[Owasp-o2-platform] How to change a parameter?

dinis cruz dinis.cruz at owasp.org
Fri Dec 3 09:44:38 EST 2010


Hi Thiago

Thanks for giving O2 a try, I've looked at your script and have come up with
a *first-pass-at-a-solution* which you can get from here:
http://o2platform.wordpress.com/2010/12/03/solving-webgoat-sql-injection-lesson-3rd-one/

Expanding on the blog entry's description of how I solved the problem you
were having (i.e. how to change the value of the
*ie.selectLists()[1].options()[0].select()* field), here are the specific
steps/workflow I took to address it:


   - See if there is a Watin_IE extension method that already supports this
   (see Watin_IE_ExtensionMethod.cs<http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/Windows/WatiN/WatiN_IE_ExtensionMethods.cs>
   for the full list). Unfortunately, today (unlike TextBoxes for example)
   that is not there (basically because nobody asked for it before :)  ).
   Also note that this version of WatiN doesn't support the direct editing
   of this value, i.e.: *ie.selectLists()[1].options()[0].Value = PAYLOAD*
   - Since there was no easy way to change it (and I was pressed for time),
   I decided to manipulate the HTML directly (instead of creating the
   extension method):
      - First I tried to change the value of the Option directly:
      *ie.selectLists()[1].options()[0].outerHtml("PAYLOAD")*
      which, although it worked in the control, broke the HTML of the page
      - I then decided to change the select control directly, i.e.:
      *ie.selectLists()[1].outerHtml("PAYLOAD")* which worked ok (note that
      the actual payload was a search and replace for the current value of
      the option we wanted to edit)
   - Once the HTML was modified, it was just a case of submitting the button
   using *ie.button("ViewProfile").click();*
   - I also added a check at the end to make sure it was working

A couple of notes:

   - This script can be dramatically simplified once we add support for
   modifying the Options HTML tag to the
   Watin_IE_ExtensionMethod.cs<http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/Windows/WatiN/WatiN_IE_ExtensionMethods.cs>.
   There are also a number of debug messages that I put in this code to help
   understand what is going on (which can be removed)
   - There is actually a WebGoat API which could be used to perform a
   number of actions (see
   API_WebGoat.cs<http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/WebGoat/API_WebGoat.cs>)
   - This script should be converted into a UnitTest with the final check
   done using an Assert.That(...)
   - For performance reasons this script can also be written without IE
   Browser automation (O2 also has extended support for direct Http
   Requests/Responses manipulations)
   - One of the research projects that I'm doing at the moment (and could
   really do with some help) is how to 'translate' this script into something
   that can be consumed by a BlackBox scanner or proxy (one of my targets is
   a Custom O2 version of Netsparker <http://www.mavitunasecurity.com/> that
   I'm building)

Let us know if this works out for you

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
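
The thread works because a `<select>` list only limits what the browser offers, not what the server receives. The following is an added example, not part of the original post or of O2/WebGoat: a minimal Python/sqlite3 sketch of the server side, showing a concatenated numeric lookup beside a hardened one, plus the kind of final check the notes suggest turning into a unit test. The table, column names, sample rows and the "own profile only" rule are assumptions constructed for illustration; the payload string is the one from the quoted script.

```python
import re
import sqlite3

# Constructed sample rows standing in for the lesson's employee data.
ROWS = [(101, "Larry", 55000), (102, "Moe", 140000), (112, "Neville", 450000)]
PAYLOAD = "101 OR 1=1 ORDER BY salary desc"  # value from the quoted script


def make_db():
    # Hypothetical schema, not WebGoat's own.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (userid INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?)", ROWS)
    return db


def view_profile_vulnerable(db, employee_id):
    # The submitted form value is pasted into the SQL text, so anything
    # after the number is parsed as SQL rather than treated as data.
    sql = "SELECT userid, name FROM employee WHERE userid = " + employee_id
    return db.execute(sql).fetchone()


def view_profile_hardened(db, session_userid, employee_id):
    # 1. Validate the type server-side; the <select> is not a control.
    if not re.fullmatch(r"[0-9]{1,9}", employee_id):
        raise ValueError("employee_id must be a plain integer")
    # 2. Authorize against the session (assumed rule: own profile only).
    if int(employee_id) != session_userid:
        raise PermissionError("not allowed to view this profile")
    # 3. Bind the value as a parameter instead of concatenating it.
    sql = "SELECT userid, name FROM employee WHERE userid = ?"
    return db.execute(sql, (int(employee_id),)).fetchone()


def tampering_rejected(db, session_userid=101):
    # Regression check: the tampered option value must never yield a row.
    try:
        view_profile_hardened(db, session_userid, PAYLOAD)
    except (ValueError, PermissionError):
        return True
    return False
```
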


On 3 December 2010 13:12, Thiago Stuckert <thiago.melo.stuckert at gmail.com> wrote:

> Hi, I am trying to solve the third stage of WebGoat sqli through the O2.
> I can select the larry profile in the list with:
> ie.selectLists()[1].options()[0].select().flash();
> but I fail to change the value of the parameter id.
>
> Another way to do this is to intercept the request with WebScarab.
> Has someone automated WebScarab with O2?
>
> My script follows:
>
> panel.clear();
> var ie = panel.add_IE().silent(true);
>
> ie.open("http://172.16.234.138");
> ie.link("OWASP WebGoat version 5.3.x").click();
> ie.link("Injection Flaws").click();
> ie.link("LAB: SQL Injection").click();
> ie.link("Stage 3: Numeric SQL Injection").click();
>
> /*Login with larry user*/
> ie.field("password").value("larry");
> ie.button("Login").flash().click();
>
> ie.selectLists()[1].options()[0].select().flash();
> var payload = "101 OR 1=1 ORDER BY salary desc";
>
> /*Change the id*/
> /* I couldn't do this */
>
> ie.button("ViewProfile").click();
>
> return 0;
>
> --
> Thiago