This is the second in a series of ten posts for the OWASP WebGoat vulnerable web application. New WebGoat posts will go up every Monday.
LAB: Role Based Access Control Scheme
Bypass Business Layer Access Control
For this lab you are tasked with logging in as a user named ‘Tom Cat’ and deleting his profile. The password for the profile is ‘tom’.

Once you have entered the password click the “Login” button and you should see the following:
From here you can see that “Tom Cat” does not have access to delete any profiles.
Going back to the user login page we see that the user “John Wayne” has admin privileges.
The username for “John Wayne” is “john”, so log in as John and let’s see if his panel is different.
Now we know John has the privileges to delete profiles. To determine the name of the server action that deletes profiles, we need to launch the Tamper Data service.
By launching the Tamper Data service we are able to intercept the request before it is sent to the server and inspect the action name that is being passed to the server. Next you need to click on the Start Tamper button located on the top left of the window, just below the close window button.
Next click on the DeleteProfile button and you should see this:
Click on the Tamper button and you should see this:
Now we have our action name, which is DeleteProfile. We also see another parameter with the value 103; I had selected Curly Stooge as the employee to delete in this example.
Go back to the login page and login as Tom Cat again. Once you are logged in make sure that you have the Start Tamper turned on and select Tom Cat from the listbox. Next click on the ViewProfile button and click the Tamper button when the window pops up.
Now we see that Tom Cat has an employee_id of 105 and the action shows ViewProfile. Change the action from ViewProfile to DeleteProfile and click the OK button.
Breaking Data Layer Access Control
For this one you are tasked with exploiting a data layer access control flaw to view another employee’s profile. It starts off with logging in as Tom Cat again; unfortunately Tom Cat no longer exists, so we will do this task as Larry Stooge. The first thing that we need to do is figure out what the employee_id is for another user so that we can view that user’s profile. So first we are going to log in as John Wayne. Next we will start up the Tamper Data service and then click the Start Tamper button. Click on Eric Walker and then click on the ViewProfile button. Click the Tamper button and we see that Eric Walker has an employee_id of 104.
Now let’s log in as Larry Stooge. After you have logged in, make sure that you have Tamper Data enabled, then click on Larry Stooge in the listbox and click on the ViewProfile button. Click the Tamper button and change the employee_id from 101 to 104 so that we can view the profile of Eric Walker.
Click the OK button and you are done.
Remote Admin Access
With this attack you are supposed to gain access to the admin panel of the server (WebGoat) itself. This is a pretty straightforward attack; the admin interface is controlled through a URL parameter. Let’s take a look at the URL we are going to modify to gain this access:
http://127.0.0.1:8088/WebGoat/attack?Screen=18&menu=200
That is the URL we need to modify to make the admin interface appear. To do this we will simply append “&admin=true” without the quotes. Your URL may look different, but ultimately if you append the &admin=true parameter you will get access:
This only gives you access to the Admin Functions but does not complete the task. Next you will want to click on the User Information link, which is a sublink of the Admin Functions on the left side of the site. After this you need to again append &admin=true to the URL, and you are finished.
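All three labs above succeed because the server trusts something the client sent: the action name (DeleteProfile), the employee_id, and the admin query parameter. The following is an added example, not WebGoat’s own code or its fix, showing the server-side checks that close each hole: the action is gated by the role stored in the session, a non-admin may only act on their own employee record, and the admin menu is decided from the session rather than from the URL. The user table is constructed for the demo; ids 101, 103, 104 and 105 match the lab, while John Wayne’s id (100) is made up because the post never shows it.

```javascript
// Added example, not WebGoat's own code: server-side authorization that checks the
// session rather than trusting the action name, employee_id or admin flag the
// client sends. The user table is constructed; John Wayne's id 100 is a placeholder.

// Constructed employee directory; ids 101, 103, 104 and 105 match the lab.
const USERS = {
  100: { name: 'John Wayne', role: 'admin' },      // id constructed, not from WebGoat
  101: { name: 'Larry Stooge', role: 'employee' },
  103: { name: 'Curly Stooge', role: 'employee' },
  104: { name: 'Eric Walker', role: 'employee' },
  105: { name: 'Tom Cat', role: 'employee' },
};

// Which roles may invoke each server action; an action not listed here is denied.
const ACTION_ROLES = {
  ViewProfile: ['employee', 'admin'],
  DeleteProfile: ['admin'],
};

// Actions a non-admin may only run against their own employee record.
const OWN_RECORD_ONLY = new Set(['ViewProfile']);

// Decide whether the authenticated session may perform the requested action.
// `session.userId` comes from the server-side session store; `params` is the
// untrusted form body (action, employee_id) exactly as Tamper Data shows it.
function authorize(session, params) {
  const user = USERS[session.userId];
  if (!user) return { allowed: false, reason: 'no authenticated session' };

  const roles = ACTION_ROLES[params.action];
  if (!roles) return { allowed: false, reason: `unknown action ${params.action}` };
  if (!roles.includes(user.role)) {
    // Business layer check: Tom Cat swapping ViewProfile for DeleteProfile stops here.
    return { allowed: false, reason: `role ${user.role} may not ${params.action}` };
  }
  if (user.role !== 'admin' && OWN_RECORD_ONLY.has(params.action)) {
    // Data layer check: Larry Stooge changing employee_id 101 to 104 stops here.
    // A missing employee_id gives NaN and is also refused.
    if (Number(params.employee_id) !== session.userId) {
      return { allowed: false, reason: `employee_id ${params.employee_id} is not the caller` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Parse the query string of a request URL into a plain object.
function parseQuery(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Whether to render the admin menu. The decision is made from the session only;
// the `admin` query parameter is read here purely so that tampering can be logged.
function isAdmin(session, query) {
  const user = USERS[session.userId];
  const granted = Boolean(user && user.role === 'admin');
  if (query.admin !== undefined && !granted) {
    // A non-admin sending admin=true is worth an audit log line.
    console.log(`audit: userId=${session.userId} sent admin=${query.admin}, ignored`);
  }
  return granted;
}

// Walk through the three tampered requests from the labs.
function main() {
  console.log(authorize({ userId: 105 }, { action: 'DeleteProfile', employee_id: '103' }));
  console.log(authorize({ userId: 101 }, { action: 'ViewProfile', employee_id: '104' }));
  const q = parseQuery('http://127.0.0.1:8088/WebGoat/attack?Screen=18&menu=200&admin=true');
  console.log(isAdmin({ userId: 105 }, q));
}

main();
```

Run it with Node and all three requests are refused; the audit line from isAdmin is the kind of event a WAF or application log rule can alert on, since a legitimate user never has a reason to add admin=true by hand.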
AJAX Security
LAB: DOM-Based cross-site scripting
For this lab you are trying to deface the WebGoat website using a provided image located at http://127.0.0.1:8088/WebGoat/images/logos/owasp.jpg
You are prompted for your name. First let’s try to use a straightforward HTML IMG SRC injection. Enter the following into the textbox:
<img src =http://127.0.0.1:8088/WebGoat/images/logos/owasp.jpg/>
Press the submit button and observe:
We got somewhere but I do not see the image being displayed. Let’s move on and try a different way of approaching this.
This time enter the following into the textbox:
<img src=x onerror=;;alert('XSS')/>
Next we are told to use a JavaScript alert using the IFRAME tag.
Enter the following IFRAME injection into the textbox. You will immediately see the following box. Just click OK and Submit Solution.
After you click Submit Solution you should see this:
Next we need to attempt to create a fake login.
For this we just copy the input they gave us from above and paste it into the textbox, input shown below:
Please enter your password:<BR><input type="password" name="pass"/><button onClick="javascript:alert('I have your password: ' + pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR> <BR><BR><BR><BR><BR><BR><BR><BR>
After you click Submit you should see the following:
Next up we need to do some work to stop this attack from working. We are going to first open a file called DOMXSS.js, located in tomcat\webapps\WebGoat\javascript
When you open the file you will see this code:
function displayGreeting(name) {
    if (name != '') {
        document.getElementById("greeting").innerHTML = "Hello, " + name + "!";
    }
}
We need to change this code to this:
function displayGreeting(name) {
    if (name != '') {
        // escapeHTML() encodes <, >, & and quotes so the name is rendered as text, not markup
        document.getElementById("greeting").innerHTML = "Hello, " + escapeHTML(name) + "!";
    }
}
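The fix works only if escapeHTML really neutralises every character that can start markup or break out of an attribute. The following is an added example, not WebGoat’s DOMXSS.js, that implements such a helper, applies it in the same displayGreeting shape as above, and shows the alternative of assigning textContent so the browser never parses the name at all. It stands in for document.getElementById with a plain object so it runs under Node, and the two inputs it checks are the payloads used earlier in this post.

```javascript
// Added example, not WebGoat's own code: an HTML-escaping helper and a hardened
// displayGreeting, runnable under Node without a browser.

// Minimal map of the five characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every HTML-significant character with its entity.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Stand-in for document.getElementById('greeting') so the code runs outside a browser.
function makeGreetingElement() {
  return { innerHTML: '', textContent: '' };
}

// Hardened version of the page's displayGreeting: same innerHTML sink, escaped input.
function displayGreeting(element, name) {
  if (name != '') {
    element.innerHTML = 'Hello, ' + escapeHTML(name) + '!';
  }
  return element.innerHTML;
}

// Preferred alternative: textContent never parses the value as markup, so no escaping
// is needed and there is nothing to forget.
function displayGreetingTextContent(element, name) {
  if (name != '') {
    element.textContent = 'Hello, ' + name + '!';
  }
  return element.textContent;
}

// True when a string still contains the start of an HTML tag.
function containsMarkup(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed inputs: the DOM XSS payloads typed into the name box earlier in the post.
const SAMPLE_PAYLOADS = [
  "<img src=x onerror=;;alert('XSS')/>",
  'Please enter your password:<BR><input type="password" name="pass"/>',
];

// Render each payload through the hardened function and report whether any tag survived.
function main() {
  for (const payload of SAMPLE_PAYLOADS) {
    const rendered = displayGreeting(makeGreetingElement(), payload);
    console.log(containsMarkup(rendered) ? 'UNSAFE' : 'safe', rendered);
  }
  console.log(displayGreetingTextContent(makeGreetingElement(), 'Tom Cat'));
}

main();
```

The escaping is context specific: it is correct for the element-content position used by displayGreeting, but a value placed inside a URL, a script block or an event handler attribute needs a different encoder, which is why the textContent form is the safer default when no markup is wanted.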
That’s it for this week, see you next Monday. For now, give it a shot and see if you are still able to do the same attacks.