[OWASP-WEBGOAT]WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans
bruce.mayhew at aspectsecurity.com
Mon Dec 5 08:49:07 EST 2005
Lesson PlanHi Vincent
1) Has been fixed. I have a patch release for OWASP but I haven't delivered it yet.
2) Rogan addressed in separate e-mail
3) Thanks - I'll add to the patch release
4) Working on that.
5) I'll look into that and add that to my patch release.
Thanks for the comments!
----- Original Message -----
From: Vincent Partington
To: owasp-webgoat at lists.sourceforge.net
Sent: Saturday, December 03, 2005 10:19 AM
Subject: [OWASP-WEBGOAT]WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans
First of all, I want to say that I really like WebGoat. I've used it for
two secure coding classes now and it works very well to let people get a
first hand feel for what the OWASP top ten vulnerabilities are about.
The Top Ten itself is good for raising awareness of security issues, but
WebGoat makes it even more visible. Thanks!
I did have a few niggles with it:
1. The StoredXss lesson doesn't work on Windows with the ODBC driver to
connect to the Access database. The code in makeCurrent() wants to
retrieve the MESSAGE_COL column twice and the ODBC driver (or the
OdbcJdbcBridge) can't handle that. I changed the middle bit to only
retrieve the column once (and store it in local variable "messageCol" to
make it work:
TR row2 = new TR( new TD( new B(new StringElement( "Message:" )) ) );
String messageCol = results.getString( MESSAGE_COL );
row2.addElement( new TD( new StringElement( messageCol ) ) );
t.addElement( row2 );
// Edited by Chuck Willis - added display of the user who
// posted the message, so that if users use a cross site
// request forgery or XSS to make another user post a
// message, they can see that the message is attributed
// to that user
TR row3 = new TR( new TD( new StringElement( "Posted By:" ) ) );
row3.addElement( new TD( new StringElement(
results.getString( USER_COL ) ) ) );
t.addElement( row3 );
ec.addElement( t );
if ( messageCol.toLowerCase().indexOf( "script" ) != -1 )
makeSuccess( s );
2. I couldn't solve the Predictable Session Identifier lesson. I used
WebScarab (nice tool too!) to plot the session identified and although a
weakness seems to be there, I wasn't able to exploit it. Is this lesson
a lot harder than the other ones?
3. There was a typo in DOS_Login.java and it had no lesson plan. I fixed
the typo and wrote a lesson plan, see attachments.
4. The web services lessons also had no lesson plan: Soap Request, WSDL
Scanning, and Web Service SQL Injection.
5. The build.xml did not have a "dist" target, but a "dist_CBT" target.
That target seemed to want to invoke the macro's <CopyWebCBTToBuild/>
and <WarBuild/> but they hadn't been defined. I changed that to invoke
the targets -WebXMLWindows, -CopyWebCBTToBuild and -WarBuild. The first
was done to make sure the web-windows.xml was copied to web.xml, because
that step would otherwise be skipped. See attachment for the fixed
Well, I hope these remarks are helpful. If you have any more questions,
please let me know.
Thanks for a great tool!
Regards, Vincent Partington.
[...original text deleted...]
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-webgoat