WebGoat is an intentionally insecure web application maintained by OWASP that is used to teach web application security. It contains various security vulnerabilities and lessons organized by the OWASP Top 10. This document discusses how to install WebGoat and provides an overview of some initial lessons on stored XSS, CSRF, SQL injection, XPath injection, and SAX web services injection. It explains these vulnerabilities and provides hints on how to trigger them in WebGoat.

1. OWASP WEBGOAT
Zakaria SMAHI

2. WHAT IS WEBGOAT
 WebGoat is a delibrately insecure J2EE web application
maintained by OWASP.
 Designed to teach Web Application Security.
 Useful to test Security Products (ex.
IPS/IDS, Firewall, Web application Firewalls) against
OWASP TOP 10 promise, XML and AJAX Security Threats.

3. INSTALL WEBGOAT
1. Download from Google Code
2. Unzip the folder
3. Click on WebGoat.bat
4. Goto http://localhost/WebGoat/
5. Login && pass: guest.

4. CONNECTING THE FIRST
TIME

5. 0X000 CODE QUALITY
Hint !!!
Check the Source
Code of the page ;)

6. 0X001 STORED XSS
 ‘Stored attacks are those where the injected code is
permanently stored on the target servers, such as in a
database, in a message forum, visitor log, comment
field, etc. The victim then retrieves the malicious script from
the server when it requests the stored information.’
OWASP

7. 0X001 STORED XSS
Login as tom

8. 0X001 STORED XSS
 View and Edit the profile for tom.
 Select the address field.
 Copy/Paste the following:
 <script>alert(« XSS »)</script>
 Test !!!

9. 0X001 STORED XSS

10. 0X002 CSRF
 ‘CSRF is an attack which forces an end user to execute
unwanted actions on a web application in which he/she is
currently authenticated. With a little help of social
engineering (like sending a link via email/chat), an attacker
may force the users of a web application to execute actions
of the attacker's choosing. A successful CSRF exploit can
compromise end user data and operation in case of normal
user. If the targeted end user is the administrator
account, this can compromise the entire web application.’
OWASP

11. 0X002 CSRF

12. 0X002 CSRF

13. 0X003 SQL INJECTION
 ‘A SQL injection attack consists of insertion or "injection“ of a
SQL query via the input data from the client to the application. A
successful SQL injection exploit can read sensitive data from the
database, modify database data (Insert/Update/Delete), execute
administration operations on the database (such as shutdown
the DBMS), recover the content of a given file present on the
DBMS file system and in some cases issue commands to the
operating system. SQL injection attacks are a type of injection
attack, in which SQL commands are injected into data-plane
input in order to effect the execution of predefined SQL
commands.’
OWASP

14. 0X003 SQL INJECTION
Hint!!!
Try
‘ OR ‘1’=‘1

15. 0X003 SQL INJECTION

16. 0X004 XPATH INJECTION
 ‘XPath Injection attacks occur when a web site uses user-supplied
information to construct an XPath query for XML data. By sending
intentionally malformed information into the web site, an attacker can find out
how the XML data is structured, or access data that he may not normally
have access to. He may even be able to elevate his privileges on the web
site if the XML data is being used for authentication (such as an XML based
user file).
 Like SQL, you can specify certain attributes to find, and patterns to match.
When using XML for a web site it is common to accept some form of input on
the query string to identify the content to locate and display on the page. This
input must be sanitized to verify that it doesn't mess up the XPath query and
return the wrong data.’
OWASP

17. 0X004 XPATH INJECTION

18. 0X004 XPATH INJECTION
 XPath
login request is:
 //Employee[UserName/text()='" & Request("Username") &
"' And Password/text()='" & Request("Password") & "']
 Let’s add or 1 = 1 or ‘a’ = ‘a so the request becomes:
 //Employee[UserName/text()='what ever you want' or 1=1
or 'a'='a' And Password/text()='what ever you want']
 Try to log in now Bingo !!

19. 0X004 XPATH INJECTION

20. 0X005 SAX WEB SERVICES
INJECTION
 We have seen that it’s possible to send Javascript code
, SQL queries in a non-validated-user-input form.
 It’s also possible to send XML to modify a query.
 It’s used generally in XML web services.
 Some web interfaces make use of Web Services in the
background. If the frontend relies on the web service for all
input validation, it may be possible to corrupt the XML that
the web interface sends.

21. 0X005 SAX WEB SERVICES
INJECTION
<?xml version='1.0' encoding='UTF-8‘?>
<wsns0:Envelope
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns:xsd='http://www.w3.org/2001/XMLSchema'
xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:wsns1='http://lessons.webgoat.owasp.org'>
Hint !
<wsns0:Body>
It’s an XML File
<wsns1:changePassword>
<id xsi:type='xsd:int'>101</id>
<password xsi:type='xsd:string'>[password]</password>
</wsns1:changePassword>
</wsns0:Body>
</wsns0:Envelope>

22. 0X005 SAX WEB SERVICES
INJECTION
<?xml version='1.0' encoding='UTF-8'?>
<wsns0:Envelope
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns:xsd='http://www.w3.org/2001/XMLSchema'
xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:wsns1='http://lessons.webgoat.owasp.org'>
<wsns0:Body>
<wsns1:changePassword>
<id xsi:type='xsd:int'>101</id>
<password xsi:type='xsd:string'>pass_101</password>
</wsns1:changePassword>
<wsns1:changePassword>
<id xsi:type='xsd:int'>102</id>
<password xsi:type='xsd:string'>pass_102</password>
</wsns1:changePassword>
</wsns0:Body>
</wsns0:Envelope>

23. 0X005 SAX WEB SERVICES
INJECTION

24. Thank You !