- Add reference to the WebWolf icon in the top right corner.
- Format all text of the lesson
@ -1,7 +1,7 @@
== Introducing WebWolf

You only need WebWolf if a lesson specifies you can use it. For a lot of lessons you use WebGoat without
using WebWolf. Lessons where you can use WebWolf are marked with the following icon (top right in assignment):
You only need WebWolf if a lesson specifies that you can use it. For many lessons, you use WebGoat without
using WebWolf. Lessons where you can use WebWolf, are marked with the following icon (top right in the assignment):

{nbsp}

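Review bot: the rewritten second line introduces a comma between subject and verb in "Lessons where you can use WebWolf, are marked with the following icon"; drop that comma so it reads "Lessons where you can use WebWolf are marked with the following icon (top right in the assignment):". The rest of the rewording ("that you can use it", "For many lessons,") is fine.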
@ -9,16 +9,17 @@ image::images/wolf-enabled.png[width=115,height=128]

{nbsp}

Even if the icon is present, you are not obliged to use WebWolf, you can also use any intercepting tool you like.
Even if the icon is present, you are not obliged to use WebWolf. You can also use any intercepting tool you like.
(`netcat` etc.)

WebWolf opens in a new browser tab and is a separate web application which simulates an attacker's machine. It makes it possible for us to
make a clear distinction between what takes place on the attacked website and the actions you need to do as
an "attacker". WebWolf was introduced after a couple of workshops where we received feedback that there
You can always open WebWolf by clicking the icon in the top right corner.

WebWolf opens in a new browser tab and is a separate web application that simulates an attacker's machine. It makes it possible for us to
distinguish between what takes place on the attacked website and what actions you need to take as
an "attacker." The idea for WebWolf came about after a couple of workshops where we received feedback that there
was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the
website. The following items are supported in WebWolf:
website. WebWolf supports the following functionality:

* Hosting a file
* Receiving email
* Landing page for incoming requests

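Review bot: the unchanged context line `was no clear distinction between what was part of the "attackers" role and what was part of the "users" role` still lacks the possessive apostrophes ("attacker's" role, "user's" role); since this commit sets out to format all text of the lesson, fix it here as well. Also, now that the new wording ends the sentence at `tool you like.`, the following unchanged line `(\`netcat\` etc.)` is left as a dangling fragment; fold it back into the sentence, e.g. `You can also use any intercepting tool you like (\`netcat\` etc.).` Finally, the new line "You can always open WebWolf by clicking the icon in the top right corner." lands directly before the paragraph describing what WebWolf is; consider placing it after that paragraph so the reader learns what WebWolf is before being told how to open it.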
@ -1,8 +1,8 @@
== Landing page

This page will show all the requests made to '/landing/**'. This means
you can use WebWolf as your landing page for harvesting cookies etc which
is helpful when you perform a XSS lesson.
you can use WebWolf as your landing page for harvesting cookies etc. which
is helpful when you perform an XSS lesson.

image::images/requests.png[caption="Figure: ", style="lesson-image"]

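Review bot: "harvesting cookies etc. which is helpful" is still awkward after adding the period to "etc."; rephrase as "harvesting cookies and similar data, which is helpful when you perform an XSS lesson." The change from "a XSS" to "an XSS" is correct.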
@ -10,16 +10,15 @@ image::images/requests.png[caption="Figure: ", style="lesson-image"]
{nbsp}
{nbsp}

*For this exercise you need to login to WebWolf first.*
*For this exercise, you need to log in to WebWolf first.*

{nbsp}
{nbsp}

Suppose we tricked a user to click on a link he/she received in an email, this link will open up our crafted
Suppose we tricked a user into clicking on a link he/she received in an email. This link will open up our crafted
password reset link page. The user does not notice any differences compared to the normal password reset page of the company.
The user enters a new password and hits enter. The new password will be sent to your host. In this case the new
The user enters a new password and hits enter. The new password will be sent to your host. In this case, the new
password will be sent to WebWolf. Try to locate the unique code.

Please be aware that after resetting the password the user will receive an error page. In a real attack scenario the
user would probably see a normal success page (this is due to a limit what we can control with WebWolf)
Please be aware that the user will receive an error page after resetting the password. In a real attack scenario the user would probably see a normal success page (this is due to a limit on what we can control with WebWolf)

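Review bot: the last replaced line still ends without a period after the closing parenthesis, "(this is due to a limit on what we can control with WebWolf)", and it also collapses two wrapped lines into one long line while the rest of the file keeps its line wrapping; add the period and keep the wrap at "In a real attack scenario the" / "user would probably see ..." for consistency with the surrounding text.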
@ -1,7 +1,7 @@
== Your own mailbox
== Your mailbox

WebWolf offers a mail client which will contain the e-mail sent during a lesson.
This mailbox is user specific so each user has a separate mailbox. All e-mail
WebWolf offers a mail client containing the e-mail sent during a lesson.
This mailbox is user-specific, so each user has a separate mailbox. All e-mail
sent to {user}@.... will end up in this inbox.

{nbsp}

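Review bot: this file spells it "e-mail" in the new lines ("containing the e-mail sent during a lesson", "All e-mail"), while the landing-page lesson in this same commit uses "email" ("a link he/she received in an email") and the feature list uses "Receiving email"; since the commit is meant to format all lesson text, settle on one spelling across the files.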
@ -14,5 +14,5 @@ image::images/mailbox.png[caption="Figure: ", style="lesson-image"]
{nbsp}
{nbsp}

Try it, type in your e-mail address below and check your inbox in
Try it; type in your e-mail address below and check your inbox in
WebWolf. Then type in the unique code from the e-mail in the field below.

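Review bot: replacing the comma with a semicolon in "Try it; type in your e-mail address below" does not fit, since what follows is an instruction that explains "Try it" rather than an independent clause; a colon reads better: "Try it: type in your e-mail address below and check your inbox in WebWolf."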
@ -1,12 +1,12 @@
== Uploading files

In this section you can upload files. These files will be available from outside
the application. For example if you want to reference a DTD which you
reference from an xml in an XXE attack, you can use WebWolf to serve this DTD.
In this section, you can upload files. These files will be available from outside
the application. For example, if you want to reference a DTD that you
reference from an XML in an XXE attack, you can use WebWolf to serve this DTD.

image::images/files.png[caption="Figure: ", style="lesson-image"]

{nbsp}

After uploading a file you can use the 'Link' to get the full URL to the uploaded
After uploading a file, you can use the 'Link' to get the full URL to the uploaded
file.

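Review bot: the rewritten sentence keeps the repeated verb "reference a DTD that you reference from an XML", and "an XML" wants a noun; suggest "For example, if you want to use an external DTD referenced from an XML document in an XXE attack, you can use WebWolf to serve this DTD." It would also help readers to say explicitly that files uploaded here are served publicly, which the first sentence ("available from outside the application") only implies.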