QSES - Laboratory Exercises 2

Author: Eduardo R. B. Marques, DCC/FCUP

QSES homepage

Exercises marked with (C) will be covered in class, and exercises marked with (H) are left as homework.

At the end of this class, don't forget to TURN OFF your GCP VM instance(s) to avoid unnecessary billing.

1. Use GCP to run a DVWA container (C)

Aim: use GCP to deploy a virtual machine running the DVWA docker image.

  1. Navigate to the GCP website and access the console.
  2. In the drop-down menu shown on the left, navigate to Compute Engine > VM Instances.

  3. The very first time you access Compute Engine, an initialization action takes place. Wait a couple of minutes.

  4. After the previous initialization is complete, you are given several options, including creating a virtual machine. Choose Create.

  5. You must now define the characteristics of the Virtual Machine.

    Define the following parameters, as illustrated in the screenshot above:

  6. Once these parameters are set you may scroll down the page and click the Create button.


    The VM creation will take at most a couple of minutes, after which you may see it in the Compute Engine dashboard.

  7. In the dashboard, you should be able to observe that the VM is turned on, has an internal IP on the GCP network, and an external IP for Internet access. For a first connection to the VM, you may access the SSH menu and then choose Open in browser window.

  8. A new browser window will appear indicating that the SSH connection is being established. This may take a while, but in the end you'll be presented with a console.

  9. For a more convenient and faster SSH connection you may alternatively use the gcloud utility, part of the Google Cloud SDK.

    gcloud beta compute --project dccqses2 ssh --zone us-central1-a dvwa

    (the parameters will differ according to your settings), and you should get a response like:

    Updating project ssh metadata...done.                                          
    Waiting for SSH key to propagate.
    Warning: Permanently added 'compute.4323472978964651137' (ED25519) to the list of known hosts.
    ########################[ Welcome ]########################
    #  You have logged in to the guest OS.                    #
    #  To access your containers use 'docker attach' command  #
    ###########################################################
    edrdo@dvwa ~ $
  10. To finally be able to access DVWA running on the VM's container, we will use an SSH tunnel.

    You may choose 9999 as shown or any other free port number on the local PC. The full command will
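The following script is an added example (not part of the original exercise sheet) that wraps the tunnel step: it validates the local port and then asks gcloud to forward it to the DVWA container. It assumes the project (dccqses2), zone (us-central1-a) and instance name (dvwa) shown earlier, and it assumes the container publishes DVWA on port 80 of the VM; adjust REMOTE_PORT if your image differs. The tunnel is bound to 127.0.0.1 on purpose, so that DVWA is reachable only from your own PC and not from other hosts on your local network.

```sh
#!/bin/sh
# Added example: open an SSH tunnel to the DVWA container running on the GCP VM.
# Assumptions (not taken from the exercise sheet): DVWA is exposed on port 80 of the VM.

PROJECT=dccqses2        # from the exercise sheet; change to your project id
ZONE=us-central1-a      # from the exercise sheet
INSTANCE=dvwa           # from the exercise sheet
REMOTE_PORT=80          # assumption: port the DVWA container is published on

# Return 0 if $1 is a usable unprivileged local port (1024-65535), 1 otherwise.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh port-forwarding argument for local port $1.
# Binding to 127.0.0.1 keeps the forwarded DVWA port off the local network.
forward_arg() {
  printf '127.0.0.1:%s:localhost:%s\n' "$1" "$REMOTE_PORT"
}

# Open the tunnel on local port $1 (default 9999, as in the exercise).
# -N: no remote command, just keep the forwarding open until Ctrl-C.
dvwa_tunnel() {
  port="${1:-9999}"
  if ! valid_port "$port"; then
    echo "invalid local port: $port" >&2
    return 1
  fi
  echo "DVWA will be available at http://127.0.0.1:$port/ while this command runs"
  gcloud compute ssh "$INSTANCE" --project "$PROJECT" --zone "$ZONE" \
    -- -N -L "$(forward_arg "$port")"
}

# Only open the tunnel when invoked as `./dvwa_tunnel.sh --run [PORT]`.
if [ "${1:-}" = "--run" ]; then
  dvwa_tunnel "${2:-9999}"
fi
```

After the tunnel is up, point a browser at http://127.0.0.1:9999/ (or the port you chose); closing the terminal or pressing Ctrl-C tears the tunnel down again.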

2. Other gcloud commands (H)

At home, experiment with other gcloud commands to manage VM instances. Some basic examples are shown below. For further reference check the related documentation.

# List VM instances

$ gcloud compute instances list
NAME  ZONE           MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
dvwa  us-central1-a  f1-micro                   10.128.0.2   35.225.149.241  RUNNING

# Stop a VM instance 

$ gcloud compute instances stop dvwa
Stopping instance(s) dvwa...done.                                                       
Updated [https://compute.googleapis.com/compute/v1/projects/dccqses2/zones/us-central1-a/instances/dvwa].

# Start a VM instance 

$ gcloud compute instances start dvwa
Starting instance(s) dvwa...done.                                                       
Updated [https://compute.googleapis.com/compute/v1/projects/dccqses2/zones/us-central1-a/instances/dvwa].
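Since the sheet reminds you to turn off every VM at the end of the class, here is an added example script (not part of the original exercises, and not an official gcloud tool) that automates it: it parses the instance table printed by `gcloud compute instances list`, exactly in the layout shown above, and stops each instance whose STATUS is RUNNING. The parser relies only on NAME and ZONE being the first two columns and STATUS the last, so blank columns such as PREEMPTIBLE do not shift the fields it uses. Running it with DRY_RUN=1 only prints the stop commands.

```sh
#!/bin/sh
# Added example: stop every RUNNING VM instance of the current gcloud project.

# Read a `gcloud compute instances list` table from stdin and print
# "NAME ZONE" for every row whose last column (STATUS) is RUNNING.
# The header line (NR == 1) is skipped.
running_instances() {
  awk 'NR > 1 && $NF == "RUNNING" { print $1, $2 }'
}

# Stop all running instances. With DRY_RUN=1 the commands are only printed.
stop_running_instances() {
  gcloud compute instances list | running_instances |
  while read -r name zone; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "gcloud compute instances stop $name --zone $zone"
    else
      gcloud compute instances stop "$name" --zone "$zone"
    fi
  done
}

# Only act when invoked as `./stop_vms.sh --run` so that sourcing the
# file (for instance to reuse running_instances) has no side effects.
if [ "${1:-}" = "--run" ]; then
  stop_running_instances
fi
```

Check the result afterwards with `gcloud compute instances list`: every instance you stopped should now show STATUS TERMINATED, which is the state in which you are no longer billed for compute time.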

3. DVWA Weak session ids (C)

Consider the Weak Session Ids functionality in DVWA. Several strategies for generating the session id carried in the dvwaSession cookie are considered.
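When you collect a handful of dvwaSession values (for example by logging in several times and reading the cookie in the browser's developer tools), the question to ask as a defender is how predictable they are. The classifier below is an added example (not part of DVWA or of the exercise sheet): it reads cookie values one per line and reports whether they look like a simple counter, like Unix timestamps, or neither. The two patterns it recognises correspond to the counter- and time()-based generators used by DVWA's lower security levels; hashed or random ids fall into "unclassified", which is what a sound generator should produce.

```sh
#!/bin/sh
# Added example: rough predictability check for a sequence of session-id values.
# Input: one cookie value per line on stdin, in the order they were issued.
# Output (one word): insufficient | sequential | timestamp-like | unclassified

classify_session_ids() {
  awk '
    { v[NR] = $1 }
    END {
      if (NR < 3) { print "insufficient"; exit }
      seq = 1   # every value is the previous one plus 1 (a counter)
      ts  = 1   # every value is a plausible Unix time and never decreases
      for (i = 1; i <= NR; i++) {
        if (v[i] !~ /^[0-9]+$/) { seq = 0; ts = 0; break }   # hex/random: neither pattern
        if (i > 1 && v[i] != v[i-1] + 1) seq = 0
        if (v[i] < 1000000000 || v[i] > 4000000000) ts = 0    # roughly 2001..2096
        if (i > 1 && v[i] < v[i-1]) ts = 0
      }
      # A counter is reported first: it is the weaker of the two patterns.
      if (seq) print "sequential"
      else if (ts) print "timestamp-like"
      else print "unclassified"
    }'
}

# Usage: paste the observed values into a file and run
#   classify_session_ids < dvwa_session_values.txt
```

A result of "sequential" or "timestamp-like" means the next session id can be guessed from the previous ones, so the cookie provides no real protection against session hijacking; the mitigation is to derive session ids from a cryptographically secure random source, as the strongest DVWA level and any real web framework do.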

4. Use ZAP (H)