Merge remote-tracking branch 'upstream/develop' into develop

Author: Jason White, 2017-02-16 09:09:58 -05:00
Commit: 0763eac26b
12 changed files with 25 additions and 18 deletions

@ -1,6 +1,6 @@
== What is SQL Injection? == What is SQL Injection?
=== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application ==== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application
=== A successful SQL injection exploit can: === A successful SQL injection exploit can:
* Read and modify sensitive data from the database * Read and modify sensitive data from the database
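Review bot: the reworded heading on the second line still reads "insertion or "injection" of an malicious data"; drop the article so it reads "of malicious data". Separately, promoting that full sentence from === to ==== turns a complete sentence into a level-4 heading, which renders oddly; consider keeping it as a plain paragraph under the "What is SQL Injection?" heading.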

@ -86,13 +86,11 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build()); return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build());
} catch (com.thoughtworks.xstream.converters.ConversionException ex) { } catch (com.thoughtworks.xstream.converters.ConversionException ex) {
ex.printStackTrace();
if (ex.getMessage().contains("Integer")) if (ex.getMessage().contains("Integer"))
{ {
return trackProgress(success().feedback("vulnerable-components.success").build()); return trackProgress(success().feedback("vulnerable-components.success").build());
} }
return trackProgress(failed().feedback("vulnerable-components.close").build()); return trackProgress(failed().feedback("vulnerable-components.close").build());
} }
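Review bot: removing ex.printStackTrace() leaves the ConversionException with no record at all, so a failed deserialization is now silently swallowed; if the stack trace was console noise, log it at debug level through the class's logger instead of dropping it. Also, ex.getMessage().contains("Integer") throws a NullPointerException when the exception carries no message; guard it, e.g. `if (ex.getMessage() != null && ex.getMessage().contains("Integer"))`.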

Binary file not shown.
Before: Size 310 KiB
After: Size 105 KiB

@ -1,7 +1,7 @@
== 2013 OWASP Top 10 - A9 == 2013 OWASP Top 10 - A9
As early as 2013, thought leaders like OWASP have recognized that "WE" need to pay attention to this problem. As early as 2013, thought leaders like OWASP recognized that "WE" need to pay attention to this problem.
image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="2013 OWASP - Top 10 - A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"] image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="2013 OWASP - Top 10 - A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"]
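Review bot: the image macro's attribute list has no comma between style="lesson-image" and link="...", on both the old and new line, so AsciiDoc does not parse link as a separate attribute and the figure will not be clickable; insert the comma after style="lesson-image".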

@ -1,5 +1,5 @@
== The exploit is not always in "your" code == The exploit is not always in "your" code
Below is an example of using the same source and different versions of jquery-ui. One is exploitable; one is not. Below is an example of using the same WebGoat source code, but different versions of the jquery-ui component. One is exploitable; one is not.
=== jquery-ui:1.10.4 === jquery-ui:1.10.4
This example allows the user to specify the content of the "closeText" for the jquery-ui dialog. This is an unlikely development scenario, however the jquery-ui dialog (TBD - show exploit link) does not defend against XSS in the button text of the close dialog. This example allows the user to specify the content of the "closeText" for the jquery-ui dialog. This is an unlikely development scenario, however the jquery-ui dialog (TBD - show exploit link) does not defend against XSS in the button text of the close dialog.
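Review bot: the "(TBD - show exploit link)" placeholder survives unchanged in the new line; either add the intended link or drop the parenthetical before this merges, since it reads as unfinished text to learners.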

@ -1,6 +1,6 @@
== How do I generate a Bill of Materials == How do I generate a Bill of Materials
There are several open source and paid-for solutions that will identify risk in components. There are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk. There are several open source and paid-for solutions that will identify risk in components. However, there are not many tools that will deliver a complete list of "ingredients" used within an application. OWASP Dependency Check provides the ability to generate a bill of materials and identify potential security risk.
Dependency check uses several pieces of evidence to determine the library names. Below is a snippet of a report: Dependency check uses several pieces of evidence to determine the library names. Below is a snippet of a report:
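Review bot: the heading "How do I generate a Bill of Materials" is a question and should end with "?"; also "Dependency check" on the last line should match the "OWASP Dependency Check" spelling used in the line above.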

@ -2,19 +2,24 @@
=== What's important? === What's important?
* Is it old or is it stable * Is my component old or is it stable
* Was my lack of upgrade a deliberate choice or a lack of knowledge
* Is the project I'm using no longer active
* Is my component unpopular * Is my component unpopular
* Was my lack of upgrade a deliberate choice or a lack of knowledge
=== Summary === Summary
* It's really difficult to keep components up to dat * It's really difficult to keep components up to date
====
For the components analyzed in 25,000 applications it was found that: For the components analyzed in 25,000 applications it was found that:
* 8% of 2 year old components did not have a newer version * 8% of 2 year old components did not have a newer version
* 23% of 11 year old components did not have a newer version * 23% of 11 year old components did not have a newer version
* Older components make up the majority of the risk
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"] [cols="2a,2a"]
|===
| image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
| image::plugin_lessons/plugin/VulnerableComponents/images/Risk-of-Old-Components.png[caption="Figure: ", title="Risk of Old Components", alt="Risk of Old Components", width="355", height="304", style="lesson-image"]
|===
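Review bot: the added "====" example-block delimiter has no closing "====" anywhere in this hunk; unless one exists later in the file, everything from "For the components analyzed" onward, including the new [cols="2a,2a"] table, is swallowed into the example block. Also, the "What's important?" items are questions without question marks, and "2 year old"/"11 year old" should be hyphenated ("2-year-old", "11-year-old").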

@ -6,8 +6,10 @@ In November of 2015, the Apache Commons Collections component latest release was
Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit] Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit]
=== Dinis Cruz and pwntester exploit of XStream === Dinis Cruz and Alvaro Munoz exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC] XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. +
Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] +
https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]
You may want to read the article(s) before trying this lesson. Let's see if you can figure out how to exploit this in WebGoat. You may want to read the article(s) before trying this lesson. Let's see if you can figure out how to exploit this in WebGoat.
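Review bot: the two reference links split onto separate lines are formatted inconsistently, one prefixed with "Ref:" and the other bare; prefix the XStreamPOC line with "Ref:" too (or fold both into one "Ref:" line) so the hard line breaks read as a single reference block.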

@ -11,4 +11,4 @@ WebGoat Sends an XML document to add contacts to a contacts database.
</contact> </contact>
---- ----
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml). For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
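Review bot: "WebGoat will convert it a Contact object" is missing the preposition on both old and new line; it should read "convert it to a Contact object". While touching the line, "enter the xml" should be "enter the XML" to match the capitalisation used elsewhere in the lesson.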

@ -8,7 +8,7 @@
* *Open source components are the new attack vector.* * *Open source components are the new attack vector.*
== What to do == What to do
* Generate a bill of materials. * Generate an OSS Bill of Materials.
** Use http://lmgtfy.com/?q=OSS+bill+of+materials[automated tooling] ** Use http://lmgtfy.com/?q=OSS+bill+of+materials[automated tooling]
* Baseline open source consumption in your organization. * Baseline open source consumption in your organization.
* Develop an open source component risk management strategy to mitigate current risk and reduce future risk. * Develop an open source component risk management strategy to mitigate current risk and reduce future risk.
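Review bot: the "automated tooling" sub-bullet still links to an lmgtfy search rather than to a tool; since the lesson already names OWASP Dependency Check, link to its project page so learners get a concrete starting point instead of a joke URL.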

@ -4,12 +4,14 @@
The way we build software has changed. The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref: https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain] The way we build software has changed. The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref: https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain]
image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="800", height="400", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"]
This lesson will walk through the difficulties with managing dependent libraries, the risk of not managing those dependencies, and the difficulty in determining if you are at risk. This lesson will walk through the difficulties with managing dependent libraries, the risk of not managing those dependencies, and the difficulty in determining if you are at risk.
image::plugin_lessons/plugin/VulnerableComponents/images/OpenSourceGrowing.png[caption="Figure: ", title="Software Supply Chain", alt="SSC", width="500", height="300", style="lesson-image" link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170[Software Supply Chain"]
== Goals == Goals
* Gain awareness that the open source consumed is as important as your own custom code. * Gain awareness that the open source consumed is as important as your own custom code.
* Gain awareness of the management, or lack of management, in our open source component consumption. * Gain awareness of the management, or lack of management, in our open source component consumption.
* Understand the importance of a Bill of Materials in determining open source component risk
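Review bot: the image macro moved to the new line carries a malformed link attribute: link="https://...?t=1485298506170[Software Supply Chain"] has a stray "[Software Supply Chain" inside the quoted URL (leftover from the link macro on the line above) and, like the old line, no comma before link=, so the macro has an unbalanced bracket and will not render as intended. Use `, link="https://www.sonatype.com/hubfs/SSC/Software_Supply_Chain_Inforgraphic.pdf?t=1485298506170"` after style="lesson-image".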