﻿1
00:00:00,420 --> 00:00:05,650
One of the target devices will be OWASP Broken Web Applications, or BWA.

2
00:00:06,590 --> 00:00:12,140
OWASP Broken Web Applications is a virtual machine that hosts a lot of applications prepared for training

3
00:00:12,140 --> 00:00:12,740
purposes.

4
00:00:13,450 --> 00:00:21,170
These apps intentionally have a lot of vulnerabilities and could also be accessed from a main page.

5
00:00:21,680 --> 00:00:27,950
The virtual machine is prepared by OWASP, the Open Web Application Security Project, which is one of the

6
00:00:27,950 --> 00:00:32,630
most important communities around in the application security market.

7
00:00:35,390 --> 00:00:38,720
So I am now on my host machine, it's a MacBook.

8
00:00:39,890 --> 00:00:48,260
Open the Web browser and Google for OWASP broken web applications, those are my keywords.

9
00:00:49,200 --> 00:00:55,880
The first website is the official website of the Broken Web Applications Project, hosted under the

10
00:00:56,000 --> 00:00:58,490
owasp.org domain.

11
00:00:58,770 --> 00:00:59,700
So let's click it.

12
00:01:00,710 --> 00:01:03,560
Now, this is the Web page of Broken Web Applications.

13
00:01:03,740 --> 00:01:05,790
I'll call it BWA from now on.

14
00:01:06,830 --> 00:01:10,240
So there are some explanations about this project here.

15
00:01:10,250 --> 00:01:11,570
So you can read them if you want.

16
00:01:11,810 --> 00:01:17,240
But over here on the right-hand side, we have "Download the latest release".

17
00:01:17,390 --> 00:01:18,270
So click on that.

18
00:01:19,670 --> 00:01:23,390
Now we're directed to the SourceForge website.

19
00:01:24,910 --> 00:01:27,660
So these are the side effects of GDPR.

20
00:01:29,000 --> 00:01:32,090
We'll have to see a lot more approval pages like this one.

21
00:01:33,630 --> 00:01:39,510
OK, so these are all the releases of the project, and the latest version is right here at the top.

22
00:01:40,740 --> 00:01:48,500
So click on it, and now I have three different options to download: an OVA file, a zip file and a dot

23
00:01:48,510 --> 00:01:49,570
7z file.

24
00:01:50,520 --> 00:01:57,900
Now, an OVA file is a virtual appliance used by virtualization applications such as VMware and Oracle

25
00:01:57,900 --> 00:01:58,690
VirtualBox.

26
00:01:59,070 --> 00:02:03,330
It's a package that contains files used to describe a virtual machine.

27
00:02:04,380 --> 00:02:12,480
ZIP and 7z are the archive files, and they contain the exact same VM, so you can download any one of them,

28
00:02:12,840 --> 00:02:14,820
where the 7z file is smaller.

29
00:02:15,840 --> 00:02:20,330
OK, so I want to download the 7z file, which is the most popular one already.

30
00:02:20,700 --> 00:02:25,410
So click on the link and the download will start in just a couple of seconds.

31
00:02:25,440 --> 00:02:26,160
There we go.

32
00:02:37,600 --> 00:02:38,620
And the download's finished.

33
00:02:38,660 --> 00:02:47,470
So now I have an OWASP BWA archive file, so I'll open it with an unarchiver, double-click, and

34
00:02:47,470 --> 00:02:49,470
here are the files inside the archive.

35
00:02:50,530 --> 00:02:53,530
So I already have the VM, so I won't extract it again.

36
00:02:54,250 --> 00:02:56,650
When you extract it, you will have a folder like this.

37
00:02:57,930 --> 00:03:01,590
So go to the folder, and here are the files of the virtual machine.

38
00:03:02,830 --> 00:03:11,710
If you run the VMX file, double-click, the VM starts. If it's the first run, it asks you whether

39
00:03:11,710 --> 00:03:13,330
you moved it or copied it.

40
00:03:13,330 --> 00:03:15,970
Select copy and continue.

41
00:03:17,800 --> 00:03:23,500
Right, so while the VM is starting, let's have a look at its settings by clicking this button.

42
00:03:24,680 --> 00:03:29,330
Click here to look at the memory: 1024 megabytes of RAM, as recommended.

43
00:03:30,460 --> 00:03:33,380
Click Show All to turn back to the settings.

44
00:03:34,130 --> 00:03:39,940
Network settings are here. My VM is in an unrecognized network mode.

45
00:03:40,430 --> 00:03:44,430
Don't pay any attention to that; your VM is probably in that mode by default.

46
00:03:44,450 --> 00:03:50,570
I choose "Share with my Mac" so that I can use the VM in that mode.

47
00:03:52,630 --> 00:03:55,810
So now the VM has started and we're ready to log in.

48
00:03:56,840 --> 00:04:01,380
It has a root user with the password owaspbwa by default.

49
00:04:02,090 --> 00:04:03,290
I have to change it before.

50
00:04:03,290 --> 00:04:06,800
So I log into the VM by using this credential.

51
00:04:09,010 --> 00:04:14,500
ifconfig, to check if it has got an IP address, and there it is, so yes, it has.

52
00:04:15,430 --> 00:04:22,690
Now, ping a system on the Internet, Google DNS, for example, 8.8.8.8, and we'll receive

53
00:04:22,690 --> 00:04:23,400
the replies.

54
00:04:24,160 --> 00:04:29,440
So it seems everything's fine and we're ready to use the OWASP Broken Web Applications VM.

55
00:04:30,380 --> 00:04:37,040
In this phase, you should be able to reach the OWASP BWA application inside your Kali machine.

56
00:04:37,610 --> 00:04:45,890
So go to Kali, open the Firefox browser and type the IP address of the OWASP machine with the HTTP prefix.

57
00:04:48,000 --> 00:04:53,400
If you don't want to memorize the IP address of the application to enter each time, or if you want your

58
00:04:53,400 --> 00:05:01,560
test to be more realistic, you can give a domain name to your application: go to the /etc/hosts file.

59
00:05:03,240 --> 00:05:09,630
And add a line for the application machine: the IP address of the application, a space,

60
00:05:10,700 --> 00:05:13,220
and a domain name to reach the application.

61
00:05:15,070 --> 00:05:17,590
Save the hosts file and close.

62
00:05:19,310 --> 00:05:24,380
Now you can reach the application with the domain name you gave in the hosts file.

