WebGoat
WebGoat is a deliberately insecure J2EE web application designed to teach web application security concepts
WebGoat is java web application which can show you a lot of the web attacks that can be performed on your website. It is a must have for all web developers.
You can download it from sourceforge or from google
The package contains a tomcat server and you can run it from the distribution. But in my case there was only windows configuration files so I have to take the war file and put in the standalone tomcat installation. Also move the permissions for the roles/users to my tomcat installation.
After manage to run it you will need some sniffer/proxy to monitor the requests. I have tried it with WebScarab but there is another one here and this one here
- Run WebGoat in tomcat
- Run you proxy/sniffer/pluging or what ever monitoring tool.
- Start your browser
- Setup your browser to use the proxy in case you choose to use proxy
- Redirect your browser to WebGoat application (http://127.0.0.1:8080/WebGoat/attack )
You are ready to pass all the tests. Here are the options extracted from the lates WebGoat version:
- Admin Functions
- General
- Code Quality
- Concurrency
- Unvalidated Parameters
- Access Control Flaws
- Authentication Flaws
- Session Management Flaws
- Cross-Site Scripting (XSS)
- Phishing with XSS
- LAB: Cross Site Scripting
- Stage 1: Stored XSS
- Stage 2: Block Stored XSS using Input Validation
- Stage 3: Stored XSS Revisited
- Stage 4: Block Stored XSS using Output Encoding
- Stage 5: Reflected XSS
- Stage 6: Block Reflected XSS
- Stored XSS Attacks
- Cross Site Request Forgery (CSRF)
- Reflected XSS Attacks
- HTTPOnly Test
- Cross Site Tracing (XST) Attacks
- Buffer Overflows
- Injection Flaws
- Command Injection
- Blind SQL Injection
- Numeric SQL Injection
- Log Spoofing
- XPATH Injection
- LAB: SQL Injection
- Stage 1: String SQL Injection
- Stage 2: Parameterized Query #1
- Stage 3: Numeric SQL Injection
- Stage 4: Parameterized Query #2
- String SQL Injection
- Database Backdoors
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration
- Web Services
- AJAX Security
- Challenge
J June, 2008 at 11:43 am
Is there anyway i could get all lesson fixes/solutions…
thanks
J June, 2008 at 9:52 am
This is open-source program, you can download it from
http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824
Run it on your local machine, and play with it via your browser
All the lessons are there, and most of them have a solutions in the help.
J June, 2009 at 1:37 pm
= tcpick =
tcpick is a textmode sniffer libpcap-based that can track, reassemble and reorder tcp streams. tcpick is able to save the captured flows in different files or displays them in the terminal, and so it is useful to sniff files that are transmitted via ftp or http. It can display all the stream on the terminal, when the connection is closed in different display modes like hexdump, hexdump + ascii, only printable charachters, raw mode and so on.
Info: http://tcpick.sourceforge.net/
—-
== Brief Tutorial ==
Example:
{{{
tcpick -i eth0 -yP -C -h “not port 22”
}}}
How to display the connection status:
{{{
tcpick -i eth0 -C
}}}
Display the payload and packet headers:
{{{
tcpick -i eth0 -C -yP -h -a
}}}
Display client data only of the first smtp connection:
{{{
tcpick -i eth0 -C -bCU -T1 “port 25”
}}}
Download a file passively:
{{{
tcpick -i eth0 -wR “port ftp-data”
}}}
Log http data in unique files (client and server mixed together):
{{{
tcpick -i eth0 “port 80” -wRub
}}}
Redirect the first connection to a software:
{{{
tcpick -i eth0 –pipe client “port 80” | gzip > http_response.gz
tcpick -i eth0 –pipe server “port 25” | nc foobar.net 25
}}}