Added Buffer Overflow lesson, added and updated solutions, fixed errors in lessons preventing them from being completed correctly

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@436 4033779f-a91e-0410-96ef-6bf7bf53c507
x71c4l@gmail.com
2011-08-12 03:00:27 +00:00
parent be8b4311e0
commit 4059bb5d33
110 changed files with 2590 additions and 1116 deletions

View File

@ -1,9 +0,0 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> How to Exploit Buffer Overflows</p>
</div>
<!-- Start Instructions -->
<p><b>Concept / Topic To Teach:</b> </p>
How to Exploit Buffer Overflows.
<p><b>General Goal(s):</b> </p>
This lesson needs a creator!
<!-- Stop Instructions -->

View File

@ -21,6 +21,6 @@ In this way, the attacker can make the victim perform actions that they didn't i
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.
Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/><b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
<!-- Stop Instructions -->
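Review bot: the added build-variance note sits at the very end of the instruction paragraph, after the success criterion, while the step it qualifies ("You can copy the shortcut from the left hand menu ...") is several sentences earlier. A reader assembling the image URL reaches the "Screen" and "menu" values before reaching the warning about them. Suggest moving the sentence directly after the copy-shortcut step and giving it its own <p> instead of chaining it with <br/> onto a line that is already one long paragraph.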

View File

@ -27,6 +27,7 @@ parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the sh
left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever
receives this email and happens to be authenticated at that time will have his funds transferred.
When you think the attack is successful, refresh the page and you will find the green check on
the left hand side menu.
the left hand side menu.<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
<!-- Stop Instructions -->
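Review bot: the bold note added after "the left hand side menu.<br/>" is a verbatim copy of the sentence added to the other two CSRF lesson plans in this commit, so any later wording change has to be made in three places. If the lesson plans cannot share a fragment, keep the three copies identical in markup as well as text (here the <b> element is on its own line, in the first CSRF plan it is appended inline) so that one search finds all of them.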

View File

@ -31,7 +31,8 @@ request to transfer funds. To successfully complete you need to obtain a valid
The page that presents the transfer funds form contains a valid request token. The URL for the
transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load
this page, read the token and append the token in a forged request to transferFunds. When you think
the attack is successful, refresh the page and you will find the green check on the left hand side menu.
the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
<!-- Stop Instructions -->
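Review bot: the added note says "Copying the menu link on the left will give you the current values", but the visible instructions for this lesson never mention the menu link; they only say the transfer funds URL "is the same as this lesson with an extra parameter "transferFunds=main"". Suggest either stating in the instructions that the lesson URL is obtained by copying the menu link, as the other CSRF plans do, or rewording the note to refer to the URL of this lesson.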

View File

@ -33,17 +33,11 @@ solution for complete details.</p>
<p>
To read and edit Parameters you need a local proxy to intercept the HTTP request.
Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter.
After installing WebScarab and configuring your browser to use it as proxy on localhost we can start.<br><br>
<img src="images/introduction/HowToUse_1.jpg"><br><br>
We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
<img src="images/introduction/HowToUse_2.jpg"><br><br>
Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.
</p>
<h2>Read And Edit Cookies</h2>
<p>
Often it is not only necessary to change the value of the parameters but to change the value of cookies.
We can use WebScarab to intercept the request and change cookies values just like parameter data as explained in the last topic.<br><br>
<img src="images/introduction/HowToUse_3.jpg"><br><br>
We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them.
Often it is not only necessary to change the value of the parameters but to change the value of cookies.
WebScarab has functionality for this as well.
</p>
<!-- Stop Instructions -->
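Review bot: under "Read And Edit Cookies", the replacement sentence "WebScarab has functionality for this as well." removes the only description of where cookies appear in the intercept window and gives the reader nowhere to look. The walkthrough and the HowToUse_3.jpg screenshot are moved to the Useful Tools page in this commit, so point there explicitly, as the parameters paragraph already does with "More information on WebScarab can be found in the "Useful Tools" Chapter".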

View File

@ -30,5 +30,6 @@ Date: Fri, 30 Dec 2005 17:32:47 GMT</blockquote>
<!-- Start Instructions -->
<p>This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.</p>
<p>Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) characters to exploit the attack. Your goal should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage. After stage 2 is exploited successfully, you will find the green check in the left menu.</p>
<p>You may find the <a href="http://yehg.net/encoding/">PHP Charset Encoder</a> useful. The Encode and DecodeURIComponent buttons translate CR and LF.</p>
<!-- Stop Instructions -->
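Review bot: the added paragraph makes the lesson depend on a third-party page linked over plain http (http://yehg.net/encoding/), which will not be reachable from an isolated training lab and can change independently of WebGoat. The instructions above already give the two encodings needed (%0d and %0a), so consider saying that any URL encoder works and presenting the link as optional. "The Encode and DecodeURIComponent buttons" is also ambiguous about the first button's label; spell out both labels as they appear on the linked page.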

View File

@ -0,0 +1,21 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> How to Exploit "Off-by-One" Buffer Overflow Vulnerabilities</p>
</div>
<p><b>Concept / Topic To Teach:</b></p>
How to Exploit a Web Based "Off-by-One" Buffer Overflow.
<br>
<div align="Left">
<p><b>How the attack works:</b>
</p>
Despite being more rare, buffer overflow vulnerabilities on the web occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier would be written in C or a similar language.
For the particular subset, namely, off-by-one overflows, this lesson focuses on the consequences of being able to overwrite the position for the trailing null byte.
As a result, further information is returned back to the user, due to the fact that no null byte was found.
</div>
<p><b>Lesson Goal(s):</b> </p>
<!-- Start Instructions -->
<p>Welcome to the <b>OWASP Hotel</b>! Can you find out which room a VIP guest is staying in?</p>
<!-- Stop Instructions -->
* Understand how a buffer overflow vulnerability can be triggered on a web application.<br>
* Understand what type of value lengths are likely to trigger a buffer overflow.<br>
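Review bot: the two goal bullets are placed after <!-- Stop Instructions -->, so under "Lesson Goal(s):" the instruction block holds only the OWASP Hotel prompt and the actual goals fall outside the markers; they are also written as literal "*" lines with <br> instead of a <ul>. Move the goals above <!-- Start Instructions -->, or inside the markers if they are meant to be displayed with the prompt, and mark them up as a list. In "How the attack works", the opening "Despite being more rare, buffer overflow vulnerabilities on the web occur when ..." reads as if rarity were a condition of the overflow, and the off-by-one explanation would be clearer if it said that what is returned is whatever data follows the buffer once its terminator has been overwritten.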

View File

@ -12,6 +12,15 @@ operates as an intercepting proxy, we can review and modify requests
and responses.<br><br>
<img src="images/introduction/webscarab.jpg"><br><br>
Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
<br>The .jar install file can be found at the <a href="http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823">OWASP Sourceforge Page</a></p>
<p>After installing WebScarab and configuring your browser to use it as proxy on localhost we can start. If you are using localhost for your Tomcat server, remember to <a href="https://www.owasp.org/index.php/WebScarab_Getting_Started">put a "." after the hostname when browsing to WebGoat</a>.<br><br>
<img src="images/introduction/HowToUse_1.jpg"><br><br>
We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
<img src="images/introduction/HowToUse_2.jpg"><br><br>
Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.<br><br>
WebScarab is also used to intercept the request and change cookies values just like parameter data:<br><br>
<img src="images/introduction/HowToUse_3.jpg"><br><br>
We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit their values.
</p>
<h2>Firebug:</h2>
<p>
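Review bot: the added download link for the WebScarab .jar uses plain http (http://sourceforge.net/project/showfiles.php?...), while the Getting Started link in the next paragraph already uses https; a link to an executable archive should use https where the host offers it and tell the reader to verify what they downloaded. The same href contains a raw "&" before package_id, which should be written as &amp; in HTML. The localhost hint is carried only by the link text ("put a "." after the hostname when browsing to WebGoat"); an example hostname in the sentence would make it usable without following the link.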