Security Course. WebGoat Lab sessions

Similar documents
WebGoat Lab session overview

Application vulnerabilities and defences

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Introduction to Ethical Hacking

Web Application Security. Philippe Bogaerts

5 IT security hot topics How safe are you?

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

P2_L12 Web Security Page 1

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Copyright

Certified Secure Web Application Engineer

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Web Application Penetration Testing

CIS 4360 Secure Computer Systems XSS

Sichere Software vom Java-Entwickler

Your Turn to Hack the OWASP Top 10!

WebGoat& WebScarab. What is computer security for $1000 Alex?

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

CS 161 Computer Security

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

CSCE 813 Internet Security Case Study II: XSS

CSWAE Certified Secure Web Application Engineer

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Information Security CS 526 Topic 8

Evaluating the Security Risks of Static vs. Dynamic Websites

Lab 5: Web Attacks using Burp Suite

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Information Security CS 526 Topic 11

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

LiU TopDog Challenge 2018

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

CPTE: Certified Penetration Testing Engineer

UNIT 28 WEBSITE PRODUCTION

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Notes From The field

Getting started with OWASP WebGoat 4.0 and SOAPUI.

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Secure Frame Communication in Browsers Review

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Web Security. Thierry Sans

Bank Infrastructure - Video - 1

Web Security: Vulnerabilities & Attacks

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CSCD 303 Essential Computer Security Fall 2018

Security and social engineering

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Web Security Computer Security Peter Reiher December 9, 2014

Cross-Site Request Forgery in Cisco SG220 series

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

EasyCrypt passes an independent security audit

ISDP 2018 Industry Skill Development Program In association with

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

NET 311 INFORMATION SECURITY

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16


Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

The security of Mozilla Firefox s Extensions. Kristjan Krips

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Module 14: SQL Injection

CSCD 303 Essential Computer Security Fall 2017

CS 161 Computer Security

Curso: Ethical Hacking and Countermeasures

Web Security II. Slides from M. Hicks, University of Maryland

Web Applications Penetration Testing

10 FOCUS AREAS FOR BREACH PREVENTION

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

BIDMC Multi-Factor Authentication Enrollment Guide Table of Contents

Injecting Security Controls into Software Applications. Katy Anton

Welcome to the OWASP TOP 10

More attacks on clients: Click-jacking/UI redressing, CSRF

Beware of Serialized GUI Objects Bearing Data. David Byrne Rohini Sulatycki

Web Application Firewall Subscription on Cyberoam UTM appliances

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

How to Use Your EV Connect Account

COMP9321 Web Application Engineering

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Ethical Hacking. Content Outline: Session 1

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

1 About Web Security. What is application security? So what can happen? see [?]

Finding Vulnerabilities in Web Applications

Minds.com Platform Full Disclosure

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Cyber Security. Web Application Security 2. Adrian Dabrowski, Christian Kudera

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Transcription:

Security Course WebGoat Lab sessions

WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter Tampering Lab Session 5 Authentication Flaws Password cracking Lab Session 3 SQL Injection XSS Lab Session 6 Session Fixation/Stealing, Phishing

Why are webapplications a raising concern Attacks Used to be on the Operating Systems Now it is easier to attack the (web) applications. See any statistics Why is that so?

OLD

New What is the difference?

The difference Which parts are vulnerable? Client Client Client: Vulnerable, nothing we can do about this Webserver: Vulnerable, but easy to harden Static http page: Invulnerable WebApplication and Database: Very vulnerable you can have them do something for you and they have access to a lot of information (usernames, passwords ) internet webserver static http page internet webserver webapplication database

WEB APPLICATION ARCHITECTURE

Web Application Architecture HTTP Request Web Goat HTTP Response User Sends requests to the services he wants to use (e.g. Facebook, Google, YouTube) Web server Web servers listen for users requests and sends the response (either he wants to listen a song, or visit a friend s profile) Intruder Can play the role of the user, and modify the HTTP request and response Can access directly the web servers to exploit vulnerabilities

HTTP Request/Response While browsing, every time an action is taken, a HTTP Request is created The HTTP Request goes from the browser to the web server The web server make some elaboration (e.g. verify if you are a registered user) and send back a HTTP Response HTTP Request HTTP Response

HTTP Request HTTP REQUEST

HTTP Response

INITIAL SETUP

Tamper Data Tamper Data is a tool allowing you to intercept and modify Request/Response from your Mozilla Firefox Browser If not yet installed, you can download it here: https://addons.mozilla.org/enus/firefox/addon/tamper-data/ You have to click on Start Tamper to start intercepting Request/Response Note that this will intercept, and let you see the HTTP request/response, all your internet traffic you have to Stop Tamper to get back to normal browsing

WEB GOAT (1) Close your Internet Connection (your machine is extremely vulnerable when WebGoat is running) Go to the folder containing your WebGoat installation Execute the webgoat_8080.bat file

WEB GOAT (2) Type the address http://localhost:8080/webgoat/attack in Mozilla Firefox Login as username = guest and pwd= guest

WEB GOAT Setup Press Start WebGoat to access the Lesson Section

LAB SESSION 2

Where to find exercises in WebGoat Lab Session 2 HTTP Basics: General HTTP Basics Lab Session 3 SQL Injection Injection Flaw Modify data with SQL injection Sniffing: Insecure Communication Insecure login XSS Xross-Site-Scripting (XSS) Stage 1: Stored XSS Parameter Tampering: Parameter Tampering Bypass HTML Field Restrictions Exploit Hidden Fields Lab Session 4 Access Control Access Control Stage 3: Bypass Data Layer Access Control

HTTP Basics - Exercise Goal: meet WebGoat and TamperData. Exercise: Go to; exercise General Http Basics Insert your name in the input field and start the tampering Modify the parameter person in the HTTP request in such a way to get back the string webgoat as response from the server

HTTP Basics - Solution Change the value of person to taogbew The server will reverse it and you will get webgoat as final response. 2/22/2013

HTTP Basics - Lesson learned When parameters are in clear (i.e. not encrypted) they can be easily changed by who is listening your internet traffic. In this case it was only your name But Assume you want to make a payment of 800 Euro to the account of your landlord and insert 12345 as the account number The attacker can change such number to 34566 (his account number) In this way he managed to steal 800 Euro from you 2/22/2013

Sniffing - Exercise Goal: Steal the password of the user Jack Exercise: Go to Insecure Communication Insecure Login Press the button Submit and use Tamper Data to steal the password 2/22/2013

Sniffing - Solution Start tampering then press the Submit button Get the value of the field clear_pass The solution is sniffy 2/22/2013

Sniffing - Lesson learned You performed your first sniffing attack You intercepted the traffic of your victim and stolen his password If this is the same password he uses for his internet banking (or email account) you can now easily access it 2/22/2013

Parameter Tampering Exercise Goal: change the total amount charged to your credit card Exercise: Go to Parameter Tampering Exploit Hidden Fields Purchase the TV for 1$ 2/22/2013

Parameter Tampering Solution Start Tampering Data then press the button Purchase Change the parameter Price to the value 1.00$ If successful you will get a Congratulations message

Lesson learned You used your recently learned hacking skills to gain personal advantages You paid 1$ a product worth 3000$ Why is that possible? The web server is not checking that you re paying the right amount of money An hacker who knows this vulnerability is able to exploit it

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback