Anonymous123 Posted January 17, 2015

I really enjoy penetration testing and I want to do penetration testing on a website. I need your help! It has to fit my criteria.

Website criteria:

- It has to be made to have pen-testing done on it.
- The website has to have SSL and secure client renegotiation.
- The web server has to be small and has to have no firewall or protection.

cooper Posted January 17, 2015

Look at (locally) installing a vulnerable Linux distro: Metasploitable, DVWA, bWAPP, Mutillidae, WebGoat (although the last few are vulnerable web apps).

There is also Hack.Me, a community project where people upload vulnerable sandboxes for others to practice against.

Troy Hunt has an online vulnerable web app to test against: http://hackyourselffirst.troyhunt.com

Proper attribution: The relevant info from this message came from here.

Anonymous123 Posted January 17, 2015

Thanks! You are very helpful!

Anonymous123 Posted January 17, 2015

Are there any that have SSL?

digip Posted January 18, 2015

Topic got me interested in the same, but have yet to set up any test machines. Check this out: http://support.citrix.com/article/CTX116557

cooper Posted January 18, 2015

Simply get one that has an Apache install, change its config so that it also provides SSL access to the same website (create a self-signed cert and reference it in the config) and you should be good to go.

Last Tuesday I was at a client that had a really annoying SSL problem. The setup was that a request enters the DMZ and reaches our Reverse Proxy. For reasons specific to this customer this request then needs to be proxied on to a second Reverse Proxy that's located within the LAN. All traffic here is SSL, but the RP in the DMZ has a real cert whereas the one in the LAN was a self-signed one. Both RPs were Apache 2.2 installs.

Sometime last year our product got an upgrade which included the RP that was now running Apache 2.4 and right from the start the traffic with the LAN RP would be blocked. Eventually a nasty workaround was found: give the DMZ RP an extra network adapter straight into the LAN and let it forward the traffic straight through to the machine the LAN RP was supposed to send it to. Euwwww. Yes, indeed.

So last Tuesday I was tasked to go to this customer and solve this problem. Got Wireshark and the LAN RP private key loaded so I could look at the traffic. Had to disallow the use of Diffie-Hellman because DH allows both sides to agree on a random to initialise their encryption with in such a way that Wireshark couldn't (wouldn't?) see it and use it to fully decrypt the traffic.

Eventually I did find out what the problem was: The LAN RP cert had expired over a year ago and Apache 2.2 was a-okay with that whereas Apache 2.4 on noticing the expired cert immediately dropped the connection without logging much of anything about it. Learned a lot about SSL handshakes that day.
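
The self-signed certificate suggested in the post above, together with an expiry check for the failure mode in the reverse-proxy story, as an added example that is not part of the original thread. It assumes the `openssl` command-line tool is installed; the function names and the `lab.example` hostname are made up for illustration.

```shell
#!/bin/sh
# Added example for a local lab. Function names and lab.example are constructed.

# make_selfsigned DIR CN DAYS -> writes DIR/CN.key and DIR/CN.crt
# (reference them from the Apache vhost with SSLCertificateFile and
# SSLCertificateKeyFile).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# cert_status CERT WARN_DAYS -> prints UNREADABLE, EXPIRED, EXPIRING or OK
cert_status() {
    # Reject anything that does not parse as a certificate, so a wrong
    # path is never reported as an expired cert.
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 2
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 1
    fi
    if ! openssl x509 -in "$1" -noout \
            -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo EXPIRING; return 1
    fi
    echo OK
}

# Demo on a constructed 30-day certificate in a throwaway directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" lab.example 30
echo "warn window 7 days:  $(cert_status "$demo_dir/lab.example.crt" 7)"
echo "warn window 60 days: $(cert_status "$demo_dir/lab.example.crt" 60)"
rm -rf "$demo_dir"
```

Running `cert_status` from cron against every backend certificate a proxy talks to surfaces an expiry before a stricter TLS client starts dropping the connection.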

Anonymous123 Posted January 18, 2015

I know how I can set up a server but then I want the server online so I have to do port forwarding. Are there any websites that fit my criteria? Please help, I have been looking for about 2 weeks. I tried to add SSL to my server. It was a horrible experience.

cooper Posted January 18, 2015

> I really enjoy penetration testing and I want to do penetration testing on a website. [...] The web server has to be small and has to have no firewall or protection. [...] I want the server online so I have to do port forwarding.

You don't need to employ port forwarding to do penetration testing on your own website. Just try to hack it from within your LAN or put it on a virtual and hack that from the host so you don't even need an extra machine.

Finally, you don't want to put a webserver on the internet with "no firewall or protection". That's just asking for problems.

Edited January 18, 2015 by Cooper