Lab Environment & Topology

Note

All work is done from the Linux client/jumphost (client01), which can be accessed via RDP (Windows Remote Desktop) or SSH. No installation or interaction with your local system is required.

Environment

Linux client (client01):

Web Attack Tools used in this lab:

API Tools:

  • Ansible - Automation platform
  • curl - command-line web client, used to interact with the iControl REST API
  • Postman - graphical RESTful client, used to interact with the iControl REST API
  • Python - general-purpose programming language, used to interact with the iControl REST API

Linux server (server01):

  • WebGoat 8 - WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other ‘goats’ such as WebGoat for .NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the Goat!

Lab Topology

The network topology implemented for this lab is very simple. The following components have been included in your lab environment:

  • 1 x Ubuntu Linux 16.04 client
  • 1 x F5 BIG-IP VE (v13.1.0.2) running ASM and LTM
  • 1 x Ubuntu Linux 16.04 server

The following table lists VLANs, IP addresses and credentials for all components:

| Component | mgmtnet IP | clientnet IP | servernet IP | Credentials |
|---|---|---|---|---|
| Linux Client (client01) | 10.1.1.51 | 10.1.10.51 | N/A | https-ubuntu:ubuntu |
| BIG-IP (bigip01) | 10.1.1.245 | 10.1.10.245 | 10.1.20.245 | https - admin:f5DEMOs4u!; ssh - f5student:f5DEMOs4u! |
| Linux Server & WebGoat app (server01) | 10.1.1.252 | N/A | 10.1.20.252 | ssh - f5student:f5DEMOs4u! |

A graphical representation of the lab:

[Figure: lab diagram]