This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP ModSecurity Securing WebGoat Section4 Sublesson 17.2

From OWASP
Revision as of 11:23, 27 October 2008 by Stephen Evans (talk | contribs) (add content)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

17. Web Services -> 17.2 WSDL Scanning

Lesson overview

The WebGoat lesson overview is included with the WebGoat lesson solution.

Lesson solution

Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy

This WebGoat lesson demonstrates WSDL Scanning to get credit card information. The vulnerability is that the attacker can call a Web Service directly; in this case, it is 'getCreditCard'. The attacker retrieves the WSDL, observes the parameters of a normal request 'id=101&SUBMIT=Submit', then intercepts and manipulates the parameters to call the function directly: 'id=101&field=getCreditCard&SUBMIT=Submit'

A ModSecurity solution is straightforward: don't allow a user to directly call a specific set of Web Services - in our case 'getCreditCard' - by blocking on the request if that value for the 'field' parameter appears.

Implementation

None

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_17.2&oldid=44694"