diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content2.adoc b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content2.adoc index f3053d73c..c73e6ac60 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content2.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content2.adoc @@ -1,6 +1,6 @@ == What is SQL Injection? -=== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application +==== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application === A successful SQL injection exploit can: * Read and modify sensitive data from the database diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java index 874384662..5026a2256 100644 --- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java +++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java @@ -86,13 +86,11 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint { return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build()); } catch (com.thoughtworks.xstream.converters.ConversionException ex) { - ex.printStackTrace(); if (ex.getMessage().contains("Integer")) { return trackProgress(success().feedback("vulnerable-components.success").build()); } return trackProgress(failed().feedback("vulnerable-components.close").build()); - } 
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/Risk-of-Old-Components.png b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/Risk-of-Old-Components.png new file mode 100644 index 000000000..a2315fa5f Binary files /dev/null and b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/Risk-of-Old-Components.png differ diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/WebGoat-Vulns.png b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/WebGoat-Vulns.png index 861bede24..d60ee9f24 100644 Binary files a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/WebGoat-Vulns.png and b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/images/WebGoat-Vulns.png differ diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc index 25d32d11b..989dc2c92 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content1.adoc 
@@ -1,7 +1,7 @@ == 2013 OWASP Top 10 - A9 -As early as 2013, thought leaders like OWASP have recognized that "WE" need to pay attention to this problem. +As early as 2013, thought leaders like OWASP recognized that "WE" need to pay attention to this problem. image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="2013 OWASP - Top 10 - A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"] diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc index b56efcc79..cdb5b9be8 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content2.adoc @@ -1,5 +1,5 @@ == The exploit is not always in "your" code -Below is an example of using the same source and different versions of jquery-ui. One is exploitable; one is not. +Below is an example of using the same WebGoat source code, but different versions of the jquery-ui component. One is exploitable; one is not. === jquery-ui:1.10.4 This example allows the user to specify the content of the "closeText" for the jquery-ui dialog. This is an unlikely development scenario, however the jquery-ui dialog (TBD - show exploit link) does not defend against XSS in the button text of the close dialog. 
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc index c54bd6912..de72cf84c 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4.adoc @@ -1,6 +1,6 @@ == How do I generate a Bill of Materials -There are several open source and paid-for solutions that will identify risk in components. There are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk. +There are several open source and paid-for solutions that will identify risk in components. However, there are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk. Dependency check uses several pieces of evidence to determine the library names. Below is a snippet of a report: diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc index 04a06d886..9b553b92c 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc 
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc @@ -2,19 +2,24 @@ === What's important? -* Is it old or is it stable -* Was my lack of upgrade a deliberate choice or a lack of knowledge -* Is the project I'm using no longer active +* Is my component old or is it stable * Is my component unpopular +* Was my lack of upgrade a deliberate choice or a lack of knowledge === Summary -* It's really difficult to keep components up to dat +* It's really difficult to keep components up to date +==== For the components analyzed in 25,000 applications it was found that: * 8% of 2 year old components did not have a newer version * 23% of 11 year old components did not have a newer version +* Older components make up the majority of the risk -image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"] +[cols="2a,2a"] +|=== +| image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"] +| image::plugin_lessons/plugin/VulnerableComponents/images/Risk-of-Old-Components.png[caption="Figure: ", title="Risk of Old Components", alt="Risk of Old Components", width="355", height="304", style="lesson-image"] +|=== \ No newline at end of file diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc index 6f8573749..13e725f8f 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc 
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc @@ -6,8 +6,10 @@ In November of 2015, the Apache Commons Collections component latest release was Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit] -=== Dinis Cruz and pwntester exploit of XStream -XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC] +=== Dinis Cruz and Alvaro Munoz exploit of XStream +XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. + +Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] + +https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC] You may want to read the article(s) before trying this lesson. Let's see if you can figure out how to exploit this in WebGoat. diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5a.adoc index 776d2bff1..f31b3ddfe 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5a.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5a.adoc 
@@ -11,4 +11,4 @@ WebGoat Sends an XML document to add contacts to a contacts database. ---- -For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml). +For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`. diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content6.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content6.adoc index f682f4596..0cc532f34 100644 --- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content6.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content6.adoc @@ -8,7 +8,7 @@ * *Open source components are the new attack vector.* == What to do -* Generate a bill of materials. +* Generate an OSS Bill of Materials. ** Use http://lmgtfy.com/?q=OSS+bill+of+materials[automated tooling] * Baseline open source consumption in your organization. * Develop an open source component risk management strategy to mitigate current risk and reduce future risk. diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc index 4a691572d..004671a9b 100644 
--- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc +++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_plan.adoc @@ -4,12 +4,14 @@ The way we build software has changed. The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref: https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain] -image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="800", height="400", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"] - - This lesson will walk through the difficulties with managing dependent libraries, the risk of not managing those dependencies, and the difficulty in determining if you are at risk. +image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="500", height="300", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"] + + == Goals * Gain awareness that the open source consumed is as important as your own custom code. * Gain awareness of the management, or lack of management, in our open source component consumption. +* Understand the importance of a Bill of Materials in determining open source component risk +
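Review bot: In the SqlInjection_content2.adoc hunk, the retitled line keeps the grammatical error in `insertion or "injection" of an malicious data`; since the line is being rewritten anyway, change it to `of malicious data`. Demoting the line from `===` to `====` directly under the `==` section also skips a level, which Asciidoctor reports as a section title out of sequence; if the intent is to render it as explanatory text rather than a heading, a plain paragraph would be cleaner than a level-3 title.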
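Review bot: In the VulnerableComponentsLesson.java hunk, dropping `ex.printStackTrace();` leaves the ConversionException with no record at all, which makes a failed lesson attempt hard to diagnose; log it at debug level through a logger instead of deleting it outright. The remaining branch `if (ex.getMessage().contains("Integer"))` also dereferences `getMessage()` without a null check, so a ConversionException without a message would surface as a NullPointerException rather than the intended `vulnerable-components.close` feedback; guard it with `ex.getMessage() != null &&` or compare against `String.valueOf(ex.getMessage())`. Please also confirm the removed trailing `}` keeps the method balanced; the visible context does not show its matching opening brace.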
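Review bot: In the VulnerableComponents_content1.adoc hunk, the unchanged image macro context line puts a space rather than a comma between `style="lesson-image"` and `link="..."`; AsciiDoc attribute lists are comma-separated, so the `link` attribute will not be parsed and the figure will not be clickable. Add the comma while this file is open. The wording change itself ("recognized" for "have recognized") reads fine.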
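Review bot: In the VulnerableComponents_content2.adoc hunk, the context line still carries the author placeholder "(TBD - show exploit link)" in learner-facing text; either add the reference or remove the placeholder before merging. The rewritten intro sentence is an improvement, though "the same WebGoat source code, but different versions" reads more cleanly without the comma.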
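Review bot: In the VulnerableComponents_content4.adoc hunk, the product name appears both as "OWASP Dependency Check" in the changed line and as "Dependency check" in the following context line; use one capitalization. The heading "How do I generate a Bill of Materials" is a question and should end with a question mark.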
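Review bot: In the VulnerableComponents_content4c.adoc hunk, the new line `==== For the components analyzed in 25,000 applications it was found that:` uses a level-3 section title for what is an introductory sentence to a bullet list, and it becomes the only content under the `=== Summary` heading; a plain paragraph (or a `.Title` block title on the list) renders more sensibly and avoids a section whose title ends in a colon. Separately, the bullet "Is the project I'm using no longer active" is dropped without replacement; an unmaintained project is a distinct risk signal from age or popularity, so please confirm the removal is deliberate. The new bullet "Older components make up the majority of the risk" is asserted without a reference; if it is drawn from the added Risk-of-Old-Components figure, say so. The file is also left without a trailing newline ("\ No newline at end of file").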
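Review bot: In the VulnerableComponents_content5.adoc hunk, the heading now credits Alvaro Munoz while the link text below still reads "pwntester/XStreamPOC"; a short note that pwntester is Munoz's GitHub handle keeps the two consistent for readers. The second reference is split onto its own paragraph without the "Ref:" label used for the first; label both or put them in a single list.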
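Review bot: In the VulnerableComponents_content5a.adoc hunk, the rewritten line keeps the missing preposition in "WebGoat will convert it a Contact object"; make it "convert it to a Contact object" since the line is already being edited. "xml" should also be "XML" to match the rest of the sentence. Wrapping `XStream.fromXML(xml)` in backticks is the right call.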
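Review bot: In the VulnerableComponents_content6.adoc hunk, the new bullet "Generate an OSS Bill of Materials." still sends learners to an lmgtfy.com URL labelled "automated tooling"; that is a joke link rather than a reference, and it breaks if that site changes. The content4 hunk in this same patch already names OWASP Dependency Check as the bill-of-materials tool, so link to that project page instead.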
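Review bot: In the VulnerableComponents_plan.adoc hunk, the re-added image macro carries a malformed `link` attribute: `link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"]` embeds a stray `[Software Supply Chain` inside the attribute value, and there is no comma between `style="lesson-image"` and `link=`, so the link will not render as intended. Since the line is being changed to adjust width and height anyway, fix it to `style="lesson-image", link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170"`. The new goal bullet also lacks the trailing period used by the two bullets above it, and the hunk adds a trailing blank line at end of file.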