[OWASP-WEBGOAT]WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans

Bruce Mayhew bruce.mayhew at aspectsecurity.com
Mon Dec 5 08:49:07 EST 2005


Hi Vincent

1) Has been fixed.  I have a patch release for OWASP but I haven't delivered it yet.  

2) Rogan addressed in separate e-mail

3) Thanks - I'll add to the patch release

4) Working on that.

5) I'll look into that and add that to my patch release.

Thanks for the comments!

Bruce

  ----- Original Message ----- 
  From: Vincent Partington 
  To: owasp-webgoat at lists.sourceforge.net 
  Sent: Saturday, December 03, 2005 10:19 AM
  Subject: [OWASP-WEBGOAT]WebGoat 3.7: bug in StoredXss (on Windows at least), bug in build.xml, can't solve Predictable Session Identifier, missing lesson plans


  Hi,

  First of all, I want to say that I really like WebGoat. I've used it for 
  two secure coding classes now and it works very well to let people get a 
  first hand feel for what the OWASP top ten vulnerabilities are about. 
  The Top Ten itself is good for raising awareness of security issues, but 
  WebGoat makes it even more visible. Thanks!

  I did have a few niggles with it:

  1. The StoredXss lesson doesn't work on Windows with the ODBC driver to 
  connect to the Access database. The code in makeCurrent() wants to 
  retrieve the MESSAGE_COL column twice and the ODBC driver (or the 
  OdbcJdbcBridge) can't handle that. I changed the middle bit to only 
  retrieve the column once (and store it in the local variable "messageCol") 
  to make it work:
  ===
     TR row2 = new TR( new TD( new B(new StringElement( "Message:" )) ) );
     String messageCol = results.getString( MESSAGE_COL );
     row2.addElement( new TD( new StringElement( messageCol ) ) );
     t.addElement( row2 );

     // Edited by Chuck Willis - added display of the user who
     // posted the message, so that if users use a cross site
     // request forgery or XSS to make another user post a
     // message, they can see that the message is attributed
     // to that user

     TR row3 = new TR( new TD( new StringElement( "Posted By:" ) ) );
     row3.addElement( new TD( new StringElement(
       results.getString( USER_COL ) ) ) );
     t.addElement( row3 );

     ec.addElement( t );

     if ( messageCol.toLowerCase().indexOf( "script" ) != -1 )
     {
       makeSuccess( s );
     }
  ===

  2. I couldn't solve the Predictable Session Identifier lesson. I used 
  WebScarab (nice tool too!) to plot the session identified and although a 
  weakness seems to be there, I wasn't able to exploit it. Is this lesson 
  a lot harder than the other ones?

  3. There was a typo in DOS_Login.java and it had no lesson plan. I fixed 
  the typo and wrote a lesson plan, see attachments.

  4. The web services lessons also had no lesson plan: Soap Request, WSDL 
  Scanning, and Web Service SQL Injection.

  5. The build.xml did not have a "dist" target, but a "dist_CBT" target. 
  That target seemed to want to invoke the macros <CopyWebCBTToBuild/> 
  and <WarBuild/>, but they hadn't been defined. I changed that to invoke 
  the targets -WebXMLWindows, -CopyWebCBTToBuild and -WarBuild. The first 
  was done to make sure the web-windows.xml was copied to web.xml, because 
  that step would otherwise be skipped. See attachment for the fixed 
  build.xml.

  Well, I hope these remarks are helpful. If you have any more questions, 
  please let me know.

  Thanks for a great tool!

  Regards, Vincent Partington.


  [...original text deleted...]