WebGoat
Contents • Overview • Environment • Install Required Software • Install WebGoat • Getting Started • Usage of WebGoat • Example INSA@CCU
Overview • Illustrate Typical Security Flaws within Web-Applications • Teach a Structured Approach to Testing and Exploiting • Give Practical Training and Examples
Environment • OS • Red Hat Linux 7.3 (2.4.18-3) • Required Software • Java Development Kit • Apache Ant 1.6.1 • Tomcat 5.0.25
Install Required Software • Java 2 SDK, Standard Edition 1.4.2_04 http://java.sun.com/
Install Required Software (cont.) • Unpacking the Package
Install Required Software (cont.) • Installing JDK RPM Package
Install Required Software • Downloading Apache Ant 1.6.1 http://ant.apache.org/srcdownload.cgi
Install Required Software (cont.) • Unpacking the Package
Install Required Software (cont.) • Building and Installing Apache Ant
Install Required Software (cont.) • Downloading Tomcat 5 http://jakarta.apache.org/site/sourceindex.cgi
Install Required Software (cont.) • Uncompressing the Package
Install Required Software (cont.) • Building All Components of Tomcat 5
Install Required Software (cont.) • Running Tomcat 5
Install Required Software (cont.) • Testing Tomcat 5
Install WebGoat • Download WebGoat Source Distribution http://www.owasp.org/development/webgoat
Install WebGoat (cont.) • Put catalina-ant.jar into /usr/local/ant/lib
Install WebGoat (cont.) • Unpacking the WebGoat src Distribution
Install WebGoat (cont.) • Modify the catalina.home property in build.xml to specify the Tomcat installation directory
Install WebGoat (cont.) • Add <user name="webgoat" password="webg0@t" roles="admin,manager,standard,tomcat"/> to the tomcat_home/conf/tomcat-users.xml file
Install WebGoat (cont.) • Uncomment the invoker mapping in web.xml
Install WebGoat (cont.) • Starting the Compile
Install WebGoat (cont.) • Create a New WebGoat .war File
Install WebGoat (cont.) • Installing WebGoat
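The two configuration edits from the install steps (catalina.home in build.xml and the webgoat user in tomcat_home/conf/tomcat-users.xml) scripted as an added example; this is not code from the original slides or from the WebGoat project. TOMCAT_HOME and WEBGOAT_SRC are hypothetical paths created under a temp directory, and both XML files are constructed stand-ins for the real ones.

```shell
#!/bin/sh
# Added example (not from the original slides): apply two of the WebGoat
# install edits to constructed sample files, then verify them before "ant".
# TOMCAT_HOME and WEBGOAT_SRC are hypothetical paths under a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TOMCAT_HOME="$WORK/tomcat"        # hypothetical tomcat_home
WEBGOAT_SRC="$WORK/webgoat-src"   # hypothetical unpacked WebGoat source
mkdir -p "$TOMCAT_HOME/conf" "$WEBGOAT_SRC"

# Constructed stand-ins for tomcat_home/conf/tomcat-users.xml and build.xml.
cat > "$TOMCAT_HOME/conf/tomcat-users.xml" <<'EOF'
<tomcat-users>
  <role rolename="manager"/>
</tomcat-users>
EOF
cat > "$WEBGOAT_SRC/build.xml" <<'EOF'
<project name="WebGoat" default="compile">
  <property name="catalina.home" value="/change/me"/>
</project>
EOF

# Point catalina.home at the Tomcat installation so the build deploys there.
set_catalina_home() {   # $1 = build.xml, $2 = tomcat directory
  sed "s|name=\"catalina.home\" value=\"[^\"]*\"|name=\"catalina.home\" value=\"$2\"|" \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Insert the user line from the slides before </tomcat-users>. The password
# is the slides' value; replace it on any host reachable by other users.
add_webgoat_user() {    # $1 = tomcat-users.xml
  u='  <user name="webgoat" password="webg0@t" roles="admin,manager,standard,tomcat"/>'
  awk -v u="$u" '/<\/tomcat-users>/ { print u } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Checks (exit 0 when the edit is present) to run before starting the compile.
has_catalina_home() { grep -q "name=\"catalina.home\" value=\"$2\"" "$1"; }
has_webgoat_user()  { grep -q '<user name="webgoat" .*roles="[^"]*manager[^"]*"' "$1"; }

set_catalina_home "$WEBGOAT_SRC/build.xml" "$TOMCAT_HOME"
add_webgoat_user  "$TOMCAT_HOME/conf/tomcat-users.xml"
has_catalina_home "$WEBGOAT_SRC/build.xml" "$TOMCAT_HOME" && echo "build.xml: catalina.home set"
has_webgoat_user  "$TOMCAT_HOME/conf/tomcat-users.xml" && echo "tomcat-users.xml: webgoat user present"
```

The invoker mapping in web.xml is a multi-line commented block and is left for a manual edit here.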
Getting Started • Running Tomcat 5 and Trying http://[server_ip]:8080/WebGoat/attack
Usage of WebGoat • Lesson Plans
Lesson Plans • HTTP Basics • How to Perform Database Cross Site Scripting (XSS) • How to Spoof an Authentication Cookie • How to Exploit Hidden Fields • How to Discover Clues in the HTML • How to Perform Parameter Injection • How to Perform SQL Injection • How to Exploit Thread Safety Problems • How to Exploit Unchecked Email • How to Spoof an Authentication Cookie • Putting it all together
Lesson Plans (cont.)
Example: SQL Injection