[OWASP-WEBGOAT]WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans
Vincent Partington
vpartington at xebia.com
Sat Dec 3 10:19:15 EST 2005
Hi,
First of all, I want to say that I really like WebGoat. I've used it for
two secure coding classes now and it works very well to let people get a
first hand feel for what the OWASP top ten vulnerabilities are about.
The Top Ten itself is good for raising awareness of security issues, but
WebGoat makes it even more visible. Thanks!
I did have a few niggles with it:
1. The StoredXss lesson doesn't work on Windows with the ODBC driver to
connect to the Access database. The code in makeCurrent() wants to
retrieve the MESSAGE_COL column twice and the ODBC driver (or the
OdbcJdbcBridge) can't handle that. I changed the middle bit to only
retrieve the column once (and store it in the local variable "messageCol")
to make it work:
===
TR row2 = new TR( new TD( new B( new StringElement( "Message:" ) ) ) );
// Read MESSAGE_COL once and reuse the value below; the JDBC-ODBC bridge
// fails when the same column is retrieved a second time.
String messageCol = results.getString( MESSAGE_COL );
row2.addElement( new TD( new StringElement( messageCol ) ) );
t.addElement( row2 );
// Edited by Chuck Willis - added display of the user who
// posted the message, so that if users use a cross site
// request forgery or XSS to make another user post a
// message, they can see that the message is attributed
// to that user
TR row3 = new TR( new TD( new StringElement( "Posted By:" ) ) );
row3.addElement( new TD( new StringElement( results.getString( USER_COL ) ) ) );
t.addElement( row3 );
ec.addElement( t );
// Lesson is marked solved when the stored message contains "script".
if ( messageCol.toLowerCase().indexOf( "script" ) != -1 )
{
    makeSuccess( s );
}
===
2. I couldn't solve the Predictable Session Identifier lesson. I used
WebScarab (nice tool too!) to plot the session identifier and although a
weakness seems to be there, I wasn't able to exploit it. Is this lesson
a lot harder than the other ones?
3. There was a typo in DOS_Login.java and it had no lesson plan. I fixed
the typo and wrote a lesson plan, see attachments.
4. The web services lessons also had no lesson plan: Soap Request, WSDL
Scanning, and Web Service SQL Injection.
5. The build.xml did not have a "dist" target, but a "dist_CBT" target.
That target seemed to want to invoke the macros <CopyWebCBTToBuild/>
and <WarBuild/> but they hadn't been defined. I changed that to invoke
the targets -WebXMLWindows, -CopyWebCBTToBuild and -WarBuild. The first
was done to make sure the web-windows.xml was copied to web.xml, because
that step would otherwise be skipped. See attachment for the fixed
build.xml.
Well, I hope these remarks are helpful. If you have any more questions,
please let me know.
Thanks for a great tool!
Regards, Vincent Partington.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: StoredXss.java
Url: http://lists.owasp.org/pipermail/owasp-webgoat/attachments/20051203/bd448f04/attachment.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: DOS_Login.java
Url: http://lists.owasp.org/pipermail/owasp-webgoat/attachments/20051203/bd448f04/attachment-0001.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: build.xml
Type: text/xml
Size: 20453 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-webgoat/attachments/20051203/bd448f04/attachment.xml
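A standalone illustration of item 1, added here and not WebGoat's own code: it reads each ResultSet column exactly once, shows the lesson's unescaped rendering beside an HTML-encoded version of the same row, and keeps the lesson's "script" check. The column-name constants and the sample row are assumptions.

```java
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not WebGoat code.
public class StoredMessageExample {

    // Assumed column names, standing in for the lesson's MESSAGE_COL / USER_COL.
    static final String MESSAGE_COL = "MESSAGE";
    static final String USER_COL = "USERID";

    /** One row, read once; the values can then be reused freely. */
    record StoredMessage(String message, String postedBy) {}

    // Each column is fetched a single time. Calling getString(MESSAGE_COL)
    // twice is what tripped the JDBC-ODBC bridge in the original lesson code.
    static StoredMessage readRow(ResultSet results) throws SQLException {
        String message = results.getString(MESSAGE_COL);
        String postedBy = results.getString(USER_COL);
        return new StoredMessage(message, postedBy);
    }

    // The lesson's rendering: stored text goes into the page as-is, so any
    // markup inside the message is interpreted by the browser (stored XSS).
    static String renderVulnerable(StoredMessage m) {
        return "<tr><td><b>Message:</b></td><td>" + m.message() + "</td></tr>"
             + "<tr><td>Posted By:</td><td>" + m.postedBy() + "</td></tr>";
    }

    // Hardened rendering: untrusted values are HTML-encoded before being
    // placed in element content, so the same message displays as literal text.
    static String renderSafe(StoredMessage m) {
        return "<tr><td><b>Message:</b></td><td>" + escapeHtml(m.message()) + "</td></tr>"
             + "<tr><td>Posted By:</td><td>" + escapeHtml(m.postedBy()) + "</td></tr>";
    }

    // Minimal element-content encoder; '&' must be replaced first.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Same heuristic the lesson's makeCurrent() uses to decide it was solved.
    static boolean lessonSolved(StoredMessage m) {
        return m.message().toLowerCase().indexOf("script") != -1;
    }

    public static void main(String[] args) {
        // Constructed sample row standing in for a database read.
        StoredMessage m = new StoredMessage("<script>alert('stored')</script>", "guest");
        System.out.println(renderVulnerable(m));
        System.out.println(renderSafe(m));
        System.out.println("lesson solved: " + lessonSolved(m));
    }
}
```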