chore: add pre-commit hooks
chore: add pre-commit hooks chore: add pre-commit hooks chore: add pre-commit hooks chore: add pre-commit hooks
This commit is contained in:
Nanne Baars
Nanne Baars
parent
d913967ec5
commit
17acef57b4
2
.github/FUNDING.yml
vendored
2
.github/FUNDING.yml
vendored
@ -1 +1 @@
|
||||
custom: https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat
|
||||
custom: https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat
|
||||
|
||||
1
.github/dependabot.yml
vendored
1
.github/dependabot.yml
vendored
@ -12,4 +12,3 @@ updates:
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
||||
|
||||
2
.github/workflows/branchbuild.txt
vendored
2
.github/workflows/branchbuild.txt
vendored
@ -51,4 +51,4 @@ jobs:
|
||||
file: ./Dockerfile_desktop
|
||||
push: false
|
||||
build-args: |
|
||||
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
|
||||
webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
|
||||
|
||||
29
.github/workflows/pre-commit.yaml
vendored
Normal file
29
.github/workflows/pre-commit.yaml
vendored
Normal file
@ -0,0 +1,29 @@
|
||||
name: Pre-commit check
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [main]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
pre-commit:
|
||||
name: Pre-commit check
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout git repository
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup python
|
||||
uses: actions/setup-python@v4
|
||||
with:
|
||||
python-version: "3.9"
|
||||
- uses: actions/setup-java@v3
|
||||
with:
|
||||
distribution: 'temurin'
|
||||
java-version: '17'
|
||||
- name: Pre-commit checks
|
||||
uses: pre-commit/action@v3.0.0
|
||||
- name: pre-commit-ci-lite
|
||||
uses: pre-commit-ci/lite-action@v1.0.1
|
||||
if: always()
|
||||
7
.github/workflows/release.yml
vendored
7
.github/workflows/release.yml
vendored
@ -46,7 +46,7 @@ jobs:
|
||||
files: |
|
||||
target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
|
||||
body: |
|
||||
## Version ${{ github.ref_name }}
|
||||
## Version ${{ github.ref_name }}
|
||||
|
||||
### New functionality
|
||||
|
||||
@ -55,8 +55,8 @@ jobs:
|
||||
### Bug fixes
|
||||
|
||||
- [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
|
||||
|
||||
Full change log: https://github.com/WebGoat/WebGoat/compare/${{ github.ref_name }}...${{ github.ref_name }}
|
||||
|
||||
Full change log: https://github.com/WebGoat/WebGoat/compare/${{ github.ref_name }}...${{ github.ref_name }}
|
||||
|
||||
|
||||
## Contributors
|
||||
@ -147,4 +147,3 @@ jobs:
|
||||
github_token: "${{ secrets.GITHUB_TOKEN }}"
|
||||
title: ${{ github.event.commits[0].message }}
|
||||
target_branch: main
|
||||
|
||||
|
||||
2
.gitignore
vendored
2
.gitignore
vendored
@ -56,4 +56,4 @@ TestClass.class
|
||||
**/*.flattened-pom.xml
|
||||
/.gitconfig
|
||||
|
||||
webgoat.gitconfig
|
||||
webgoat.gitconfig
|
||||
|
||||
28
.pre-commit-config.yaml
Normal file
28
.pre-commit-config.yaml
Normal file
@ -0,0 +1,28 @@
|
||||
ci:
|
||||
autofix_commit_msg: |
|
||||
[pre-commit.ci] auto fixes from pre-commit.com hooks
|
||||
autofix_prs: false # managed in the action step
|
||||
autoupdate_branch: ""
|
||||
autoupdate_commit_msg: "[pre-commit.ci] pre-commit autoupdate"
|
||||
autoupdate_schedule: weekly
|
||||
skip: []
|
||||
submodules: false
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.4.0
|
||||
hooks:
|
||||
- id: check-yaml
|
||||
- id: end-of-file-fixer
|
||||
exclude: ^(README.md|CREATE_RELEASE.md)
|
||||
- id: trailing-whitespace
|
||||
- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
|
||||
rev: v9.5.0
|
||||
hooks:
|
||||
- id: commitlint
|
||||
stages: [commit-msg]
|
||||
- repo: https://github.com/ejba/pre-commit-maven
|
||||
rev: v0.3.4
|
||||
hooks:
|
||||
- id: maven
|
||||
args: [ 'clean compile' ]
|
||||
- id: maven-spotless-apply
|
||||
@ -16,4 +16,4 @@ not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, B
|
||||
|
||||
Getting Source ==============
|
||||
|
||||
Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
|
||||
@ -11,11 +11,11 @@ Update the release notes with the correct version. Use `git shortlog -s -n --sin
|
||||
committers. In order to fetch the list of issues included use: `git log --graph --pretty='%C(auto)%d%Creset%s' v2023.4..origin/main`
|
||||
|
||||
```
|
||||
mvn versions:set
|
||||
mvn versions:set
|
||||
<< update release notes >>
|
||||
mvn verify
|
||||
git commit ....
|
||||
git tag v2023.01
|
||||
git tag v2023.01
|
||||
git push --tags
|
||||
```
|
||||
|
||||
|
||||
1
FAQ.md
1
FAQ.md
@ -5,4 +5,3 @@
|
||||
### Integration tests fail
|
||||
|
||||
Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.
|
||||
|
||||
|
||||
@ -16,4 +16,4 @@ not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, B
|
||||
|
||||
Getting Source ==============
|
||||
|
||||
Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
|
||||
|
||||
@ -16,19 +16,19 @@ The following steps are required when you want to add a new language
|
||||
|
||||
1. Update [main_new.html](src/main/resources/webgoat/static/main_new.html)
|
||||
1. Add the parts for showing the flag and providing the correct value for the flag= parameter
|
||||
2.
|
||||
3. Add a flag image to src/main/resources/webgoat/static/css/img
|
||||
2.
|
||||
2. Add a flag image to src/main/resources/webgoat/static/css/img
|
||||
1. See the main_new.html for a link to download flag resources
|
||||
4. Add a welcome page to the introduction lesson
|
||||
3. Add a welcome page to the introduction lesson
|
||||
1. Copy Introduction_.adoc to Introduction_es.adoc (if in this case you want to add Spanish)
|
||||
2. Add a highlighted section that explains that most parts of WebGoat will still be in English and invite people to translate parts where it would be valuable
|
||||
5. Translate the main labels
|
||||
4. Translate the main labels
|
||||
1. Copy messages.properties to messages_es.properties (if in this case you want to add Spanish)
|
||||
2. Translate the label values
|
||||
6. Optionally translate lessons by
|
||||
5. Optionally translate lessons by
|
||||
1. Adding lang specifc adoc files in documentation folder of the lesson
|
||||
2. Adding WebGoatLabels.properties of a specific language if you want to
|
||||
7. Run mvn clean to see if the LabelAndHintIntegration test passes
|
||||
8. Run WebGoat and verify that your own language and the other languages work as expected
|
||||
6. Run mvn clean to see if the LabelAndHintIntegration test passes
|
||||
7. Run WebGoat and verify that your own language and the other languages work as expected
|
||||
|
||||
If you only want to translate more for a certain language, you only need to do step 4-8
|
||||
|
||||
@ -215,4 +215,3 @@ Special thanks to the following contributors providing us with a pull request:
|
||||
And everyone who provided feedback through Github.
|
||||
|
||||
Team WebGoat
|
||||
|
||||
|
||||
@ -8,4 +8,4 @@
|
||||
<suppress files="ContentTypeAssignment.java" checks="IllegalImportCheck" />
|
||||
<suppress files="SimpleXXE.java" checks="IllegalImportCheck" />
|
||||
<suppress files="HtmlTamperingTask.java" checks="ParameterName" />
|
||||
</suppressions>
|
||||
</suppressions>
|
||||
|
||||
@ -1,4 +1,3 @@
|
||||
# WebGoat landing page
|
||||
|
||||
Old GitHub page which now redirects to OWASP website.
|
||||
|
||||
|
||||
@ -11,4 +11,4 @@
|
||||
The page been moved to <a href="https://owasp.org/www-project-webgoat/">https://owasp.org/www-project-webgoat/</a>
|
||||
</h1>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
||||
2
mvnw
vendored
2
mvnw
vendored
@ -246,7 +246,7 @@ else
|
||||
else
|
||||
curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
|
||||
fi
|
||||
|
||||
|
||||
else
|
||||
if [ "$MVNW_VERBOSE" = true ]; then
|
||||
echo "Falling back to using Java to download"
|
||||
|
||||
@ -70,4 +70,3 @@ management.endpoints.web.exposure.include=env, health,configprops
|
||||
|
||||
spring.security.oauth2.client.registration.github.client-id=${WEBGOAT_OAUTH_CLIENTID:dummy}
|
||||
spring.security.oauth2.client.registration.github.client-secret=${WEBGOAT_OAUTH_CLIENTSECRET:dummy}
|
||||
|
||||
|
||||
@ -63,4 +63,4 @@ CREATE TABLE CONTAINER.EMAIL(
|
||||
TITLE VARCHAR(255)
|
||||
);
|
||||
|
||||
ALTER TABLE CONTAINER.EMAIL ALTER COLUMN ID RESTART WITH 2;
|
||||
ALTER TABLE CONTAINER.EMAIL ALTER COLUMN ID RESTART WITH 2;
|
||||
|
||||
@ -1,4 +1,3 @@
|
||||
ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
|
||||
ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
|
||||
ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
|
||||
|
||||
|
||||
@ -53,7 +53,7 @@ reset.lesson=Reset lesson
|
||||
sign.in=Sign in
|
||||
register.new=or register yourself as a new user
|
||||
sign.up=Sign up
|
||||
register.title=Register
|
||||
register.title=Register
|
||||
searchmenu=Search lesson
|
||||
|
||||
|
||||
@ -66,7 +66,7 @@ security.enabled=Security enabled, you can try the previous challenges and see t
|
||||
security.disabled=Security enabled, you can try the previous challenges and see the effect!
|
||||
termsofuse=Terms of use
|
||||
register.condition.1=While running this program your machine will be extremely vulnerable to attack.\
|
||||
You should disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.
|
||||
You should disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.
|
||||
register.condition.2=This program is for educational purposes only. If you attempt \
|
||||
these techniques without authorization, you are very likely to get caught. If \
|
||||
you are caught engaging in unauthorized hacking, most companies will fire you. \
|
||||
|
||||
@ -37,5 +37,4 @@ username=Benutzername
|
||||
password=Passwort
|
||||
password.confirm=Wiederhohl Passwort
|
||||
sign.up=Anmelden
|
||||
register.title=Registrieren
|
||||
|
||||
register.title=Registrieren
|
||||
|
||||
@ -59,4 +59,4 @@ register.condition.1=Wanneer u WebGoat runt op uw computer, bent u kwetsbaar voo
|
||||
Zorg dat u geen verbinding heeft met internet en dat toegang tot WebGoat alleen lokaal mogelijk is om het aanvalsoppervlak te verkleinen.
|
||||
register.condition.2=WebGoat is bedoeld als educatieve applicatie op het gebied van secure software development. \
|
||||
Gebruik wat u leert om applicaties beter te maken en niet om zonder toestemming applicaties te schaden. \
|
||||
In dat laatste geval loopt u risico op rechtsvervoling en ontslag.
|
||||
In dat laatste geval loopt u risico op rechtsvervoling en ontslag.
|
||||
|
||||
@ -8,4 +8,3 @@ auth-bypass.hints.verify.1=The attack on this is similar to the story referenced
|
||||
auth-bypass.hints.verify.2=You do want to tamper the security question parameters, but not delete them
|
||||
auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
|
||||
auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?
|
||||
|
||||
|
||||
@ -2,4 +2,4 @@
|
||||
position: relative;
|
||||
padding: 7px;
|
||||
margin-top: 7px;
|
||||
}
|
||||
}
|
||||
|
||||
@ -40,4 +40,4 @@
|
||||
}
|
||||
.review-block-description{
|
||||
font-size:13px;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1 +1 @@
|
||||
The admin forgot where the password is stashed, can you help?
|
||||
The admin forgot where the password is stashed, can you help?
|
||||
|
||||
@ -1 +1 @@
|
||||
Can you login as Larry?
|
||||
Can you login as Larry?
|
||||
|
||||
@ -1 +1 @@
|
||||
Can you login as Tom? It may be a little harder than it was for Larry.
|
||||
Can you login as Tom? It may be a little harder than it was for Larry.
|
||||
|
||||
@ -1 +1 @@
|
||||
Can you still vote?
|
||||
Can you still vote?
|
||||
|
||||
@ -26,4 +26,4 @@ an e-mail.
|
||||
Team WebGoat
|
||||
|
||||
|
||||
image::images/boss.jpg[]
|
||||
image::images/boss.jpg[]
|
||||
|
||||
@ -19,9 +19,9 @@ input.invalid=Input for user, email and/or password is empty or too long, please
|
||||
challenge.flag.correct=Congratulations you have solved the challenge!!
|
||||
challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
|
||||
|
||||
ip.address.unknown=IP address unknown, e-mail has been sent.
|
||||
ip.address.unknown=IP address unknown, e-mail has been sent.
|
||||
|
||||
|
||||
|
||||
required4=Missing username or password, please specify both.
|
||||
user.not.larry=Please try to log in as Larry not {0}.
|
||||
user.not.larry=Please try to log in as Larry not {0}.
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -15,4 +15,4 @@ $(function() {
|
||||
e.preventDefault();
|
||||
});
|
||||
|
||||
});
|
||||
});
|
||||
|
||||
@ -54,4 +54,4 @@ function doVote(stars) {
|
||||
})
|
||||
loadVotes();
|
||||
average();
|
||||
}
|
||||
}
|
||||
|
||||
@ -37,4 +37,4 @@
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
#lesson_wrapper {height: 435px;width: 500px;}
|
||||
#lesson_header {background-image: url(../images/lesson1_header.jpg); width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
|
||||
.lesson_workspace {background-image: url(../images/lesson1_workspace.jpg); width: 490px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}
|
||||
.lesson_workspace {background-image: url(../images/lesson1_workspace.jpg); width: 490px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}
|
||||
|
||||
@ -30,4 +30,4 @@ div.section > div > input {margin:0px;padding-left:5px;font-size:10px;padding-ri
|
||||
}
|
||||
.section{width:104%;}
|
||||
.menu-items{padding-left:0px;}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1 +1 @@
|
||||
No need to pay if you know the code ...
|
||||
No need to pay if you know the code ...
|
||||
|
||||
@ -164,6 +164,3 @@
|
||||
</div>
|
||||
|
||||
</html>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -1,13 +1,13 @@
|
||||
client.side.filtering.title=Client side filtering
|
||||
ClientSideFilteringSelectUser=Select user:
|
||||
ClientSideFilteringSelectUser=Select user:
|
||||
ClientSideFilteringUserID=User ID
|
||||
ClientSideFilteringFirstName=First Name
|
||||
ClientSideFilteringLastName=Last Name
|
||||
ClientSideFilteringSSN=SSN
|
||||
ClientSideFilteringSalary=Salary
|
||||
ClientSideFilteringErrorGenerating=Error generating
|
||||
ClientSideFilteringErrorGenerating=Error generating
|
||||
ClientSideFilteringStage1Complete=Stage 1 completed.
|
||||
ClientSideFilteringStage1Question=What is Neville Bartholomew's salary?
|
||||
ClientSideFilteringStage1Question=What is Neville Bartholomew's salary?
|
||||
ClientSideFilteringStage1SubmitAnswer=Submit Answer
|
||||
ClientSideFilteringStage2Finish=Click here when you believe you have completed the lesson.
|
||||
ClientSideFilteringChoose=Choose employee
|
||||
@ -16,7 +16,7 @@ ClientSideFilteringHint2=Use Firebug to find where the information is stored on
|
||||
ClientSideFilteringHint3=Examine the hidden table to see if there is anyone listed who is not in the drop down menu.
|
||||
ClientSideFilteringHint4=Look in the last row of the hidden table.
|
||||
ClientSideFilteringHint5a=Stage 1: You can access the server directly
|
||||
ClientSideFilteringHint5b=here
|
||||
ClientSideFilteringHint5b=here
|
||||
ClientSideFilteringHint5c=to see what results are being returned
|
||||
ClientSideFilteringHint6=Stage 2: The server uses an XPath query against an XML database.
|
||||
ClientSideFilteringHint7=Stage 2: The query currently returns all of the contents of the database.
|
||||
|
||||
@ -39,4 +39,4 @@ function ajaxFunction(userId) {
|
||||
var container = document.getElementById("hiddenEmployeeRecords");
|
||||
container.appendChild(newdiv);
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
@ -61,4 +61,4 @@ $(document).ready(function () {
|
||||
$('#price').text(quantity * 899);
|
||||
}
|
||||
}
|
||||
})
|
||||
})
|
||||
|
||||
@ -9,29 +9,29 @@
|
||||
<p><b>Lesson Plan Title:</b> Client Side Filtering</p>
|
||||
|
||||
<p><b>Concept / Topic To Teach:</b><br/>
|
||||
It is always a good practice to send to the client
|
||||
only information which they are supposed to have access to.
|
||||
In this lesson, too much information is being sent to the
|
||||
It is always a good practice to send to the client
|
||||
only information which they are supposed to have access to.
|
||||
In this lesson, too much information is being sent to the
|
||||
client, creating a serious access control problem.
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<p><b>General Goal(s):</b><br/>
|
||||
For this exercise, your mission is exploit the extraneous
|
||||
information being returned by the server to discover information
|
||||
to which you should not have access.
|
||||
For this exercise, your mission is exploit the extraneous
|
||||
information being returned by the server to discover information
|
||||
to which you should not have access.
|
||||
</p>
|
||||
|
||||
<b>Solution:</b><br/>
|
||||
<p>
|
||||
This Lab consists of two Stages. In the first Stage you have to
|
||||
This Lab consists of two Stages. In the first Stage you have to
|
||||
get sensitive information . In the second one you have to fix the problem.<br/>
|
||||
</p>
|
||||
<b>Stage 1</b>
|
||||
<p>
|
||||
Use Firebug to solve this stage. If you are using IE you can try it with
|
||||
Use Firebug to solve this stage. If you are using IE you can try it with
|
||||
IEWatch.</p>
|
||||
|
||||
First use any person from the list and see what you get. After doing this you
|
||||
First use any person from the list and see what you get. After doing this you
|
||||
can search for a specific person in Firebug. Make sure you find the hidden table with
|
||||
the information, including the salary and so on. In the same table you will find
|
||||
Neville.
|
||||
@ -44,36 +44,36 @@ Now write the salary into the text edit box and submit your answer!
|
||||
</p>
|
||||
<b>Stage 2</b>
|
||||
<p>
|
||||
In this stage you have to modify the clientSideFiltering.jsp which you will find under
|
||||
In this stage you have to modify the clientSideFiltering.jsp which you will find under
|
||||
the WebContent in the lessons/Ajax folder. The Problem is that
|
||||
the server sends all information to the client. As you could see
|
||||
even if it is hidden it is easy to find the sensitive date. In this
|
||||
stage you will add a filter to the XPath queries. In this file you will find
|
||||
stage you will add a filter to the XPath queries. In this file you will find
|
||||
following construct:<br><br></p>
|
||||
<code>
|
||||
StringBuilder sb = new StringBuilder();<br>
|
||||
|
||||
|
||||
sb.append("/Employees/Employee/UserID | ");<br>
|
||||
sb.append("/Employees/Employee/FirstName | ");<br>
|
||||
sb.append("/Employees/Employee/LastName | ");<br>
|
||||
sb.append("/Employees/Employee/SSN | ");<br>
|
||||
sb.append("/Employees/Employee/Salary ");<br>
|
||||
|
||||
|
||||
String expression = sb.toString();<br>
|
||||
</code>
|
||||
<p>
|
||||
This string will be used for the XPath query. You have to guarantee that a manger only
|
||||
This string will be used for the XPath query. You have to guarantee that a manger only
|
||||
can see employees which are working for him. To archive this you can use
|
||||
filters in XPath. Following code will exactly do this:</p>
|
||||
<code>
|
||||
StringBuilder sb = new StringBuilder();<br>
|
||||
|
||||
|
||||
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
|
||||
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
|
||||
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");<br>
|
||||
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");<br>
|
||||
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");<br>
|
||||
|
||||
|
||||
String expression = sb.toString();<br>
|
||||
</code>
|
||||
<p>
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
= Cryptography Basics
|
||||
|
||||
== Concept
|
||||
= Cryptography Basics
|
||||
|
||||
== Concept
|
||||
|
||||
ifeval::["{lang}" == "nl"]
|
||||
Deze les behandelt verschillende cryptografische technieken die voorkomen in webapplicaties.
|
||||
@ -31,5 +31,3 @@ The goal is to get familiar with the following forms of techniques:
|
||||
=== Assignments
|
||||
|
||||
After the explanation of an item there will be several assignments.
|
||||
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
= Security defaults
|
||||
= Security defaults
|
||||
|
||||
A big problem in all kinds of systems is the use of default configurations.
|
||||
E.g. default username/passwords in routers, default passwords for keystores, default unencrypted mode, etc.
|
||||
@ -15,10 +15,10 @@ Are you using an ssh key for GitHub and or other sites and are you leaving it un
|
||||
|
||||
When you are getting a virtual server from some hosting provider, there are usually a lot of not so secure defaults. One of which is that ssh to the server runs on the default port 22 and allows username/password attempts. One of the first things you should do, is to change the configuration that you cannot ssh as user root, and you cannot ssh using username/password, but only with a valid and strong ssh key. If not, then you will notice continuous brute force attempts to login to your server.
|
||||
|
||||
|
||||
|
||||
== Assignment
|
||||
|
||||
In this exercise you need to retrieve a secret that has accidentally been left inside a docker container image. With this secret, you can decrypt the following message: *U2FsdGVkX199jgh5oANElFdtCxIEvdEvciLi+v+5loE+VCuy6Ii0b+5byb5DXp32RPmT02Ek1pf55ctQN+DHbwCPiVRfFQamDmbHBUpD7as=*.
|
||||
In this exercise you need to retrieve a secret that has accidentally been left inside a docker container image. With this secret, you can decrypt the following message: *U2FsdGVkX199jgh5oANElFdtCxIEvdEvciLi+v+5loE+VCuy6Ii0b+5byb5DXp32RPmT02Ek1pf55ctQN+DHbwCPiVRfFQamDmbHBUpD7as=*.
|
||||
You can decrypt the message by logging in to the running container (docker exec ...) and getting access to the password file located in /root. Then use the openssl command inside the container (for portability issues in openssl on Windows/Mac/Linux)
|
||||
You can find the secret in the following docker image, which you can start as:
|
||||
|
||||
@ -28,6 +28,3 @@ You can find the secret in the following docker image, which you can start as:
|
||||
----
|
||||
echo "U2FsdGVkX199jgh5oANElFdtCxIEvdEvciLi+v+5loE+VCuy6Ii0b+5byb5DXp32RPmT02Ek1pf55ctQN+DHbwCPiVRfFQamDmbHBUpD7as=" | openssl enc -aes-256-cbc -d -a -kfile ....
|
||||
----
|
||||
|
||||
|
||||
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
= Cryptography Basics
|
||||
|
||||
== Base64 Encoding
|
||||
= Cryptography Basics
|
||||
|
||||
Encoding is not really cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding.
|
||||
== Base64 Encoding
|
||||
|
||||
Encoding is not really cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding.
|
||||
|
||||
Base64 encoding is a technique used to transform all kinds of bytes to a specific range of bytes. This specific range is the ASCII readable bytes.
|
||||
This way you can transfer binary data such as secret or private keys more easily. You could even print these out or write them down.
|
||||
@ -11,7 +11,7 @@ Encoding is also reversible. So if you have the encoded version, you can create
|
||||
On wikipedia you can find more details. Basically it goes through all the bytes and transforms each set of 6 bits into a readable byte (8 bits). The result is that the size of the encoded bytes is increased with about 33%.
|
||||
|
||||
Hello ==> SGVsbG8=
|
||||
0x4d 0x61 ==> TWE=
|
||||
0x4d 0x61 ==> TWE=
|
||||
|
||||
=== Basic Authentication
|
||||
|
||||
@ -19,8 +19,7 @@ Basic authentication is sometimes used by web applications. This uses base64 enc
|
||||
|
||||
$echo -n "myuser:mypassword" | base64
|
||||
bXl1c2VyOm15cGFzc3dvcmQ=
|
||||
|
||||
|
||||
The HTTP header will look like:
|
||||
|
||||
|
||||
Authorization: Basic bXl1c2VyOm15cGFzc3dvcmQ=
|
||||
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
= Cryptography Basics
|
||||
|
||||
== Other Encoding
|
||||
= Cryptography Basics
|
||||
|
||||
Also other encodings are used.
|
||||
== Other Encoding
|
||||
|
||||
Also other encodings are used.
|
||||
|
||||
=== URL encoding
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
= Encryption
|
||||
|
||||
== Symmetric encryption
|
||||
= Encryption
|
||||
|
||||
== Symmetric encryption
|
||||
|
||||
Symmetric encryption is based on a shared secret that is used for both encryption as well as decryption. Therefore, both parties (that are involved in exchanging secrets) share the same key.
|
||||
|
||||
@ -12,7 +12,7 @@ Example protocols are:
|
||||
== Asymmetric encryption
|
||||
|
||||
Asymmetric encryption is based on mathematical principles that consist of a key pair. The two keys are usually called a private key and a public key. The private key needs to be protected very well and is only known to one party. All others can freely use the public key. Something encrypted with the private key can be decrypted by all that have the public key, and something encrypted with the public key can only be decrypted with the private key.
|
||||
|
||||
|
||||
Example protocols are:
|
||||
|
||||
* RSA
|
||||
@ -28,5 +28,3 @@ Here is a short description of what happens if you open your browser and go to a
|
||||
* At the end of this process both the browser and the webserver will use the exchanged symmetric key (in the asymmetric key exchange process) to encrypt and decrypt messages that are sent back and forth between the browser and the webserver.
|
||||
|
||||
Symmetric keys are used because it can be used more easily with large sets of data and requires less processing power in doing so. However, the information on these pages is just for a basic understanding of cryptography. Look on the internet for more detailed information about these topics.
|
||||
|
||||
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
= Cryptography Basics
|
||||
|
||||
== Plain Hashing
|
||||
= Cryptography Basics
|
||||
|
||||
Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques.
|
||||
== Plain Hashing
|
||||
|
||||
Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques.
|
||||
If the original data is changed by even one byte, the resulting hash is also different.
|
||||
|
||||
So in a way it looks like a secure technique. However, it is NOT and even NEVER a good solution when using it for passwords. The problem here is that you can generate passwords from dictionaries and calculate all kinds of variants from these passwords. For each password you can calculate a hash. This can all be stored in large databases. So whenever you find a hash that could be a password, you just look up the hash in the database and find out the password.
|
||||
|
||||
@ -1,35 +1,35 @@
|
||||
= Keystores & Truststores
|
||||
|
||||
A keystore is a place where you store keys. Besides *_keystore_* the term *_truststore_* is also used frequently. A truststore is the same thing as a keystore. Only it usually contains only the certificates (so basically only public keys and issuer information) of trusted certificates or certificate authorities.
|
||||
|
||||
== File based keystores
|
||||
A keystore is a place where you store keys. Besides *_keystore_* the term *_truststore_* is also used frequently. A truststore is the same thing as a keystore. Only it usually contains only the certificates (so basically only public keys and issuer information) of trusted certificates or certificate authorities.
|
||||
|
||||
== File based keystores
|
||||
|
||||
A file based keystore is something that in the end has the keys on a file system.
|
||||
Storing public certificates in a file based keystore is very common
|
||||
|
||||
== Database keystores
|
||||
|
||||
Keys and especially public certificates can of course also be stored in a database.
|
||||
Keys and especially public certificates can of course also be stored in a database.
|
||||
|
||||
== Hardware keystore
|
||||
|
||||
A hardware keystore is a system that has some sort of hardware which contain the actual keys.
|
||||
This is typically done in high end security environments where the private key is really private.
|
||||
In comparison with file based or database keystores, it is impossible to make a copy of the keystore to send it to some unknown and untrusted environment.
|
||||
In comparison with file based or database keystores, it is impossible to make a copy of the keystore to send it to some unknown and untrusted environment.
|
||||
|
||||
Some certificate authorities that are used to provide you with a server certificate for your website, also create the private keys for you (as-a-service). However, it is by definition no longer considered a private key. For all keystore types, you should keep the private key private and use a certificate signing request to order your signing or server certificates.
|
||||
|
||||
== Managed keystores in operating system, browser and other applications
|
||||
|
||||
When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorities is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed.
|
||||
When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorities is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed.
|
||||
Not only the browser maintains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In corporate environments, these are usually maintained by the company and also contain company root certificates.
|
||||
|
||||
== Extra check for website certificates using DNS CAA records
|
||||
|
||||
Some companies inspect all or most internet traffic. Even the ones were you think you have an end-2-end secured connection. This works as follows. An employee opens a browser and googles some information. The browser will use https and go to the site of google. The link looks real and the lock is shown in the browser. However, if you would inspect the certificate, you might notice that it has been issued by one of your companies root CA's! So you have established an end-2-end secure connection with a server of your company, and that server has the secure connection with google.
|
||||
Some companies inspect all or most internet traffic. Even the ones were you think you have an end-2-end secured connection. This works as follows. An employee opens a browser and googles some information. The browser will use https and go to the site of google. The link looks real and the lock is shown in the browser. However, if you would inspect the certificate, you might notice that it has been issued by one of your companies root CA's! So you have established an end-2-end secure connection with a server of your company, and that server has the secure connection with google.
|
||||
In order to prevent such man in the middle connections to your server, modern browsers now will also check the DNS CAA records to see whether or not a certain issuer is allowed for a certain website.
|
||||
More information: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization[Wiki DNS CAA,window=_blank]
|
||||
More information: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization[Wiki DNS CAA,window=_blank]
|
||||
|
||||
== Free certificates from Let's encrypt
|
||||
|
||||
https://letsencrypt.org[Let's encrypt,,window=_blank] is a free, automated and open Certificate Authority. It allows you to create valid certificates for the websites that you control. By following and implementing a certain protocol, your identity is checked and a certificate will be issued. The certificates are free of charge and this is done to stimulate the use of authorised certificates and to lower the use of self-signed certificates on the internet. Certificates are valid for 90 days, so they need to be automatically renewed. (Which makes sure that the proof of identity/ownership also takes place frequently)
|
||||
https://letsencrypt.org[Let's encrypt,,window=_blank] is a free, automated and open Certificate Authority. It allows you to create valid certificates for the websites that you control. By following and implementing a certain protocol, your identity is checked and a certificate will be issued. The certificates are free of charge and this is done to stimulate the use of authorised certificates and to lower the use of self-signed certificates on the internet. Certificates are valid for 90 days, so they need to be automatically renewed. (Which makes sure that the proof of identity/ownership also takes place frequently)
|
||||
|
||||
@ -1,12 +1,12 @@
|
||||
= Signing
|
||||
= Signing
|
||||
|
||||
A signature is a hash that can be used to check the validity of some data. The signature can be supplied separately from the data that it validates, or in the case of CMS or SOAP can be included in the same file. (Where parts of that file contain the data and parts contain the signature).
|
||||
|
||||
Signing is used when integrity is important. It is meant to be a guarantee that data sent from Party-A to Party-B was not altered. So Party-A signs the data by calculating the hash of the data and encrypting that hash using an asymmetric private key. Party-B can then verify the data by calculating the hash of the data and decrypting the signature to compare if both hashes are the same.
|
||||
|
||||
== RAW signatures
|
||||
|
||||
A raw signature is usually calculated by Party-A as follows:
|
||||
== RAW signatures
|
||||
|
||||
A raw signature is usually calculated by Party-A as follows:
|
||||
|
||||
* create a hash of the data (e.g. SHA-256 hash)
|
||||
* encrypt the hash using an asymmetric private key (e.g. RSA 2048 bit key)
|
||||
@ -20,7 +20,7 @@ A CMS signature is a standardized way to send data + signature + certificate wit
|
||||
|
||||
== SOAP signatures
|
||||
|
||||
A SOAP signature also contains data and the signature and optionally the certificate. All in one XML payload. There are special steps involved in calculating the hash of the data. This has to do with the fact that the SOAP XML sent from system to system might introduce extra elements or timestamps.
|
||||
A SOAP signature also contains data and the signature and optionally the certificate. All in one XML payload. There are special steps involved in calculating the hash of the data. This has to do with the fact that the SOAP XML sent from system to system might introduce extra elements or timestamps.
|
||||
Also, SOAP Signing offers the possibility to sign different parts of the message by different parties.
|
||||
|
||||
|
||||
@ -36,5 +36,3 @@ Governments usually send official documents with a PDF that contains a certifica
|
||||
== Assignment
|
||||
|
||||
Here is a simple assignment. A private RSA key is sent to you. Determine the modulus of the RSA key as a hex string, and calculate a signature for that hex string using the key. The exercise requires some experience with OpenSSL. You can search on the Internet for useful commands and/or use the HINTS button to get some tips.
|
||||
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
<header>
|
||||
<script>
|
||||
/**
|
||||
* JavaScript to load initial assignment tokens
|
||||
* JavaScript to load initial assignment tokens
|
||||
*/
|
||||
function initialise() {
|
||||
$("#sha256token").load('crypto/hashing/sha256');
|
||||
@ -29,15 +29,15 @@ $(document).ready(initialise);
|
||||
Now suppose you have intercepted the following header:<br/>
|
||||
<div id="basicauthtoken" ></div><br/>
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/encoding/basic-auth">
|
||||
Then what was the username
|
||||
Then what was the username
|
||||
<input name="answer_user" value="" type="TEXT"/>
|
||||
and what was the password:
|
||||
and what was the password:
|
||||
<input name="answer_pwd" value="" type="TEXT"/>
|
||||
<input name="SUBMIT" value="post the answer" type="SUBMIT"/>
|
||||
</form>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<!-- 3. encoding xor -->
|
||||
<div class="lesson-page-wrapper">
|
||||
@ -71,9 +71,9 @@ $(document).ready(initialise);
|
||||
</form>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
<!-- 5. encryption -->
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div>
|
||||
@ -88,9 +88,9 @@ $(document).ready(initialise);
|
||||
Now suppose you have the following private key:<br/>
|
||||
<pre><div id="privatekey" ></div></pre><br/>
|
||||
<form class="attack-form" method="POST" name="form" action="crypto/signing/verify">
|
||||
Then what was the modulus of the public key
|
||||
Then what was the modulus of the public key
|
||||
<input name="modulus" value="" type="TEXT"/>
|
||||
and now provide a signature for us based on that modulus
|
||||
and now provide a signature for us based on that modulus
|
||||
<input name="signature" value="" type="TEXT"/>
|
||||
<input name="SUBMIT" value="post the answer" type="SUBMIT"/>
|
||||
</form>
|
||||
@ -98,12 +98,12 @@ $(document).ready(initialise);
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
<!-- 7. keystores -->
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div>
|
||||
</div>
|
||||
|
||||
|
||||
<!-- 8. security defaults -->
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div>
|
||||
|
||||
@ -12,9 +12,9 @@ crypto-hashing.hints.2=Find a online hash database or just google on the hash it
|
||||
|
||||
crypto-signing.hints.1=Use openssl to get the public key from the private key. Apparently both private and public key information are stored.
|
||||
crypto-signing.hints.2=Use the private key to sign the "modulus" value of the public key.
|
||||
crypto-signing.hints.3=Actually the "modulus" of the public key is the same as the private key. You could use openssl rsa -in test.key -pubout > test.pub and then openssl rsa -in test.pub -pubin -modulus -noout or other components.
|
||||
crypto-signing.hints.3=Actually the "modulus" of the public key is the same as the private key. You could use openssl rsa -in test.key -pubout > test.pub and then openssl rsa -in test.pub -pubin -modulus -noout or other components.
|
||||
crypto-signing.hints.4=Make sure that you do not take hidden characters into account. You might want to use echo -n "00AE89..." | openssl dgst -sign somekey -sha256 ... and do not forget to base64 encode the outcome
|
||||
|
||||
|
||||
|
||||
crypto-signing.notok=The signature does not match the data (modulus)
|
||||
crypto-signing.modulusnotok=The modulus is not correct
|
||||
|
||||
@ -72,4 +72,4 @@
|
||||
}
|
||||
.post .post-footer .comments-list .comment > .comments-list {
|
||||
margin-left: 50px;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
== Confirm Flag
|
||||
|
||||
Confirm the flag you should have gotten on the previous page below.
|
||||
Confirm the flag you should have gotten on the previous page below.
|
||||
|
||||
@ -20,4 +20,4 @@ POST /csrf/feedback/message HTTP/1.1
|
||||
More information can be found http://pentestmonkey.net/blog/csrf-xml-post-request[here]
|
||||
|
||||
Remember you need to make the call from another origin (WebWolf can help here) and you need to be logged in into
|
||||
WebGoat.
|
||||
WebGoat.
|
||||
|
||||
@ -20,8 +20,3 @@ with the server are performed with JavaScript. On the server side you only need
|
||||
if this header is not present deny the request.
|
||||
Some frameworks offer this implementation by default however researcher Alex Infuhr found out that this can be bypassed
|
||||
as well. You can read about: https://insert-script.blogspot.com/2018/05/adobe-reader-pdf-client-side-request.html[Adobe Reader PDF - Client Side Request Injection]
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -6,5 +6,3 @@ This is the most simple CSRF attack to perform. For example you receive an e-mai
|
||||
|
||||
If the user is still logged in to the website of bank.com this simple GET request will transfer money from one account to another.
|
||||
Of course in most cases the website might have multiple controls to approve the request.
|
||||
|
||||
|
||||
|
||||
@ -1,4 +1,3 @@
|
||||
== Basic Get CSRF Exercise
|
||||
|
||||
Trigger the form below from an external source while logged in. The response will include a 'flag' (a numeric value).
|
||||
|
||||
|
||||
@ -43,4 +43,4 @@ ____
|
||||
|
||||
{nbsp} +
|
||||
Both Firefox and Chrome fixed this issue, but it shows why you should implement a CSRF protection instead
|
||||
of relying on the content-type of your APIs.
|
||||
of relying on the content-type of your APIs.
|
||||
|
||||
@ -2,11 +2,11 @@
|
||||
|
||||
== Login CSRF attack
|
||||
|
||||
In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s username
|
||||
and password at that site. If the forgery succeeds, the honest server responds with a `Set-Cookie` header
|
||||
In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s username
|
||||
and password at that site. If the forgery succeeds, the honest server responds with a `Set-Cookie` header
|
||||
that instructs the browser to mutate its state by storing a session cookie, logging the user into
|
||||
the honest site as the attacker. This session cookie is used to bind subsequent requests to the user's session and hence
|
||||
to the attacker's authentication credentials. Login CSRF attacks can have serious consequences, for example
|
||||
to the attacker's authentication credentials. Login CSRF attacks can have serious consequences, for example
|
||||
see the picture below where an attacker created an account at google.com the victim visits the malicious
|
||||
website and the user is logged in as the attacker. The attacker could then later on gather information about
|
||||
the activities of the user.
|
||||
|
||||
@ -6,4 +6,3 @@ finding somewhere that you want to execute the CSRF attack. The classic example
|
||||
|
||||
But we're keeping it simple here. In this case, you just need to trigger a review submission on behalf of the currently
|
||||
logged in user.
|
||||
|
||||
|
||||
@ -21,7 +21,3 @@ something. Forcing the victim to retrieve data doesn't benefit an attacker becau
|
||||
As such, CSRF attacks target state-changing requests.
|
||||
|
||||
Let's continue with some exercises to address way to perform a CSRF request.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -29,4 +29,4 @@ csrf-login-hint1=First create a new account with csrf-username
|
||||
csrf-login-hint2=Create a form which will log you in as this user (hint 1) and upload it to WebWolf
|
||||
csrf-login-hint3=Visit this assignment again
|
||||
csrf-login-success=Congratulations, now log out and login with your normal user account within WebGoat, remember the attacker knows you solved this assignment
|
||||
csrf-login-failed=The solution is not correct, you are clicking the button while logged in as {0}
|
||||
csrf-login-failed=The solution is not correct, you are clicking the button while logged in as {0}
|
||||
|
||||
@ -43,4 +43,4 @@ $(document).ready(function () {
|
||||
|
||||
});
|
||||
}
|
||||
})
|
||||
})
|
||||
|
||||
@ -2,4 +2,4 @@
|
||||
|
||||
It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserialized, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain".
|
||||
|
||||
Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code.
|
||||
Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code.
|
||||
|
||||
@ -7,4 +7,4 @@ This lesson describes what is Serialization and how it can be manipulated to per
|
||||
* The user should have a basic understanding of Java programming language
|
||||
* The user will be able to detect insecure deserialization vulnerabilities
|
||||
* The user will be able to exploit insecure deserialization vulnerabilities
|
||||
* Exploiting deserialization is slightly different in other programming languages such as PHP or Python, but the key concepts learnt here also applies to all of them
|
||||
* Exploiting deserialization is slightly different in other programming languages such as PHP or Python, but the key concepts learnt here also applies to all of them
|
||||
|
||||
@ -36,7 +36,7 @@ public class VulnerableTaskHolder implements Serializable {
|
||||
private String taskName;
|
||||
private String taskAction;
|
||||
private LocalDateTime requestedExecutionTime;
|
||||
|
||||
|
||||
public VulnerableTaskHolder(String taskName, String taskAction) {
|
||||
super();
|
||||
this.taskName = taskName;
|
||||
@ -47,7 +47,7 @@ public class VulnerableTaskHolder implements Serializable {
|
||||
private void readObject( ObjectInputStream stream ) throws Exception {
|
||||
//deserialize data so taskName and taskAction are available
|
||||
stream.defaultReadObject();
|
||||
|
||||
|
||||
//blindly run some code. #code injection
|
||||
Runtime.getRuntime().exec(taskAction);
|
||||
}
|
||||
@ -67,4 +67,4 @@ ObjectOutputStream oos = new ObjectOutputStream(bos);
|
||||
oos.writeObject(go);
|
||||
oos.flush();
|
||||
byte[] exploit = bos.toByteArray();
|
||||
----
|
||||
----
|
||||
|
||||
@ -5,4 +5,4 @@ The following input box receives a serialized object (a string) and it deseriali
|
||||
rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l
|
||||
```
|
||||
|
||||
Try to change this serialized object in order to delay the page response for exactly 5 seconds.
|
||||
Try to change this serialized object in order to delay the page response for exactly 5 seconds.
|
||||
|
||||
@ -20,4 +20,4 @@ Many programming languages offer a native capability for serializing objects. Th
|
||||
|
||||
=== Data, not Code
|
||||
|
||||
ONLY data is serialized. Code is not serialized itself. Deserialization creates a new object and copies all the data from the byte stream, in order to obtain and object identical to the object that was serialized.
|
||||
ONLY data is serialized. Code is not serialized itself. Deserialization creates a new object and copies all the data from the byte stream, in order to obtain and object identical to the object that was serialized.
|
||||
|
||||
@ -8,4 +8,4 @@ insecure-deserialization.stringobject=That is not the VulnerableTaskHolder objec
|
||||
|
||||
insecure-deserialization.hints.1=WebGoat probably contains the org.dummy.insecure.framework.VulnerableTaskHolder class as shown on the lesson pages. Use this to construct and serialize your attack.
|
||||
insecure-deserialization.hints.2=The VulnerableTaskHolder might have been updated on the server with a next version number.
|
||||
insecure-deserialization.hints.3=Not all actions are allowed anymore. The readObject has been changed. For serializing it does not effect the data. Follow the additional hints from the feedback on your attempts.
|
||||
insecure-deserialization.hints.3=Not all actions are allowed anymore. The readObject has been changed. For serializing it does not effect the data. Follow the additional hints from the feedback on your attempts.
|
||||
|
||||
@ -1,4 +1,3 @@
|
||||
= Hijack a Session
|
||||
|
||||
In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.
|
||||
|
||||
|
||||
@ -2,9 +2,9 @@
|
||||
|
||||
== Concept
|
||||
|
||||
Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks.
|
||||
Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks.
|
||||
|
||||
|
||||
== Goals
|
||||
|
||||
Gain access to an authenticated session belonging to someone else.
|
||||
Gain access to an authenticated session belonging to someone else.
|
||||
|
||||
@ -30,7 +30,7 @@ Send some clean request (without setting the hijack_cookie) to the /WebGoat/Hija
|
||||
[source, sh]
|
||||
----
|
||||
# command
|
||||
for i in $(seq 1 10); do
|
||||
for i in $(seq 1 10); do
|
||||
curl 'http://localhost:8080/WebGoat/HijackSession/login' \
|
||||
-H 'Connection: keep-alive' \
|
||||
-H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"' \
|
||||
|
||||
@ -5,4 +5,4 @@ input and display it back to the user, illustrating the basics of handling an HT
|
||||
== Try It!
|
||||
|
||||
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input
|
||||
and display it back to the user, illustrating the basics of handling an HTTP request.
|
||||
and display it back to the user, illustrating the basics of handling an HTTP request.
|
||||
|
||||
@ -1,4 +1,3 @@
|
||||
== The Quiz
|
||||
|
||||
What type of HTTP command did WebGoat use for this lesson. A POST or a GET.
|
||||
|
||||
|
||||
@ -1,12 +1,12 @@
|
||||
= HTTP Basics
|
||||
|
||||
== Concept
|
||||
= HTTP Basics
|
||||
|
||||
== Concept
|
||||
|
||||
This lesson presents the basics for understanding the transfer of data between the browser and the web application and how to trap a request/response with a HTTP proxy.
|
||||
|
||||
== Goals
|
||||
|
||||
The user should become familiar with the features of WebGoat by manipulating the above
|
||||
The user should become familiar with the features of WebGoat by manipulating the above
|
||||
buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using
|
||||
link:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project[OWASP Zed Attack Proxy] for the first time.
|
||||
|
||||
@ -14,9 +14,9 @@ link:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project[OWASP Zed At
|
||||
|
||||
All HTTP transactions follow the same general format. Each client request and server response has three parts: the request or response line, a header section and the entity body.
|
||||
|
||||
The client initiates a transaction as follows:
|
||||
The client initiates a transaction as follows:
|
||||
|
||||
* The client contacts the server and sends a document request. A GET request can have url parameters and those parameters will be available in the web access logs.
|
||||
* The client contacts the server and sends a document request. A GET request can have url parameters and those parameters will be available in the web access logs.
|
||||
|
||||
** GET /index.html?param=value HTTP/1.0
|
||||
|
||||
@ -25,4 +25,3 @@ The client initiates a transaction as follows:
|
||||
** User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*
|
||||
|
||||
* In a POST request, the user supplied data will follow the optional headers and is not part of the contained within the POST URL.
|
||||
|
||||
|
||||
@ -49,7 +49,7 @@
|
||||
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="HttpBasics/attack2">
|
||||
<script>
|
||||
|
||||
@ -13,4 +13,4 @@ http-basics.reversed=The server has reversed your name: {0}
|
||||
|
||||
http-basics.close=Try again: but this time enter a value before hitting go.
|
||||
http-basics.incorrect=You are close, try again: the HTTP Command is incorrect.
|
||||
http-basics.magic=You are close, try again: the magic number is incorrect.
|
||||
http-basics.magic=You are close, try again: the magic number is incorrect.
|
||||
|
||||
@ -13,4 +13,4 @@ http-basics.reversed=De server heeft je naam omgedraaid: {0}
|
||||
|
||||
http-basics.close=Je bent er bijna, probeer nog eens: {0}
|
||||
http-basics.incorrect=het HTTP commando is niet correct.
|
||||
http-basics.magic=het magische getal is niet correct.
|
||||
http-basics.magic=het magische getal is niet correct.
|
||||
|
||||
@ -7,5 +7,3 @@ Otherwise, this will show you how to set up ZAP as a proxy on your local host.
|
||||
* First download and install https://www.zaproxy.org/download/[ZAP] for your operating system
|
||||
* Start ZAP
|
||||
* Start the browser directly from ZAP
|
||||
|
||||
|
||||
|
||||
@ -26,5 +26,3 @@ image::images/zap_edit_and_send.png[Open/Resend with Request Editor,style="lesso
|
||||
++++
|
||||
|
||||
image::images/zap_edit_and_response.png[Open/Resend response,style="lesson-image"]
|
||||
|
||||
|
||||
|
||||
@ -52,5 +52,3 @@ image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-
|
||||
image::images/chrome-manual-proxy-win.png[Chrome Proxy, 394,346,style="lesson-image"]
|
||||
|
||||
(Win config image above)
|
||||
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
2.http-proxies.title=HTTP Proxies
|
||||
|
||||
http-proxies.intercept.success=Well done, you tampered the request as expected
|
||||
http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!
|
||||
http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!
|
||||
|
||||
@ -5,4 +5,4 @@ to perform different functions.
|
||||
|
||||
Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile.
|
||||
Change the role to something lower (since higher privilege roles and users are usually lower numbers). Also change the
|
||||
user's color to 'red'.
|
||||
user's color to 'red'.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
==== Edit Your Own Profile
|
||||
|
||||
If an application only exposes a way to view your profile or some object (i.e. 'GET' in RESTful), that does not mean you cannot edit it.
|
||||
Use your intercept proxy to modify the request such that it would modify your profile. Change the color from 'yellow' to 'black' (sans single quotes).
|
||||
Use your intercept proxy to modify the request such that it would modify your profile. Change the color from 'yellow' to 'black' (sans single quotes).
|
||||
|
||||
@ -1 +1 @@
|
||||
Please input the alternate path to the Url to view your own profile. Please start with 'WebGoat' (i.e. disregard 'http://localhost:8080/')
|
||||
Please input the alternate path to the Url to view your own profile. Please start with 'WebGoat' (i.e. disregard 'http://localhost:8080/')
|
||||
|
||||
@ -4,4 +4,4 @@ Many access control issues are susceptible to attack from an authenticated-but-u
|
||||
|
||||
The id and password for the account in this case are 'tom' and 'cat' (It is an insecure app, right?).
|
||||
|
||||
After authenticating, proceed to the next screen.
|
||||
After authenticating, proceed to the next screen.
|
||||
|
||||
@ -4,4 +4,4 @@
|
||||
|
||||
View someone else's profile by using the alternate path you already used to view your own profile. Use the 'View Profile' button
|
||||
and intercept/modify the request to view another profile. Alternatively, you may also just be able to use a manual GET request with
|
||||
your browser.
|
||||
your browser.
|
||||
|
||||
@ -4,4 +4,4 @@
|
||||
|
||||
The application we are working with seems to follow a RESTful pattern so far as the profile goes. Many apps have roles in which an elevated user may access content of another.
|
||||
In that case, just /profile won't work since the own user's session/authentication data won't tell us whose profile they want view.
|
||||
So, what do you think is a likely pattern to view your own profile explicitly using a direct object reference?
|
||||
So, what do you think is a likely pattern to view your own profile explicitly using a direct object reference?
|
||||
|
||||
@ -43,4 +43,4 @@ idor.view.own.profile.failure1=Please try again. The alternate route is very sim
|
||||
idor.view.own.profile.failure2=You need to authenticate as tom first.
|
||||
|
||||
idor.view.other.profile.failure1=You must authenticate first
|
||||
idor.view.other.profile.failure2=<<still working>>
|
||||
idor.view.other.profile.failure2=<<still working>>
|
||||
|
||||
@ -3,4 +3,4 @@ function submit_secret_credentials() {
|
||||
xhttp['open']('POST', 'InsecureLogin/login', true);
|
||||
//sending the request is obfuscated, to descourage js reading
|
||||
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
|
||||
}
|
||||
}
|
||||
|
||||
@ -113,4 +113,4 @@ a.list-group-item.active small {
|
||||
|
||||
.meta a:hover {
|
||||
color: rgba(0, 0, 0, .87);
|
||||
}
|
||||
}
|
||||
|
||||
@ -56,4 +56,3 @@ Instead, use static keys that are securely managed and updated regularly.
|
||||
- **Audit and monitoring**: Regularly audit JWT usage, monitor for suspicious activity, and implement anomaly detection mechanisms.
|
||||
|
||||
- **Security testing**: Regularly perform security testing, including penetration testing and code reviews, to identify and remediate potential vulnerabilities.
|
||||
|
||||
|
||||
@ -3,4 +3,3 @@
|
||||
Below you see two accounts, one of Jerry and one of Tom.
|
||||
Jerry wants to remove Tom's account from Twitter, but his token can only delete his account.
|
||||
Can you try to help him and delete Toms account?
|
||||
|
||||
|
||||
@ -9,4 +9,3 @@ eyJhbGciOiJIUzI1NiJ9.ew0KICAiYXV0aG9yaXRpZXMiIDogWyAiUk9MRV9BRE1JTiIsICJST0xFX1V
|
||||
----
|
||||
|
||||
Copy and paste the following token and decode the token, can you find the user inside the token?
|
||||
|
||||
|
||||
@ -58,4 +58,3 @@ try {
|
||||
----
|
||||
|
||||
Can you spot the weakness?
|
||||
|
||||
|
||||
@ -43,4 +43,4 @@ One of the drawbacks of using this method is that JWT is widely spread for examp
|
||||
|
||||
For more information take a look at the following video:
|
||||
|
||||
video::RijGNytjbOI[youtube, height=480, width=100%]
|
||||
video::RijGNytjbOI[youtube, height=480, width=100%]
|
||||
|
||||
@ -16,4 +16,3 @@ information in the token to identify the user.
|
||||
|
||||
The token contains claims to identify the user and all other information necessary for the server to fulfill the request.
|
||||
Be aware not to store sensitive information in the token and always send it over a secure channel.
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user