* Hints added
* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (initial release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@301 4033779f-a91e-0410-96ef-6bf7bf53c507
wirth.marcel
2008-04-07 14:28:38 +00:00
parent 84f01ba70a
commit 5d930ec235
137 changed files with 4230 additions and 479 deletions

View File

@ -0,0 +1,50 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage2</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents
a set of access permissions and privileges. A user can be
assigned one or more roles. A role-based access control
normally consists of two parts: role permission management
and role assignment. A broken role-based access
control scheme might allow a user to perform accesses
that are not allowed by his/her assigned roles, or
somehow obtain unauthorized roles.
</p>
<p><b>General Goal(s):</b><br/>
Your goal is to explore the access control
rules that govern this site. Each role has permission to
certain resources (A-F). Each user is assigned one or more roles.
Only the user with the [Admin] role should have access
to the 'F' resources. In a successful attack, a user doesn't
have the [Admin] role can access resource F.
</p>
<p>
<b>Solution:</b><br/>
You have to be sure that the user is AUTHORIZED to do an action! So you have to check for his authorization.
You have to write some code in the class
org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java.
Alter the handleRequest method as there is happening the dispatching.
There is already a method called isAuthorized which you can use:
</p>
<pre><code>
//***************CODE HERE*************************
if(!isAuthorized(s, userId, requestedActionName))
{
throw new UnauthorizedException();
}
//*************************************************
</code></pre>
Try the attack again and you will see that the authorization fails and the
lesson is completed.
</body>
</html>
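Review bot: the Lesson Plan Title on this page, `How to Perform Cross Site Scripting (XSS)`, does not match the lesson the file belongs to, which the `<title>` gives as `Solution Lab Role Based Access Control Stage2`; it looks copied from the XSS solution page and should name the role-based access control lesson. In the same hunk the class is written as `org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java`, with the package segment spelled with one `s` and the class with two, so please confirm which spelling is the real one. The snippet uses `s`, `userId` and `requestedActionName` without the text saying what they are or where in handleRequest they come from; one sentence introducing them would let the reader place the check. Minor wording: `Alter the handleRequest method as there is happening the dispatching.` reads better as `Alter the handleRequest method, since that is where the dispatching happens.`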

View File

@ -0,0 +1,56 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage4</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents
a set of access permissions and privileges. A user can be
assigned one or more roles. A role-based access control
normally consists of two parts: role permission management
and role assignment. A broken role-based access
control scheme might allow a user to perform accesses
that are not allowed by his/her assigned roles, or
somehow obtain unauthorized roles.
</p>
<p><b>General Goal(s):</b><br/>
Your goal is to explore the access control
rules that govern this site. Each role has permission to
certain resources (A-F). Each user is assigned one or more roles.
Only the user with the [Admin] role should have access
to the 'F' resources. In a successful attack, a user doesn't
have the [Admin] role can access resource F.
</p>
<p>
<b>Solution:</b><br/>
You have to be sure that the user is AUTHORIZED to do an action and that
he is authorized to do this action on a certain employee! So you have to check for his authorization.
You have to write some code in the class
org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java.
Alter the handleRequest method as there is happening the dispatching.
Action has already a method called isAuthorizedForEmployee which you can use:
</p>
<pre><code>
//***************CODE HERE*************************
if(!isAuthorized(s, userId, requestedActionName))
{
throw new UnauthorizedException();
}
if(!action.isAuthorizedForEmployee(s, userId, employeeId))
{
throw new UnauthorizedException();
}
//*************************************************
</code></pre>
Try the attack again and you will see that the authorization fails and the
lesson is completed.
</body>
</html>
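Review bot: the second check, `if(!action.isAuthorizedForEmployee(s, userId, employeeId))`, references `action` and `employeeId`, and neither is introduced anywhere on the page; the prose only says `Action has already a method called isAuthorizedForEmployee`. Please state that `action` is the dispatched action object and where `employeeId` is read from, otherwise the reader cannot place the snippet inside handleRequest. As on the Stage 2 page, the Lesson Plan Title reads `How to Perform Cross Site Scripting (XSS)` while the `<title>` is `Solution Lab Role Based Access Control Stage4`, and the class path spells the package `RoleBasedAccesControl` against the class `RoleBasedAccessControl`. The opening sentence could also make the teaching point explicit: the first `if` is the action-level check from Stage 2 and the second is the object-level (per-employee) check that Stage 2 did not have, which is why both are needed here.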

View File

@ -0,0 +1,48 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage1</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents
a set of access permissions and privileges. A user can be
assigned one or more roles. A role-based access control
normally consists of two parts: role permission management
and role assignment. A broken role-based access
control scheme might allow a user to perform accesses
that are not allowed by his/her assigned roles, or
somehow obtain unauthorized roles.
</p>
<p><b>General Goal(s):</b><br/>
Your goal is to explore the access control
rules that govern this site. Each role has permission to
certain resources (A-F). Each user is assigned one or more roles.
Only the user with the [Admin] role should have access
to the 'F' resources. In a successful attack, a user doesn't
have the [Admin] role can access resource F.
</p>
<p>
<b>Solution:</b><br/>
To solve this exercise you have to know the name of the action, which
deletes employees. Of course you could just guess
it because it has a really logical name.
But we will look it up. So your first step is to log in as John with john as
password. Use WebScarab to intercept the delete request.
<center>
<img src="/WebGoat/lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
</center>
As you can see the delete action is called DeleteProfile.
Now log in as Tom. Click in the list on his name and make sure WebScarab
will intercept the next request. Click on a button, for example the
'ViewProfile' button. Change in WebScarab the action to DeleteProfile
and you are done!
</body>
</html>
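Review bot: the `<p>` opened before `<b>Solution:</b>` is never closed, and the block-level `<center>` is nested inside it; close the paragraph before `<center>` and open a new one after it so the page is valid under the HTML 4.01 Transitional DOCTYPE it declares. The image tag uses `width=450px`, a CSS unit inside an HTML attribute; use `width="450"` or move the sizing into `formate.css`. The Lesson Plan Title is again `How to Perform Cross Site Scripting (XSS)` against a `<title>` of `Solution Lab Role Based Access Control Stage1`. Wording: `Click in the list on his name` should be `Click on his name in the list`, and it would help to say explicitly that the WebScarab intercept while logged in as John is only there to read the action name (`DeleteProfile`) off the request, which is the value that is then substituted into Tom's intercepted `ViewProfile` request.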

View File

@ -0,0 +1,46 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage3</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents
a set of access permissions and privileges. A user can be
assigned one or more roles. A role-based access control
normally consists of two parts: role permission management
and role assignment. A broken role-based access
control scheme might allow a user to perform accesses
that are not allowed by his/her assigned roles, or
somehow obtain unauthorized roles.
</p>
<p><b>General Goal(s):</b><br/>
Your goal is to explore the access control
rules that govern this site. Each role has permission to
certain resources (A-F). Each user is assigned one or more roles.
Only the user with the [Admin] role should have access
to the 'F' resources. In a successful attack, a user doesn't
have the [Admin] role can access resource F.
</p>
<p>
<b>Solution:</b><br/>
In stage 1 we tried to use an action we are not authorised to use.
In this stage we want to view a profile of an other person. We have the permission
for the action ViewProfile but we should not have the permission to see a profile
of another employee!
</p>
<p>
Log in as Tom with tom as password. Click on Tom's name in the list and make sure
webscarab will intercept the next request. Change the employee_id for example to 101.
<center>
<img src="/WebGoat/lesson_solutions/Lab Access Control/images/access_control_stage1.png" width=450px alt="deleteAction" />
</center>
</body>
</html>
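Review bot: the screenshot here is `access_control_stage1.png` with alt text `deleteAction`, but this stage is about changing `employee_id`, not about the delete action; either the wrong image is referenced or the alt text should describe the employee_id change. The `<p>` opened at `Log in as Tom with tom as password.` is never closed before `</body>`, and `<center>` sits inside it; close the paragraph first. The Lesson Plan Title repeats `How to Perform Cross Site Scripting (XSS)` while the `<title>` is `Solution Lab Role Based Access Control Stage3`. Spelling and consistency: `authorised` where the other pages use `authorized`, `an other person` should be `another person`, and `webscarab` should be `WebScarab` as elsewhere. The instruction `Change the employee_id for example to 101` should also say that employee_id is a parameter of the intercepted request and that 101 has to be an id belonging to someone other than Tom, since viewing another employee's profile is the whole point of the stage.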

Binary file not shown (image, 36 KiB).

Binary file not shown (image, 34 KiB).