- Added new challenges
- Added new web application called WebWolf to make attacks more realistic
- Added WebWolf lesson to explain the concepts behind this new application
@ -0,0 +1,21 @@
== Introducing WebWolf

WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to
make a clear distinction between what takes place on the attacked website and the actions you need to do as
an "attacker". WebWolf was introduced after a couple of workshops where we received feedback about the fact there
was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the
website. The following items are supported in WebWolf:

* Hosting a file
* Receiving email
* Landing page for incoming requests

WebWolf runs as a separate web application and is started automatically when using the Docker image. If you
are not using the Docker image you will need to download the jar file and start it:

```
java -jar webwolf-<<version>>.jar
```

This will start the application on port 8081, in your browser type: `http://localhost:8081/WebWolf`
You will be redirected to the login page where you need to login with your WebGoat username and password
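Review bot: the manual start instructions are incomplete: "you will need to download the jar file and start it" gives no download location, and the last line says to log in "with your WebGoat username and password" without saying how a stand-alone WebWolf gets access to the WebGoat user store (shared database, configuration property, or something else). A reader who runs `java -jar webwolf-<<version>>.jar` outside Docker cannot tell what else must be configured, so add the download link and the required setting or a pointer to it. Minor wording: "an attackers machine" should be "an attacker's machine", and "login" used as a verb should be "log in".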
@ -0,0 +1,25 @@
== Landing page

This page will show all the requests made to '/' or '/challenge'. This means
you can use WebWolf as your landing page for harvesting cookies etc which
is helpful when you perform a XSS lesson.

image::images/requests.png[caption="Figure: ", style="lesson-image"]

{nbsp}
{nbsp}
{nbsp}

*For this exercise you need to login to WebWolf first.*

{nbsp}
{nbsp}

Suppose we tricked a user to click on a link he/she received in an email, this link will open up our crafted
password reset link page. The user does not see any difference with the normal password reset page of the company.
The user enters a new password and hits enter, the new password will be send to your host. In this case the new
password will be send to WebWolf. Try to locate the unique code.

Please be aware after resetting the password the user will receive an error page in a real attack scenario the
user would probably see a normal success page (this is due to a limit what we can control with WebWolf)
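Review bot: the closing caveat is a run-on that is easy to misread as "the user will receive an error page in a real attack scenario"; suggest splitting it: "Be aware that after resetting the password the user will see an error page. In a real attack scenario the user would probably see a normal success page; this is a limitation of what WebWolf can control." The exercise text also says "Try to locate the unique code" without saying where in WebWolf it shows up (presumably the request list pictured in requests.png), so name the page the learner should look at. Typos: "will be send" should be "will be sent" (twice), "a XSS lesson" should be "an XSS lesson", and "login to WebWolf" should be "log in to WebWolf".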
@ -0,0 +1,18 @@
== Your own mailbox

WebWolf offers a mail client which will contain the e-mail send during a lesson.
This mailbox is user specific so each user has a separate mailbox. All e-mail
send to {user}@.... wil end up in this inbox.

{nbsp}
{nbsp}
{nbsp}

image::images/mailbox.png[caption="Figure: ", style="lesson-image"]

{nbsp}
{nbsp}
{nbsp}

Try it, type in your e-mail address below and check in
WebWolf your e-mail and type in the unique code below.
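Review bot: "{user}@...." leaves the domain part elided, so a learner reading "type in your e-mail address below" cannot tell which address to enter; either state that WebWolf accepts any domain and routes on the local part only, or spell out the expected domain (an AsciiDoc attribute would keep it in sync with the configuration). It is also worth one sentence saying that this mailbox only receives mail generated by lessons and is not connected to real mail delivery, since "Receiving email" in the introduction could be read otherwise. Typos: "the e-mail send during a lesson" and "All e-mail send to" should use "sent", and "wil" should be "will".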
@ -0,0 +1,12 @@
== Uploading files

In this section you can upload files these files will be available from outside
the application. For example in a XXE attack you want to reference a DTD which you
reference from a xml, you can use WebWolf to serve this DTD.

image::images/files.png[caption="Figure: ", style="lesson-image"]

{nbsp}

After uploading a file you can use the 'Link' to get the full URL to the uploaded
file.
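Review bot: "these files will be available from outside the application" does not say whether the hosted files require authentication; the XXE example only works if the attacked application can fetch the DTD without a WebWolf session, so presumably they are served to anyone who can reach WebWolf, and the lesson should state that explicitly so learners do not upload anything sensitive and operators know to keep WebWolf inside the lab network. Wording: the first sentence is a run-on ("you can upload files these files will be" should be "you can upload files; these files will be"), "a XXE attack" should be "an XXE attack", and "a xml" should be "an XML document".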