WebGoat Lessons

A short set of notes on how to use OWASP's WebGoat tool as a teaching aid for a computer security course. Implemented as part of an independent study.

Uploaded by

Phil
Copyright
© Attribution Non-Commercial (BY-NC)

WebGoat Lessons

Http Basics

- Lesson is present: Yes
- Time to complete: About ten seconds, unless you start playing around with the
request in WebGoat.
- Notes: None. Dead simple.

-------

How to Exploit Thread Safety Problems

- Lesson is present: Yes
- Time to complete: Once you realize it wants two completely separate browsers and
not just two browser windows: not that long, maybe 5-10 minutes.
- Notes: By default, the only other browser installed in Ubuntu Linux is w3m. This
might be too difficult for students unfamiliar with the command line to use.
Suggest installing a second browser, such as Galeon. Also, when WebGoat claimed I
completed this lesson, I did not in fact see any data from the other user - w3m
got the data it was supposed to, while Firefox actually got no data whatsoever.
However, WebGoat says the lesson was completed.

-------

How to Discover Clues in the HTML

- Lesson is present: Yes
- Time to complete: 2-5 minutes, depending on whether you've ever used 'view
source' before. Beyond that, it's easy to find what you're looking for.
- Notes: none, other than that the situation seems highly unrealistic... I hope it
is, anyway.

-------

How to Exploit Hidden Fields

- Lesson is present: Yes
- Time to complete: 2-5 minutes
- Notes: First problem in the list that requires WebScarab. Very simple.

-------

How to Exploit Unchecked Email

- Lesson is present: Yes
- Time to complete: 2-5 minutes
- Notes: WebScarab lesson. Very simple once you realize you don't actually need to
think of a malicious script so much as you need to intercept the request and
change the email address.

-------

How to Bypass Client-Side JavaScript Validation

- Lesson is present: Yes
- Time to complete: 2-5 minutes (estimated)
- Notes: WebScarab lesson. I had problems getting it to function properly under
Firefox - hitting 'Submit' didn't actually do anything (no request was sent;
WebScarab never reacted at all). Suspect a conflict between Firefox and the
client-side validation JS.

-------

Remote Admin Access

- Lesson is present: Yes
- Time to complete: ?????
- Notes: The hints for this still suck, and I still cannot figure out how to do
this lesson. I'm sure I'll kick myself once I figure out how to do it, but until
then...

-------

LAB: Role-Based Access Control

- Lesson is present: Yes
- Time to complete: part 1, ~1-20 minutes; parts 2-n, ???
- Notes:
* It would be helpful if WebGoat actually gave you the password for one of the
employee accounts. I had to guess that Larry Stooge's password was 'larry'; this
info is nowhere I can find.
* Part 1 is simple enough to do, but I do not understand what part 2 actually
wants - do I actually need to edit the Java?
* Part 3 appeared out of nowhere after I repeated what I did in part 1, so I
don't understand the significance of it either.
* This lab is poorly constructed and unintuitive past the first part.

-------

How to Bypass a Path-Based Access Control Scheme

- Lesson is present: Yes
- Time to complete: 2-5 minutes
- Notes: Very simple lesson.

-------

Using an Access Control Matrix

- Lesson is present: Yes
- Time to complete: 1 minute
- Notes: I don't see the point of this lesson. Log in as Larry and you complete it
successfully.

-------

Forgot Password

- Lesson is present: Yes
- Time to complete: 3 minutes
- Notes: This lesson is guess-and-check. Kind of surprising, but that's brute
force for you.

-------

How to Spoof an Authentication Session

- Lesson is present: Yes
- Time to complete: ???
- Notes: I can't complete this lesson. I don't understand what kind of mechanism
is being used to generate AuthCookie, which seems to be a fundamental part of
doing this lesson correctly.

-------

How to Hijack a Session

- Lesson is present: Yes
- Time to complete: ???
- Notes: It's obvious from the hints it wants me to try brute force, but the hint
about 'gaps where someone has obtained a cookie' makes utterly no sense to me. I
haven't completed this lesson.

-------

Basic Authentication

- Lesson is present: Yes
- Time to complete: ???
- Notes: I understood what it wanted me to do, but no matter how many times I
base64-encoded 'basic:basic' and stuck it in the authorization header, WebGoat
ignored me.
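Added example, not from the original notes or from WebGoat itself: a Python parser and builder for the Basic-scheme Authorization header (RFC 7617), showing the exact shape a server expects and the common malformations (missing scheme token, stray newline in the base64, no colon in the decoded text) that make a server silently treat the request as unauthenticated. The account name 'basic' with password 'basic' is the value the note above tries; everything else is constructed for the example.

```python
import base64
import binascii
from typing import Optional, Tuple


def parse_basic_auth(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an HTTP Authorization header value carrying the Basic scheme.

    Returns (user, password), or None when the header is absent or malformed.
    A server that gets a malformed header treats the request as unauthenticated,
    which from the client's side looks like the header being ignored.
    """
    if header_value is None:
        return None
    # Scheme token is case-insensitive and separated from the credentials by
    # whitespace; outer whitespace (e.g. a trailing newline) is tolerated.
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet, such
        # as a newline pasted into the middle of the token.
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Only the first colon separates user from password; passwords may
    # themselves contain colons, user-ids may not.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def make_basic_auth(user: str, password: str) -> str:
    """Build a well-formed Basic Authorization header value for a known account."""
    if ":" in user:
        raise ValueError("user-id must not contain a colon")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"
```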

-------

LAB: Cross-Site Scripting

- Lesson is present: Yes
- Time to complete: ???
- Notes: Why does the order of lessons appear to be utterly random? Why would a
lab on XSS be in the list before any lessons on how to use XSS? This makes no
sense whatsoever. For example: stage 1 of the lab is to perform a stored XSS
attack. The lesson on how to perform stored XSS is -after- the lab!

-------

How to Perform Stored XSS

- Lesson is present: Yes
- Time to complete: 5 minutes (see notes)
- Notes: I had to do this twice; I put a message with an alert in the body into a
message and it didn't complete, so I did the -exact same thing- and it completed.

-------

How to Perform Reflected XSS Attacks

- Lesson is present: Yes
- Time to complete: 5 minutes
- Notes: How is this different from Stored XSS, other than the fact it's not saved
in the database? Very simple once one figures out which field to store the script
tag in.

-------

How to Perform a Cross-Site Trace

- Lesson is present: Yes
- Time to complete: ???
- Notes: Not only did I not understand the point (who knows what an HTTP TRACE
command does?), trying to do this lesson actually froze WebScarab, forcing me to
restart it.

-------

Buffer Overflow

- Lesson is present: No

-------

How to Perform Command Injection

- Lesson is present: Yes
- Time to complete: 0ms (see below)
- Notes: As soon as I clicked on this lesson, it told me I had completed it
successfully... twice.

-------

How to Perform Parameter Injection

- Lesson is present: No

-------

How to Perform Blind SQL Injection

- Lesson is present: Yes
- Time to complete: 30 minutes
- Notes: This is easily the hardest of the SQL injection lessons. Mostly due to
the repetitious nature of brute force using a complex compound SQL query. In my
opinion, this should be the last SQL injection lesson, not the first one. (It also
doesn't help that the hints on Linux are -still- for Access, not InstantDB.)

-------

How to Perform Numeric SQL Injection

- Lesson is present: Yes
- Time to complete: 1 minute
- Notes: VERY easy, if you know SQL syntax. Could be trickier if you don't.

-------

How to Perform String SQL Injection

- Lesson is present: Yes
- Time to complete: 1 minute
- Notes: Also very easy if you know SQL syntax, probably trickier than the
previous one if you don't.

-------

LAB: SQL Injection

- Lesson is present: Yes
- Time to complete: Stage 1 - 1 minute, stage 2+ - ??
- Notes: Once again, it looks like the labs actually want the user to alter the
Java behind the code.

-------

How to Bypass a Fail-Open Authentication Scheme

- Lesson is present: Yes
- Time to complete: 2 minutes
- Notes: very easy, now that I understand it requires WebGoat.

-------

Encoding Basics

- Lesson is present: Yes
- Time to complete: <1 minute
- Notes: What is the point of this? There's no real way to 'complete' it, or so it
seems.

-------

Denial of Service from Multiple Logins

- Lesson is present: Yes
- Time to complete: ???
- Notes: I think this lesson may be broken. It always displays an error about
being unable to generate org.owasp.webgoat.lessons.DOS_Login, and generating the
exact same query that's in the hints does absolutely -nothing-.

-------

Forced Browsing

- Lesson is present: No
