Pen Testing in the Cloud
Matt Tesauro (@matt_tesauro) discussed how testing in the cloud can be done and also gave a brief overview of OWASP WTE (Web Testing Environment) and its history. It is astounding to hear that there have been over 300,000 downloads of the project and how it has evolved. The project started out—or at least Matt’s involvement started during—the OWASP Summer of Code in 2008. After burning lots of CDs and several releases, the project has moved to a Debian repo, since that reaches more people and extends the environment to use cases other than a live CD—which we all know is so 1999.
This really takes off once you expand to the cloud and let devs and pen testers build their own custom pen testing environments. At the Austin OWASP meeting today, Tesauro went over the 12 steps needed to get WTE running in the cloud. These 12 steps give you a fully functional WTE in the cloud and should take about 30 minutes.
Step 1: Get a cloud account
Step 2: Get an Ubuntu instance (Xubuntu, because it's faster with XFCE)
Step 3: Choose 2GB RAM for the box (name and tag it)
Step 4: Start your server
Step 5: Prep and update the box (SSH in, add the Ubuntu partners repo and the WTE repo, and run apt-get update)
Step 6: Install Desktop and WTE
apt-get --assume-yes --force-yes install xubuntu-desktop owasp-wte-cloud
Step 7: Add an NX server (remote desktop for Linux) - uses NoMachine NX currently but will probably move to X2Go later.
Step 8: Set up your NX client (Windows, Linux, Mac)
Step 9: Connect to WTE (uses SSH) - WTE in the cloud
Step 10: Test Connection
Step 11: Test the tools (use the intercepting proxy to rewrite a page)
Step 12: Start testing! And be sure to check your bill and pay it if you dare (it costs pennies to use the cloud)
A couple of interesting notes for the project going forward:
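Steps 5 and 6 are the only ones typed into the box itself, so here they are as one bootstrap script. This is an added example, not a script from the talk or from the OWASP WTE project. It assumes two placeholders the slides do not give: WTE_REPO_LINE (the apt source line for the WTE Debian repo) and WTE_KEY_URL (the repo's signing key). The Ubuntu partner repo line is the real Canonical one. The apt-get install line is the one from step 6, except that the repo key is imported first so apt can verify the packages and --force-yes is not needed.

```shell
#!/bin/sh
# Added example (not from the talk or the OWASP WTE project): bootstrap a fresh
# Ubuntu cloud instance for steps 5-6. Run over SSH as root with "--run".
#
# PLACEHOLDERS - the real values are not on the slides; set them before running:
WTE_REPO_LINE="${WTE_REPO_LINE:-deb http://WTE-REPO-PLACEHOLDER/ubuntu stable main}"
WTE_KEY_URL="${WTE_KEY_URL:-http://WTE-REPO-PLACEHOLDER/signing-key.asc}"

# Step 5 (part): the apt source lines for a given Ubuntu codename (e.g. "precise").
# Kept side-effect free so the generated lines can be reviewed before use.
wte_sources() {
    codename="$1"
    # Ubuntu partners repo (real Canonical archive line)
    printf 'deb http://archive.canonical.com/ubuntu %s partner\n' "$codename"
    # WTE Debian repo (placeholder line, see above)
    printf '%s\n' "$WTE_REPO_LINE"
}

# Step 6: the packages installed by the talk's apt-get line.
wte_packages() {
    printf '%s\n' xubuntu-desktop owasp-wte-cloud
}

# Steps 5-6 with side effects: write sources, trust the repo key, update, install.
wte_bootstrap() {
    codename="$(lsb_release -sc)"
    wte_sources "$codename" > /etc/apt/sources.list.d/owasp-wte.list
    # Importing the repo's signing key lets apt verify what it installs, so the
    # talk's --force-yes (which proceeds even when verification fails) is dropped.
    wget -qO- "$WTE_KEY_URL" | apt-key add -
    apt-get update
    # Word splitting of the package list is intended here.
    # shellcheck disable=SC2046
    apt-get --assume-yes install $(wte_packages)
}

# Only touch the system when explicitly asked; sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    wte_bootstrap
fi
```

Run it as `WTE_REPO_LINE='deb ...' WTE_KEY_URL='https://...' sh wte-bootstrap.sh --run` on the instance after step 4. Splitting the source-line generation from the install lets you `sh wte-bootstrap.sh` (no flag) and call `wte_sources precise` to eyeball the lines before anything is written under /etc/apt.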
1. Future project goals include using Apache Libcloud for build automation.
2. Also looking at swapping in X2Go for the NX portion of this.
3. I would also add a Vagrant build, which is an extension of VirtualBox.
See the full slides here > https://www.owasp.org/index.php/File:WTE-Cloud-Austin-2012-02.pdf