This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "WebGoat User Guide Introduction"

From OWASP
Jump to: navigation, search
(Overview)
 
(11 intermediate revisions by 7 users not shown)
Line 2: Line 2:
  
 
==Overview ==
 
==Overview ==
The WebGoatv4 application is designed to illustrate typical security flaws within web-applications. It is intended to teach a structured approach to testing for, and exploiting such vulnerabilities within the context of an Application Security Assessment.
+
The WebGoatV5 application is designed to illustrate typical security flaws within web-applications. It is intended to teach a structured approach to testing for, and exploiting such vulnerabilities within the context of an Application Security Assessment.
  
A full Application Security Assessment testing methodology is being documented by <u>http://www.owasp.org/testing/</u> and this will provide a superset of the issues demonstrated within the WebGoat. If may include a formal design and code review, for example. The WebGoat lessons aim to give practical training and examples relating ot the ''Implementation'' ''Review'' phase of the OWASP Web Application Security Testing Methodology.
+
A full Application Security Assessment testing methodology is being documented by <u>http://www.owasp.org/index.php/OWASP_Testing_Project</u> and this will provide a superset of the issues demonstrated within the WebGoat. It may include a formal design and code review, for example. The WebGoat lessons aim to give practical training and examples relating to the ''Implementation'' ''Review'' phase of the OWASP Web Application Security Testing Methodology.
  
The WebGoatv4 Application provides a testing platform for a typical application security assessment. The assessor is given the same information and rights as a typical customer or client of an on-line application.
+
The WebGoatv5 Application provides a testing platform for a typical application security assessment. The assessor is given the same information and rights as a typical customer or client of an on-line application.
 
* The application is web based
 
* The application is web based
 
* The attack simulations are remote  
 
* The attack simulations are remote  
Line 17: Line 17:
  
 
   
 
   
The current lesson plans provided in WebGoatv4 include:
+
The current lesson plans provided in WebGoatv5 include:
  
 
{| border=1
 
{| border=1
  || Http Basics
+
  || HTTP Basics
 +
|-
 +
|| HTTP Splitting and Cache Poisining
 
|-
 
|-
 
  || How to Exploit Thread Safety Problems
 
  || How to Exploit Thread Safety Problems
Line 32: Line 34:
 
  || How to Bypass Client Side JavaScript Validation
 
  || How to Bypass Client Side JavaScript Validation
 
|-
 
|-
  || Remote Admin Access
+
  || How to Force Browser Web Resources
 +
|-
 +
|| How to Bypass a Role Based Access Control Scheme
 
|-
 
|-
 
  || How to Bypass a Path Based Access Control Scheme
 
  || How to Bypass a Path Based Access Control Scheme
Line 40: Line 44:
 
  || Using an Access Control Matrix
 
  || Using an Access Control Matrix
 
|-
 
|-
  || Forgot Password
+
  || How to Exploit the Forgot Password Page
 
|-
 
|-
 
  || How to Spoof an Authentication Cookie
 
  || How to Spoof an Authentication Cookie
Line 57: Line 61:
 
|-
 
|-
 
  || Buffer Overflow (TBD)
 
  || Buffer Overflow (TBD)
 +
|-
 +
|| [[HTTPOnly]] Test
 
|-
 
|-
 
  || How to Perform Command Injection
 
  || How to Perform Command Injection
Line 64: Line 70:
 
  || How to Perform Blind SQL Injection
 
  || How to Perform Blind SQL Injection
 
|-
 
|-
  || How to Perform Numeric SQL Injection
+
  || How to Perform Numeric SQL Injection  
 +
|-
 +
|| How to Perform String SQL Injection
 +
|-
 +
|| How to Perform Log Spoofing
 
|-
 
|-
  || How to Perform String SQL Injection
+
  || How to Perform XPATH Injection Attacks
 
|-
 
|-
 
  || LAB: SQL Injection
 
  || LAB: SQL Injection
Line 72: Line 82:
 
  || How to Bypass a Fail Open Authentication Scheme
 
  || How to Bypass a Fail Open Authentication Scheme
 
|-
 
|-
  || Encoding Basics
+
  || How to Peform Basic Encoding
 
|-
 
|-
 
  || Denial of Service from Multiple Logins
 
  || Denial of Service from Multiple Logins
 
|-
 
|-
  || Forced Browsing
+
  || How to Create a SOAP Request
 +
|-
 +
|| How to Perform WSDL Scanning
 +
|-
 +
|| How to Perform Web Service SAX Injection
 +
|-
 +
|| How to Perform Web Service SQL Injection
 +
|-
 +
|| How to Perform DOM Injection Attack
 +
|-
 +
|| How to Perform XML Injection Attacks
 
|-
 
|-
  || How to Create a Soap Request
+
  || How to Perform JSON Injection Attack
 
|-
 
|-
  || WSDL Scanning
+
  || How to Perform Silent Transactions Attacks
 
|-
 
|-
  || Web Service SQL Injection
+
  || How to Add a New Lesson
 
|-
 
|-
  || The Challenge
+
  || The Challenge  
 
|-
 
|-
 
|}
 
|}

Latest revision as of 17:20, 30 November 2009

WebGoat User and Install Guide Table of Contents

Overview

The WebGoatV5 application is designed to illustrate typical security flaws within web-applications. It is intended to teach a structured approach to testing for, and exploiting such vulnerabilities within the context of an Application Security Assessment.

A full Application Security Assessment testing methodology is being documented by http://www.owasp.org/index.php/OWASP_Testing_Project and this will provide a superset of the issues demonstrated within the WebGoat. It may include a formal design and code review, for example. The WebGoat lessons aim to give practical training and examples relating to the Implementation Review phase of the OWASP Web Application Security Testing Methodology.

The WebGoatv5 Application provides a testing platform for a typical application security assessment. The assessor is given the same information and rights as a typical customer or client of an on-line application.

  • The application is web based
  • The attack simulations are remote

All of the described techniques may be performed from any connected location.

  • The testing is black-box

Source code is not supplied, but it can be viewed and downloaded.

  • Credentials and operational information is provided

Of course, the teaching aspect of WebGoat means that certain information will be revealed that would not typically be available. This makes it possible to guide the tester through an assessment process.


The current lesson plans provided in WebGoatv5 include:

HTTP Basics
HTTP Splitting and Cache Poisining
How to Exploit Thread Safety Problems
How to Discover Clues in the HTML
How to Exploit Hidden Fields
How to Exploit Unchecked Email
How to Bypass Client Side JavaScript Validation
How to Force Browser Web Resources
How to Bypass a Role Based Access Control Scheme
How to Bypass a Path Based Access Control Scheme
LAB: Role based Access Control
Using an Access Control Matrix
How to Exploit the Forgot Password Page
How to Spoof an Authentication Cookie
How to Hijack a Session
Basic Authentication
LAB: Cross Site Scripting
How to Perform Stored Cross Site Scripting (XSS)
How to Perform Reflected Cross Site Scripting (XSS)
How to Perform Cross Site Trace Attacks (XSS)
Buffer Overflow (TBD)
HTTPOnly Test
How to Perform Command Injection
How to Perform Parameter Injection
How to Perform Blind SQL Injection
How to Perform Numeric SQL Injection
How to Perform String SQL Injection
How to Perform Log Spoofing
How to Perform XPATH Injection Attacks
LAB: SQL Injection
How to Bypass a Fail Open Authentication Scheme
How to Peform Basic Encoding
Denial of Service from Multiple Logins
How to Create a SOAP Request
How to Perform WSDL Scanning
How to Perform Web Service SAX Injection
How to Perform Web Service SQL Injection
How to Perform DOM Injection Attack
How to Perform XML Injection Attacks
How to Perform JSON Injection Attack
How to Perform Silent Transactions Attacks
How to Add a New Lesson
The Challenge


Future releases of WebGoat will include more lessons and functionality. Should you have any suggestions for improvement or new lessons please contact [email protected] with your ideas.


WebGoat User and Install Guide Table of Contents