This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Section 4: Mitigating the WebGoat lessons"

From OWASP
Jump to: navigation, search
(Overall strategy: add content)
(Overall strategy)
Line 41: Line 41:
  
 
The best way to open the discussion about the overall strategy used is to show a chunk of the initialization file:
 
The best way to open the discussion about the overall strategy used is to show a chunk of the initialization file:
{{{
+
 
 +
<nowiki>
 
<LocationMatch "^/WebGoat/attack$">
 
<LocationMatch "^/WebGoat/attack$">
 
   # Group 1: the following block pertain to pages that don't have Screen or menu parameters
 
   # Group 1: the following block pertain to pages that don't have Screen or menu parameters
 
1.  SecRule &ARGS:Screen "!@eq 0" chain,skipAfter:200
 
1.  SecRule &ARGS:Screen "!@eq 0" chain,skipAfter:200
 
2.  SecRule &ARGS:menu "!@eq 0" "t:none"
 
2.  SecRule &ARGS:menu "!@eq 0" "t:none"
}}}
+
</nowiki>
  
 
=== Using the Lua scripting language ===
 
=== Using the Lua scripting language ===

Revision as of 09:39, 24 July 2008

Project metrics

See Section 2 for the WebGoat lesson Table of Contents, and an overview of the results from doing the WebGoat lessons. Appendix A contains a zip file which is made up of the lesson plans and solutions - in HTML format - which were taken from WebGoat and can be viewed stand-alone.

Out of 51 possible lessons, the following are teaching lessons, not vulnerabilities, and therefore have no context for ModSecurity rules:

  • 1.1 Http Basics
  • 4.1 Password Strength
  • 15.3 Bypass Client Side JavaScript Validation
  • 17.1 Create a SOAP Request

Therefore there is a total number of 47 lessons to do; half is 24 so that was the goal of the first 50% of project completion. The lowest hanging fruit was taken first because considerable effort was put into: (1) setup and configuration of the environment; (2) getting familiar with WebGoat and taking all of the lessons; (3) learning ModSecurity (and Remo); (4) re-learning regular expressions; (5) learning Lua script; and (6) developing an efficient work methodology.

The total number of sublessons mitigated by ModSecurity rules: 25 - thereby achieving the goal of at least 50% of sublessons mitigated.

They are:

  • Sublesson 1.2
  • Sublesson 2.4
  • Sublessons 4.2, 4.4, 4.5
  • Sublesson 6.1
  • Sublessons 8.1, 8.2, 8.4, 8.5, 8.7
  • Sublesson 10.1
  • Sublessons 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8
  • Sublesson 13.1
  • Sublessons 15.1, 15.2
  • Sublessons 17.3, 17.4

Overall strategy

4.2 Overall strategy

The intention of mitigating the vulnerabilities is to demonstrate the largest variety of mitigating solutions and features of ModSecurity as possible: - Some lessons are solved using the easiest way possible for convenience (and to count towards achieving the goal of 50% complete!) - Some lessons are solved by using rules from the core rulesets provided by Breach Security - Some mitigating solutions are meant to be global, meaning being in effect at all times, like the XSS and Command Injection core rules from Breach Security - One lesson demonstrates the use of a session variable - Some lessons require persistence beyond what is offered by ModSecurity; Lua scripts are used to achieve this - Some lessons require a more robust capability than ModSecurity's regular expressions, 'and/or' logical mechanisms, and goto statements (skip and skipAfter); again, Lua scripts are used to achieve this. - One lesson uses the 'append' action to append Javascript to the end of a response body, which alters the content and behavior of the HTML page

The rulesets can be used all together or, for a specific WebGoat sublesson, the initialization file (rulefile_00_initialize.conf) plus that sublesson's ruleset can be used.

The best way to open the discussion about the overall strategy used is to show a chunk of the initialization file:

<LocationMatch "^/WebGoat/attack$"> # Group 1: the following block pertain to pages that don't have Screen or menu parameters 1. SecRule &ARGS:Screen "!@eq 0" chain,skipAfter:200 2. SecRule &ARGS:menu "!@eq 0" "t:none"

Using the Lua scripting language

Structure of mitigating a lesson

The mitigating solutions