WebGoat Project Review
OWASP
AppSec
June 2004 NYC
Bruce Mayhew
WebGoat Project Technical Lead
[email protected]
443.745.7732
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
How Do You Teach Application Security?
Change the way developers think…
They have to understand the danger
Prove their code can be broken
Show them how to exploit flaws
OWASP AppSec 2004
What is WebGoat?
Concept
Full web application riddled with holes
Training environment
Hands-on learning for developers
Individual lessons for OWASP Top 10
Implementation
J2EE Servlet with JDBC database
Basic authentication, roles
Declarative and programmatic access control
Persistent
Very easy to add new lessons
What's in a Lesson?
Explain the vulnerability.
Show the broken code.
Allow the user to exploit the vulnerability.
Show the correct code.
Explain the Vulnerability
Fail Open Authentication
This lesson presents the basics for understanding the "fail open" condition regarding authentication. The security term "fail open" describes a behavior of a verification mechanism: an error (i.e. an unexpected exception) occurs during a verification method and causes that method to evaluate to true. This is especially dangerous during login.
Show the Broken Code
String username = "";
String password = "";
try
{
    username = s.getParser().getRawParameter( USERNAME );
    password = s.getParser().getRawParameter( PASSWORD );
    // if credentials are bad, send the login page
    if ( !"webgoat".equals( username ) || !password.equals( "webgoat" ) )
    {
        s.setMessage( "Invalid username and password entered." );
        return ( makeLogin( s ) );
    }
}
catch ( Exception e )
{
    // Fail open: the exception is swallowed and control falls through to the
    // success path below, so any error during verification grants access.
    s.setMessage( "Error generating " + this.getClass().getName() );
}
return ( makeUser( s, username, "Login Succeeded" ));
Exploit the Vulnerability
Picture of WebGoat Lesson
How It Should Be Done
String username = "";
String password = "";
try
{
    username = s.getParser().getRawParameter( USERNAME );
    password = s.getParser().getRawParameter( PASSWORD );
    // only an explicit match grants access
    if ( "webgoat".equals( username ) && password.equals( "webgoat" ) )
    {
        return ( makeUser( s, username, "Login Succeeded" ) );
    }
    // if credentials are bad, send the login page
    s.setMessage( "Invalid username and password entered." );
}
catch ( Exception e )
{
    // Fail closed: an error during verification also ends at the login page
    s.setMessage( "User name or password is incorrect" );
}
return ( makeLogin( s ));
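The broken and fixed checks from the two slides, side by side, as an added example that is not WebGoat code: both are written as plain functions over a request parameter map, and a hypothetical rawParameter stands in for getRawParameter, assumed (as the lesson relies on) to throw when the parameter is absent from the request.

```java
import java.util.*;

// Added example, not WebGoat code: the two checks from the slides as plain
// functions over a request parameter map. Assumption: like the lesson's
// getRawParameter, rawParameter throws when the parameter is absent.
public class FailOpenDemo {
    static String rawParameter(Map<String, String> params, String name) throws Exception {
        String value = params.get(name);
        if (value == null) throw new Exception("missing parameter: " + name);
        return value;
    }
    // Broken slide: the catch swallows the error and control falls through
    // to the success return, so an exception during verification logs in.
    static boolean brokenLogin(Map<String, String> params) {
        try {
            String username = rawParameter(params, "Username");
            String password = rawParameter(params, "Password");
            if (!"webgoat".equals(username) || !password.equals("webgoat")) {
                return false; // makeLogin(s)
            }
        } catch (Exception e) {
            // swallowed; nothing returned here
        }
        return true; // makeUser(s, ...)
    }
    // Fixed slide: only the explicit match succeeds; a bad credential and
    // an exception both end at the login page.
    static boolean fixedLogin(Map<String, String> params) {
        try {
            String username = rawParameter(params, "Username");
            String password = rawParameter(params, "Password");
            if ("webgoat".equals(username) && password.equals("webgoat")) {
                return true; // makeUser(s, ...)
            }
        } catch (Exception e) {
            // fall through to makeLogin(s)
        }
        return false;
    }
    public static void main(String[] args) {
        // constructed requests: valid, wrong password, Password parameter omitted
        List<Map<String, String>> requests = List.of(
            Map.of("Username", "webgoat", "Password", "webgoat"),
            Map.of("Username", "webgoat", "Password", "wrong"),
            Map.of("Username", "webgoat"));
        for (Map<String, String> r : requests)
            System.out.println(r + " broken=" + brokenLogin(r) + " fixed=" + fixedLogin(r));
    }
}
```

The third request is the one the lesson is about: the verification step throws instead of comparing, and only the fixed version treats that error as a failed login.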
It's Simple to Add a Lesson
Set up the framework.
Implement createContent().
Implement the other methods.
Install and run.
Set up the Framework
Use the WebGoat LessonAdapter.
public class NewLesson extends LessonAdapter
{
    protected Element createContent(WebSession s)
    {
        return( new StringElement( "Hello World" ) );
    }
    // The remaining methods are stubs here; they are filled in on the following slides.
    public String getCategory() { return null; }
    protected List getHints() { return null; }
    protected String getInstructions() { return null; }
    protected Element getMenuItem() { return null; }
    protected Integer getRanking() { return null; }
    public String getTitle() { return null; }
}
Implement createContent()
The "brains" of the lesson.
protected Element createContent(WebSession s)
{
    ElementContainer ec = new ElementContainer();
    try {
        // get some input from the user -- see ParameterParser for details
        String userInput = s.getParser().getStringParameter(INPUT, "");
        // do something with the input:
        //   -- SQL query?
        //   -- Runtime.exec?
        //   -- Some other dangerous thing
        // generate some output -- a string and an input field
        ec.addElement(new StringElement("Enter a string: "));
        ec.addElement( new Input(Input.TEXT, INPUT, userInput) );
        // Tell the lesson tracker the lesson has completed, when lesson has been "hacked"
        getLessonTracker( s ).setCompleted( true );
    } catch (Exception e) {
        s.setMessage("Error generating " + this.getClass().getName());
        e.printStackTrace();
    }
    return (ec);
}
Implement the other methods
Add the supporting details
public String getCategory()
{
    return( "New Category or Existing Category" );
}
protected List getHints()
{
    // Hints will be returned to the user in the order they appear below
    // when the user clicks on the "next hint"
    List hints = new ArrayList();
    hints.add("A general hint to put users on the right track");
    hints.add("A hint that gives away a little piece of the problem");
    hints.add("A hint that basically gives the answer");
    return hints;
}
protected String getInstructions()
{
    return( "Lesson scenario and instructions" );
}
protected Element getMenuItem()
{
    // the menu entry is an Element, so the label is wrapped in a StringElement
    return( new StringElement( "MyLesson" ) );
}
protected Integer getRanking()
{
    return new Integer(10);
}
public String getTitle()
{
    return( "My Lesson's Short Title" );
}
Use Ant to build, install, and run
It Looked Pretty Easy
It Was!
You can create a simple lesson in 30 minutes.
How Do You Run WebGoat?
Problems with old installer fixed
Download, Unzip, Click, & Browse
http://sourceforge.net/project/showfiles.php?group_id=64424
Unzip the distribution
Use WebGoat-3.0b.zip if you have Java
Use WebGoat-3.0b_JAVA.zip if you don’t
Double-click tomcat.bat
Browse to http://localhost/WebGoat/attack
Cool Stuff
Report Card
Cool Stuff
Hackable Admin Interface
WebGoat Supports the OWASP Top 10
Thread Safety
HTML Clues
Hidden Field Tampering
Encoding Basic
Anonymous/Dangerous Email
Forced Browsing
Javascript Validation
HTTP Basic
Remote Admin
Fail Open Authentication
Access Control
Command Injection
Weak Authentication Cookie
Forget password *
Stored and Reflected Cross Site Scripting
Buffer Overflow *
Denial of Service (Login) **
Challenge
Roadmap
For the user:
More lessons
Update the User's Guide
Is it too simple?
Improve the infrastructure:
Use JSPs to replace ECS
Port to Apache struts
Refactor internal database
OWASP Wants Your Ideas!
Is WebGoat part of your training environment?
What features do you need?
How can you get involved?
Even a little effort helps
Great place to learn web application basics
WebGoat could use help with:
Converting to JSPs and Struts ( Java, HTML, Struts )
Storybooking lessons
Updating lesson plans and lesson instructions
Share your Ideas
Bruce Mayhew
[email protected]
443.745.7732
http://www.owasp.org/webgoat