Web Security Vulnerabilities
ICS Laboratory, AJOU Univ.
Hyun Soo Ch.
OWASP Top Ten
OWASP (Open Web Application Security Project) Top Ten Project
List of 10 Most Critical Web Application Security Risks
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object Reference
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
OWASP WebGoat
Test bed Web Application for practicing OWASP Top 10 Risks
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Setting up WebGoat

Download packages
1. Move to Download Directory
2. Download Tomcat, JDK, WebGoat.war
3. Check Downloaded file with ‘ls’

Extract Package
4. Make directory for JDK and move JDK tar file to /usr/local/java
5. Move apache-tomcat file to /usr/local/
6. Move to /usr/local/java to extract tar file

Install JDK
7. Symbolic Link Setting to use installed java
8. Check if it’s installed properly
9. Export Environmental Variable

Setup Tomcat
10. Move to ‘/usr/local’ and extract apache-tomcat-6.0.41.tar.gz
11. Create a file tomcat641 in /etc/init.d directory
    - Fill the file contents like the figure on the slide (init script not reproduced here)
12. Then change privilege to 755 (rwxr-xr-x)
13. Move to ‘apache-tomcat-XX/conf’ and edit ‘tomcat-users.xml’ files
    (Commands shown on the slide: * to start the service, ** to start automatically on reboot, *** to stop the service)

Starting WebGoat
14. Copy Downloaded WebGoat.war to tomcat’s webapp directory
15. Start Tomcat
16. Open up Firefox (Browser) and get access to WebGoat server!

WebGoat Setup Complete
You can also get to the server outside the VM
WebGoat… WebGoat?

General
General Web Technique – HTTP Basics
1. Enter your name in the input
2. Press ‘Go!’
Buffer Overflows
Hello World! (12 characters)
@$#@!_# (7 more characters)
What’s Buffer Overflow?
Tools You’ll be needing
Burp Suite: Web application Security Testing Tool
http://portswigger.net/burp/download.html
Portable Firefox: Firefox browser that is portable
http://portableapps.com/apps/internet/firefox_portable
JDK: Java virtual machine
http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
1. Open up CMD
2. Change Directory to where the burpsuite.jar file is.
3. Then Execute jar file with jdk
4. After some “NEXT”s you will see the figure shown on the slide
There are lots of features that Burp Suite supports, but we’ll be using just the Proxy feature.
With the Proxy Toolbar of Portable Firefox and the Proxy Intercept feature of Burp Suite,
it’s possible to intercept and edit the generated packet (the HTTP request) before it reaches the server.
1. Click Add icon
2. Click Next
3. Enter Proxy Info
   - Name for your proxy setting
   - IP address & port # for HTTP proxy: loopback address (to myself) and a port # that is not in use
4. Then press OK
5. Edit proxy listener info
6. Scroll down & check “Unhide hidden form fields”
7. Go back to Firefox
8. Click Apply button
Figures on the slide: submit form webpage, and the actual intercepted packet.
Pressing the “Go” button, the browser will send a msg to the server,
which will be intercepted by Burp Suite.
The intercepted msg can be edited and then sent by pressing the “Forward” button.
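The interception step above is why the 12-character limit on the lesson's input cannot live in the browser alone. The following is an added example, not code from the slides or from WebGoat: a simulated server-side handler for the form, with the version that trusts the browser beside one that re-checks the limit (the field name `name`, the record width and the request bodies are assumptions constructed for the example).

```python
# Added example, not from the slides: the 12-character limit on the
# WebGoat input is enforced only by the browser. Once the request is
# intercepted and edited in Burp's Proxy, the server receives whatever
# was put in the body, so the server has to repeat the length check.
from typing import Optional
from urllib.parse import parse_qs

FIELD = "name"        # assumed form field name (not taken from the lesson)
MAX_CHARS = 12        # the 12-character limit shown on the slide
RECORD_BYTES = 12     # assumed fixed-width record on the server side

# Constructed request bodies (not captured from WebGoat): what Firefox
# sends when maxlength is honoured, and the same request after the 7
# extra characters from the slide were appended in the proxy.
BODY_FROM_BROWSER = "name=Hello+World%21&SUBMIT=Go%21"
BODY_FROM_PROXY = "name=Hello+World%21%40%24%23%40%21_%23&SUBMIT=Go%21"


def field_value(body: str) -> str:
    """Decode the form body as a servlet would (first occurrence wins)."""
    return parse_qs(body, keep_blank_values=True).get(FIELD, [""])[0]


def handle_trusting(body: str) -> str:
    """'Before': trusts the browser's maxlength and takes the value as-is."""
    return field_value(body)


def handle_checked(body: str) -> Optional[str]:
    """'After': re-checks the length on the server; None means rejected.

    Both the character count (what the form promised) and the encoded
    byte size (what a fixed-width buffer would actually hold) are checked,
    because a multi-byte character can pass the first and fail the second.
    """
    value = field_value(body)
    if len(value) > MAX_CHARS or len(value.encode("utf-8")) > RECORD_BYTES:
        return None  # a real servlet would answer 400 Bad Request here
    return value


def demo() -> None:
    for label, body in (("browser", BODY_FROM_BROWSER), ("proxy", BODY_FROM_PROXY)):
        trusting = handle_trusting(body)
        print(f"{label:8s} trusting={trusting!r} ({len(trusting)} chars) "
              f"checked={handle_checked(body)!r}")


if __name__ == "__main__":
    demo()
```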
Buffer Overflows
For Solution
http://webappsecmovies.sourceforge.net/webgoat/