
SSL Website for penetration testing



I really enjoy penetration testing and I want to do penetration testing on a website. I need your help! It has to fit my criteria.

Website criteria:

It has to be made to have pen-testing done on it.

The website has to have SSL and secure client renegotiation.

The web server has to be small and has to have no firewall or protection.


Look at (locally) installing a vulnerable Linux distro:

Metasploitable, DVWA, bWAPP, Mutillidae, WebGoat (although the last few are vulnerable web apps).

There is also Hack.Me, a community project where people upload vulnerable sandboxes for others to practice against.

Troy Hunt has an online vulnerable web app to test against: http://hackyourselffirst.troyhunt.com

Proper attribution: The relevant info from this message came from here.


Simply get one that has an Apache install, change its config so that it also provides SSL access to the same website (create a self-signed cert and reference it in the config) and you should be good to go.

Last Tuesday I was at a client that had a really annoying SSL problem. The setup was that a request enters the DMZ and reaches our Reverse Proxy. For reasons specific to this customer this request then needs to be proxied on to a second Reverse Proxy that's located within the LAN. All traffic here is SSL, but the RP in the DMZ has a real cert whereas the one in the LAN was a self-signed one. Both RPs were Apache 2.2 installs. Sometime last year our product got an upgrade which included the RP that was now running Apache 2.4 and right from the start the traffic with the LAN RP would be blocked. Eventually a nasty workaround was found: give the DMZ RP an extra network adapter straight into the LAN and let it forward the traffic straight through to the machine the LAN RP was supposed to send it to.

Euwwww. Yes, indeed.

So last Tuesday I was tasked to go to this customer and solve this problem. Got Wireshark and the LAN RP private key loaded so I could look at the traffic. Had to disallow the use of Diffie-Hellman because DH allows both sides to agree on a random to initialise their encryption with in such a way that Wireshark couldn't (wouldn't?) see it and use it to fully decrypt the traffic.

Eventually I did find out what the problem was: The LAN RP cert had expired over a year ago and Apache 2.2 was a-okay with that whereas Apache 2.4 on noticing the expired cert immediately dropped the connection without logging much of anything about it.

Learned a lot about SSL handshakes that day. :smile:

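As an added example (not code from any post in this thread), a small POSIX shell script that does what the post above describes: it generates a self-signed cert, prints the Apache 2.4 SSL vhost that references it, and checks the cert's expiry with openssl, which is the check that would have caught the expired LAN RP cert before Apache 2.4 silently dropped the connection. It assumes openssl is installed; the host name, directories and DocumentRoot are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): make a self-signed cert for a lab
# Apache SSL vhost and check its expiry before a newer Apache rejects it.
# Assumes openssl is installed; the host name and paths are constructed.
set -e

# Generate a self-signed certificate and key valid for DAYS days.
make_self_signed_cert() {          # usage: make_self_signed_cert DIR HOST DAYS
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -days "$days" -subj "/CN=$host" >/dev/null 2>&1
}

# Print an Apache 2.4 vhost that serves the same DocumentRoot over TLS.
apache_ssl_vhost() {               # usage: apache_ssl_vhost HOST DIR DOCROOT
    host=$1; dir=$2; docroot=$3
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile    $dir/$host.crt
    SSLCertificateKeyFile $dir/$host.key
</VirtualHost>
EOF
}

# Return 0 if the cert is still valid SECONDS from now, 1 if it will have
# expired by then (the thread's silent failure was an already-expired cert).
cert_valid_for() {                 # usage: cert_valid_for CERT SECONDS
    openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Demo: a 1-day cert passes "valid now" but fails "still valid in 2 days".
labdir=$(mktemp -d)
make_self_signed_cert "$labdir" lab.example.test 1
apache_ssl_vhost lab.example.test "$labdir" /var/www/html
if cert_valid_for "$labdir/lab.example.test.crt" 0; then
    echo "cert valid now"
fi
if ! cert_valid_for "$labdir/lab.example.test.crt" 172800; then
    echo "cert expires within 2 days: renew it before Apache 2.4 drops the connection"
fi
```

Run `cert_valid_for` against the LAN RP's cert file (or one fetched with `openssl s_client`) from cron to get the warning that Apache 2.4 never logged.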

I really enjoy penetration testing and I want to do penetration testing on a website.


The web server has to be small and has to have no firewall or protection.

[...] I want the server online so I have to do port forwarding.

You don't need to employ port forwarding to do penetration testing on your own website. Just try to hack it from within your LAN or put it on a virtual and hack that from the host so you don't even need an extra machine.

Finally, you don't want to put a webserver on the internet with "no firewall or protection". That's just asking for problems.

Edited by Cooper
