
WebGoat Project Review

Bruce Mayhew, WebGoat Project Technical Lead, bruce.mayhew@aspectsecurity.com, 443.745.7732. WebGoat Project Review. How do you teach application security? Change the way developers think: they have to understand the danger, prove their code can be broken, show them how to exploit flaws.


Presentation Transcript


  1. WebGoat Project Review
  Bruce Mayhew, WebGoat Project Technical Lead
  bruce.mayhew@aspectsecurity.com, 443.745.7732

  2. How Do You Teach Application Security?
  Change the way developers think…
  • They have to understand the danger
  • Prove their code can be broken
  • Show them how to exploit flaws

  3. What is WebGoat?
  • Concept
    • Full web application riddled with holes
    • Training environment
    • Hands-on learning for developers
    • Individual lessons for the OWASP Top 10
  • Implementation
    • J2EE servlet with a JDBC database
    • Basic authentication, roles
    • Declarative and programmatic access control
    • Persistent
    • Very easy to add new lessons

  4. What's in a Lesson?
  • Explain the vulnerability.
  • Show the broken code.
  • Allow the user to exploit the vulnerability.
  • Show the correct code.

  5. Explain the Vulnerability
  • Fail Open Authentication
  • This lesson presents the basics for understanding the "fail open" condition regarding authentication. The security term "fail open" describes a behavior of a verification mechanism: an error (i.e. an unexpected exception) occurs during a verification method and causes that method to evaluate to true. This is especially dangerous during login.

  6. Show the Broken Code

      String username = "";
      String password = "";
      try
      {
          username = s.getParser().getRawParameter( USERNAME );
          password = s.getParser().getRawParameter( PASSWORD );

          // if credentials are bad, send the login page
          if ( !"webgoat".equals( username ) || !password.equals( "webgoat" ) )
          {
              s.setMessage( "Invalid username and password entered." );
              return ( makeLogin( s ) );
          }
      }
      catch ( Exception e )
      {
          // the deny branch above is skipped when an exception is thrown
          // (e.g. a missing parameter), so control falls through to success
          s.setMessage( "Error generating " + this.getClass().getName() );
      }
      return ( makeUser( s, username, "Login Succeeded" ) );

  7. Exploit the Vulnerability • Picture of WebGoat Lesson

  8. Exploit the Vulnerability • Picture of WebGoat Lesson

  9. How It Should Be Done

      String username = "";
      String password = "";
      try
      {
          username = s.getParser().getRawParameter( USERNAME );
          password = s.getParser().getRawParameter( PASSWORD );

          // only an explicit, successful check leads to the logged-in page
          if ( "webgoat".equals( username ) && password.equals( "webgoat" ) )
          {
              return ( makeUser( s, username, "Login Succeeded" ) );
          }
      }
      catch ( Exception e )
      {
          // any error during verification is treated as a failed login
          s.setMessage( "User name or password is incorrect" );
      }
      return ( makeLogin( s ) );
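To make the difference between slides 6 and 9 concrete, the following is an added, self-contained Java program (not WebGoat's own code) that runs both versions of the check against the same three requests. The `ParameterParser` class here is a stand-in written for this example; it assumes, like WebGoat's `getRawParameter()`, that asking for a parameter the request does not contain throws an exception. The constant names, credential values and request shapes are taken from the slides; everything else is constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-in for WebGoat's ParameterParser (assumption: getRawParameter()
// throws when the named parameter is absent from the request).
class ParameterParser {
    private final Map<String, String> params;

    ParameterParser(Map<String, String> params) {
        this.params = params;
    }

    String getRawParameter(String name) throws Exception {
        String value = params.get(name);
        if (value == null) {
            throw new Exception("missing parameter: " + name);
        }
        return value;
    }
}

public class FailOpenDemo {
    static final String USERNAME = "Username";
    static final String PASSWORD = "Password";

    // Slide 6 pattern: the deny branch lives inside the try block, so any
    // exception skips it and execution falls through to the success path.
    static boolean brokenLogin(ParameterParser p) {
        try {
            String username = p.getRawParameter(USERNAME);
            String password = p.getRawParameter(PASSWORD);
            if (!"webgoat".equals(username) || !password.equals("webgoat")) {
                return false; // bad credentials -> login page
            }
        } catch (Exception e) {
            // only an error message would be set here; nothing returns
        }
        return true; // reached on success AND after an exception
    }

    // Slide 9 pattern: the only way to return true is an explicit,
    // successful comparison; every other path, exceptions included, fails closed.
    static boolean fixedLogin(ParameterParser p) {
        try {
            String username = p.getRawParameter(USERNAME);
            String password = p.getRawParameter(PASSWORD);
            if ("webgoat".equals(username) && "webgoat".equals(password)) {
                return true;
            }
        } catch (Exception e) {
            // verification error: treat exactly like a wrong password
        }
        return false;
    }

    // Builds a constructed request; a null value means the field is omitted.
    static ParameterParser request(String user, String pass) {
        Map<String, String> form = new HashMap<>();
        if (user != null) form.put(USERNAME, user);
        if (pass != null) form.put(PASSWORD, pass);
        return new ParameterParser(form);
    }

    static void show(String label, ParameterParser p) {
        System.out.printf("%-28s broken=%-5s fixed=%-5s%n",
                label, brokenLogin(p), fixedLogin(p));
    }

    public static void main(String[] args) {
        show("correct credentials", request("webgoat", "webgoat"));
        show("wrong password", request("webgoat", "guess"));
        show("password field omitted", request("webgoat", null));
    }
}
```

Compile and run with `javac FailOpenDemo.java && java FailOpenDemo`. The first two requests are handled the same way by both versions; the third, where the password parameter is simply absent, is accepted by `brokenLogin` and rejected by `fixedLogin`. That third row is the regression check a reviewer would keep for any login handler: the assertion that an exception inside the verification path cannot produce a logged-in session.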

  10. It's Simple to Add a Lesson
  • Set up the framework.
  • Implement createContent().
  • Implement the other methods.
  • Install and run.

  11. Set Up the Framework
  • Use the WebGoat LessonAdapter.

      public class NewLesson extends LessonAdapter
      {
          protected Element createContent( WebSession s )
          {
              return ( new StringElement( "Hello World" ) );
          }

          // The remaining methods are filled in on the following slides;
          // the stubs return null here so the skeleton compiles.
          public String getCategory() { return null; }
          protected List getHints() { return null; }
          protected String getInstructions() { return null; }
          protected Element getMenuItem() { return null; }
          protected Integer getRanking() { return null; }
          public String getTitle() { return null; }
      }

  12. Implement createContent()
  • The "brains" of the lesson.

      protected Element createContent( WebSession s )
      {
          ElementContainer ec = new ElementContainer();
          try
          {
              // get some input from the user -- see ParameterParser for details
              String userInput = s.getParser().getStringParameter( INPUT, "" );

              // do something with the input
              // -- SQL query?  -- Runtime.exec?  -- Some other dangerous thing

              // generate some output -- a string and an input field
              ec.addElement( new StringElement( "Enter a string: " ) );
              ec.addElement( new Input( Input.TEXT, INPUT, userInput ) );

              // Tell the lesson tracker the lesson has completed, when the lesson has been "hacked"
              getLessonTracker( s ).setCompleted( true );
          }
          catch ( Exception e )
          {
              s.setMessage( "Error generating " + this.getClass().getName() );
              e.printStackTrace();
          }
          return ( ec );
      }

  13. Implement the Other Methods
  • Add the supporting details
  • Use Ant to build, install, and run

      public String getCategory()
      {
          return ( "New Category or Existing Category" );
      }

      protected List getHints()
      {
          // Hints will be returned to the user in the order they appear below
          // when the user clicks on "next hint"
          List hints = new ArrayList();
          hints.add( "A general hint to put users on the right track" );
          hints.add( "A hint that gives away a little piece of the problem" );
          hints.add( "A hint that basically gives the answer" );
          return hints;
      }

      protected String getInstructions()
      {
          return ( "Lesson scenario and instructions" );
      }

      protected Element getMenuItem()
      {
          // the return type is Element, so wrap the menu text
          return ( new StringElement( "MyLesson" ) );
      }

      protected Integer getRanking()
      {
          return new Integer( 10 );
      }

      public String getTitle()
      {
          return ( "My Lesson's Short Title" );
      }

  14. It Looked Pretty Easy. It Was!
  You can create a simple lesson in 30 minutes.

  15. How Do You Run WebGoat?
  • Problems with the old installer fixed
  • Download, unzip, click, & browse
    • http://sourceforge.net/project/showfiles.php?group_id=64424
    • Unzip the distribution
      • Use WebGoat-3.0b.zip if you have Java
      • Use WebGoat-3.0b_JAVA.zip if you don't
    • Double-click tomcat.bat
    • Browse to http://localhost/WebGoat/attack

  16. Cool Stuff • Report Card

  17. Cool Stuff • Hackable Admin Interface

  18. WebGoat Supports the OWASP Top 10
  • HTML Clues
  • Encoding Basics
  • Forced Browsing
  • HTTP Basics
  • Fail Open Authentication
  • Command Injection
  • Forgot Password *
  • Buffer Overflow *
  • Denial of Service (Login) **
  • Challenge
  • Thread Safety
  • Hidden Field Tampering
  • Anonymous/Dangerous Email
  • JavaScript Validation
  • Remote Admin
  • Access Control
  • Weak Authentication Cookie
  • Stored and Reflected Cross Site Scripting

  19. Roadmap
  • For the user:
    • More lessons
    • Update the User's Guide
    • Is it too simple?
  • Improve the infrastructure:
    • Use JSPs to replace ECS
    • Port to Apache Struts
    • Refactor the internal database

  20. OWASP Wants Your Ideas!
  • Is WebGoat part of your training environment?
  • What features do you need?
  • How can you get involved?
    • Even a little effort helps
    • Great place to learn web application basics
    • WebGoat could use help with:
      • Converting to JSPs and Struts (Java, HTML, Struts)
      • Storyboarding lessons
      • Updating lesson plans and lesson instructions

  21. Share Your Ideas
  Bruce Mayhew
  bruce.mayhew@aspectsecurity.com
  443.745.7732
  http://www.owasp.org/webgoat
