dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Recommit logging lesson as PR got a lot of conflicts

Browse Source
This commit is contained in:
Jeroen Willemsen 2021-11-16 16:11:23 +01:00 committed by Nanne Baars
parent 36bdd9b1a0
commit 1a64fcd8d4
12 changed files with 338 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
webgoat-lessons/logging/pom.xml Executable file
View File

@ -0,0 +1,25 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>logging</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.2.3-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
</project>

66
webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java Normal file
View File

@ -0,0 +1,66 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.logging;
import org.apache.logging.log4j.util.Strings;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AttackResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import javax.annotation.PostConstruct;
import java.util.Base64;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
@RestController
public class LogBleedingTask extends AssignmentEndpoint {
Logger log = LoggerFactory.getLogger(this.getClass().getName());
private String password;
@PostConstruct
public void generatePassword(){
password = UUID.randomUUID().toString();
log.info("Password for admin: {}", Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));
}
@PostMapping("/LogSpoofing/log-bleeding")
@ResponseBody
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
if (Strings.isEmpty(username) || Strings.isEmpty(password)) {
return failed(this).output("Please provide username (Admin) and password").build();
}
if (username.equals("Admin") && password.equals(this.password)) {
return success(this).build();
}
return failed(this).build();
}
}

47
webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java Normal file
View File

@ -0,0 +1,47 @@
package org.owasp.webgoat.logging;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.Lesson;
import org.springframework.stereotype.Component;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 2014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
*/
@Component
public class LogSpoofing extends Lesson {
@Override
public Category getDefaultCategory() {
return Category.INSECURE_CONFIGURATION;
}
@Override
public String getTitle() {
return "logging.title";
}
}

51
webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java Normal file
View File

@ -0,0 +1,51 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2019 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.logging;
import org.apache.logging.log4j.util.Strings;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class LogSpoofingTask extends AssignmentEndpoint {
@PostMapping("/LogSpoofing/log-spoofing")
@ResponseBody
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
if (Strings.isEmpty(username)) {
return failed(this).output(username).build();
}
username = username.replace("\n", "<br/>");
if (username.contains("<p>") || username.contains("<div>")) {
return failed(this).output("Try to think of something simple ").build();
}
if (username.indexOf("<br/>") < username.indexOf("admin")) {
return success(this).output(username).build();
}
return failed(this).output(username).build();
}
}

55
webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html Executable file
View File

@ -0,0 +1,55 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:logging_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:logSpoofing_Task.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task"
method="POST"
action="/WebGoat/LogSpoofing/log-spoofing">
<input type="text" value="" name="username" placeholder="username"/>
<input type="password" value="" name="password" placeholder="password"/>
<input type="submit" value="Submit"/>
</form>
<div class="attack-feedback"></div>
Log output:
<div style="background-color:red;color:white;">Login failed for username:<p class="attack-output"
style="display:inline;"></p></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:sensitive_logging_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:logReading_Task.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="task"
method="POST"
action="/WebGoat/LogSpoofing/log-bleeding">
<input type="text" value="" name="username" placeholder="username"/>
<input type="password" value="" name="password" placeholder="password"/>
<input type="submit" value="Submit"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:more_logging.adoc"></div>
</div>
</html>

2
webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties Executable file
View File

@ -0,0 +1,2 @@
logging.title=Logging Security

5
webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc Normal file
View File

@ -0,0 +1,5 @@
=== Let's try
- Some servers provide Administrator credentials at the boot-up of the server.
- The goal of this challenge is to find the secret in the application log of the WebGoat server to login as the Admin user.
- Note that we tried to "protect" it. Can you decode it?

5
webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc Executable file
View File

@ -0,0 +1,5 @@
=== Let's try
- The goal of this challenge is to make it look like username "admin" succeeded in logging in.
- The red area below shows what will be logged in the web server's log file.
- Want to go beyond? Try to elevate your attack by adding a script to the log file.

13
webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc Executable file
View File

@ -0,0 +1,13 @@
== Concept
Logging is very important for modern systems. We use it for various reasons:
- Application monitoring and debugging.
- Audit logging: E.g. record specific actions of your users and systems.
- Security Event Monitoring: e.g. provide information to a SIEM or SOAR system that will trigger based on the information provided in these logs.
== Goals
* The user should have a basic understanding of logging and where to log for.
* The user understands the risks of log spoofing and leaking log information.
* The user will be able to do a simple log spoofing attack.
* The user will be able to tell the basic risks involved in logging.

32
webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc Normal file
View File

@ -0,0 +1,32 @@
=== More About Logging (2)
By now it should be clear that using simple encoding/decoding is not a way to protect sensitive information in a log. Instead, it is better to use different techniques: not logging the data at all, blanking it out, or encrypting it with another shared secret.
There are a few more topics we might want to cover here:
- How to work with log-levels
- How to do Exception Handling
- How to use logging for other purposes
- Some resources to read up on.
==== Log Levels
Explain log levels
==== Exception Handling
exception handling (maybe an example of logging exception towards the client with cryptography and why this is a bad idea)
==== Audit Logging, Security Event Monitoring, and Application Logs
Note that logging is often used for more than just application debugging. Application logs are often used as a feed for other purposes, think of:
- *Audit logging*: Specific events need to be recorded by your application log to create a trail that can be used to reconstruct the actions done on behalf of/by your user. This can later be used, for instance, in court to prove what happened in case of a dispute.
- *Security Event Monitoring (SEM)*: Events generated by your application can often be used by your security department to understand what is going on in the application landscape of the organization. There are various types of events as well as various attributes that can play a role to detect whether the organization is in trouble. For instance: a privileged administrative logon that is only used as a break-glass procedure can already be a very valuable event for them. Another example: While frequently used administrative logons are good to record, they might not trigger an event at the security department by themselves, unless a completely different location is used for that administrative role. A threat model exercise with your security department can often help to understand which types of logs they require, and what they should trigger a security alert on immediately.
- *Fraud Detection*: your application logs can help in fraud detection. For instance: logs that show that someone is trying to move around more money than that they have, could indicate something is going wrong.
- *Business Process Monitoring*: your application logs can be used to see if the business processes are still progressing as they should. For instance: the lack of new events further down a process could indicate that the business process has stopped. This can be valuable information to the business when it comes to steering the company.
- *And many more*...
Note that a lot of these logging purposes differ quite a lot from each other! Therefore it is best to separate your application (debug) logging, from your SEM, and audit logs in terms of output by your application, storage and processing of the logs within your organization.
==== More reading
- link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html[The OWASP Logging Cheat sheet]

36
webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc Normal file
View File

@ -0,0 +1,36 @@
=== More About Logging
As you can tell by now, log-spoofing can become an issue when users try to spoof logs. There are various ways to do this other than a form-post. Think of URL parameters or crafted JSON payloads for instance. Therefore, it is important to do
- apply proper input-sanitization
- make sure you can establish source authenticity and implement integrity controls to detect log-tampering.
- make sure that a user cannot inject logs from any channel
- make sure that the log storage is protected
But there is more to log security than just sanitization against spoofing attacks. Let's have a look at logging sensitive information.
==== Logging Sensitive Information
In the previous exercise, we saw only the username passing by, but no password. Why? Because we want to make sure that an application log does not contain any sensitive information. Let's make sure that when our logs get compromised, we do not have to fear authentication information to be reused.
Similarly, we should not log any other sensitive information, such as symmetric or private keys, access tokens, and such.
==== Logging Personal Information
Be careful with logging personal information. For instance: do not log bank account details, personally identifiable information to which a user did not consent having it logged. Do not log facts that can establish the identity of the subject being logged.
What you basically want to prevent, is that people use the logs to profile people or spy on them. You want to protect the privacy of the subjects using your system.
===== Special case: Access Logs
One special case is always the access logs offered by your ingress and/or application server. These logs should contain at least a few things: Where the request came from, when the request was made, and possibly what the response code was. Additional information can be shared in an access log, depending on the security of the log. For instance: you don't want to share the raw request in the access logs to safeguard the privacy of your users.
And here the problem often starts: access logs sometimes capture the full URL used for the request. This can include sensitive URL parameters. Therefore: be careful with what you put in the URL as parameters & let's make sure that you do not log those in an openly accessible log.
==== Read more
Want to read up on more about logging? Have a look at:
- link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html[The OWASP Logging Cheat sheet]
- link:https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Principles[GDPR article at Wikipedia]

1
webgoat-lessons/pom.xml
View File

@ -42,6 +42,7 @@
<module>crypto</module>
<module>path-traversal</module>
<module>spoof-cookie</module>
</modules>
<dependencies>