Group activity website defacement via XSS playground

Posted December 4, 2019 | View revision history

lol I’m teaching Web Security today to my b-school students. It’s a collection of miscellaneous random attacks possible against content hosted online – XSS, SQLi, cloud storage bucket permissions, shopping cart attacks. I like live-demoing XSS website defacement during the class lecture. All students have access to DVWA via their metasploitable2 instances, but I wanted a way where we could all deface the same website, for the visual impact. Figured one out – DVWA has a docker container, and GCP makes it easy to launch docker instances as GCP virtual instances. Two commands in gcloud:

Set up a tagged firewall rule that lets port 80 (http) traffic through:

gcloud compute firewall-rules create allow-http --allow tcp:80 --target-tags http-server

Launch the containerized instance, pointing to the docker hub dvwa container, and assigning it the http-server tag so that the firewall rule created in the above steps lets port 80 traffic through:

gcloud compute instances create-with-container dvwa --container-image vulnerables/web-dvwa --tags http-server

The instance, once launched, will pull the image, and run it. The pulling make take a minute or two – the serial console will show the progress.

Then, because GCP runs the container in host networking mode, and because the container runs its webserver on port 80, the DVWA app will be accessible via the instance’s public IP address. The public IP can be found from the GCP web console.

If perchance the instance gets compromised and wrecked by an internet denizen before I can demo the site to the class, or if perchance a student wrecks it, it’s easy enough to spin up a fresh dvwa instance by rerunning the gcloud create command above. Be mindful that you can’t have two instances with the same name, though (dvwa in the example above).

Edit: This idea of allowing students to anonymously edit a site that I am displaying in front of the class could have, and probably will have, catastrophic consequences. YOLO.

Tags: security, pedagogy

David Eargle is a business school professor, but secretly he is a computer scientist. His life goal is Automate All The Things. More about the author →

This page is open source. Please help improve it.