Kali Linux release. For instance, Kali Linux 2021 supports PHP 7.4, we should have some step to update it to that version. Go to script folder, run executable file as root user:
sudo chmod 777 setup-php8.2-environment.sh
sudo ./setup-php8.2-environment.shNow check PHP version again !
If you know how to set up DVWA and ModSecurity, please proceed to ... . Otherwise, you can follow my instructions or reference to below links:
DVWA: https://github.com/digininja/DVWA
Modsecurity: https://github.com/SpiderLabs/ModSecurity
DVWA stands for Damn Vulnerable Web Application, it is a PHP/MySQL web application that contains a variety of known vulnerabilities, . It was designed to help web developers and security professionals learn about web application security
The application is divided into different security levels, ranging from low to high
By defautl, codebase of Apache Server is deployed at /var/www/html
cd /var/www/htmlPlacing all the repo's source code in here.
git clone https://github.com/digininja/DVWA.gitChange permission(full-privileged) for execution:
sudo chmod 777 DVWAStart apache2 service:
sudo service apache2 startBrowse to http://127.0.0.1/; if you see this, you have successfully deployed the Apache server.
Then following instruction in repo from here, DVWA offers a dummy copy of its config file for you to copy into place and then make the appropriate changes
cd DVWA
sudo cp config/config.inc.php.dist config/config.inc.phpAccess to http://127.0.0.1/DVWA. You should be able to see the Welcome Page:
Start mysql and mariadb service:
sudo service mysql start
sudo service mariadb startAccess user root for making changes to database:
sudo mysql -u root -pEnter your system password. Then go through each of the following command respectively to create user dvwa with default password (P@ssw0rd) in config/config.inc.php:
create database dvwa;
create user dvwa@localhost identified by 'p@ssw0rd';
grant all on dvwa.* to dvwa@localhost;
flush privileges;
use dvwa;
exit;Access http://127.0.0.1/DVWA/setup.php for final setup, click on "Create/Reset database". Then you're able to access challenge resources. These are enough for basic WAF testing.
Note1: Default login credential (username-password):
admin-password
Note2: In main page, go to "DVWA Security" tab and set the difficulty to
Lowfor quick testing. Go to SQL Injection and type1'in placeholder, if popping up an error message page it means it's working.
After setting up with basic resources, we're good to go and test the demo website; but in case you want all challenge to be avaiable, refer to this section. Go to http://127.0.0.1/DVWA/setup.php to check the available function's status:
PHP function allow_url_include
Go to PHP configuration file at /etc/php/{YOUR_PHP_VERSION}/apache2/php.ini. For example, in my system:
sudo nano /etc/php/8.2/apache2/php.iniCtrl + W to search -> Type "allow_url_include" -> Enter -> Rewrite "Off" to "On" -> Save
Restart service apache2
sudo service apache2 restartPHP module gd
Install php-gd
sudo apt update
sudo apt install php8.2-gdNote: My current PHP version is 8.2 which supports
php8.2-gd. Use can examine whether a PHP version support additional module byapt, for example:
sudo apt-cache pkgnames | grep "php8.2"Then find the appropriate version for Apache2
sudo apt-cache pkgnames | grep "apache2" | grep phpWritable folder /var/www/html/DVWA/hackable/uploads/
By default, user www-data is used to run the webserver. As above, we've changed permission to 777 and used as root user, so this section turned to Yes; if not, for properly configured
sudo chown www-data -R /var/www/html/DVWA/hackable/uploads/Writable folder /var/www/html/DVWA/config
sudo chown www-data -R /var/www/html/DVWA/configreCAPTCHA key
This key is only required when you are intending to expose this website to public access. [Follow official repo] This setup is very simple. Edit file config/config.inc.php:
$_DVWA[ 'recaptcha_public_key' ] & $_DVWA[ 'recaptcha_private_key' ]These values need to be generated from: https://www.google.com/recaptcha/admin/create
That's all, I just love the "green" color :>
ModSecurity is a web application firewall (WAF) that provides an additional layer of security for web applications. It is an open source module for the Apache, IIS and Nginx HTTP Server that helps protect websites having web vulnerabilities (SQLi, XSS, Path Traversal, ...).
The module works by analyzing incoming HTTP requests and applying a set of rules to identify and block potential attacks. These rules can be customized to meet the specific security requirements of a website or application.
List of comprehensive functions:
- Prevent attacks to web application (Apache support)
- Open-source
- Logging and monitoring
- SSL/TLS support
- Customizable rules
Deployment method:
- Embedded : deploy along with Web Server itself (one VM only)
- Reverse Proxy : seperate as a node standing in front of Web Server
Source: https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/
sudo apt install libapache2-mod-security2 -yAfter installing ModSecurity, enable the Apache 2 headers module by running the following command:
sudo a2enmod headersRestart the service
sudo systemctl restart apache2Use the default configuration file
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.confEdit /etc/modsecurity/modsecurity.conf, change the value for SecRuleEngine to On. Then apply it:
sudo systemctl restart apache2Setting Up the OWASP ModSecurity Core Rule Set (Official repo).
This is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top 10, with a minimum of false alerts
Delete the current rule set that comes prepackaged with ModSecurity
sudo rm -rf /usr/share/modsecurity-crsClone CRS(Core Rule Set) from repo and save it to /usr/share/modsecurity-crs
sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crsUse crs-setup.conf.example as configuration file
sudo cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.confsudo cp /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.confEnable ModSecurity in the Apache configuration file as a modification module. Edit /etc/apache2/mods-available/security2.conf to include it in config file:
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
Include /usr/share/modsecurity-crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
</IfModule>Edit /etc/apache2/sites-enabled/000-default.conf, add SecRuleEngine directive to On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SecRuleEngine On
</VirtualHost>Restart the service
sudo systemctl restart apache2curl http://127.0.0.1/DVWA/?exec=/bin/bashThe returning result should be like below
<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr />
<address>Apache/2.4.51 (Debian) Server at 127.0.0.1 Port 80</address>
</body>
</html>Go to lab for research tutorial. There will be more instructions
Go to script. There would be also some guides and scripts for automation install everything