HTTP Vulnerabilities

Description

The goal of this assignment is to get you started with two software tools, WebGoat and ZAP, developed by the Open Web Application Security Project (OWASP), to exploit some common web vulnerabilites. OWASP is a group of committed security professionals who dedicate their time and expertise to spread the word about common web vulnerabilities and secure web developemnt. Their main site, available at

https://www.owasp.org/

is technically the largest repository of application security knowledge.

WebGoat

Webgoat is a deliberately insecure J2EE web application designed for teaching about web application security. You will need to download and install version 5.2 of WebGoat (not higher versions) from

http://sourceforge.net/projects/owasp/files/WebGoat/WebGoat 5.2/

Follow the installation instructions for your particular platform. To avoid conflict with other servers running on your platform, make sure you use port 8080 for the TomCat server deployed with WebGoat.

Note that the running WebGoat will expose your computer to attacks, so run it when your computer is offline or behind a firewall on a secure network.

Zed Attack Proxy (ZAP)

For some exercises, you will need to use a web testing proxy. The lessons you are to complete in this assignment refer to WebScarab as a proxy. The development of Webscarab slowed in the past year, and its official successor seems to be ZAP (Zed Attack Proxy). The functionality of ZAP is very similar to WebScarab, and you should be able to switch easily from one to the other. ZAP has a friendlier interface and is easier to install. My recommendation is to use ZAP, available for download from

https://www.owasp.org/index.php/ZAP

Both ZAP and Webscarab are much more than web proxies. They include a large amount of cunctionality, and can be used as penetration testing tool for finding vulnerabilities in web applications. In this assignment we will use ZAP only to intercept HTTP traffic between the browser and the web server.

Exercises

Complete the following WebGoat lessons:

1. Introduction
1a. How to work with WebGoat
2. General
    2a. HTTP basics
    2b. HTTP Splitting
    Additional material available https://www.owasp.org/index.php/HTTP_Response_Splitting
3. Session Management Flaws
3b. Spoof an Authenticated Cookie
4. Cross-Site Scripting (XSS)
4d. Cross Site Request Forgery
Additional material available https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Videos that walk you through all steps required to complete these lessons are also avilable at

http://webappsecmovies.sourceforge.net/webgoat/

For lessons 2, 3 and 4, run a web proxy (ZAP or WebScarab) and configure your browser to use the ZAP proxy running on localhost, port 8008 (this is the default port). Inspect the HTTP GET and POST packets exchanged between your browser and the Tomcat server, to understand the dynamics of the HTTP protocol. Make sure to restore the normal browser configuration (no proxy) at the end of your lessons.

Submission

The WebGoat maintains a score card, which shows which lessons you have done. When you are done with a lesson, take a screenshot of your WebGoat screen showing your completed lesson. Email your instructor these screenshots in a .pdf file.