From 6a59cd6e6e92f9c1de78fc2c7228a3bd05eafaa3 Mon Sep 17 00:00:00 2001
From: "sherif.fathy" <sherif.fathy@4033779f-a91e-0410-96ef-6bf7bf53c507>
Date: Fri, 3 Nov 2006 01:14:36 +0000
Subject: [PATCH] git-svn-id: http://webgoat.googlecode.com/svn/trunk@28 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../org/owasp/webgoat/HammerHead.java | 5 ++-
 .../owasp/webgoat/lessons/ForcedBrowsing.java | 30 ++++++++++++------
 .../owasp/webgoat/lessons/LogSpoofing.java | 10 ++++++
 .../org/owasp/webgoat/session/WebSession.java | 20 ++++++++++++
 .../main/project/WebContent/WEB-INF/web.xml | 5 +++
 .../project/WebContent/database/webgoat.mdb | Bin 188416 -> 188416 bytes
 .../lesson_plans/ForcedBrowsing.html | 26 +++++++++++----
 7 files changed, 78 insertions(+), 18 deletions(-)
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java
index 6083aefc1..51997f810 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java
@@ -307,6 +307,9 @@ public class HammerHead extends HttpServlet
 s.setHasHackableAdmin( screen.getRole() );
+ //More bookkeeping here to see if the user was able to force browse to the
+ //config URL.
+ s.setHasHackableConfig( s.getRequest().getRequestURI());
 lesson.handleRequest( s );
 s.setCurrentMenu( lesson.getCategory().getRanking() );
 }
@@ -346,7 +349,7 @@ public class HammerHead extends HttpServlet
 // in order to satisfy the remote admin lesson.
 s.setHasHackableAdmin( screen.getRole() );
-
+
 lesson.handleRequest( s );
 s.setCurrentMenu( lesson.getCategory().getRanking() );
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
index f191920f0..53b65f4f5 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
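Review bot: The second hunk (@@ -346) keeps the same `s.setHasHackableAdmin( screen.getRole() );` then `lesson.handleRequest( s );` sequence as the first, but did not receive the new `s.setHasHackableConfig( s.getRequest().getRequestURI());` call, so if that branch also dispatches lesson requests a forced browse to the config URL served through it is never recorded. Both enclosing methods start and end outside the hunks, so I cannot tell whether the omission is deliberate; if it is, a one-line comment in the second branch saying so would spare the next reader the same question. The new comment `//More bookkeeping here...` also does not say where the detection lives; consider `// Record whether this request reached the /config path (ForcedBrowsing lesson); see WebSession.setHasHackableConfig`.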
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
@@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.List;
 import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
 import org.owasp.webgoat.session.WebSession;
@@ -14,8 +15,8 @@ import org.owasp.webgoat.session.WebSession;
 * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
 * this software.
 *
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created October 28, 2003
+ * @author Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies.</a>
+ * @created November 02, 2006
 */
 public class ForcedBrowsing extends LessonAdapter
 {
@@ -28,8 +29,18 @@ public class ForcedBrowsing extends LessonAdapter
 */
 protected Element createContent( WebSession s )
 {
- // just to get the generic how to text.
- return super.createContent(s);
+ ElementContainer ec = new ElementContainer();
+
+ if ( s.completedHackableConfig() )
+ {
+ makeSuccess( s );
+ }
+ else
+ {
+ ec.addElement( "Can you try to force browse to the config page which " +
+ "should only be accessed by maintenance personnel.");
+ }
+ return ec;
 }
@@ -53,15 +64,14 @@ public class ForcedBrowsing extends LessonAdapter
 public List getHints()
 {
 List hints = new ArrayList();
- hints.add( "Lesson Hint 1" );
- hints.add( "Lesson Hint 2" );
-
+ hints.add( "Try to guess the URL for the config page" );
+ hints.add( "The config page is guessable and hackable" );
+ hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." );
+
 return hints;
 }
-
-
 private final static Integer DEFAULT_RANKING = new Integer(15);
 protected Integer getDefaultRanking()
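Review bot: In the success branch of `createContent` nothing is added to `ec`, so when `s.completedHackableConfig()` is true the method returns an empty container and the lesson pane could render blank. `makeSuccess` is defined outside this hunk, so I cannot see whether it writes its message into the session or returns it as an element; if it is the latter, the call should be `ec.addElement( makeSuccess( s ) );`. Either way a short comment on that branch saying where the success text ends up would make the intent clear.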
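Review bot: The third hint added in `getHints` is ungrammatical: `Play with the URL and try to guess what the can you replace 'attack' with.`; suggest `hints.add( "Play with the URL and try to guess what you can replace 'attack' with." );`. Hints are shown to the learner verbatim, so the wording is user-facing behaviour rather than a comment.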
@@ -80,7 +90,7 @@ public class ForcedBrowsing extends LessonAdapter
 public Element getCredits()
 {
- return new StringElement("This screen created by: Your name could go here");
+ return new StringElement("This screen created by: Sherif Koussa");
 }
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
index ed689d92a..ab3b5094b 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
@@ -19,6 +19,16 @@ import org.apache.ecs.html.Table;
 import org.apache.ecs.html.PRE;
 import org.apache.ecs.HtmlColor;
+/**
+ * Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
+ * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
+ * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
+ * this software.
+ *
+ * @author Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies</a>
+ * @created October 28, 2006
+ */
+
 public class LogSpoofing extends LessonAdapter
 {
 private static final String USERNAME = "username";
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
index d92b15090..1211e5241 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
@@ -225,6 +225,8 @@ public class WebSession
 private String feedbackAddress = "<A HREF=mailto:webgoat@aspectsecurity.com>webgoat@aspectsecurity.com</A>";
 private boolean completedHackableAdmin = false;
+
+ private boolean completedHackableConfig = false;
 private int currentMenu;
@@ -724,6 +726,16 @@ public class WebSession
 return ( completedHackableAdmin );
 }
+ /**
+ * Has the user ever hacked the hackable config URL
+ *
+ * @return The hackable config value
+ */
+ public boolean completedHackableConfig()
+ {
+ return ( completedHackableConfig );
+ }
+
 /**
 * Gets the authenticated attribute of the WebSession object
 *
@@ -1103,6 +1115,14 @@ public class WebSession
 }
 }
+ public void setHasHackableConfig ( String url)
+ {
+ if ( config.indexOf("config") >= 0)
+ {
+ completedHackableConfig = true;
+ }
+ }
+
 /**
 * @return Returns the isDebug.
 */
diff --git a/ webgoat/main/project/WebContent/WEB-INF/web.xml b/ webgoat/main/project/WebContent/WEB-INF/web.xml
index 94720c354..f595a0d4c 100644
--- a/ webgoat/main/project/WebContent/WEB-INF/web.xml
+++ b/ webgoat/main/project/WebContent/WEB-INF/web.xml
@@ -227,6 +227,11 @@
 <url-pattern>/attack</url-pattern>
 </servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>WebGoat</servlet-name>
+ <url-pattern>/config</url-pattern>
+ </servlet-mapping>
+
 <servlet-mapping>
 <servlet-name>LessonSource</servlet-name>
 <url-pattern>/source</url-pattern>
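Review bot: `setHasHackableConfig` never reads its `url` parameter: the test is `config.indexOf("config") >= 0`, and `config` is not declared anywhere in this hunk, so the method either does not compile or inspects some unrelated field and can never reflect the request URI that HammerHead passes in. The guard should be `if ( url != null && url.indexOf( "config" ) >= 0 )`. A bare substring match is also broad, since any request URI with `config` anywhere in it would set the flag; comparing against the path the commit actually maps in web.xml (`/config`) would make the completion check harder to trip by accident. The sibling getter `completedHackableConfig()` added in the hunk above carries a Javadoc block; the setter should get one too, stating that the argument is the request URI and that the flag stays set once true.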
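Review bot: The new `/config` mapping has no comment explaining why a second URL pattern points at the WebGoat servlet, and someone reading web.xml on its own would take it for an administrative endpoint. Suggest adding, directly above the new `<servlet-mapping>`, `<!-- Deliberately guessable path used by the ForcedBrowsing lesson; completion is recorded in WebSession.setHasHackableConfig -->`.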
diff --git a/ webgoat/main/project/WebContent/database/webgoat.mdb b/ webgoat/main/project/WebContent/database/webgoat.mdb index 35f49ec883a4fc9d79a1692f9962f600ddc0dcac..6796f1e657a9b26d7e25862aa8c27f0749887ed5 100644 GIT binary patch delta 3343 zcmeHJUu=_A6hFVO{o1Zu+pjn_=wfWPVUPrDyFgoHhW?vDW@r?NajCSEvY~~Jb+|z= zjE4~j&QK>_!UM^C;Lnp~d$^C(5D-#zd(aqP2u2elCTcW3_~1Uz*N)&cX1?vE_vU=( zoO{pjyXX9Ro9~R58^_CyCB=yivu@|lnDRQEGulm;$(DXF_3_hNXS~6?R&0Lv)N#kR zv(Nr;RYk|__dm6{cYmbz?uqmgk4~cb+PvYqG53FGxG`LLG_P5%-BvB~f*nD~N#F~U zXmjCx*CrED6OqY8X6hgk9v9C4b5Xtn95u_g?fB3vZo2RSRN>YTfGXn}PCNm#$fVG1 z#%~UHak^D*N-8rbmR5=Teymr`L>`ik0A6->gou2<wiz{1Y2BKtCVNehjcEPz967Na zHf_rHX2WWY$ikaoS<rRehy#hCF|3j0BrZavb|cr2KKu2tPrkd2$K=)nIE%FkhyBUn zD(hwzHgztN7MSg>$5*q}!qRH2@Q#thS{9Gt%j-!9$keOI!MgZfG2e$tc`IFA@_c0+ zCFb{Hok;a#@Ct{T<*og=0P*`?42t0~v<Ob_MVWdHy^!vHcw6P&H<+wsJQ0s2BC&*j zOEA#m3vT(lv^(taWVE|I8jB`Ep+GDe@<pTJn(*FpvF`S8Bpiw){DDy1-(^Tp?9Abq zNcABmY*{>IP1mxMp)4k#2y1b=N2&*LTJad=Uvgb^flR>XczCZs_vAOP;5h$QFNu36 z(aG!{vY}P<Ww4=GDhuxfnl{I1n6i|i5q^5<Fdbn%Oh?&1K!^AlXTQMqK-GJTtt^ce zr$4KryOyH&Q=YL0m&49gvB9NSBa5Lbeq=d(rHbFV6u+-pLx!;#dYz|{b%DJh_6OKo zrXDGojZQ^8I0;Q`?1N2=ok6qX4pVCkuzXo#^Lpt=^W}5UK1d=ZCi569mYT(xJaUVA zo7{L9@4?YSJ+y;jlpsI(#izq~27YNPAgsVHqen2I*sN$Eo$hyvxlwH2Wi^jx`v>xw zkw3;Y{$~_M_T_WgskBBaMdG{S(ZY;Iimn6OI2q&G>$;tNU2jqp_AQ*Gt~(Xe;-1Kj z;mH$~l^yl->-?`I1NHm2lI&M1b^h!8uOtJ$|2Ukx)`u-q1AcKmYMG>V4)ZYDB^!T9 gjc&9>E=*$;>WxyZ@%vY!B)L&KZ8=rO<+9@a3#h?F1^@s6 delta 643 zcma)4O=uHQ5Psj=-MD1y?n{g&q*{X_1i_#5q85K5sHY%SB(y0ZjUXt91O!n*jE59F z2#KM6(t}u#RuIZ2p*{qmEA?U#yGT5E5fN#r2Q7h~)W)~A;z0!G<70-IZw6-GD>_Ee zF>Gog+6b6mQH_~qoy}NE$KdDc^F2NF*uIzRg7@;1SFV3-9A12+iTN*xqP|2~Z$nF^ zkEV#UZG^b1n6{?pI<3yR|G}_-c=iu89}x!(^g!GJnhL++$HUc7$nb>5&uJ+0U2XJ^ zFfgb*z|aj<9Amh-wK8@{Q}KO$pfVP2>@L<(v4i|W0`Y3=?n#mEMu)jQPROf&SmE0S zGH^-RD@sY|tjq9r@{AGUmkyFE?RMKs>4X=qA|jkq7{$gPGOMmtJ%uJ?A2)MY@B}J& z_B1Y<&Q$2und}S{S#^jwasfloJ-J67$l;Tx4uKbL%e@lU@T_JhF_F#4^|F0Pfd}%4 zSZwxj$s4ogx!aE&d^v~nyvw0+z9obG&_%irmobqzi*U_;;p4Fq)bM?4)B;g}*ZBQp 
zAnzfVOIzT}3POC-8`=`VCiO$a-qNHhqD}cJ#Na#nz&Bn7d*V_`J!ymw<gv42JHJN% q-NI#yuCK_OWh6!6DayVP7n?=2j7g<tPZ`yvh2xS3ha8MMH1-pRiR@PZ
diff --git a/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html b/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html
index 134656b75..71c4235fa 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html
+++ b/ webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html
@@ -1,9 +1,21 @@
-<div align="Center">
-<p><b>Lesson Plan Title:</b> How to Exploit Forced Browsing</p>
-</div>
-<!-- Start Instructions -->
+<div align="Center">
+<p><b>Lesson Plan Title:</b>Forced Browsing. </p>
+ </div>
+
 <p><b>Concept / Topic To Teach:</b> </p>
-How to Exploit Forced Browsing
+How to Exploit Forced Browsing.
+ <br>
+<div align="Left">
+<p>
+<b>How the attacks works:</b>
+</p>
+Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible.
+
+One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found
+</div>
 <p><b>General Goal(s):</b> </p>
-This lesson needs a creator!
-<!-- Stop Instructions -->
\ No newline at end of file
+<!-- Start Instructions -->
+* Your goal should be to try to guess the URL for the "config" interface.<br>
+* The "config" URL is only available to the maintenance personnel.<br>
+* The application doesn't check for horizontal priveleges.
+<!-- Stop Instructions -->