While taking part in the Software Security course offered through Coursera, one of the projects requires you to set up a virtual instance of BadStore.
BadStore is a deliberately vulnerable web application, which offers a hands-on approach to finding and exploiting web based vulnerabilities. It’s an older piece of software, but the material is still relevant today.
The BadStore site is rife with vulnerabilities to practice your penetration testing skills on.
BadStore is available at http://www.BadStore.net. I also have a copy below as the site was not responding when I was originally setting up the project.
It took me a couple of attempts to get it working under VMware, as it is based on an older Linux kernel, and seeing the questions on the discussion forums I figured I'd outline the steps to getting it set up for anyone who is running into issues.
BadStore (links to version 2.1.2)
VMware Player or VMware Workstation (I'm using the Workstation July 2014 Tech Preview at the moment, but anything version 9 or higher should work fine).
BadStore 2.1.2 Manual (PDF)
BadStore comes as a bootable ISO file, and you can attach it directly within VMware to save you from needing to burn a CD.
1. Start VMware, create a new virtual machine and select the BadStore ISO file you downloaded.
2. (Important) Select the OS as Linux and the version as Other Linux 2.4.x kernel.
3. Name the VM you’re creating. In this case I used BadStore.
4. Set the hard drive settings. I just used 8GB single file.
5. Review the summary. Double-check that the operating system is set to Other Linux 2.4.x kernel.
6. Right-click the virtual machine you created and open its settings. Change the Network Adapter to Host-Only, so the deliberately vulnerable VM is reachable from your host machine but not from the rest of your network.
7. You’re ready to start the VM.
8. The VM will look like it has stopped at "Configuring eth0: using DHCP". Just wait a couple of minutes; it will continue and configure an IP address.
9. When you see this screen, the VM is ready. Click on the VM and press Enter (if you can't alt-tab out of the window afterwards, use Control + Alt to give focus back to your host machine).
10. Now we need to find the IP address. Type ifconfig at the console (bash#) to display the network settings. Look for eth0 and note down the address it displays.
11. Because the BadStore website redirects you to www.badstore.net, you will need to tell your computer to resolve that name to the address we noted in step 10. If you don't know how to do this, you can follow this Rackspace tutorial. Below is a screenshot of what the hosts file may look like after you've edited it (in Windows 7).
12. Open a web browser on your host machine and type in www.badstore.net. You should now see the web app running from the virtual machine. Have fun!
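Steps 10 and 11 can be scripted. The following is an added example (not part of the original post or of BadStore itself) that pulls the eth0 address out of classic 2.4-kernel-era ifconfig output and produces a hosts file with exactly one www.badstore.net entry, replacing any stale line left over from an earlier VM. The ifconfig output and hosts file contents are constructed samples; the script prints the new hosts content rather than writing it, so you can apply it to the platform-specific hosts file yourself with administrator rights.

```python
import re

# Constructed sample of the VM console output; your VM's address will differ.
SAMPLE_IFCONFIG = """eth0      Link encap:Ethernet  HWaddr 00:0C:29:AB:CD:EF
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

# Constructed sample hosts file, including a stale BadStore entry to replace.
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 www.badstore.net   # old VM\n"

HOSTNAME = "www.badstore.net"


def eth0_address(ifconfig_output):
    """Return the IPv4 address of eth0 from classic (2.4-era) ifconfig output."""
    # Grab the eth0 block: from the "eth0" line up to the next interface name.
    block = re.search(r"^eth0\s.*?(?=^\S|\Z)", ifconfig_output, re.S | re.M)
    if not block:
        raise ValueError("no eth0 interface in ifconfig output")
    m = re.search(r"inet addr:(\d{1,3}(?:\.\d{1,3}){3})", block.group(0))
    if not m:
        raise ValueError("eth0 has no IPv4 address yet (DHCP still running?)")
    return m.group(1)


def update_hosts(hosts_text, ip, hostname=HOSTNAME):
    """Return hosts_text with exactly one line mapping hostname to ip.

    Any existing line naming the host (comments ignored) is dropped first, so a
    stale entry from an earlier VM cannot shadow the new address.
    """
    kept = []
    for line in hosts_text.splitlines():
        names = line.split("#", 1)[0].split()[1:]  # hostnames after the address
        if hostname in names:
            continue
        kept.append(line)
    kept.append(f"{ip} {hostname}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    ip = eth0_address(SAMPLE_IFCONFIG)
    print(update_hosts(SAMPLE_HOSTS, ip), end="")
```

On Windows the hosts file lives at C:\Windows\System32\drivers\etc\hosts; on Linux and macOS it is /etc/hosts.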