In the realm of cybersecurity, practical experience is key to understanding and defending against various threats. This guide outlines the process of setting up a comprehensive web application security lab, focusing on the installation and configuration of DVWA (Damn Vulnerable Web Application), Suricata IDS/IPS, and ModSecurity WAF. This lab environment will allow you to simulate attacks, test security measures, and observe how different tools respond to various threats.
1. Installing DVWA on Ubuntu Virtual Machine
To get started, you’ll need to set up DVWA on an Ubuntu Virtual Machine. DVWA is a PHP/MySQL web application that is damn vulnerable, designed for security professionals to practice vulnerability testing. Below are the requirements and steps to install it:
Requirements:
✔️ Apache2, PHP, and MySQL or MariaDB (the command below installs MariaDB)
Installation Commands:
sudo apt update
sudo apt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php
Next, install DVWA with the third-party install script below. The one-liner pipes a remote script straight into a root shell, so if you would rather not run unreviewed code as root, download the script and read it before executing it:
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"
Once the script finishes, DVWA is installed and served by Apache, ready for testing.
2. Setting up Suricata IDS/IPS
Suricata is an open-source IDS/IPS (Intrusion Detection System/Intrusion Prevention System) capable of real-time intrusion detection, inline intrusion prevention, and network monitoring. Here’s how to set it up:
Configuration:
- Set HOME_NET (under vars / address-groups) to your lab subnet; my lab uses 192.168.144.0/24. The rules use HOME_NET to tell your own hosts from external ones, so it must match the network you attack from and to.
- Open the configuration file to make that change and the interface change below:
sudo nano /etc/suricata/suricata.yaml
Update the interface name in the af-packet section (the file ships with eth0; use the name that ip -br link shows for your VM). Then enable and start Suricata:
sudo systemctl enable suricata
sudo systemctl start suricata
Validate the configuration and the loaded rules with:
suricata -T -c /etc/suricata/suricata.yaml -v
Visit the test page (http://testmynids.org/uid/index.html) and check /var/log/suricata/fast.log. The page serves a fake "uid=0(root) gid=0(root)" response, which the ET Open rule "GPL ATTACK_RESPONSE id check returned root" (sid 2100498) matches, so an alert for it in fast.log shows the setup is working. This needs a rule set loaded; sudo suricata-update fetches the ET Open rules.
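The Suricata steps above as one script, added here as an example (not code from the original post): it rewrites HOME_NET and the af-packet interface in suricata.yaml, validates the configuration, and counts the expected testmynids.org alert in fast.log. It assumes the lab subnet 192.168.144.0/24, an interface named enp0s3 (use the name ip -br link prints for your VM), and the stock Ubuntu package paths; the fast.log line quoted in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the Suricata steps above as
# a script, plus a check that the testmynids.org alert really landed.
# Assumptions: lab subnet 192.168.144.0/24, interface enp0s3 (use the
# name `ip -br link` prints for your VM), stock Ubuntu package paths.

LAB_NET=${LAB_NET:-192.168.144.0/24}
LAB_IFACE=${LAB_IFACE:-enp0s3}
YAML=${YAML:-/etc/suricata/suricata.yaml}

# Rewrite the HOME_NET line under vars/address-groups so rules can tell
# the lab hosts from the outside; the stock value is the RFC 1918 ranges.
set_home_net() {                       # $1 = suricata.yaml, $2 = CIDR
  awk -v cidr="$2" '
    /^[ \t]*HOME_NET:/ { sub(/HOME_NET:.*/, "HOME_NET: \"[" cidr "]\"") }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Replace only the first "- interface:" entry (the af-packet capture
# interface, shipped as eth0); the later "- interface: default" stays.
set_af_packet_iface() {                # $1 = suricata.yaml, $2 = iface
  awk -v iface="$2" '
    !done && /^[ \t]*- interface: / { sub(/- interface: .*/, "- interface: " iface); done = 1 }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of fast.log alerts for one signature id; a (constructed) line:
#   05/10/2024-14:02:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE ...
count_alerts() {                       # $1 = fast.log, $2 = sid
  grep -c "\[1:$2:" "$1" || true       # grep -c exits 1 on zero matches
}

# testmynids.org/uid/index.html serves a fake "uid=0(root) gid=0(root)"
# body, which matches the ET Open rule "GPL ATTACK_RESPONSE id check
# returned root" (sid 2100498) once suricata-update has installed rules.
TESTMYNIDS_SID=2100498

apply_suricata() {                     # run as root: LAB_APPLY=1 ./lab-suricata.sh
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  apt install -y suricata
  suricata-update                      # fetch ET Open into /var/lib/suricata/rules;
                                       # check default-rule-path in the yaml points there
  set_home_net "$YAML" "$LAB_NET"
  set_af_packet_iface "$YAML" "$LAB_IFACE"
  suricata -T -c "$YAML" -v            # validate config and rules before starting
  systemctl enable suricata
  systemctl restart suricata           # pick up the edited yaml
  curl -s -o /dev/null http://testmynids.org/uid/index.html
  sleep 2                              # give the alert time to reach fast.log
  echo "sid $TESTMYNIDS_SID alerts: $(count_alerts /var/log/suricata/fast.log "$TESTMYNIDS_SID")"
}

if [ "${LAB_APPLY:-0}" = 1 ]; then apply_suricata; fi
```

Run it as root with LAB_APPLY=1 to apply the changes; without that variable it only defines the functions, so the two rewrite helpers can be tried on a copy of suricata.yaml first. A count of 0 after the curl usually means no rules are loaded (suricata-update not run, or default-rule-path pointing elsewhere) or HOME_NET does not include the VM.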
3. Configuring Web Application Firewall (WAF) with ModSecurity
For enhanced security, I configured ModSecurity WAF to protect the DVWA web application. Follow these steps to set it up:
sudo apt install libapache2-mod-security2
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
nano /etc/modsecurity/modsecurity.conf
Change SecRuleEngine from DetectionOnly (log only, never block) to On so ModSecurity blocks matching requests, then restart Apache (sudo systemctl restart apache2). Note that modsecurity.conf only configures the engine; the rules that actually recognise SQL injection, XSS and command injection come from the OWASP Core Rule Set, which the Ubuntu libapache2-mod-security2 package installs as the recommended package modsecurity-crs and which /etc/apache2/mods-enabled/security2.conf loads. With the WAF active, you can now test the web application against various attacks.
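The ModSecurity switch-over as a script, added here as an example (not code from the original post): it rewrites the SecRuleEngine directive, reads it back, checks that the Core Rule Set is included from security2.conf, and restarts Apache only if the configuration still parses. The paths are the stock Ubuntu ones and are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): switch ModSecurity from
# detection-only to blocking, confirm Apache still parses its config,
# and check that the OWASP CRS is actually being loaded, since the base
# modsecurity.conf sets engine options but carries no attack rules.
# Assumed paths are the stock Ubuntu ones.

CONF=${CONF:-/etc/modsecurity/modsecurity.conf}
SEC2=${SEC2:-/etc/apache2/mods-enabled/security2.conf}

# Current engine mode: DetectionOnly (log, never block), On (block), Off.
get_rule_engine() {                    # $1 = modsecurity.conf
  awk '/^[ \t]*SecRuleEngine[ \t]/ { print $2 }' "$1"
}

# Rewrite the SecRuleEngine directive in place; every other line is kept.
set_rule_engine() {                    # $1 = modsecurity.conf, $2 = On|DetectionOnly|Off
  awk -v mode="$2" '
    /^[ \t]*SecRuleEngine[ \t]/ { $0 = "SecRuleEngine " mode }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Debian/Ubuntu load the CRS through an IncludeOptional line in
# security2.conf; without it the engine is On but blocks almost nothing.
crs_included() {                       # $1 = security2.conf
  grep -q 'modsecurity-crs' "$1"
}

apply_modsecurity() {                  # run as root: LAB_APPLY=1 ./lab-modsec.sh
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  apt install -y libapache2-mod-security2    # Recommends: modsecurity-crs
  [ -f "$CONF" ] || cp "$CONF-recommended" "$CONF"
  echo "before: SecRuleEngine $(get_rule_engine "$CONF")"
  set_rule_engine "$CONF" On
  echo "after:  SecRuleEngine $(get_rule_engine "$CONF")"
  crs_included "$SEC2" || echo "warning: CRS not included from $SEC2; install modsecurity-crs" >&2
  apachectl configtest && systemctl restart apache2   # restart only on a clean parse
}

if [ "${LAB_APPLY:-0}" = 1 ]; then apply_modsecurity; fi
```

Copying rather than moving the recommended file keeps the pristine template around for later diffs; otherwise the behaviour matches the mv in the steps above.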
4. Testing the Web Application Security
With everything set up, it’s time to test the security measures using various attack vectors:
SQL Injection (SQLi): The objective here was to test whether the stack catches SQL injection attempts. Using sqlmap, I targeted the SQL injection module in DVWA. The injection was unsuccessful: every request came back 403 Forbidden from ModSecurity. Suricata plays no part in the blocking here; with af-packet in its default IDS mode it only observes the traffic, so it records the requests and the 403 responses but does not return them.
The transactions are visible with "tail -f /var/log/suricata/http.log" (http-log must be enabled in the outputs section of suricata.yaml; it is off by default), showing each sqlmap request answered with 403 Forbidden.
The ModSecurity audit log (tail -f /var/log/apache2/modsec_audit.log) shows the same requests together with the rule that denied them and the 403 response.
Cross-Site Scripting (XSS): Next, I attempted a cross-site scripting attack by submitting a script tag through the DVWA XSS module. The response was again 403 Forbidden, confirming that the WAF blocked the attack.
Command Injection: Finally, I tested for command injection. The WAF blocked these attempts as well. A 403 on these stock payloads shows the rule set is active and blocking in front of DVWA; it does not mean the underlying flaws are gone, since DVWA stays vulnerable behind the WAF and a payload the rules do not recognise would still reach it.
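The three probes from this section sent with curl, plus a summary of what ModSecurity denied according to its audit log, added as an example that is not the author's code. It assumes DVWA is reachable at http://192.168.144.20/DVWA (set BASE to your VM), the stock DVWA module paths (vulnerabilities/sqli/, xss_r/, exec/), and the serial audit-log format ModSecurity 2.x writes to /var/log/apache2/modsec_audit.log; the audit-log excerpt used to exercise the log functions is constructed.

```shell
#!/usr/bin/env bash
# Added example (not the author's code): the three probes from this
# section sent with curl, and a summary of what ModSecurity denied from
# its audit log. Assumed: DVWA at http://192.168.144.20/DVWA (adjust
# BASE), the stock DVWA module paths, and the serial audit-log format
# written by ModSecurity 2.x to /var/log/apache2/modsec_audit.log.

BASE=${BASE:-http://192.168.144.20/DVWA}
AUDIT=${AUDIT:-/var/log/apache2/modsec_audit.log}

# Send one request and print only the status code: 403 = blocked by the
# WAF, anything else = it reached DVWA. The rules run before PHP, so no
# login cookie is needed for the WAF to see the payload.
probe() {                              # $1 = label, rest = curl args, URL last
  label=$1; shift
  code=$(curl -s -o /dev/null -w '%{http_code}' "$@")
  printf '%-22s HTTP %s\n' "$label" "$code"
}

run_probes() {
  probe "SQLi (sqli module)"  --get --data-urlencode "id=1' OR 1=1-- -" \
        --data-urlencode "Submit=Submit" "$BASE/vulnerabilities/sqli/"
  probe "XSS (xss_r module)"  --get --data-urlencode "name=<script>alert(1)</script>" \
        "$BASE/vulnerabilities/xss_r/"
  probe "CMDi (exec module)"  --data-urlencode "ip=127.0.0.1;id" \
        --data-urlencode "Submit=Submit" "$BASE/vulnerabilities/exec/"
}

# How many transactions the WAF denied (one "Access denied" message each).
denied_count() {                       # $1 = modsec_audit.log
  grep -c 'Access denied with code 403' "$1" || true
}

# "<rule id> <msg>" for each denial. With the CRS in its default
# anomaly-scoring mode the denying rule is 949110; the rules that
# actually matched the payload (942100, 941100, 932100, ...) appear as
# "Warning." messages in the same H section of the audit log.
denied_rules() {                       # $1 = modsec_audit.log
  grep 'Access denied with code 403' "$1" \
    | sed -n 's/.*\[id "\([0-9]*\)"].*\[msg "\([^"]*\)"].*/\1 \2/p'
}

# Every rule id that fired, most frequent first.
hits_by_rule() {                       # $1 = modsec_audit.log
  grep -o '\[id "[0-9]*"]' "$1" | sort | uniq -c | sort -rn
}

if [ "${RUN_PROBES:-0}" = 1 ]; then
  run_probes
  echo "denied so far: $(denied_count "$AUDIT")"
  denied_rules "$AUDIT"
fi
```

Run with RUN_PROBES=1 against the lab VM; for a quick before/after comparison, set SecRuleEngine back to DetectionOnly, run the probes again, and the same payloads return 200 while the audit log still records the Warning messages.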
By following the steps outlined in this guide, you can create a secure lab environment to test and enhance your cybersecurity skills. The combination of DVWA, Suricata, and ModSecurity WAF provides a robust setup to simulate and defend against various web application attacks.
Md Mesbaul Islam, Cyber Security Researcher & Ethical Hacker
Want to read with POC? Here is the Medium link