Purple Team Web App Security Project: Build your offensive and defensive skills
August 12, 2020
A new hands-on Purple Team Web Application Security Project is available in Infosec Skills. You’ll play the part of both the red team and the blue team as you attempt to exploit and mitigate a machine running a vulnerable version of a content management system.
“This isn’t some artificial scenario,” said June Werner, project designer and Cyber Range Engineer for Infosec Skills. “It’s an actual coding decision an open source project made. Being able to see that real-world decision, how it impacts security and how to exploit it — that adds a whole human element to your training.”
Red team lab: Exploiting a vulnerable web application
In the first lab, you’ll attempt to identify a local file inclusion (LFI) vulnerability and then exploit it using a remote code execution attack.
“An LFI vulnerability is when you send a request to a server, and you say, ‘Hey, give me the homepage, and also while you’re at it, give me the file that has all the passwords,’” June said. “And the web server replies, ‘OK, I’ll get that right over to you.’”
Identifying a potential vulnerability is just the first step of offensive security. After that, it’s about leveraging that weakness to take the attack further and further.
“That’s where the creativity of penetration testing comes in,” June said.
Blue team labs: Patching and mitigating the risk
In the defensive security labs, you’ll learn how to implement two methods to mitigate the vulnerability: identifying and patching the vulnerable source code, and installing and testing a web application firewall (WAF).
“It’s easy for educational projects to only focus on the really flashy red team parts,” June said. “With this project, we wanted to show both sides. Let’s teach you how to attack and get into the system, but let’s also show you a couple ways you could fix the issue.”
One method is to go straight to the code and look for potential vulnerabilities.
“There could be 10,000 lines of code, but how can you narrow that down to the 12 spots where there might be an issue?” June asked. “The lab is about getting a student familiar with that process, and then teaching them how to actually fix the code.”
“But you won’t always have access to the code. Installing a web application firewall on top of everything means some of these vulnerabilities can be mitigated without having to mess with the source code. That’s what you’ll learn in the final lab.”
More hands-on labs being developed
Now that the Purple Team Project has launched, June is looking forward to exploring new ways for students to learn by doing.
“I’m super excited about the new cyber ranges the LX Labs team is working on,” June said. “They’re going to help students get even more hands-on experience and practice more real-world scenarios. I can’t wait for everyone to see them.”