Web Security : OWASP & WebGoat
Table of Contents
- What is WebGoat
- Installing WebGoat
- Exercise) Buffer Overflow
Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
One of the things OWASP does is publish a ranked list of the most critical web application security vulnerabilities. This project is called the OWASP Top 10 project. It has been updated 4 times (2004/2007/2010/2013). The documents are available at the OWASP Top Ten Project webpage (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Main). In WebGoat, another OWASP project, users can try out each of these vulnerabilities hands-on.
What is WebGoat
Web application security is difficult to learn and practice. Not many people have full-blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.
1. Download Tomcat, the JDK, and WebGoat.war from the Internet
2. Make a directory for the JDK and extract the JDK tar file
3. Make a directory for Apache Tomcat and extract the Tomcat tar file
4. Make a link for the installed Java path
5. Check that it is installed properly with the 'java -version' command
6. Export the environment variable: 'export JAVA_HOME=[JDK path]'
7. Check that it is properly set with 'echo $JAVA_HOME'
8. Write the Bash script '/etc/init.d/tomcat' as shown in the figure below
9. Change the permission of the script file to 755 (rwxr-xr-x)
10. Write the contents below inside the <tomcat-users> tag in the apache-tomcat-xx/conf/tomcat-users.xml file
11. Move the WebGoat.war file to Tomcat's webapps directory
12. Start Tomcat with the script written before ('/etc/init.d/tomcat start')
13. WebGoat can now be accessed with a browser: enter the server's IP address followed by :8080
14. Log in with the Tomcat accounts set up before
Exercise) Buffer Overflow
The most fundamental concept of a buffer overflow is 'overwriting'. As the word 'overflow' means exceeding a limit, when the input is larger than the given buffer size it exceeds that limit, crosses the buffer's border, and overwrites the adjacent memory area.
WebGoat - Buffer Overflow Exercise
* Before starting the exercise, there are 3 tools to prepare:
- Portable Firefox
- Burp Suite
- JDK
Burp Suite & JDK
Burp Suite is a comprehensive web testing tool that provides a proxy and various other web testing features. This tool runs on the Java Virtual Machine, so we need the JDK. In this exercise, we will use the proxy feature, which lets us intercept a sent request and modify its contents before it reaches the server.
Portable Firefox is a version of the Firefox web browser that can be used without installation. This portable Firefox has a proxy setting menu that lets the user change proxy settings easily. With this menu, requests sent from the browser are routed through the proxy server. The figure below shows the setting menu.
Exercise – Buffer Overflow
Version 5.4 introduced a nice off-by-one buffer overflow drill. Although rarer on the web than elsewhere, buffer overflow vulnerabilities in web applications occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier is written in C or a similar language. For the particular subset covered here, off-by-one overflows, the lesson focuses on the consequences of being able to overwrite the position reserved for the trailing null byte. Because no null byte is found where the string should end, additional memory beyond the buffer is returned to the user. As of this writing, this lesson has not yet been developed by the WebGoat authors.
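As an added illustration (not from these slides or from WebGoat's own code), the C snippet below models the echo-back described above: a fixed-size name field sits directly in front of an unrelated field, a copy that allows one character too many leaves no terminator, and the application's "%s" echo then returns the neighbouring data as well. The memory layout and the adjacent "SESSION-XYZ" value are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN   8    /* size of the name field, terminator included */
#define REGION_LEN 24   /* name field plus the data that follows it */

/* Constructed layout: name occupies bytes [0, NAME_LEN), an unrelated
 * field follows immediately. The region is zeroed so the demo itself
 * always finds a terminator before running off the end. */
static void layout(char region[REGION_LEN]) {
    memset(region, 0, REGION_LEN);
    memcpy(region + NAME_LEN, "SESSION-XYZ", 11);   /* constructed value */
}

/* Vulnerable: strncpy copies up to NAME_LEN bytes and writes no terminator
 * when the input is NAME_LEN characters or longer. The byte reserved for
 * the null is overwritten by input, so "%s" reads on into the next field. */
static const char *echo_name_vulnerable(char region[REGION_LEN],
                                        const char *input) {
    strncpy(region, input, NAME_LEN);
    return region;
}

/* Fixed: copy at most NAME_LEN - 1 characters and always terminate. */
static const char *echo_name_fixed(char region[REGION_LEN],
                                   const char *input) {
    strncpy(region, input, NAME_LEN - 1);
    region[NAME_LEN - 1] = '\0';
    return region;
}

/* Number of bytes echoed beyond the name field: a simple leak check. */
static size_t leaked_bytes(const char *echoed) {
    size_t n = strlen(echoed);
    return n > NAME_LEN - 1 ? n - (NAME_LEN - 1) : 0;
}

int main(void) {
    char region[REGION_LEN];
    layout(region);
    printf("vulnerable: \"%s\"\n", echo_name_vulnerable(region, "AAAAAAAA"));
    layout(region);
    printf("fixed:      \"%s\"\n", echo_name_fixed(region, "AAAAAAAA"));
    return 0;
}
```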
Other WebGoat solutions can be found on YouTube and at http://webappsecmovies.sourceforge.net/webgoat/
OWASP Top Ten Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
WebGoat User and Install Guide, https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
WebGoat Solutions, http://webappsecmovies.sourceforge.net/webgoat/
Copyright © 2014 ICS Lab. Ajou Univ. All rights reserved.