Draft Vuln components
This commit is contained in:
mayhew64
@ -0,0 +1,39 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:VulnerableComponents_plan.adoc"></div>
|
||||
</div>
|
||||
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:VulnerableComponents_content2.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<div id="lessonContent">
|
||||
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>
|
||||
<script>
|
||||
webgoat.customjs.jquery_2_1_4(document).ready(function() { alert(webgoat.customjs.jquery_2_1_4().jquery); });
|
||||
$(document).ready(function() { alert(jQuery.fn.jquery); });
|
||||
</script>
|
||||
<div id="dialog" title="Dialog Title">Content here!</div>
|
||||
<!-- do not remove the two following div's, this is where your feedback/output will land -->
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
|
||||
</div>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</html>
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 1.0 MiB |
@ -0,0 +1,30 @@
|
||||
= HTTP Basics : Proxy
|
||||
|
||||
== HTTP Proxy Setup
|
||||
|
||||
HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
|
||||
OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
|
||||
this will show you how to set up ZAP to act as a proxy on your localhost.
|
||||
|
||||
=== Setting up ZAP
|
||||
|
||||
Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
|
||||
|
||||
* Start ZAP
|
||||
* Configure the local proxy port
|
||||
* Point the browser at the proxy
|
||||
|
||||
=== Start ZAP
|
||||
When ZAP starts, you will be presented with a dialog such as the one below ...
|
||||
|
||||
image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
|
||||
|
||||
=== Configure Proxy's Port
|
||||
|
||||
. Select Tools > Options from the menu
|
||||
. Select Local Proxy on the left
|
||||
. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
|
||||
. Click OK
|
||||
|
||||
image::plugin_lessons/plugin/HttpBasics/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
|
||||
|
||||
@ -0,0 +1,31 @@
|
||||
== HTTP Proxy Setup: The Browser
|
||||
|
||||
=== Point Browser at Proxy
|
||||
|
||||
There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
|
||||
This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
|
||||
|
||||
==== Firefox Proxy Config
|
||||
|
||||
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
|
||||
. Select _Advanced_ on the left
|
||||
. Select _Network_ in the in Advanced Pane
|
||||
. Click _Settings_
|
||||
. Select _Manual proxy configuration_
|
||||
.. input *127.0.0.1* as the Proxy
|
||||
.. input *8090* as the port
|
||||
.. check the _Use this proxy server for all protocols_ checkbox
|
||||
|
||||
image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
|
||||
|
||||
==== Chrome Proxy Config
|
||||
|
||||
. Bring up Chrome's settings form the menu
|
||||
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
|
||||
. Click the _Change proxy settings_ button
|
||||
. Select the _proxies_ tab
|
||||
. Select Web Proxy (HTTP)
|
||||
. Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
|
||||
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
|
||||
|
||||
image::plugin_lessons/plugin/HttpBasics/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
|
||||
@ -0,0 +1,6 @@
|
||||
=== Confirm it's working
|
||||
|
||||
You should now be able to browse somewhere. We suggest starting with a plain http host.
|
||||
If it's working, ZAP's history tab will start to look something like this.
|
||||
|
||||
image::plugin_lessons/plugin/HttpBasics/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]
|
||||
@ -0,0 +1,8 @@
|
||||
|
||||
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
|
||||
|
||||
The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
|
||||
|
||||
== Try It!
|
||||
|
||||
Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
|
||||
@ -0,0 +1,4 @@
|
||||
== The Quiz
|
||||
|
||||
What type of HTTP command did WebGoat use for this lesson. A POST or a GET.
|
||||
|
||||
@ -0,0 +1,11 @@
|
||||
= Vulnerable Components
|
||||
|
||||
== Concept
|
||||
|
||||
The way we build software has changed. The open source community is maturing and the availability of open source software has become prolific without regard to determining the provenance of the libraries used in our applications. Ref:
|
||||
|
||||
== Goals
|
||||
|
||||
The user will become familiar with exploiting components with known vulnerabilities.
|
||||
|
||||
image::plugin_lessons/plugin/VulnerableComponents/images/OWASP-2013-A9.png[caption="Figure: ", title="OWASP-2013-A9", alt="A9", width="800", height="500", style="lesson-image" link="https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities"]
|
||||
@ -0,0 +1,5 @@
|
||||
= HTTP Basics
|
||||
|
||||
== Solution
|
||||
|
||||
Solution goes here
|
||||
@ -0,0 +1,14 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this block for each 'page' of content -->
|
||||
<!-- include content here ... will be first page/tab multiple -->
|
||||
<div class="adoc-content" th:replace="doc:VulnerableComponents_solution.adoc"></div>
|
||||
</div>
|
||||
|
||||
|
||||
</html>
|
||||
@ -0,0 +1,3 @@
|
||||
vulnerable-components.title=Vulnerable Components
|
||||
EnterYourName=Enter your Name
|
||||
Go!=Go!
|
||||
Reference in New Issue
Block a user