WebMaven Install Guide

by David Rhoades (david@mavensecurity.com)


Introduction

WebMaven v.1.01 is an interactive web application that simulates several application-level vulnerabilities. WebMaven is useful for the following:


See the User Guide for more information about WebMaven and how to use it.


Install Requirements

WebMaven v.1.01 must be installed on a system that has a web server that supports Perl CGI scripts.

In addition, you will need some way to interact with WebMaven, such as a web browser (e.g. Mozilla) and/or custom scripts or scanning tools.

The client (e.g. web browser, script, etc.) and WebMaven, along with the required web server, can all run on the same system (i.e. one computer). A network is technically not required, since all interaction can be accomplished over the system's loopback adapter.


WebMaven works fine with HTTP and HTTPS. For HTTPS, your web server will need to support SSL and/or TLS.


Caution

WebMaven contains intentional flaws. WebMaven might even contain accidental flaws. Therefore, it is not recommended to install WebMaven on a production web server, especially a web server that is accessible via the Internet.


Installation Process

Overview of Install Process

The following steps need to be performed to install WebMaven:


Installing Perl

See http://www.perl.org/ for details on installing Perl for UNIX-based systems.

For Windows-based systems, two popular choices include Cygwin and ActiveState’s ActivePerl.

See http://www.cygwin.com/ for details about Cygwin. Be sure to select the Perl package (under Interpreters) during the Cygwin installation. Perl is not selected by default, so you must enable it during the installation of Cygwin. See image below.


See http://www.activestate.com/Products/ActivePerl/ for details about installing ActivePerl.


Installing web server

The web server of choice for WebMaven is Apache since it is open source.

Apache is easy to install on UNIX and Windows.

See http://httpd.apache.org/ for Apache installation instructions.

A standard install can be followed for use with WebMaven.


Alternatively, WebMaven can be run on any web server that supports Perl CGI scripts. An easy-to-install alternative to Apache is Xitami, a web server for Windows and UNIX. See http://www.xitami.com/ for more details about Xitami.


Install WebMaven Files

This section assumes default installations of Apache v2 on Windows.


  1. Uncompress the WebMaven archive distribution file.

    For UNIX, this can typically be done with the tar command. For example, tar -zxvf webmavenX.YZ.tar.gz

    For Windows, use your preferred zip tool to extract the WebMaven files. See http://dmoz.org/Computers/Software/Data_Compression/ for a list of compression and zip utilities for Windows.


  2. Place the /wm directory outside your web server's document root (we don't want web browsers pulling these files off directly) but within reach of CGI scripts.

The WebMaven CGI script (wm.cgi) code will look for its data file within the ./wm directory, which it expects to be at the same file system level as the ./cgi-bin directory. In other words, ./cgi-bin and ./wm must have the same parent directory.


For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\wm

For Apache on UNIX, this would be /usr/local/apache2/wm

For Xitami on Windows, this would be C:\Xitami\wm


  3. Place the WebMaven CGI script (wm.cgi) within the normal CGI directory for the web server.


For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\cgi-bin\wm.cgi

For Apache on UNIX, this would be /usr/local/apache2/cgi-bin/wm.cgi

For Xitami on Windows, this would be C:\Xitami\cgi-bin\wm.cgi


  4. Place the ./templates folder within the normal CGI directory for the web server.


For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\cgi-bin\templates

For Apache on UNIX, this would be /usr/local/apache2/cgi-bin/templates

For Xitami on Windows, this would be C:\Xitami\cgi-bin\templates


  5. Place all the files within the ./webmaven_html folder directly into the web server document root. WARNING: This may overwrite your web server's current home page (i.e. index.html).


For Apache on Windows, this would be C:\Program Files\Apache Group\Apache2\htdocs

For Apache on UNIX, this would be /usr/local/apache2/htdocs

For Xitami on Windows, this would be C:\Xitami\webpages\xitami
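The following script is an added example, not part of the WebMaven distribution. It performs steps 2 through 5 above for an Apache install on UNIX, assuming the archive has already been extracted (step 1) into the directory given as the first argument and that Apache lives under the second argument (default /usr/local/apache2). It backs up any existing index.html before step 5 overwrites it, and verify_layout confirms that ./wm and ./cgi-bin share a parent and that wm.dat did not end up under the document root, since that file holds the test-account PINs.

```shell
#!/bin/sh
# Added example (not WebMaven's own code): lay out the WebMaven files
# under an Apache prefix on UNIX. $1 = extracted distribution directory,
# $2 = Apache root (assumed default /usr/local/apache2).
install_webmaven() {
    src="$1"
    root="${2:-/usr/local/apache2}"
    # Step 2: ./wm beside ./cgi-bin, outside htdocs (wm.dat holds account PINs)
    mkdir -p "$root/wm" "$root/cgi-bin/templates" "$root/htdocs"
    cp -R "$src/wm/." "$root/wm/"
    # Step 3: the CGI script, executable so the server can run it
    cp "$src/cgi-bin/wm.cgi" "$root/cgi-bin/wm.cgi"
    chmod 755 "$root/cgi-bin/wm.cgi"
    # Step 4: the HTML templates inside the CGI directory
    cp "$src"/cgi-bin/templates/*.txt "$root/cgi-bin/templates/"
    # Step 5: site files into the document root; keep the old home page
    if [ -f "$root/htdocs/index.html" ]; then
        cp "$root/htdocs/index.html" "$root/htdocs/index.html.pre-webmaven"
    fi
    cp -R "$src/webmaven_html/." "$root/htdocs/"
}

# Check the layout wm.cgi expects: data file and script under the same
# parent, templates present, and wm.dat not reachable through htdocs.
verify_layout() {
    root="${1:-/usr/local/apache2}"
    [ -f "$root/wm/wm.dat" ] || return 1
    [ -x "$root/cgi-bin/wm.cgi" ] || return 1
    [ -f "$root/cgi-bin/templates/wm-header.txt" ] || return 1
    [ -f "$root/cgi-bin/templates/wm-footer.txt" ] || return 1
    [ -f "$root/htdocs/index.html" ] || return 1
    [ ! -e "$root/htdocs/wm/wm.dat" ] || return 1
    return 0
}
```

Run it as `sh install.sh /path/to/extracted/webmaven /usr/local/apache2` after defining the functions, then call verify_layout before starting the test in the next section.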


Test Your Installation

To test your installation, use a web browser to view http://localhost/index.html (assuming you installed WebMaven on localhost).

You should see the WebMaven Home page (shown below).



To be sure the installation was done correctly, click the Login link and log in with one of the test accounts shown on the WebMaven Home page.


The Login page is shown below.


After logging in with a test account, you should see the Account Home Page (shown below).


Congratulations, WebMaven is installed properly.

See http://webmaven.mavensecurity.com for further resources.


File Overview

WebMaven consists of two file types: those that are installed, and those that get generated by WebMaven during its operation. For installation purposes, we are only concerned with the installed files included with the WebMaven distribution.

Installed Files

The WebMaven distribution is in the form of a compressed archive file (e.g. a zip or tar file). This archive contains the following files:


/cgi-bin

Directory that contains the WebMaven CGI Perl script and some HTML templates.

/webmaven_html

Graphics and HTML.

/wm

Directory

license.txt

The license file. WebMaven is open source, licensed under the GPL (www.gnu.org/copyleft/gpl.html).


./cgi-bin:


./cgi-bin/templates

Directory of HTML templates

./cgi-bin/wm.cgi

This is the WebMaven Perl CGI script.


./cgi-bin/templates:


./cgi-bin/templates/wm-footer.txt

HTML template

./cgi-bin/templates/wm-header.txt

HTML template



./webmaven_html/index.html

HTML home page for WebMaven (i.e. the WebMaven Home Page)

./webmaven_html/...

Other HTML might also be included, such as user_guide.html and install_guide.html


./wm/wm.dat

This data file contains user account data: account number, PIN, user name, accounts and balances, locked account flag, and number of failed login attempts.


Generated Files

Several files are created by WebMaven during its operation. These generated files are placed into the ./wm directory, and are described below.

lockdb.dir & lockdb.pag

Data files generated by WebMaven to track which user accounts have been locked from an excessive number of failed logins.


siddb.dir & siddb.pag

Data files generated by WebMaven to show which users (both real and simulated) are currently logged in.