Open Web Application Security Project: WebGoat

OWASP WEBGOAT
Alaa Darabseh, Department of Computer Science, Texas Tech University, USA (alaa.darabseh@ttu.edu)
Akbar Siami Namin, Department of Computer Science, Texas Tech University, USA (akbar.namin@ttu.edu)
WHAT IS WEBGOAT
• WebGoat is a deliberately insecure web application maintained by OWASP.
• Designed to teach web application security.
• Useful for testing security products (e.g., against XML and AJAX security threats).
INSTALL WEBGOAT
1. Download from Google Code: http://code.google.com/p/webgoat/downloads/list
2. Unzip the folder.
3. Click on WebGoat.bat.
4. Go to http://localhost/WebGoat/attack
5. Login and password: guest
CONNECTION THE FIRST TIME
BACKGROUND
• A computer program is a passive collection of instructions; a process is the actual execution of those instructions (it contains the program code and its current activity). Several processes may be associated with the same program; for example, opening several instances of the same program usually means more than one process is being executed.
• A thread of execution is the smallest sequence of programmed instructions that can be managed independently by an operating system.
• Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently.
• Threads share state, memory and resources with the other threads in the same process. Since each thread gets its own call stack, local variables are not shared. Instance and class variables, however, are shared across threads.
ATTACKS




• Concurrency – Thread Safety Problems
• Shopping Cart Concurrency Flaw
• XPATH Injection
• Silent Transaction Attacks
Concurrency – Thread Safety Problems
• Web applications handle many HTTP requests concurrently, but developers often use variables that are not thread safe. A class or object is thread safe when its fields always remain in a valid state while several threads use them at the same time; a field that one request writes and another request reads back is not.
• Because all threads share the same method area, and the method area is where all class (static) variables are stored, multiple threads can attempt to use the same class variable concurrently.
• The lesson's problem is caused by incorrect Java code. The root cause of this exploit is that the user name is kept in a static variable. When two requests arrive at the same time, both run against the same class and hence the same static variable, so the user name written by the first request is overwritten by the second one before the first request reads it back:
    private static String currentUser;
General Goal:
The user should be able to exploit the concurrency error in the web application and view login information for another user that is attempting the same function at the same time.
1. Start WebGoat: Click on Concurrency > Thread Safety Problems
2. This requires the use of two browsers. Valid user names are 'jeff' and 'dave'.
3. Open the same page in both browsers, enter "dave" in one user name box and "jeff" in the other, and submit both as quickly as possible. Both return the same user ID.
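The race behind the lesson, as an added example (this is not WebGoat's lesson code; the class and method names are assumptions). Two threads play the two browsers: the static-field version stores the user name where every request thread can see it, so the thread that wrote first reads back the other request's name after the simulated database round-trip; the fixed version keeps the name in a local variable, which lives on the thread's own stack and cannot be overwritten by another request.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Added example, not WebGoat's code: reproduces the 'Thread Safety Problems' bug
// (a static field shared by all request threads) and the local-variable fix.
public class ThreadSafetyDemo {

    // Vulnerable: one field for the whole class, shared by every request thread.
    static class UnsafeLookup {
        private static String currentUser;

        static String lookup(String userName) throws InterruptedException {
            currentUser = userName;
            Thread.sleep(50);       // stands in for the database round-trip
            return currentUser;     // may now hold another request's user name
        }
    }

    // Fixed: the user name is a local variable, so each thread has its own copy.
    static class SafeLookup {
        static String lookup(String userName) throws InterruptedException {
            String user = userName;
            Thread.sleep(50);
            return user;
        }
    }

    interface Lookup { String run(String userName) throws InterruptedException; }

    // Fire two "requests" at once and count how many came back with the wrong user.
    static int raceOnce(Lookup lookup) throws InterruptedException {
        CountDownLatch start = new CountDownLatch(1);
        AtomicInteger wrong = new AtomicInteger();
        String[] users = {"jeff", "dave"};          // the lesson's two valid users
        Thread[] threads = new Thread[users.length];
        for (int i = 0; i < users.length; i++) {
            final String u = users[i];
            threads[i] = new Thread(() -> {
                try {
                    start.await();                  // release both threads together
                    if (!u.equals(lookup.run(u))) wrong.incrementAndGet();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
            threads[i].start();
        }
        start.countDown();
        for (Thread t : threads) t.join();
        return wrong.get();
    }

    public static void main(String[] args) throws InterruptedException {
        int rounds = 20, unsafeWrong = 0, safeWrong = 0;
        for (int i = 0; i < rounds; i++) {
            unsafeWrong += raceOnce(UnsafeLookup::lookup);
            safeWrong += raceOnce(SafeLookup::lookup);
        }
        System.out.println("static field: " + unsafeWrong + " of " + 2 * rounds
                + " requests saw another user's name");
        System.out.println("local var:    " + safeWrong + " of " + 2 * rounds
                + " requests saw another user's name");
    }
}
```

The static-field version typically returns the wrong name for one of the two requests in almost every round; the local-variable version never does. Making the field an instance field of the servlet would not help, since the container uses one servlet instance for all requests; the data has to be request-scoped.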
Shopping Cart Concurrency Flaw
General Goal(s):
For this attack, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price.
1. Start WebGoat: Click on Concurrency > Shopping Cart Concurrency Flaw
2. Open the same page in two tabs of the same browser: Tab X and Tab Y. Both tabs share one session and therefore one cart.
3. The page lists cart items, quantity and price. The task is to get the Sony Vaio with Intel Centrino ($1,799) for $169, the price of the Hitachi hard drive.
4. In Tab X, choose the lower-priced item with quantity 1 and click Purchase.
5. The browser has now sent the server a purchase request with that price and quantity; the server shows a confirmation page and waits for you to confirm.
6. At the same time, switch to Tab Y, choose the higher-priced item with the same quantity and click Update Cart.
7. Return to Tab X and confirm. The trick: the confirmation was built from a cart holding one item at $169, but the shared cart has since been changed to one item at $1,799. The server keeps the $169 total from the confirmation step while the cart contents have been overwritten, so the Vaio is bought at the hard-drive price.
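The same time-of-check/time-of-use flaw in code, as an added example (not WebGoat's implementation; the class names, the two-step checkout API and the product prices are assumptions, the prices following the lesson's figures). The unsafe checkout computes the total when Purchase is pressed and ships whatever the shared cart holds when Confirm is pressed; the fixed checkout freezes the order at Purchase time and refuses to confirm if the cart no longer matches it.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not WebGoat's code: models the 'Shopping Cart Concurrency Flaw'
// and its fix. No threads are needed: two tabs of one session act sequentially.
public class CartRaceDemo {

    // Constructed catalogue: item name -> price in dollars.
    static final Map<String, Integer> CATALOGUE = Map.of(
            "Hitachi Hard Drive", 169,
            "Sony Vaio with Intel Centrino", 1799);

    // One session's cart, shared by every tab of that browser session.
    static class Cart {
        private final Map<String, Integer> items = new LinkedHashMap<>(); // item -> quantity

        void update(String item, int quantity) {     // the "Update Cart" button
            items.clear();
            items.put(item, quantity);
        }
        int total() {
            int sum = 0;
            for (Map.Entry<String, Integer> e : items.entrySet())
                sum += CATALOGUE.get(e.getKey()) * e.getValue();
            return sum;
        }
        String contents() { return items.toString(); }
    }

    // Vulnerable: "Purchase" records the total, "Confirm" ships the cart as it is now.
    static class UnsafeCheckout {
        private int priceShown;
        int purchase(Cart cart) { priceShown = cart.total(); return priceShown; }
        String confirm(Cart cart) {
            return "charged $" + priceShown + " for " + cart.contents();
        }
    }

    // Fixed: "Purchase" freezes items and total together; "Confirm" charges that
    // frozen order and rejects the confirmation if the cart has changed meanwhile.
    static class SafeCheckout {
        private String frozenItems;
        private int frozenTotal;
        int purchase(Cart cart) {
            frozenItems = cart.contents();
            frozenTotal = cart.total();
            return frozenTotal;
        }
        String confirm(Cart cart) {
            if (!cart.contents().equals(frozenItems) || cart.total() != frozenTotal)
                return "rejected: cart changed after purchase was started, please review";
            return "charged $" + frozenTotal + " for " + frozenItems;
        }
    }

    public static void main(String[] args) {
        Cart cart = new Cart();
        UnsafeCheckout unsafe = new UnsafeCheckout();
        SafeCheckout safe = new SafeCheckout();

        // Tab X: put the cheap item in the cart and press Purchase.
        cart.update("Hitachi Hard Drive", 1);
        System.out.println("shown at purchase: $" + unsafe.purchase(cart));
        safe.purchase(cart);

        // Tab Y: same session, same cart; swap in the expensive item and press Update Cart.
        cart.update("Sony Vaio with Intel Centrino", 1);

        // Tab X: press Confirm. The unsafe flow sells the new contents at the old price;
        // the safe flow notices the mismatch and refuses.
        System.out.println("unsafe: " + unsafe.confirm(cart));
        System.out.println("safe:   " + safe.confirm(cart));
    }
}
```

The general rule is that the price the user agreed to and the goods that price covers must be captured in one immutable record at the moment of agreement, and every later step must act on that record rather than re-reading mutable session state.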
XPATH Injection
• Similar to SQL injection, XPath injection targets web sites that use user-supplied information to construct an XPath query over XML data. By sending intentionally malformed input to the web site, an attacker can find out how the XML data is structured, or access data that he would not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is used for authentication (such as an XML-based user file).
• Start WebGoat: Click on Injection Flaws > XPATH Injection
• First time: enter Mike, test123 and hit submit.
• Second time: enter ' or '1'='1 and hit submit.
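What the two submissions do to the query, as an added example using only the JDK's javax.xml.xpath (this is not WebGoat's lesson code; the XML user file, the employee records and the method names are constructed for the demonstration). The vulnerable login concatenates both fields into the XPath expression; the fixed login binds them as XPath variables through an XPathVariableResolver, so the expression itself never changes.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example, not WebGoat's code: XPath injection against an XML user file
// and the variable-binding fix.
public class XPathInjectionDemo {

    // Constructed user file; "Mike"/"test123" mirrors the lesson's first submission.
    static final String USERS_XML =
            "<employees>"
            + "<employee id=\"1\"><username>Mike</username><password>test123</password>"
            + "<salary>80000</salary></employee>"
            + "<employee id=\"2\"><username>Alice</username><password>s3cret</password>"
            + "<salary>95000</salary></employee>"
            + "</employees>";

    static Document parse() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so the same parser cannot be abused for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(USERS_XML)));
    }

    // Vulnerable: user input is pasted straight into the XPath expression.
    static int loginUnsafe(Document doc, String user, String pass) throws Exception {
        String expr = "/employees/employee[username/text()='" + user
                + "' and password/text()='" + pass + "']";
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();    // number of employee records the login "proves"
    }

    // Fixed: the expression is a constant; input arrives through $u and $p.
    static int loginSafe(Document doc, String user, String pass) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name -> {
            switch (name.getLocalPart()) {
                case "u": return user;
                case "p": return pass;
                default:  return null;
            }
        });
        String expr = "/employees/employee[username/text()=$u and password/text()=$p]";
        NodeList hits = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse();
        String payload = "' or '1'='1";   // the lesson's second submission, in both fields
        System.out.println("unsafe, Mike/test123 : " + loginUnsafe(doc, "Mike", "test123") + " record(s)");
        System.out.println("unsafe, injected     : " + loginUnsafe(doc, payload, payload) + " record(s)");
        System.out.println("safe,   Mike/test123 : " + loginSafe(doc, "Mike", "test123") + " record(s)");
        System.out.println("safe,   injected     : " + loginSafe(doc, payload, payload) + " record(s)");
    }
}
```

With the payload in both fields the unsafe predicate becomes `username/text()='' or '1'='1' and password/text()='' or '1'='1'`; `and` binds tighter than `or`, so the trailing `'1'='1'` makes the whole predicate true and every employee record (salaries included) matches. In the fixed version the same payload is just a string that no username equals. If a resolver is not available, the fallback is to reject any input containing the characters ' " ( ) [ ] = and the words `or` and `and` before building the query, but binding is the robust choice.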
Silent Transaction Attacks
• This lesson shows a money transfer page with the user's balance, the recipient's account ID and the amount of money to transfer.
• Normally, the HTML code calls the 'processData()' function, which does authorization and validation, and then calls the 'submitData()' function.
• The application uses AJAX to submit the transaction. The vulnerability is that malicious code injected into the page can call the AJAX code directly, bypassing client-side validation, which results in a silent transaction without the user's authorization.
Used 4567 for 'Transfer to Account'. Specified the amount as 500000 and hit the confirm button, which duly informed me I cannot transfer more funds than are available in the account.
Opened Firebug and in the 'console' section inputted: Javascript:submitData(4567, 500000).
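Why the console call succeeds, and what the server should have done, as an added example (this is not WebGoat's code; the account numbers other than 4567, the balances, the user names and the handler signature are constructed for the demonstration). The balance check that processData() performs in the browser is only a convenience; the server-side handler below performs ownership, amount and balance checks itself on every request, so a direct submitData(4567, 500000) call arrives at the same checks as the button does.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not WebGoat's code: server-side validation for the AJAX transfer
// endpoint that the 'Silent Transaction Attacks' lesson leaves to client-side script.
public class SilentTransactionDemo {

    // Constructed accounts: account id -> balance in dollars. 4567 is the lesson's recipient.
    static final Map<Integer, Integer> BALANCES = new HashMap<>();
    // Constructed ownership: logged-in user -> the account that user may debit.
    static final Map<String, Integer> OWNER_OF = new HashMap<>();
    static {
        BALANCES.put(1001, 11987);
        BALANCES.put(4567, 0);
        OWNER_OF.put("guest", 1001);
    }

    // The handler behind submitData(). 'sessionUser' is taken from the server-side
    // session; nothing in the request body is trusted.
    static synchronized String transfer(String sessionUser, int fromAccount,
                                        int toAccount, int amount) {
        Integer owned = OWNER_OF.get(sessionUser);
        if (owned == null || owned != fromAccount)   return "rejected: not your account";
        if (amount <= 0)                              return "rejected: amount must be positive";
        if (!BALANCES.containsKey(toAccount))        return "rejected: unknown recipient";
        int balance = BALANCES.get(fromAccount);
        if (amount > balance)                         return "rejected: insufficient funds";
        BALANCES.put(fromAccount, balance - amount);
        BALANCES.put(toAccount, BALANCES.get(toAccount) + amount);
        return "ok: transferred " + amount + " from " + fromAccount + " to " + toAccount;
    }

    public static void main(String[] args) {
        // The console call from the lesson, minus the client-side check it skipped.
        System.out.println(transfer("guest", 1001, 4567, 500000));
        // A request naming someone else's account, as injected script could send.
        System.out.println(transfer("mallory", 1001, 4567, 100));
        // A legitimate transfer.
        System.out.println(transfer("guest", 1001, 4567, 100));
        System.out.println("balance of 1001 now " + BALANCES.get(1001));
    }
}
```

Server-side checks stop the bypass shown in the lesson; they do not by themselves stop a transfer that injected script sends with a plausible amount in the victim's own session, which is why a real endpoint also requires a step the script cannot forge, such as re-entering the password or a one-time code before the transfer is committed.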
Thanks
Q&A