Hackazon Installation Guide

Hackazon is available on Rapid7’s GitHub page at https://github.com/rapid7/hackazon. Users can download the source code by clicking on the “Download ZIP” button in the bottom right corner.

Prerequisites

Hackazon is a PHP web application. It requires PHP, the Apache web server and a MySQL database. These may be obtained from the following:

Windows users can download WAMP server, which bundles PHP, the Apache server and the MySQL database.

WAMP server and Hackazon setup for Windows machine

  1. Unzip “Hackazon_master.zip” into C:\home\hackazon\
  2. Install WAMP server and follow the steps in the Install Wizard:
     • Read and accept the agreement.
     • Choose a location to install the WAMP server.
     • Select any additional tasks to be completed during installation.
     • Select Install.
     • Choose whether or not to install the new WampServer2 homepage.
     • Select Finish to complete the installation.
  3. Open the application and click on the WAMP server’s system tray icon. Navigate to “Apache” >> “Apache modules” and check rewrite_module.
  4. Modify the file C:\wamp\bin\apache\apache2.4.9\conf\httpd.conf as follows:
     • Change DocumentRoot from "c:/wamp/www/" to "c:/home/hackazon/web/"
     • Change <Directory "c:/wamp/www/"> to <Directory "c:/home/hackazon/web/">
  5. Rename “C:\home\hackazon\assets\config\db.sample.php” to “C:\home\hackazon\assets\config\db.php”
  6. Open a MySQL console from the system tray. Press “Enter” when the MySQL console asks for a password, then enter the following commands into the console:

    create database hackazon;
    GRANT ALL ON hackazon.* TO hackazon@'localhost' IDENTIFIED BY 'password';

  7. From the WAMP server menu, select Restart All Services.
  8. In your browser, go to http://localhost/. Enter the password and click on the “Next” button.
  9. Press Enter as your password, then select Next again.
  10. Enter the DB Settings and then select Next.
  11. Enter the Email Settings and then select Next Step.
  12. Finally, review your parameters and select Install.

The Hackazon application is now ready for vulnerability assessment.

Hackazon setup for Linux (Ubuntu) machine

  1. Open a terminal (Ctrl + Alt + T). Run the following command to install the Apache server: sudo apt-get install apache2
  2. Run the following command to install the MySQL database server: sudo apt-get install mysql-server
  3. Run the following command to install PHP and its Apache module: sudo apt-get install php5 libapache2-mod-php5
  4. Restart the Apache server with the following command: sudo /etc/init.d/apache2 restart
  5. Copy the Hackazon source files to /var/www/hackazon
  6. Make the configuration and upload directories writable using the following commands:
     sudo chmod -R a+rwX /var/www/hackazon/assets/config/
     sudo chmod -R a+rwX /var/www/hackazon/web/upload/
  7. Create a hackazon.lc.conf site configuration file in /etc/apache2/sites-available/ with the following content:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName hackazon.lc

        DocumentRoot /var/www/hackazon/web
        <Directory />
            Options FollowSymLinks
            AllowOverride All
        </Directory>
        <Directory /var/www/hackazon/web/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>

  8. Enable the newly created site “hackazon.lc.conf” using the following command: sudo a2ensite hackazon.lc.conf
  9. Enable the Apache “rewrite” module using the following command: sudo a2enmod rewrite
  10. Install the pdo_mysql drivers using the following command: sudo apt-get install php5-gd php5-mysql
  11. Restart the Apache server using the following command: sudo service apache2 restart
  12. Open the MySQL console using the following command: mysql -u root -p
  13. Create the hackazon database using the following commands: create database hackazon; GRANT ALL ON hackazon.* TO hackazon@'localhost' IDENTIFIED BY 'password';
  14. Restart the MySQL server using the following command: sudo /etc/init.d/mysql restart
  15. Open the URL “http://localhost/” in your web browser. Follow steps 8 to 12 of the Windows setup above to set up the Hackazon application.
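As an added example, not taken from the Hackazon project or this guide, the following POSIX shell script performs the Linux steps that follow package installation: it copies the source, sets permissions, writes and enables the site configuration, enables mod_rewrite, restarts Apache and creates the database. It assumes the ZIP was unpacked to /tmp/hackazon-master (override with SRC) and that Apache runs as www-data; it departs from the guide by handing the writable directories to www-data instead of making them world-writable and by rendering an Apache 2.4 style vhost without the "Indexes" option or the "<Directory />" block.

```shell
#!/bin/sh
# Added example, not part of the Hackazon project: automates the Linux steps
# above on Ubuntu. Assumptions: the unpacked source is in $SRC, Apache runs as
# www-data, and the MySQL root password is entered when mysql prompts for it.
set -eu

SRC="${SRC:-/tmp/hackazon-master}"   # assumption: where the ZIP was unpacked
DEST=/var/www/hackazon               # install path used by the guide
SERVER_NAME=hackazon.lc              # ServerName used by the guide

# Render the site configuration. It differs from the guide in three ways:
# no "<Directory />" block (Ubuntu's apache2.conf already locks down /),
# no "Indexes" option (no directory listings of the web root), and the Apache
# 2.4 "Require all granted" form instead of the 2.2 "Order allow,deny" pair.
render_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName $1
    DocumentRoot $2
    <Directory $2/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Needs sudo. The two directories the installer writes to are handed to
# www-data instead of being made world-writable with chmod -R a+rwX.
install_hackazon() {
    sudo cp -r "$SRC" "$DEST"
    sudo chown -R www-data:www-data "$DEST/assets/config" "$DEST/web/upload"
    sudo chmod -R u+rwX,go-w "$DEST/assets/config" "$DEST/web/upload"
    render_vhost "$SERVER_NAME" "$DEST/web" |
        sudo tee "/etc/apache2/sites-available/$SERVER_NAME.conf" >/dev/null
    sudo a2ensite "$SERVER_NAME.conf"
    sudo a2enmod rewrite
    sudo service apache2 restart
    # Same statements as the guide (MySQL 5.x syntax; MySQL 8 no longer accepts
    # IDENTIFIED BY inside GRANT and needs a CREATE USER statement first).
    mysql -u root -p -e "CREATE DATABASE hackazon;
        GRANT ALL ON hackazon.* TO hackazon@'localhost' IDENTIFIED BY 'password';"
    sudo service mysql restart
}

# Only applies changes when invoked as "sh setup-hackazon.sh install".
if [ "${1:-}" = install ]; then install_hackazon; fi
```

After the script completes, open http://localhost/ and continue with the installer steps in the browser as in the Windows section.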

Default Configurations

To improve the user experience, the tool ships with some preconfigured data, including a login account.

Hackazon comes with one default account so that first-time users can log in to the application. The Admin account’s login credentials are configured while setting up the application.

Username: test_user
Password: 123456

Features of the application

Hackazon is designed to look like a real-world shopping application.

  • Browse and search products: Users can browse the products offered throughout the application and search for them using the search bar.
  • Create a shopping cart: Users can browse the application and add products to their cart for purchase.
  • Place an order: Users can purchase the selected items and place an order, entering their shipping address, coupon code and payment method.
  • View orders: Users can review their previous orders.
  • Edit profile: Users can edit their personal information such as name, address and email.
  • Change password: Users can change the password associated with their username.
  • Create and edit wish lists: Users can create multiple wish lists and edit them.
  • My documents and help articles: Users can consult the documents and help articles if they have a query.
  • Help desk: Users can ask questions on the help desk forum.
  • Contact us: Users can contact the company's representatives.

Administrator Interface

  • Dashboard: The dashboard lists the vulnerabilities present in the application, including the vulnerable URL, field, vulnerability type and details.
  • User: Allows users to add, edit and update users.
  • Roles: Allows users to add, edit and update user roles.
  • Product Details: Allows users to customize product categories, product details, product options, orders, coupons, enquiries and FAQs.
  • Vulnerability Config: Hackazon's unique and innovative feature, which allows users to add, edit or update the vulnerabilities as shown.

Example Application

Here is an example of how to create a vulnerability in the Hackazon application. Hackazon has a RESTful API through which users can view products. The steps are as follows:

  1. Navigate to “Vulnerable Config” and select “rest” from the drop-down list. Check the “Edit” option.
  2. Click on the “Add Child” button. The application generates an empty child box.
  3. Add the SQL injection vulnerability as shown.
  4. Click on the Submit button. The “Page” parameter of the product page in the REST API is now vulnerable to SQL injection.