[OWASP-WEBGOAT]WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans

Vincent Partington vpartington at xebia.com
Sat Dec 3 10:24:07 EST 2005


Hi,

(I am resending this message without the attachments. Forgot I was 
sending it to a list. If you want the files, please let me know.)

First of all, I want to say that I really like WebGoat. I've used it for
two secure coding classes now and it works very well to let people get a
first-hand feel for what the OWASP Top Ten vulnerabilities are about.
The Top Ten itself is good for raising awareness of security issues, but
WebGoat makes it even more visible. Thanks!

I did have a few niggles with it:

1. The StoredXss lesson doesn't work on Windows with the ODBC driver to
connect to the Access database. The code in makeCurrent() wants to
retrieve the MESSAGE_COL column twice and the ODBC driver (or the
OdbcJdbcBridge) can't handle that. I changed the middle bit to only
retrieve the column once (and store it in the local variable "messageCol")
to make it work:
===
    TR row2 = new TR( new TD( new B(new StringElement( "Message:" )) ) );
    // Read MESSAGE_COL once and keep it; the JDBC-ODBC bridge fails when
    // the same column is fetched twice from one row.
    String messageCol = results.getString( MESSAGE_COL );
    row2.addElement( new TD( new StringElement( messageCol ) ) );
    t.addElement( row2 );

    // Edited by Chuck Willis - added display of the user who
    // posted the message, so that if users use a cross site
    // request forgery or XSS to make another user post a
    // message, they can see that the message is attributed
    // to that user
    TR row3 = new TR( new TD( new StringElement( "Posted By:" ) ) );
    row3.addElement( new TD( new StringElement(
      results.getString( USER_COL ) ) ) );
    t.addElement( row3 );

    ec.addElement( t );

    // Lesson success check reuses the value read above instead of
    // calling results.getString( MESSAGE_COL ) a second time.
    if ( messageCol.toLowerCase().indexOf( "script" ) != -1 )
    {
      makeSuccess( s );
    }
===

2. I couldn't solve the Predictable Session Identifier lesson. I used
WebScarab (nice tool too!) to plot the session identifier and although a
weakness seems to be there, I wasn't able to exploit it. Is this lesson
a lot harder than the other ones?

3. There was a typo in DOS_Login.java and it had no lesson plan. I fixed
the typo and wrote a lesson plan. Where can I submit these changes?

4. The web services lessons also had no lesson plan: Soap Request, WSDL
Scanning, and Web Service SQL Injection.

5. The build.xml did not have a "dist" target, but a "dist_CBT" target.
That target seemed to want to invoke the macros <CopyWebCBTToBuild/>
and <WarBuild/> but they hadn't been defined. I changed that to invoke
the targets -WebXMLWindows, -CopyWebCBTToBuild and -WarBuild. The first
was done to make sure the web-windows.xml was copied to web.xml, because
that step would otherwise be skipped:
   <target name="dist_CBT" depends="clean, compile"
       description="Create CBT binary distribution">
     <antcall target="-WebXMLWindows" />
     <antcall target="-CopyWebCBTToBuild" />
     <antcall target="-WarBuild" />
   </target>

Well, I hope these remarks are helpful. If you have any more questions,
please let me know.

Thanks for a great tool!

Regards, Vincent Partington.
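
Added example for item 2 (editor's illustration; this is not code from
Vincent's message and not part of WebGoat): a small Python script that does,
offline, roughly what WebScarab's session-ID analysis does when you plot the
identifiers it collects. It decodes a captured sequence of session IDs as
integers, looks at the deltas between consecutive ones, predicts the next ID
when the generator turns out to be a plain counter, and otherwise estimates
how many bits an attacker would still have to guess. Both ID lists are
constructed for the demonstration and say nothing about how WebGoat's lesson
actually generates its identifiers.

```python
# Added example (editor's illustration, not Vincent's code and not part of
# WebGoat): a predictability check over session identifiers captured from
# consecutive requests, the sort of thing WebScarab's session-ID analysis
# plots. Works on any fixed-width hex or decimal identifier.
import math
from typing import List, Optional

# CONSTRUCTED samples for the demo; they are not WebGoat's real identifiers.
# A counter-style generator: each new session id is the previous value + 7.
COUNTER_IDS = ["0005a1c0", "0005a1c7", "0005a1ce",
               "0005a1d5", "0005a1dc", "0005a1e3"]
# A random-looking generator (also constructed) for comparison.
RANDOM_IDS = ["8f1e4b02", "03c9a7d1", "e45120bb",
              "5ad0f713", "c8e2a96f", "1b7d0e44"]


def to_ints(ids: List[str], base: int = 16) -> List[int]:
    """Decode the identifiers as integers (hex by default)."""
    return [int(i, base) for i in ids]


def deltas(values: List[int]) -> List[int]:
    """Differences between consecutive identifiers."""
    return [b - a for a, b in zip(values, values[1:])]


def guess_bits(ids: List[str], base: int = 16) -> float:
    """Rough work factor for guessing the *next* id given the last one seen:
    log2 of the span of the observed deltas. 0.0 means a pure counter."""
    d = deltas(to_ints(ids, base))
    if not d:
        return float("nan")
    return math.log2(max(d) - min(d) + 1)


def predict_next(ids: List[str], base: int = 16) -> Optional[str]:
    """If the ids advance by one constant step, return the predicted next id
    in the same width and base; otherwise None."""
    values = to_ints(ids, base)
    d = deltas(values)
    if len(d) < 2 or len(set(d)) != 1:
        return None
    nxt = values[-1] + d[0]
    digits = format(nxt, "x") if base == 16 else str(nxt)
    return digits.zfill(len(ids[-1]))


def classify(ids: List[str], base: int = 16) -> str:
    """One-line verdict on the captured sequence."""
    d = deltas(to_ints(ids, base))
    if len(d) < 2:
        return "too few samples"
    if len(set(d)) == 1:
        return f"counter (constant step {d[0]}): next id is {predict_next(ids, base)}"
    if all(x > 0 for x in d):
        return (f"monotonic (step between {min(d)} and {max(d)}; "
                f"~{guess_bits(ids, base):.1f} bits to guess the next id)")
    return (f"no linear pattern in {len(ids)} samples "
            f"(~{guess_bits(ids, base):.1f} bits to guess the next id)")


if __name__ == "__main__":
    for name, ids in (("counter", COUNTER_IDS), ("random", RANDOM_IDS)):
        print(f"{name:8s} deltas={deltas(to_ints(ids))} -> {classify(ids)}")
```

Feed it the identifiers WebScarab collected (one per line, in the order they
were issued) and compare the verdict with the plot: a flat delta line means a
counter, a gently sloping one usually means a timestamp, and only a sequence
with no linear pattern and a guess window near the full id width is worth
calling unpredictable.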