Web Security Vulnerabilities - ics.ajou.ac.kr/~aislab/WebGoat_Dant.pdf

Page 1

Web Security Vulnerabilities

ICS Laboratory, AJOU Univ.

Hyun Soo Ch.

Page 2

OWASP Top Ten

OWASP (Open Web Application Security Project) Top Ten Project

List of 10 Most Critical Web Application Security Risks

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object Reference
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

Page 3

OWASP WebGoat

Test bed web application for practising the OWASP Top 10 risks

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Page 4

Setting up WebGoat

Download packages

1. Move to the Download directory

2. Download Tomcat, JDK, WebGoat.war

Page 5

Setting up WebGoat

Extract Package

3. Check the downloaded files with ‘ls’

4. Make a directory for the JDK and move the JDK tar file to /usr/local/java

5. Move the apache-tomcat file to /usr/local/

6. Move to /usr/local/java to extract the tar file

Page 6

Setting up WebGoat

Install JDK

7. Set up a symbolic link to use the installed Java

8. Check that it’s installed properly

9. Export the environment variable

Page 7

Setting up WebGoat

Setup Tomcat

10. Move to ‘/usr/local’ and extract apache-tomcat-6.0.41.tar.gz

11. Create a file tomcat641 in the /etc/init.d directory

- Fill the file contents as in the figure on the right ->

12. Then change its permissions to 755 (rwxr-xr-x)

Page 8

Setting up WebGoat

Setup Tomcat

13. Move to ‘apache-tomcat-XX/conf’ and edit the ‘tomcat-users.xml’ file

* To start the service

** To start automatically on reboot

*** To stop the service

Page 9

Setting up WebGoat

Starting WebGoat

14. Copy the downloaded WebGoat.war to Tomcat’s webapp directory

15. Start Tomcat

16. Open up Firefox (browser) and access the WebGoat server!

Page 10

Setting up WebGoat

WebGoat Setup Complete

You can also reach the server from outside the VM

Page 11

WebGoat… WebGoat?

General

General Web Technique – HTTP Basics

1. Enter your name in the input

2. Press ‘Go!’

Page 12


Buffer Overflows

What’s a Buffer Overflow?

Hello World! (12 characters)

@$#@!_# (7 more characters)

Page 13


Tools you’ll be needing

Burp Suite: web application security testing tool
http://portswigger.net/burp/download.html

Portable Firefox: Firefox browser that is portable
http://portableapps.com/apps/internet/firefox_portable

JDK: Java virtual machine
http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Page 14


1. Open up CMD

2. Change directory to where the burpsuite.jar file is.

3. Then execute the jar file with the JDK

Page 15


4. After clicking “Next” a few times you will see a figure like the one on the right →

Page 16


There are lots of features that Burp Suite supports, but we’ll be using just the Proxy feature

Page 17


With the Proxy toolbar of Portable Firefox and the Proxy Intercept feature of Burp Suite, it is possible to intercept and edit the generated packet

Page 18


1. Click the Add icon

2. Click Next

Page 19


3. Enter Proxy Info

- Name: a name for your proxy setting

- IP address & port #: the HTTP proxy

Page 20


- Loopback address (to myself) and a port # that is not in use

4. Then Press OK


Page 22


5. Edit proxy listener info

6. Scroll down & check “Unhide hidden form fields”

Page 23


7. Go back to Firefox

8. Click the Apply button

Page 24


Figures: submit form webpage; actual intercepted packet

Pressing the “Go” button, the browser sends a message to the server, which is intercepted by Burp Suite.

The intercepted message can be edited and then sent on by pressing the “Forward” button.
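The defender's side of this lesson: once the request can be edited in the proxy, a maxlength attribute or hidden field set by the page no longer bounds what the server receives, so the server must re-check the limit itself. The following is an added example, not code from the slides or from WebGoat; the field name `name`, the 12-character limit and the two request bodies are constructed to mirror the slide's 12 + 7 character input.

```python
from urllib.parse import parse_qs

# Assumed server-side limit (not from WebGoat): 12 characters, the length of
# the "Hello World!" sample on the slide. The browser's maxlength is not used,
# because a proxy user can change it before the request reaches the server.
FIELD_LIMITS = {"name": 12}
REQUIRED_FIELDS = ("name",)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body (the text Burp
    shows below the headers in its Intercept tab) into a field -> value dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_fields(fields: dict) -> list:
    """Return validation errors; an empty list means the input is acceptable.
    Presence and length are checked here, on the server, independently of any
    client-side restriction (maxlength, hidden field) the browser applied."""
    errors = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            errors.append(f"{name}: missing")
    for name, limit in FIELD_LIMITS.items():
        value = fields.get(name, "")
        if len(value) > limit:
            errors.append(f"{name}: {len(value)} characters exceeds limit of {limit}")
    return errors


def handle_post(body: str) -> tuple:
    """Simulated form handler returning (status, message).
    Oversized input is rejected with 400 rather than silently truncated."""
    fields = parse_form_body(body)
    errors = validate_fields(fields)
    if errors:
        return 400, "; ".join(errors)
    return 200, f"Submitted: {fields['name']}"


# Constructed request bodies. NORMAL_BODY is what the browser sends within its
# 12-character maxlength; TAMPERED_BODY is the same request after the lesson's
# 7 extra characters (@$#@!_#, URL-encoded) were appended in the proxy.
NORMAL_BODY = "name=Hello+World%21&submit=Go%21"
TAMPERED_BODY = "name=Hello+World%21%40%24%23%40%21_%23&submit=Go%21"
```

Run `handle_post(TAMPERED_BODY)` to see the 400 response the edited request receives once the length check lives on the server instead of in the form.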


Page 26


For Solution

http://webappsecmovies.sourceforge.net/webgoat/