OWASP WEBGOAT

1. OWASP WEBGOAT

2. WHAT IS WEBGOAT • WEBGOAT is a deliberately insecure web application maintained by OWASP. • Designed to teach Web Application Security. • Useful to test Security Products (ex. XML and AJAX Security Threats)

3. INSTALL WEBGOAT • Download from Google Code. http://code.google.com/p/webgoat/downloads/list • Unzip the folder • Click on WebGoat.bat • Go to http://localhost/WebGoat/attack • Login && pass: guest

4. CONNECTION THE FIRST TIME

5. BACKGROUND • A computer program is a passive collection of instructions; a process is the actual execution of those instructions ( It contains the program code and its current activity). Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed. • A  thread of execution is the smallest sequence of programmed instructions that can be managed independently by an operating system. • Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently. • Threads shares state, memory and resources with other threads in the same process. Since each thread gets its own call stack, local variables aren’t shared. Instance and class variables, however, are shared across threads.

6. ATTACKS • Concurrency – Thread Safety Problems. • Shopping Cart Concurrency Flaw. • XPATH Injection. • Silent Transaction Attacks.

7. Concurrency – Thread Safety Problems. • Web applications can handle many HTTP requests concurrently. However, developers often use variables that are not thread safe, means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. • Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently. • This problem is caused by using incorrect Java code: • The root-cause of this exploit is that the Java code uses a static variable for the user name. When submitting • twice, the same thread and hence the same static variable containing the username of the first request will be • used. • private static String currentUser; • .

8. Count… • General Goal: • The user should be able to exploit the concurrency error in the web application and view login information for another user that is attempting the same function at the same time • Start WebGoat : Click on Concurrency > Thread Safety Problems • This will require the use of two browsers. Valid user names are 'jeff' and 'dave‘. • Simply open two browsers on the same web page and enter “dave” in one user name box and “jeff” in the other. Submit both as quickly as possible and they both return the same user ID.

9. Shopping Cart Concurrency Flaw General Goal(s):For this attack, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price. • Start WebGoat : Click on Concurrency > Shopping Cart Concurrency flaw • Now, create two Tabs of same link, In same Browser : Tab X and Tab Y . • Now, you can see there are Cart Items, Quantity and Price, our task is Get Sony Vaio with Intel Centrino just for 169$ at the price of Hitachi Hard Drive. • In Tab X Choose lower price item with 1 Quantity and Click on Purchase. • Now the Browser sent request to server That user want to Purchase item Just require the Confirmation. So Server already got a request of Purchase with Price value and Quantity. • Just at the Same time switch to second tab Y and Choose Higher Price Item with same Quantity and Click on Update Cart. • The Trick is here only, First your browser sent a request of 1 Quantity of item with the Price of 169$ to Purchase. But After a minute Hacker changed his mind and updated cart with different item = 1 quantity with the price of 1,799$, The variable of the price has been overwritten now.

10. XPATH Injection. • Similar to SQL Injection, XPath Injections operate on web sites that uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML based user file). • Start WebGoat : Click on Injection Flaws > XPATH Injection • First time :Enter Mike, test123 and hit submit. • Second time: Enter ' or '1' ='1 and hit submit.

11. Silent Transaction Attacks • This lesson shows a money transfer page with the user's balance, the recipient's account ID and the amount of money to transfer. Normally, the HTML code calls the 'processData()' function which does authorization and validation, then calls the 'submitData' function. •  The application uses AJAX to submit the transaction have a vulnerability is that malicious code injected into the page can call the AJAX code directly - bypassing client side validation - which results in a silent transaction without the user's authorization. • Used 4567 for ‘Transfer to Account’. Specified amount as 500000 and hit the confirm button which duly informed me I cannot transfer more funds than are available in the account.Opened Firebug and in the ‘console’ section inputted: Javascript:submitData(4567, 500000).

12. Thanks Q & A Darabseh and Namin, “The Accuracy of User Authentication Through Keystroke Features Using Most Frequent Words”, CISRC , Oak Ridge, Tennessee, USA, April2014