YGN Ethical Hacker Group (YEHG) :: OWASP WebGoat Web Hacking Simulation Series

Loading ...

Webscarab |More Trainings>>

OWASP WebGoat v5.2 Web Hacking Simulation WalkThrough Series

Movie Note: New movies will be added whenever WebGoat is updated. Tools and techniques used in our movies are not the only way to get through. There are many other alternatives to achieve the same goal. There are a few movies left intentionally. These are do-it-yourself exercises. Capture your actions with CamStudio. Upload movies to mihd.net. Then send us links. We feature them here.

Note:

Download WebGoat, WebScarab, Burp Suite, and YEHG's HackerFirefox and YEHG's JHijack.
Should already learnt any unfamiliar concepts in W3Schools, W3c , Google, OWASP, and WASC.
If you don't know what I'm showing, stop the movie and learn the concept. If you get stuck, post your questions via contact form at our home page.
Play Disco/Techno music while viewing to kill your boring! :)
To prevent possible attacks either within or outside your LAN, change all default webgoat passwords in WebGoat-x.x/tomcat/conf/tomcat-users.xml.
PHP Charset Encoder has been mirrored at http://yehg.net/encoding.
Check out other movies which might reinforce your skills.
Check out our collected web security bookmarks

Keywords: Webgoat Lessons, Webgoat Tutorials, Webgoat Trainings, Webgoat Movies

OWASP WebGoat: General [View Online | Download]
Description: It includes HTTP Basics, HTTP SPLITTING, and 'Create a WebGoat Lesson' tutorial. This lesson presents the basics for understanding the transfer of data between the browser and the web application and how to perform HTTP Splitting attacks.
Size: 3.2 MB
OWASP WebGoat: Code Quality [View Online | Download]
Description: It includes Discovering clues in HTML Source [View Online | Download]. Developers are notorious for leaving statements like FIXME's, Code Broken, Hack, etc... inside the source code. Review the source code for any comments denoting passwords, backdoors, or something doesn't work right.
Size: 2.16 MB
OWASP WebGoat: Concurrency [View Online | Download]
Description: It includes Threat Safety Problem and Shopping Cart Concurrency Flaw which are commonly caused due to the improper use of Java Static methods. Web applications can handle many HTTP requests simultaneously. Developers often use variables that are not thread safe. Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time. Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently.
Size: 6.24 MB
OWASP WebGoat: Unvalidated Parameters [View Online | Download]
Description: It includes Exploiting Hidden Fields, Exploiting Unchecked Emails and Bypassing Client Side JavaScript Validation. Exploiting Hidden Fields: Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified. It is always a good practice to validate all inputs. Exploiting Unchecked Emails: Most sites allow non-authenticated users to send e-mail to a 'friend'. This is a great mechanism for spammers to send out email using your corporate mail server. Bypassing Client Side JavaScript Validation: Client-side validation should not be considered a secure means of validating parameters. This validation only helps reducing the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application
Size: 3.71 MB
WebGoat: Access Control Flaws
Description: It includes
- Using an Access Control Matrix [View Online | Download]
- Bypass a Path Based Access Control Scheme [View Online | Download]
- LAB: Role Based Access Control
- Stage 1: Bypass Business Layer Access Control [View Online | Download]
- Stage 2: Add Business Layer Access Control
- Stage 3: Bypass Data Layer Access Control [View Online | Download]
- Stage 4: Add Data Layer Access Control
- Remote Admin Access [View Online | Download]
In a role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control scheme normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow allow privilege escalation to an unauthorized role.In a path based access control scheme, an attacker can traverse a path by providing relative path information. Therefore an attacker can use relative paths to access files that normally are not directly accessible by anyone, or would otherwise be denied if requested directly. Remote Admin Access: applications will often have an administrative interface that allows privileged users access to functionality that normal users shouldn't see. The application server will often have an admin interface as well. Size: N/A
OWASP WebGoat: Authentication Flaws
Description: It includes
- Exploiting Forgot Password [View Online | Download] *same file
- Probing Basic Authentication [View Online | Download] *same file
- Multi-Level Login 1 [View Online | Download]
- Multi-Level Login 2 [View Online | Download]
Web applications frequently provide their users the ability to retrieve a forgotten password. Unfortunately, many web applications fail to implement the mechanism properly. The information required to verify the identity of the user is often overly simplistic. Basic Authentication is used to protect server side resources. The web server will send a 401 authentication request with the response for the requested resource. The client side browser will then prompt the user for a user name and password using a browser supplied dialog box. The browser will base64 encode the user name and password and send those credentials back to the web server. The web server will then validate the credentials and return the requested resource if the credentials are correct. These credentials are automatically resent for each page protected with this mechanism without requiring the user to enter their credentials again.
Size: 3.13 MB
OWASP WebGoat: Session Management Flaws
Description: It includes Session Fixation [View Online | Download], Spoofing an Authentication Cookie [View Online | Download] and Hijacking a Session [View Online | Download]. Spoofing an Authentication Cookie: Many applications will automatically log a user into their site if the right authentication cookie is specified. Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained. Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability. Some times the cookies maybe intercepted using Cross site scripting. This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.

Before we can hijack a session, we must do Session Analysis [View Online | Download] to determine exploitable sign.

Hijacking a Session: Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks.
Note: There are some good tools used in session hijacking: Portswigger.net's BurpIntruder and SensePost's CrowBar. As far as I've tested, the former is efficient only in Professional version (You must buy) and the latter sucks me that I have to manually analyze the responses I want. I don't want to make good impression using such tools. If you wanna know how to use them, just contact me. I'm willing to make movies for you. OK, so in this 'Session-Hijacking' movie, I used only a pretty simple easy-to-use JHijack, which is based on JAttack.java written by Dafydd Stuttard(Portswigger.net).
Size: N/A
WebGoat: Cross-Site Scripting (XSS)
Description: It includes
- Phishing with XSS [View Online | Download]
- LAB: Cross Site Scripting
- Stage 1: Stored XSS [View Online | Download]
- Stage 2: Block Stored XSS using Input Validation
- Stage 3: Stored XSS Revisited [View Online | Download]
- Stage 4: Block Stored XSS using Output Encoding [View Online | Download]
- Stage 5: Reflected XSS [View Online | Download]
- Stage 6: Block Reflected XSS
- Stored XSS Attacks [View Online | Download]
- Reflected XSS Attacks [View Online | Download]
- Cross Site Request Forgery (CSRF) [View Online | Download]
- HTTPOnly Test [View Online | Download]
- Cross Site Tracing (XST) Attacks [View Online | Download]
Size: N/A
OWASP WebGoat: Buffer Overflows
Description: As of writing, this lesson has not been developed yet by WebGoat authors.
Size: N/A
OWASP WebGoat: Improper Error Handling [View Online | Download]
Description: It includes Fail-Open Authentication Scheme. This lesson presents the basics for understanding the "fail open" condition regarding authentication. The security term, "fail open" describes a behavior of a verification mechanism. This is when an error (i.e. unexpected exception) occurs during a verification method causing that method to evaluate to true. This is especially dangerous during login. This is analogous to my movie 'Exploiting Logic Flaws'.
Size: N/A
OWASP WebGoat: Insecure Storage [View Online | Download]
Description: It includes Probing Encoding Basics. This lesson will familiarize the user with different encoding schemes.
Size: N/A
OWASP WebGoat: Denial of Service (DOS) [View Online | Download]
Description: It includes Denial of Service from Multiple Logins. Denial of service attacks are a major issue in web applications. If the end user cannot conduct business or perform the service offered by the web application, then both time and money is wasted. Business loses millions of $. If an e-commerce site can generate $1 million per hour, then 1-hr DOS cause loss of $1 million for that business.
Size: N/A
OWASP WebGoat: Insecure Configuration [View Online | Download]
Description: It includes Forced Browsing. Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible. One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. This one is what I call 'Directory BruteForcing'.
Size: N/A
OWASP WebGoat: Web Services
Description: It includes
- Create a SOAP Request [View Online | Download]
- WSDL Scanning [View Online | Download]
- Web Service SAX Injection [View Online | Download]
- Web Service SQL Injection [View Online | Download]
Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL). Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends.
Size: N/A
OWASP WebGoat: AJAX Security
Description: It includes
- LAB: Client Side Filtering [View Online | Download]
- LAB: DOM-Based cross-site scripting [View Online | Download]
- DOM Injection [View Online | Download]
- Same Origin Policy Protection [View Online | Download]
- XML Injection [View Online | Download]
- JSON Injection [View Online | Download]
- Silent Transactions Attacks [View Online | Download]
- Insecure Client Storage [View Online | Download]
- Dangerous Use of Eval [View Online | Download]
Size: N/A
OWASP WebGoat: Challenge
Description: The mission is to break the authentication scheme, steal all the credit cards from the database, and then deface the website.
Size: N/A