Lab Environment & Topology
Note
All work is done from the Linux client/jumphost (client01), which can be accessed via RDP (Windows Remote Desktop) or ssh. No installation or interaction with your local system is required.
Environment
Linux client (client01):
Web Attack Tools used in this lab:
- OWASP ZAP - DAST
- BURP Community Edition - Packet Crafting
API Tools:
Linux server (server01):
- WebGoat 8 - WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. You can install and practice with WebGoat. There are other ‘goats’ such as WebGoat for .NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, giving users hints and code to further explain the lesson.
Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the Goat!
Lab Topology
The network topology implemented for this lab is very simple. The following components have been included in your lab environment:
- 1 x Ubuntu Linux 16.04 client
- 1 x F5 BIG-IP VE (v13.1.0.2) running ASM and LTM
- 1 x Ubuntu Linux 16.04 server
The following table lists the VLANs, IP addresses and credentials for all components:
Component | mgmtnet IP | clientnet IP | servernet IP | Credentials
---|---|---|---|---
Linux Client (client01) | 10.1.1.51 | 10.1.10.51 | N/A | https - ubuntu:ubuntu
BIG-IP (bigip01) | 10.1.1.245 | 10.1.10.245 | 10.1.20.245 | https - admin:f5DEMOs4u! / ssh - f5student:f5DEMOs4u!
Linux Server & WebGoat app (server01) | 10.1.1.252 | N/A | 10.1.20.252 | ssh - f5student:f5DEMOs4u!
A graphical representation of the lab: