WebMaven Install Guide
by David Rhoades (david@mavensecurity.com)
WebMaven v.1.01 is an interactive web application that simulates several application-level vulnerabilities. WebMaven is useful for the following:
Training: practicing security assessment techniques
Benchmarking: ensure your security tools perform their tests correctly
See the User Guide for more information about WebMaven and how to use it.
WebMaven v.1.01 must be installed on a system that has a web server that supports Perl CGI scripts.
In addition, you will need some way to interact with WebMaven, such as a web browser (e.g. Mozilla) and/or custom scripts or scanning tools.
The client (e.g. web browser, script, etc.) and WebMaven, along with the required web server, can all operate on the same system (i.e. one computer). A network is technically not required since all interaction can be accomplished over the system’s loopback adapter.
WebMaven works fine with HTTP and HTTPS. For HTTPS, your web server will need to support SSL and/or TLS.
WebMaven contains intentional flaws. WebMaven might even contain accidental flaws. Therefore, it is not recommended to install WebMaven on a production web server, especially a web server that is accessible via the Internet.
The following steps need to be performed to install WebMaven:
install Perl
install web server
install WebMaven
test install
See http://www.perl.org/ for details on installing Perl for UNIX-based systems.
For Windows-based systems, two popular choices include Cygwin and ActiveState’s ActivePerl.
See http://www.cygwin.com/ for details about Cygwin. Be sure to select the Perl package (under Interpreters) during the Cygwin installation. Perl is not selected by default, so you must enable it during the installation of Cygwin. See image below.
See http://www.activestate.com/Products/ActivePerl/ for details about installing ActivePerl.
The web server of choice for WebMaven is Apache since it is open source.
Apache is easy to install on UNIX and Windows.
See http://httpd.apache.org/ for Apache installation instructions.
A standard install can be followed for use with WebMaven.
Alternatively, WebMaven can be run on any web server that supports Perl CGI scripts. An easy-to-install alternative to Apache would be Xitami, a web server for Windows and UNIX. See http://www.xitami.com/ for more details about Xitami.
This section assumes default installations of Apache v2 on Windows.
Uncompress the WebMaven archive distribution file. For UNIX, this can typically be done with the tar command. For example: tar -zxvf webmavenX.YZ.tar.gz
For Windows, use your preferred zip tool to extract the WebMaven files. See http://dmoz.org/Computers/Software/Data_Compression/ for a list of compression and zip utilities for Windows.
Place the /wm directory outside your web server’s document root (we don't want web browsers pulling these files off directly) but within reach of CGI scripts.
The WebMaven CGI script (wm.cgi) code will look for its data file within the ./wm directory, which it expects to be at the same file system level as the ./cgi-bin directory. In other words ./cgi-bin and ./wm must have the same parent directory.
For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\wm
For Apache on UNIX, this would be /usr/local/apache2/wm
For Xitami on Windows, this would be C:\Xitami\wm
Place the WebMaven CGI script (wm.cgi) within the normal CGI directory for the web server.
For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\cgi-bin\wm.cgi
For Apache on UNIX, this would be /usr/local/apache2/cgi-bin/wm.cgi
For Xitami on Windows, this would be C:\Xitami\cgi-bin\wm.cgi
Place the ./templates folder within the normal CGI directory for the web server.
For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\cgi-bin\templates
For Apache on UNIX, this would be /usr/local/apache2/cgi-bin/templates
For Xitami on Windows, this would be C:\Xitami\cgi-bin\templates
Place all the files within the ./webmaven_html folder directly into the web server document root. WARNING: This may overwrite your web server’s current home page (i.e. index.html).
For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\htdocs
For Apache on UNIX, this would be /usr/local/apache2/htdocs
For Xitami on Windows, this would be C:\Xitami\webpages\xitami
To test your installation, use a web browser to view http://localhost/index.html (Assuming you installed WebMaven on localhost.)
You should see the WebMaven Home page (shown below).
To be sure the installation was done correctly, click the Login link and log in with one of the test accounts shown on the WebMaven Home page.
The Login page is shown below.
After logging in with a test account, you should see the Account Home Page (shown below).
Congratulations, WebMaven is installed properly.
See http://webmaven.mavensecurity.com for further resources.
WebMaven consists of two file types: those that are installed, and those that get generated by WebMaven during its operation. For installation purposes, we are only concerned with the installed files included with the WebMaven distribution.
The WebMaven distribution is in the form of a compressed archive file (e.g. a zip or tar file). This archive contains the following files:
/cgi-bin            Directory that contains the WebMaven CGI Perl script and some HTML templates.
/webmaven_html      Graphics and HTML.
/wm                 Directory (holds the wm.dat data file, described below).
license.txt         The license file. WebMaven is licensed open source under GPL (www.gnu.org/copyleft/gpl.html).

./cgi-bin:
./cgi-bin/templates                  Directory of HTML templates
./cgi-bin/wm.cgi                     This is the WebMaven Perl CGI script.

./cgi-bin/templates:
./cgi-bin/templates/wm-footer.txt    HTML template
./cgi-bin/templates/wm-header.txt    HTML template

./webmaven_html:
./webmaven_html/index.html           HTML home page for WebMaven (i.e. the WebMaven Home Page)
./webmaven_html/...                  Other HTML might also be included, such as user_guide.html and install_guide.html

./wm:
./wm/wm.dat                          This data file contains user account data: account number, PIN, user name, accounts and balances, locked account flag, and number of failed login attempts.
Several files are created by WebMaven during its operation. These generated files are placed into the ./wm directory, and are described below.
lockdb.dir & lockdb.pag
Data files generated by WebMaven to track which user accounts have been locked from an excessive number of failed logins.
siddb.dir & siddb.pag
Data files generated by WebMaven to show which users (both real and simulated) are currently logged in.