OWASP WebGoat v5.3 RC Web Hacking Simulation WalkThrough Series
Lesson category titles (e.g., Unvalidated Parameters) may change with each new WebGoat version. Please search for the movies you want by lesson title, such as Command Injection, Stored XSS, or Forced Browsing. We won't be modifying the category titles in our movies to match every new WebGoat version.
New movies will be added whenever WebGoat is updated. If we fail to include one, just email us, as we may not be aware of WebGoat updates. The tools and techniques used in our movies are not the only way to get through. There are many other alternatives to achieve the same goal.
A few movies have been left out intentionally. These are do-it-yourself exercises. Capture your actions with CamStudio. Upload the movies to mihd.net. Then send us the links. We will feature them here.
You should already have learnt any unfamiliar concepts from W3Schools, W3C, Google, OWASP, and WASC.
If you don't know what I'm showing, stop the movie and learn the concept. If you get stuck, post your questions via contact form at our home page.
Play Disco/Techno music while viewing to kill your boredom! :)
To prevent possible attacks either within or outside your LAN, change all default webgoat passwords in WebGoat-x.x/tomcat/conf/tomcat-users.xml.
OWASP WebGoat: General [View | Download] [Top]
Description: It includes HTTP Basics, HTTP Splitting, and the 'Create a WebGoat Lesson' tutorial. This lesson presents the basics for understanding the transfer of data between the browser and the web application and how to perform HTTP Splitting attacks.
Size: 3.2 MB
OWASP WebGoat: Code Quality [View | Download] [Top]
Description: It includes Discovering Clues in HTML Source [View | Download]. Developers are notorious for leaving statements like FIXME, Code Broken, Hack, etc. inside the source code. Review the source code for any comments denoting passwords, backdoors, or something that doesn't work right.
Size: 2.16 MB
OWASP WebGoat: Concurrency [View | Download] [Top]
Description: It includes Thread Safety Problem and Shopping Cart Concurrency Flaw, which are commonly caused by the improper use of Java static methods. Web applications can handle many HTTP requests simultaneously. Developers often use variables that are not thread safe. Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time.
Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently.
Size: 6.24 MB
OWASP WebGoat: Unvalidated Parameters [View | Download] [as of 5.3, changed to Parameter Tampering][Top]
Description: It includes Exploiting Hidden Fields, Exploiting Unchecked Emails, Bypassing Client Side JavaScript Validation and Bypassing HTML Field Restrictions (new) [View | Download]. Exploiting Hidden Fields: Developers will use hidden fields for tracking, login, pricing, etc. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified. It is always a good practice to validate all inputs. Exploiting Unchecked Emails: Most sites allow non-authenticated users to send e-mail to a 'friend'. This is a great mechanism for spammers to send out email using your corporate mail server. Bypassing Client Side JavaScript Validation: Client-side validation should not be considered a secure means of validating parameters. This validation only helps reduce the amount of server processing time for normal users who do not know the format of the required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application.
Size: 3.71 MB
In a role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control scheme normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow allow privilege escalation to an unauthorized role. In a path-based access control scheme, an attacker can traverse a path by providing relative path information. Therefore an attacker can use relative paths to access files that normally are not directly accessible by anyone, or would otherwise be denied if requested directly. Remote Admin Access: Applications will often have an administrative interface that allows privileged users access to functionality that normal users shouldn't see. The application server will often have an admin interface as well.
Size: N/A
Web applications frequently provide their users the ability to retrieve a forgotten password. Unfortunately, many web applications fail to implement the mechanism properly. The information required to verify the identity of the user is often overly simplistic. Basic Authentication is used to protect server side resources. The web server will send a 401 authentication request with the response for the requested resource. The client side browser will then prompt the user for a user name and password using a browser supplied dialog box. The browser will base64 encode the user name and password and send those credentials back to the web server. The web server will then validate the credentials and return the requested resource if the credentials are correct. These credentials are automatically resent for each page protected with this mechanism without requiring the user to enter their credentials again.
Size: 3.13 MB
OWASP WebGoat: Session Management Flaws [Top]
Description: It includes Session Fixation [View | Download], Spoofing an Authentication Cookie [View | Download] and Hijacking a Session [View | Download]. Spoofing an Authentication Cookie: Many applications will automatically log a user into their site if the right authentication cookie is specified. Sometimes the cookie values can be guessed if the algorithm for generating the cookie can be obtained. Sometimes the cookies are left on the client machine and can be stolen by exploiting another system vulnerability. Sometimes the cookies may be intercepted using cross-site scripting. This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.
Before we can hijack a session, we must do Session Analysis [View | Download] to determine whether there are exploitable signs.
Hijacking a Session: Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks.
Note: There are some good tools used in session hijacking: Portswigger.net's Burp Intruder and SensePost's CrowBar. As far as I've tested, the former is efficient only in the Professional version (you must buy it) and the latter sucks in that I have to manually analyze the responses I want. I don't want to make a good impression using such tools. If you wanna know how to use them, just contact me. I'm willing to make movies for you. OK, so in this 'Session-Hijacking' movie, I used only a pretty simple, easy-to-use JHijack, which is based on JAttack.java written by Dafydd Stuttard (Portswigger.net).
Size: N/A
OWASP WebGoat: Improper Error Handling [View | Download] [Top]
Description: It includes Fail-Open Authentication Scheme. This lesson presents the basics for understanding the "fail open" condition regarding authentication. The security term, "fail open" describes a behavior of a verification mechanism. This is when an error (i.e. unexpected exception) occurs during a verification method causing that method to evaluate to true. This is especially dangerous during login. This is analogous to my movie 'Exploiting Logic Flaws'.
Size: N/A
OWASP WebGoat: Denial of Service (DOS) [View | Download] [Top]
Description: It includes Denial of Service from Multiple Logins. Denial of service attacks are a major issue in web applications. If the end user cannot conduct business or perform the service offered by the web application, then both time and money are wasted. Businesses lose millions of dollars. If an e-commerce site can generate $1 million per hour, then a 1-hour DoS causes a loss of $1 million for that business.
Size: N/A
OWASP WebGoat: Insecure Communication | Insecure Login [View | Download] [Top]
Description: Sensitive data should never be sent in plaintext! Often applications switch to a secure connection only after the authorization. An attacker could just sniff the login and use the gathered information to break into an account. A good web application always takes care of encrypting sensitive data. See how easy it is to sniff a password in plaintext. Understand the advantages of encrypting the login data!
Size: N/A
OWASP WebGoat: Insecure Configuration [View | Download] [Top]
Description: It includes Forced Browsing. Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible. One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. This one is what I call 'Directory BruteForcing'.
Size: N/A
OWASP WebGoat: Malicious Execution [View | Download] [Top]
Description: This lesson allows you to upload an image which will be displayed on the page. Features like this are often found on web based discussion boards and social networking sites. This feature is vulnerable to Malicious File Execution. In order to pass this lesson, upload and run a malicious file. In order to prove that your file can execute, it should create another file named \WebGoat-5.3_RC1\tomcat\webapps\webgoat\mfe_target\guest.txt. Once you have created this file, you will pass the lesson.
Size: N/A
Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL). Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends.
Size: N/A
OWASP WebGoat: Challenge [Download] [Top]
Description: The mission is to break the authentication scheme, steal all the credit cards from the database, and then deface the website.
Size: N/A
YGN Ethical Hacker Group (YEHG) :: OWASP WebScarab Series
These movies show you how WebScarab is useful in several ways. It is a must-have tool for the web hacker's daily work.
Spidering [View Online | Download ]
Description: See how to generate a web site tree with WebScarab's Spidering Engine.
Finding Hidden Clues [View Online | Download ]
Description: This is WebGoat's lesson Discovering Clues in HTML Comments, done using WebScarab's Fragments Engine.
Session Analysis [View Online | Download ]
Description: See how WebScarab is of great help in analyzing the strength of session IDs using its SessionID Analysis Engine.
XSS Hunting [View Online | Download ]
Description: See how WebScarab is of great help in hunting for low hanging XSS using its XSS/CRLF Engine.
Dir Enumeration [View Online | Download ]
Description: See how WebScarab is of great help in enumerating hidden directories using its Fuzzer Engine.
Backups Enumeration [View Online | Download ]
Description: See how WebScarab is of great help in enumerating backup files and directories using its Extension Engine.