Security Testing
Security Testing
Security Testing
• Concurrency
• Invalidated Parameters
• Authentication Flaws
• Buffer Overflows
• Injection Flaws
• Insecure Storage
• Denial of Service
• Insecure Configuration
• Web Services
• AJAX Security
Challenge
Concurrency
Web applications can handle many HTTP requests simultaneously. Developers often use variables
that are not thread safe. Thread safety means that the fields of an object or class always maintain
a valid state when used concurrently by multiple threads. It is often possible to exploit a
concurrency bug by loading the same page as another user at the exact same time. Because all
threads share the same method area, and the method area is where all class variables are stored,
multiple threads can attempt to use the same class variables concurrently.
General Goal(s):
The user should be able to exploit the concurrency error in the web application and view login
information for another user that is attempting the same function at the same time. This will
require the use of two browsers.
General Goal(s):
For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase
merchandise for a lower price.
Unvalidated Parameters
Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page.
While this is a convenient and easy mechanism for the developer, they often don't validate the
information that is received from the hidden field. This lesson will teach the attacker to find and
modify hidden fields to obtain a product for a price other than the price specified
General Goal(s):
The user should be able to exploit a hidden field to obtain a product at an incorrect price.
It is always a good practice to validate all inputs. Most sites allow non-authenticated users to send
email to a 'friend'. This is a great mechanism for spammers to send out email using your corporate
mail server.
General Goal(s):
Client-side validation should not be considered a secure means of validating parameters. These
validations only help reduce the amount of server processing time for normal users who do not
know the format of required input. Attackers can bypass these mechanisms easily in various ways.
Any client-side validation should be duplicated on the server side. This will greatly reduce the
likelihood of insecure parameter values being used in the application.
General Goal(s):
For this exercise, the web site requires that you follow certain rules when you fill out a form. The
user should be able to break those rules, and send the website input that it wasn't expecting.
In a role-based access control scheme, a role represents a set of access permissions and privileges.
A user can be assigned one or more roles. A role-based access control scheme normally consists of
two parts: role permission management and role assignment. A broken role-based access control
scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or
somehow allow privilege escalation to an unauthorized role.
General Goal(s):
Each user is a member of a role that is allowed to access only certain resources. Your goal is to
explore the access control rules that govern this site. Only the [Admin] group should have access
to the 'Account Manager' resource.
In a path based access control scheme, an attacker can traverse a path by providing relative path
information. Therefore an attacker can use relative paths to access files that normally are not
directly accessible by anyone, or would otherwise be denied if requested directly.
General Goal(s):
The user should be able to access a file that is not in the listed directory.
In role-based access control scheme, a role represents a set of access permissions and privileges.
A user can be assigned one or more roles. A role-based access control normally consists of two
parts: role permission management and role assignment. A broken role-based access control
scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or
somehow obtain unauthorized roles.
General Goal(s):
Your goal is to explore the access control rules that govern this site. Each role has permission to
certain resources (A-F). Each user is assigned one or more roles. Only the user with the [Admin]
role should have access to the 'F' resources. In a successful attack, a user doesn't have the
[Admin] role can access resource
Applications will often have an administrative interface that allows privileged users access to
functionality that normal users shouldn't see. The application server will often have an admin
interface as well.
Standards Addressed :
General Goal(s): Try to access the administrative interface for WebGoat. You may also try to
access the administrative interface for Tomcat. The Tomcat admin interface can be accessed via a
URL (/admin) and will not count towards the completion of this lesson.
Web applications frequently provide their users the ability to retrieve a forgotten password.
Unfortunately, many web applications fail to implement the mechanism properly. The information
required to verify the identity of the user is often overly simplistic.
General Goal(s):
Users can retrieve their password if they can answer the secret question properly. There is no lock-
out mechanism on this 'Forgot Password' page. Your username is 'webgoat' and your favorite color
is 'red'. The goal is to retrieve the password of another use
Basic Authentication
Basic Authentication is used to protect server side resources. The web server will send a 401
authentication request with the response for the requested resource. The client side browser will
then prompt the user for a user name and password using a browser supplied dialog box. The
browser will base64 encode the user name and password and send those credentials back to the
web server. The web server will then validate the credentials and return the requested resource if
the credentials are correct. These credentials are automatically resent for each page protected
with this mechanism without requiring the user to enter their credentials again.
General Goal(s):
For this lesson, your goal is to understand Basic Authentication and answer the questions below.
Many applications will automatically log a user into their site if the right authentication cookie is
specified. Some times the cookie values can be guessed if the algorithm for generating the cookie
can be obtained. Some times the cookies are left on the client machine and can be stolen by
exploiting another system vulnerability. Some times the cookies maybe intercepted using Cross
site scripting. This lesson tries to make the student aware of authentication cookies and presents
the student with a way to defeat the cookie authentication method in this lesson.
General Goal(s):
Application developers who develop their own session IDs frequently forget to incorporate the
complexity and randomness necessary for security. If the user specific session ID is not complex
and random, then the application is highly susceptible to session-based brute force attacks.
General Goal(s):
• HTTPOnly Test
To pass this lesson, the credentials must be posted to the catcher servlet.
It is always a good practice to scrub all inputs, especially those inputs that will later be
used as parameters to OS commands, scripts, and database queries. It is particularly
important for content that will be permanently stored somewhere. Users should not be able
to create message content that could cause another user to load an undesirable page or
undesirable content when the user's message is retrieved.
XSS can also occur when unvalidated user input is used in an HTTP response. In a reflected
XSS attack, an attacker can craft a URL with the attack script and post it to another
website, email it, or otherwise get a victim to click on it.
General Goal(s):
For this exercise, you will perform stored and reflected XSS attacks. You will also
implement code changes in the web application to defeat these attack
It is always a good practice to scrub all input, especially those inputs that will later be used
as parameters to OS commands, scripts, and database queries. It is particularly important
for content that will be permanently stored somewhere in the application. Users should not
be able to create message content that could cause another user to load an undesirable
page or undesirable content when the user's message is retrieved.
General Goal(s):
The user should be able to add message content that cause another user to load an
undesireable page or content.
It is always a good practice to validate all input on the server side. XSS can occur when
unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker
can craft a URL with the attack script and post it to another website, email it, or otherwise
get a victim to click on it.
General Goal(s):
For this exercise, your mission is to come up with some input containing a script. You have
to try to get this page to reflect that input back to your browser, which will execute the
script and do something bad.
This lesson teaches how to perform Cross Site Request Forgery (CSRF) attacks.
Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a
page that contains img links like the one below:
<img src="http://www.mybank.com/sendFunds.do?acctId=123456"/>
When the victim's browser attempts to render this page, it will issue a request to
www.mybank.com to the transferFunds.do page with the specified parameters. The
browser will think the link is to get an image, even though it actually is a funds transfer
function. The request will include any cookies associated with the site. Therefore, if the
user has authenticated to the site, and has either a permanent cookie or even a current
session cookie, the site will have no way to distinguish this from a legitimate user request.
In this way, the attacker can make the victim perform actions that they didn't intend to,
such as logout, purchase item, or any other function provided by the vulnerable website
General Goal(s):
Your goal is to send an email to a newsgroup that contains an image whose URL is pointing
to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL
should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can
copy the shortcut from the left hand menu by right clicking on the left hand menu and
choosing copy shortcut. Whoever receives this email and happens to be authenticated at
that time will have his funds transferred. When you think the attack is successful, refresh
the
<img src=?http://localhost/WebGoat/attack?Screen=81&menu=210&transferFunds=5000?
width="1" height="1" />
HttpOnly Test
To help mitigate the cross site scripting threat, Microsoft has introduced a new cookie
attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side
script to access the cookie. Since the attribute is relatively new, several browsers neglect
to handle the new attribute properly.
General Goal(s):
The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie
flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly, and you
enable it for a cookie, client side code should NOT be able to read OR write to that cookie,
but the browser can still send its value to the server. Some browsers only prevent client
side read access, but don't prevent write access.
It is always a good practice to scrub all input, especially those inputs that will later be used
as parameters to OS commands, scripts, and database queries. It is particularly important
for content that will be permanently stored somewhere in the application. Users should not
be able to create message content that could cause another user to load an undesireable
page or undesireable content when the user's message is retrieved.
General Goal(s):
Tomcat is configured to support the HTTP TRACE command. Your goal is to perform a Cross
Site Tracing (XST) attack.
Denial of service attacks are a major issue in web applications. If the end user cannot conduct
business or perform the service offered by the web application, then both time and money is
wasted.
General Goal(s):
This site allows a user to login multiple times. This site has a database connection pool
that allows 2 connections. You must obtain a list of valid users and create a total of 3
logins.
This lesson presents the basics for understanding the "fail open" condition regarding
authentication. The security term, “fail open” describes a behavior of a verification mechanism.
This is when an error (i.e. unexpected exception) occurs during a verification method causing that
method to evaluate to true. This is especially dangerous during login.
General Goal(s):
Injection Flaws
• Command Injection
• Log Spoofing
• XPATH Injection
• Database Backdoors
Command injection attacks represent a serious threat to any parameter-driven site. The
methods behind an attack are easy to learn and the damage caused can range from
considerable to complete system compromise. Despite these risks an incredible number of
systems on the internet are susceptible to this form of attack.
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense
and forethought, can be almost totally prevented. This lesson will show the student several
examples of parameter injection.
It is always good practice to sanitize all input data, especially data that will used in OS
command, scripts, and database queries.
General Goal(s):
The user should be able to execute any command on the hosting OS.
The result contains the output of the command netstat and ipconfig.
SQL injection attacks represent a serious threat to any database-driven site. The methods behind
an attack are easy to learn and the damage caused can range from considerable to complete
system compromise. Despite these risks an incredible number of systems on the internet are
susceptible to this form of attack.
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and
forethought, can be almost totally prevented. This lesson will show the student several examples
of SQL injection.
It is always good practice to sanitize all input data, especially data that will used in OS command,
scripts, and database queries.
General Goal(s):
The form below allows a user to enter an account number and determine if it is valid or not. Use
this form to develop a true / false test check other entries in the database.
The goal is to find the value of the first_name in table user_data for userid 15613. Put that name
in the form to pass the lesson.
==========
General Goal(s):
The user should be able to view all records in the specified table. The user could add new records or modify
existing records.
The backend database is HSQLDB. Keep that in mind if you research SQL functions on the Internet since
different databases use some different functions and syntax.
This is the code for the query being built and issued by WebGoat:
"SELECT * FROM user_data WHERE userid = " + accountNumber
The application is taking your input and inserting it at the end of a pre-formed SQL command. You will need to
make use of the following SQL functions:
substr(string, start, length) - returns a substring of string starting at the start character and going for length
characters
ascii(string) will return the ascii value of the first character in string
> and < - once you have a character's value, compare it to a choosen one
Example: is the first character of the first_name of userid 15613 less than 'M' (ascii 77)?
101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 1 , 1) ) < 77 );
If you get back that account number is valid, then yes. If get back that the number is invalid then answer is no.
Another example: is the second character of the first_name of userid 15613 greater than 'm' (ascii 109)?
101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 2 , 1) ) > 109 );
If you get back that account number is valid, then yes. If get back that the number is invalid then answer is no.
Figure 1 Lesson 16
For the query: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 1 , 1) ) <
77 ); you will get a "Account number is valid". If the character is bigger then the value you get an invalid account
error message.
Figure 2 Invalid account number
You can change the < to = to make sure that you have the correct value.
This results in the query 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) ,
1 , 1) ) = 74 );
So you know that ascii(74) is capital J. Now do the same for the second and all other characters.
The query for the second character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE
userid=15613) , 2 , 1) ) = 111 );
Ascii(111) = o, so you have now Jo.
For the third character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 3
, 1) ) = 101 ); Ascii(101) = e
For the fourth character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) ,
4 , 1) ) = 115 ); Ascii(115) = s
For the fifth character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) ,
5 , 1) ) = 112); Ascii(112) = p
For the sixth character: 101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=15613) , 6
, 1) ) = 104); Ascii(104) = h
So the name that you found is Joesph. Enter this in the text field to complete this lesson.
Figure 4 Enter the name Joesph
General Goal(s):
The form below allows a user to view weather data. Try to inject an SQL string that results in all the weather data
being displayed.
Solution:
The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.
Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try
appending a SQL statement that always resolves to true.
Intercept the post request with WebScarab and replace 101 with 101 or 1=1!
As the SQL Statement is true for every station you get a list of all stations:
How the attacks works: The attack is based on fooling the human eye in log files. An attacker can erase his
traces from the logs using this attack.
General Goal(s):
The grey area below represents what is going to be logged in the web server's log file.
Your goal is to make it like a username "admin" has succeeded into logging in.
Elevate your attack by adding a script to the log file.
Solution:
This lesson accepts any input for a username and appends the information to the log file.
Enter for username the text: smith Login Succeeded for username admin
Fill out the following text for the username: Smith%0d%0aLogin Succeeded for username: admin
An attacker can use this attack to add malicious JavaScript to the log file, which will be viewed by the
administrator using a browser. What happens when you inject admin <script>alert(document.cookie)</script> for
the username?
General Goal(s):
The form below allows employees to see all their personal data including their salaries. Your account is
Mike/test123. Your goal is to try to see other employees data as well.
Figure 1 XPath Injection
XPath injection is similar to SQL Injection. Input is not validated and used to create a XPath query. Here you can
see how the XPATH query is built:
Injecting Smith' or 1=1 or 'a'='a will log you on as the first user defined in the system. Password is a required field,
so there you can enter whatever you want.
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be
prevented.
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database
queiries, even if the threat of SQL injection has been prevented in some other manner.
General Goal(s):
For this exercise, you will perform SQLInjection attacks. You will also implement code changes in the web application to
defeat these attacks.
Solution:
Select Neville as user to log in. Make sure WebScarab will intercept the next request. Hit the Login Button and Change the
password parameter in WebScarab to smith' OR '1' = '1. Et voila you are logged in as Neville without knowing the password
as the query will lookup if the password is smith and if not it controls if 1=1 what return true.
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be
prevented.
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database
queiries, even if the threat of SQL injection has been prevented in some other manner.
General Goal(s):
For this exercise, you will perform SQLInjection attacks. You will also implement code changes in the web application to
defeat these attacks.
Solution:
To prevent a SQLInjection you can use "Parametreized Queries". This kind of query makes it possible to use every input of
an user as a parameter. In this lesson you have to change org.owasp.webgoat.lessons.SQLInjection.Login.java The query
execution in the method login looks like this:
String query = "SELECT * FROM employee WHERE userid = " + userId + " and password =
'" + password + "'";
// System.out.println("Query:" + query);
try
{
Statement answer_statement = WebSession.getConnection(s)
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
etc...
To paramerize the Query you have to replace the userinput with questionmarks:
String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
Now that the query is prepared we have to add the parameters to the query:
statement.setString(1, userId);
statement.setString(2, password);
String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
try
{
Connection connection = WebSession.getConnections(s);
PreparedStatement statement = connection.prepareStatement(query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
statement.setString(1, userId);
statement.setString(2, password);
ResultSet answer_results = statement.executeQuery();
etc...
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be
prevented.
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database
queiries, even if the threat of SQL injection has been prevented in some other manner.
General Goal(s):
For this exercise, you will perform SQLInjection attacks. You will also implement code changes in the web application to
defeat these attacks.
Solution:
Choose Larry to log in with password larry. Select yourself from the list and make sure that WebScarab will intercept the
next request. Replace the id 101 with following:
101 OR 1=1 ORDER BY salary desc
With '101 OR 1=1' we have a SQL Statement which is always true. It will get all the employees from the db but only return
one of them. That is why we have to ensure we get the "Big Fish" which is the employee earning most. With 'ORDER BY
SALARY DESC' we guarantee exactly this.
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be
prevented.
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database
queiries, even if the threat of SQL injection has been prevented in some other manner.
General Goal(s):
For this exercise, you will perform SQLInjection attacks. You will also implement code changes in the web application to
defeat these attacks.
Solution:
The solution is simular to Stage2. That is why here is only a short solution.
You have to alter the class org.owasp.webgoat.lessons.SQLInjection.ViewProfile.java
Alter the method getEmployeeProfile to something like this:
Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can
easily be prevented.
It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and
database queiries, even if the threat of SQL injection has been prevented in some other manner.
General Goal(s):
The form below allows a user to view their credit card numbers. Try to inject an SQL string that results in all the
credit card numbers being displayed. Try the user name of 'Smith'.
Solution:
Compared with the previous lesson, there is now a string parameter and not an integer.
Strings must be terminated with single quotes to have a valid SQL Query.
Figure 1 Lesson 18
The query used in this lesson is: SELECT * FROM user_data WHERE last_name = 'Your Name'
General Goal(s):
Your goal should be to learn how you can exploit a vulnerable query to create a trigger.
You will not be able to actually create one in this lesson because the underlying database engine used with
WebGoat doesn't support triggers.
Your login ID is 101.
Solution:
Enter your user ID 101 to see how the application works.
Figure 2 User ID is 101
As you probably noticed, the input is not validated so very easy to do SQL Injection. To have two SQL queries
executed, you need to separate them using a sem-colon. For example select * from employees; drop table
employees will first select all the users from employees and then drop the table employees. Not all databases
support multiple SQL statements.
Here you need to update the salary of the employees. This requires an update query like update employees set
salary=10000.
Inject this for the user ID: 101; update employee set salary=10000
To create a database trigger, you need to inject the following SQL: CREATE TRIGGER myBackDoor BEFORE
INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]'WHERE
userid = NEW.userid
Insecure Communication
General Goal(s):
See how easy it is to sniff a password in plaintext.
Understand the advantages of encrypting the login data!
Solution:
This lesson has two stages. In the first stage you try to sniff a password which is sent in plaintext. In the second stage you try
the same but on a secure connection.
You need a client server setup for this lesson. Please refer to the Tomcat Setup in the Introduction section.
Stage 1
Start a sniffer. If you do not have one we recommend wireshark, which is free: Wireshark. Make sure you are capturing on
the right interface. Click on the submit button ans stop the capturing. Now analyze the captured data.
Figure 1: Sniffed Traffic
As you can see we are interested in the HTTP Post request as the password is transmitted there. The field for the password
has the name clear_pass and has as value sniffy. Of course this is also the correct answer and you are done with stage 1.
Stage 2
Now you have to switch to a secure connection. You archive this by changing the URL from http://... to https://... Sniff again
the traffic as you have done in stage 1. As you will see there is not sent the password in plaintext. The server communicates
with the application over a secure layer the so called Transport Layer Security (TLS) also called Secure Socket Layer (SSL).
TLS is a hybrid encrypting protocol. A master secret is built to communicate. This master secret is built by using SHA-1 and
MD5. All traffic between the Server and the Cleint is encrypted.
Insecure Configuration
General Goal(s):
Your goal should be to try to guess the URL for the "config" interface.
The "config" URL is only available to the maintenance personnel.
The application doesn't check for horizontal privileges.
Solution:
If you want to access a restricted page, you need to be able to guess the URI to access the page, for example
/admin.
In this environment, WebGoat consists of different servlets that live in the WebGoat application. The main servlet
is /attack, what could be the servlet for config?
Figure 3 No /WebGoat/configuration
Figure 4 Bingo for /WebGoat/conf
Parameter Tampering
General Goal(s):
The user should be able to exploit a hidden field to obtain a product at an incorrect price.
Figure 1 Lesson 4
Solution:
To change the hidden field you need to start your favorite HTTP Interceptor. You can use WebScarab from
OWASP to intercept the request and change the hidden field. Configure your browser to use a local proxy. In
Internet Explorer you can do this via "Tools" ? "Internet Options" ? "Connections" ? "LAN Settings". You must
define proxy "localhost" with port 8008.
Start WebScarab
Figure 3 Intercept request with WebScarab
General Goal(s):
The user should be able to send an obnoxious email message.
Solution:
Type a malicious script like <script>alert("XSS")</script> and click Send!
Figure 1 Lesson 5
The second part of this lesson is to send a mail to a friend from OWASP. This can be accomplished by
intercepting the request with WebScarab and changing the hidden field "to" from [email protected] to
[email protected]
Figure 3 Change the variable to another e-mail address
General Goal(s):
For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be
able to break those rules, and send the website input that it wasn't expecting.
Figure 1 Lesson 6
There are two ways to complete this lesson. The first one is to submit a valid request like the one from the
screenshot above and intercept this using WebScarab. The second way is to intercept the HTTP Response when
loading the page and remove the Javascript that validates the values.
Solution 1
Solution 2
Reload the page by clicking on the menu item "How to bypass Client-Side Javascript Validation" and intercept
the response in WebScarab.
Figure 5 Enable "Intercept responses"
If you remove the onclick="validate();" the "Submit" button will not work anymore.
Locate the validate() Javascript function in the HTML page.
Figure 7 The function validate()
Removing the regular expressions will remove the Javascript validation and submit the form.
Click "Accept changes". This returns a HTML page like before but without any regular expression checks.
Figure 9 It looks the same
Change the fields in the HTML page to contain symbols like @#@@# and click "Submit".
General Goal(s):
Try to access an authenticated session belonging to someone else.
In this lesson the purpose is to predict the WEAKID value. The WEAKID is used to differentiate authenticated
and anonymous users of WebGoat.
Solution:
The easiest way to complete this lesson is to use WebScarab's Session ID Analysis.
Go to WebScarab and click on the button "SessionID Analysis". Select the last POST request from the "Previous
requests" drop-down box.
Figure 1 WebScarabs SessionID Analysis
To make sure that WebScarab is able to fetch the WEAKID cookie, you need to click the "Test" button on the
bottom of the screen. A pop-up window must be shown like below.
If you don?t have a pop-up window with the Extracted Sessionids, you must edit the Request. You must delete
the WEAKID value from the request. Without this cookie value, WebGoat will return a HTTP Header "Set-Cookie:
WEAKID=value" so WebScarab learns about this value.
Fetch 50 samples and examine the results. Enter "50" in the "Samples" window and click the button "Fetch". You
will not see any information about progress.
Now you need to go to the tab "Analysis".
You must select the Session Identifier WEAKID value from the drop-down box.
The WEAKID is divided in 2 parts: the first part is an identifier that is added 1 in every cookie and a time value.
The time value is calculated at the moment that you submit the request.
Notice that there is sometimes a gap in the first value of the WEAKID, skipping with 1. The value that is missing
is the value that you need to know to log on. Now you only need to calculate the timestamp. This can be brute-
forced using Crowbar. You know the previous timestamp and the next timestamp so you have a start and end
value.
You can download Crowbar for free: http://www.sensepost.com/research/crowbar/
There is a value 16935 and a value 16937 with a numeric difference of 28110 instead of 14109, so there the
WEAKID cookie is located. Copy and paste the raw HTTP request in Crowbar:
Figure 3 Crowbar
Insert ##1## in the WEAKID parameter where you want to brute-force the value and be aware, that the first part
of the WEAKID is the one we are searching for (16936). The WEAKID in Crowbar lookes like this: Cookie:
JSESSIONID=...; WEAKID=16936-1163685##1##;
Start the first loop at 363093, the last digits of the last cookie before the authentication cookie and 363203, the
first cookie after the authentication cookie. You have to enter these two values in the Parameter1 fields. We have
to brute-force these values, but we are sure that they lie between these two boundaries.
Examine the results until you see a different fuzzy logic value (the blue line in Figure 3), right-click it and click on
"Show reply".
Figure 4 Lesson 12 Completed
General Goal(s):
The user should be able to bypass the authentication check.
Solution:
Make sure that you have "Show Cookies" enabled in WebGoat. And you need to disable the feature "Inject know
cookies into requests" in WebScarab otherwise WebScarab will always inject your old cookie and not the new
cookie.
Figure 1 Disable "Inject known cookies into requests"
Hit "Refresh". This refresh will show our AuthCookie. And you are now authenticated using this cookie and not
with parameters like above.
There is a new cookie called AuthCookie with values 65432ubphcfx. Logout and login with aspect/aspect.
Figure 4 Logon as aspect/aspect
webgoat ubphcfx
Aspect udfgfb
This is an transposition of the letters of the alphabet. Each letter is replaced with its successor, for example t->u,
a->b and the user name is reversed. So for user name alice the cookie will contain the reversed user name ecila
and the successors of the letters. This results in fdjmb.
Login with user name alice and intercept the request in WebScarab. Add AuthCookie=65432fdjmb to the existing
cookie JSESSIONID.
Figure 7 Add AuthCookie to request
An attacker can send a hyperlink to a victim with a chosen Session ID. This can be done for example by a prepared mail
which looks like an official mail from the application administrator. If the victim clicks on the link and logs in he is
authorized by the Session ID the attacker has chosen. The attacker can visit the page with the same ID and is recognized as
the victim and gets logged in without authorization.
General Goal(s):
This lesson has several stages. You play the attacker but also the victim. After having done this lesson it should be
understood how a Session Fixation in general works. It should be also understood that it is a bad idea to use the Get-Request
for Session IDs.
Solution:
This lesson has 4 stages. In stage 1 and 4 you are Hacker Joe in lesson 2 and 3 you are the victim Jane.
Stage 1:
You have to send a prepared mail to Jane which looks like a mail from Goat Hills Financial with a link containing a Session
ID. The mail is already prepared. You only have to alter the link so it includes a Session ID (SID). You can archive this by
adding &SID=WHATEVER to the link. Of course can WHATEVER be replaced by any other string. The link should look
similar to following:
<a href=http://localhost/WebGoat/attack?Screen=46&menu=320&SID=WHATEVER>
Stage 2:
Now you are Jane which receives the mail you wrote in stage 1. Point with the mouse on the link and you will notice the SID
in the status bar of your browser. This is the easiest stage as you have only to click on the link 'Goat Hills Financial'.
Stage 3:
You are on the login screen of Goat Financial Hills now. In the URL is the SID visible. All you have to do is to log in with
your user name Jane and your password tarzan.
Stage 4:
The application switches again to the hacker Joe. There is already a prepared link you have to click on to reach the Goat Hill
Financial. In real life this would be different of course. You could directly put the URL in the address bar of your browser.
After having clicked on the provied link you reach Goat Hill Financial. Take a look at the URL and you will see that your
SID is NOVALIDSESSION. Change this string to the SID you have chosen at the beginning of this lesson and hit enter.
Congratulation! You are logged in as Jane and the lesson was successful.
General Goal(s):
Try connecting to the WSDL with a browser or Web Service tool. The URL for the web service is:
http://localhost/WebGoat/services/SoapRequest The WSDL can usually be viewed by adding a ?WSDL on the
end of the web service request.
Figure 1 - Lesson 21
Solution:
Click on the URL "WebGoat WSDL" to examine the Webservices Description Language file.
Figure 2 - WSDL
Count the number of operations like getFirstName. There are 4 operations defined.
For the next question the getFirstNameRequest method uses an int as parameter type. Enter int and click
"Submit".
Figure 4 Stage 2 Completed
Intercept the HTTP Request with WebScarab and click on the ?Raw? tab. Make sure that ?Intercept Responses?
is selected.
General Goal(s):
This screen is the API for a web service. Check the WSDL file for this web service and try to get some customer
credit numbers.
Figure 1 Lesson 22
Solution:
Intercept the request with WebScarab and change the parameter to getCreditCard
Figure 2 WebScarab raw request
General Goal(s):
Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for
all input validation, it may be possible to corrupt the XML that the web interface sends.
In this exercise, try to change the password for a user other than 101.
Solution:
To succeed this lesson it is required to reset the password of the user with a different user-ID then 101 (which is
your user-ID)
.
When you fill out a password and click on "Go!" the following XML request will be created, submit and parsed by
the SAX parser:
SAX parsers will parse anything that is well-formed, meaning that there are matching end and close tags and that
the schema is correct. When you are able to add a new changePAssword element with corresponding id tag and
password tag, the SAX parser will be more than happy to change the password for the user-ID provided.
So you need to have something like this as a final result:
There are field-limitations in the HTML input field, so it is required to intercept the HTTP Request with
WebScarab and replace the parameter password with the payload.
Intercept the request in WebScarab and replace the string test with the payload.
Figure 114 Intercept request
Figure 115 Inject XML payload
General Goal(s):
Check the web service description language (WSDL) file and try to obtain multiple customer credit card numbers.
You will not see the results returned to this screen. When you believe you have suceeded, refresh the page and
look for the 'green star'.
Solution:
This lesson can be solved easily by using a web services tool called SOAPUI. But here you will only use
WebScarab. Go in WebScarab to the tab "Web Services". You will see a history of invoked web services or
WSDL files.
Figure 1 Lesson 23
Open the WebGoat WSDL file for this lesson (WsSqlInjection?WSDL) in a new window.
In WebScarab you can select this WSDL from the top drop-down box. And WebScarab will parse the XML file so
you can select the operations to invoke. Then you can enter a value for the parameters used to invoke the
operation. For example fill out the integer 101 for the ID value and click "Execute". WebScarab will pop-up a
basic authentication window. Enter username:guest, password:guest and host:localhost then click "Ok". If the
pop-up does not appear you have to go to "Tools" > "Credentials". There you should activate "Ask when
required".
Figure 2 Basic authentication
What happens if you change 101 to 1 OR 1=1? Will you get all the credit cards?
Yes
Figure 4 All the credit cards
Remark: when you don't get any responses you might want to select the service and operation again from the
drop-down box. A nice feature here would be the ability to make a raw SOAP request.