Damn Vulnerable Web Application (DVWA) Installation script for Kali Linux


I recently needed to set up a series of labs for an introduction to security course.  I decided to use Kali Linux as the primary VM for all of the students and then install Damn Vulnerable Web Application (DVWA) to explore basic web security concepts.  Since this is an introductory course, I didn't want anyone to get too hung up on the installation of DVWA, so I went looking for a scalable way to help automate it (I still wanted the installation to be hands-on, after all).  I found a script to install DVWA on BackTrack 5 posted by Travis Phillips on The Unl33t Blog; it didn't quite work, but it was a great foundation for me to create an updated version.  The primary items that needed to be updated were the location to download DVWA from, any file-handling commands based on that download, and a few tweaks to creating and updating the database.  Create a script and copy/paste the contents below into the file.  Make sure to give the file execute permissions:

Website Security from a Business Perspective


I was recently asked to comment on the compromise, or hack – although I don't like to use that term in the context of criminal behavior – of a very popular regional website (see my comments here).  The site's homepage was replaced with an image of the Malaysian Coat of Arms and information about who was responsible for the attack.  While not a desirable event for any organization to endure, the attack could have been much worse.  How?  In this case, the site was used for the notoriety of the group responsible and not to attack the users of the site (read: the organization's customers and/or its data).  The downtime of the site was minimal; the real site was back online within minutes of the first reports of the defacement.  So how does an organization handle such an event?  This brings us into the oftentimes confusing world of security.  For anyone well versed in security, and website security in particular, you probably already have several ideas as to what happened.  For those not in security, you probably have no idea where to begin.  Instead of making this another article on the technical measures that can be put into place, I'm going to look at it from the business's perspective, and in particular from that of a business that either doesn't have security professionals on staff or has hired out its technology services and therefore relies exclusively on a third party.