Owasp webgoat

24
OWASP WEBGOAT Zakaria SMAHI

Transcript of Owasp webgoat

Page 1: Owasp webgoat

OWASP WEBGOAT Zakaria SMAHI

Page 2: Owasp webgoat

WHAT IS WEBGOAT WebGoat is a delibrately insecure J2EE web application maintained by OWASP. Designed to teach Web Application Security. Useful to test Security Products (ex. IPS/IDS, Firewall, Web application Firewalls) against OWASP TOP 10 promise, XML and AJAX Security Threats.

Page 3: Owasp webgoat

INSTALL WEBGOAT1. Download from Google Code2. Unzip the folder 3. Click on WebGoat.bat4. Goto http://localhost/WebGoat/5. Login && pass: guest.

Page 4: Owasp webgoat

CONNECTING THE FIRST TIME

Page 5: Owasp webgoat

0X000 CODE QUALITY

Hint !!!Check the Source

Code of the page ;)

Page 6: Owasp webgoat

0X001 STORED XSS ‘Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.’

OWASP

Page 7: Owasp webgoat

0X001 STORED XSS

Login as tom

Page 8: Owasp webgoat

0X001 STORED XSS View and Edit the profile for tom. Select the address field. Copy/Paste the following: <script>alert(« XSS »)</script> Test !!!

Page 9: Owasp webgoat

0X001 STORED XSS

Page 10: Owasp webgoat

0X002 CSRF ‘CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.’

OWASP

Page 11: Owasp webgoat

0X002 CSRF

Page 12: Owasp webgoat

0X002 CSRF

Page 13: Owasp webgoat

0X003 SQL INJECTION ‘A SQL injection attack consists of insertion or "injection“ of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.’

OWASP

Page 14: Owasp webgoat

0X003 SQL INJECTION

Hint!!!Try

‘ OR ‘1’=‘1

Page 15: Owasp webgoat

0X003 SQL INJECTION

Page 16: Owasp webgoat

0X004 XPATH INJECTION ‘XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML based user file). Like SQL, you can specify certain attributes to find, and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't mess up the XPath query and return the wrong data.’

OWASP

Page 17: Owasp webgoat

0X004 XPATH INJECTION

Page 18: Owasp webgoat

0X004 XPATH INJECTION XPath login request is: //Employee[UserName/text()='" & Request("Username") & "' And Password/text()='" & Request("Password") & "'] Let’s add or 1 = 1 or ‘a’ = ‘a so the request becomes: //Employee[UserName/text()='what ever you want' or 1=1 or 'a'='a' And Password/text()='what ever you want'] Try to log in now Bingo !!

Page 19: Owasp webgoat

0X004 XPATH INJECTION

Page 20: Owasp webgoat

0X005 SAX WEB SERVICES INJECTION We have seen that it’s possible to send Javascript code , SQL queries in a non-validated-user-input form. It’s also possible to send XML to modify a query. It’s used generally in XML web services. Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends. 

Page 21: Owasp webgoat

0X005 SAX WEB SERVICES INJECTION

<?xml version='1.0' encoding='UTF-8‘?><wsns0:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsns1='http://lessons.webgoat.owasp.org'> <wsns0:Body> <wsns1:changePassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'>[password]</password> </wsns1:changePassword> </wsns0:Body></wsns0:Envelope>

<?xml version='1.0' encoding='UTF-8‘?><wsns0:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsns1='http://lessons.webgoat.owasp.org'> <wsns0:Body> <wsns1:changePassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'>[password]</password> </wsns1:changePassword> </wsns0:Body></wsns0:Envelope>

Hint !It’s an XML File

Page 22: Owasp webgoat

0X005 SAX WEB SERVICES INJECTION

<?xml version='1.0' encoding='UTF-8'?><wsns0:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsns1='http://lessons.webgoat.owasp.org'> <wsns0:Body> <wsns1:changePassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'>pass_101</password> </wsns1:changePassword> <wsns1:changePassword> <id xsi:type='xsd:int'>102</id> <password xsi:type='xsd:string'>pass_102</password> </wsns1:changePassword> </wsns0:Body></wsns0:Envelope>

Page 23: Owasp webgoat

0X005 SAX WEB SERVICES INJECTION

Page 24: Owasp webgoat

Thank You !