1 / 34

WebGoat

WebGoat. Contents. Overview Environment Install Required Software Install WebGoat Getting Started Usage of WebGoat Example. Overview. Illustrate Typical Security Flaws within Web-Applications Teach a Structured Approach to Testing and Exploiting Give Practical Training and Examples.

adie
Download Presentation

WebGoat

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. WebGoat

  2. Contents • Overview • Environment • Install Required Software • Install WebGoat • Getting Started • Usage of WebGoat • Example INSA@CCU

  3. Overview • Illustrate Typical Security Flaws within Web-Applications • Teach a Structured Approach to Testing and Exploiting • Give Practical Training and Examples INSA@CCU

  4. Environment • OS • Red Hat Linux 7.3 (2.4.18-3) • Required Software • Java Development Kit • Apache Ant 1.6.1 • Tomcat 5.0.25 INSA@CCU

  5. Install Required Software • Java 2 SDK, Standard Edition 1.4.2_04 http://java.sun.com/ INSA@CCU

  6. Install Required Software (cont.) • Unpacking the Package INSA@CCU

  7. Install Required Software (cont.) • Installing JDK RPM Package INSA@CCU

  8. Install Required Software • Downloading Apache ANT 1.6.1 http://ant.apache.org/srcdownload.cgi INSA@CCU

  9. Install Required Software (cont.) • Unpacking the Package INSA@CCU

  10. Install Required Software (cont.) • Building and Installing Apache Ant INSA@CCU

  11. Install Required Software (cont.) • Downloading Tomcat 5 http://jakarta.apache.org/site/sourceindex.cgi INSA@CCU

  12. Install Required Software (cont.) • Uncompressing the Package INSA@CCU

  13. Install Required Software (cont.) • Building All Components of Tomcat 5 INSA@CCU

  14. Install Required Software (cont.) • Running Tomcat 5 INSA@CCU

  15. Install Required Software (cont.) • Testing Tomcat 5 INSA@CCU

  16. Install WebGoat • Download WebGoat Source Distribution http://www.owasp.org/development/webgoat INSA@CCU

  17. Install WebGoat (cont.) • Put catalina-ant.jar into /usr/local/ant/lib INSA@CCU

  18. Install WebGoat (cont.) • Unpacking the WebGoat src Distribution INSA@CCU

  19. Install WebGoat (cont.) • Modify catalina.home property in build.xml to specify tomcat installation directory INSA@CCU

  20. Install WebGoat (cont.) • Add <user name="webgoat" password="webg0@t“ roles="admin,manager,standard,tomcat"/> to the tomcat_home/conf/tomcat-users.xml file INSA@CCU

  21. Install WebGoat (cont.) • Uncomment the invoker mapping in web.xml INSA@CCU

  22. Install WebGoat (cont.) • Starting the Compile INSA@CCU

  23. Install WebGoat (cont.) • Create a New WebGoat .war File INSA@CCU

  24. Install WebGoat (cont.) • Installing WebGoat INSA@CCU

  25. Getting Started • Running Tomcat 5 and Trying http://[server_ip]:8080/WebGoat/attack INSA@CCU

  26. Usage of WebGoat Lesson Plans INSA@CCU

  27. Lesson Plans • Http Basics • How to Perform Database Cross Site Scripting (xss) • How to Spoof an Authentication Cookie • How to Exploit Hidden Fields • How to Discover Clues in the HTML • How to Perform Parameter Injection • How to Perform SQL Injection • How to Exploit Thread Safety Problems • How to Exploit Unchecked Email • How to Spoof an Authentication Cookie • Putting it all together INSA@CCU

  28. Lesson Plans (cont.) INSA@CCU

  29. Example: SQL Injection INSA@CCU

  30. Example: SQL Injection (cont.) INSA@CCU

  31. Example: SQL Injection (cont.) INSA@CCU

  32. Example: SQL Injection (cont.) INSA@CCU

  33. Example: SQL Injection (cont.) INSA@CCU

  34. Example: SQL Injection (cont.) INSA@CCU

More Related