WebApp Sec mailing list archives
RE: Next WebGoat release
From: "Hearne, Chuck" <Charles.A.Hearne () boeing com>
Date: Tue, 29 Jul 2003 19:06:22 -0700
Jeff,

This suggestion is probably just a subset of what you have planned for "3)" or maybe "8)" below, but I'd like to see a WebGoat lesson that deals with the following issue (courtesy of Dawes, Rogan (ZA - Johannesburg) [rdawes () deloitte co za] in a prior post on How to prevent against cookie stealing):

"My concern is that, even if the server operator manages to completely secure their own site against XSS (as you rightly indicate that the attacker could get your own browser to submit what is needed to exploit you), other sites nominally in your domain (same .domain.com) could still access the control, and "sign requests" in your name. I seem to recall an advisory about this possibility on this list a while back."

Thanks for asking!

Regards,
Charles A. Hearne

Chuck Hearne
Engineer/Scientist
Information Assurance Strategic Architecture
Integrated Defense Systems
THE BOEING COMPANY
3370 Miraloma Avenue
P.O. Box 3105 MC 031-DB20
Anaheim, California 92803-3105
voice 714-762-3722
fax 714-762-5465
pager 800-946-4646, 1477610
email chuck.hearne () boeing com

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: Tuesday, 29 July, 2003 17:39
To: Jeff Williams @ Aspect; webappsec () securityfocus com
Cc: bruce.mayhew () aspectsecurity com
Subject: Re: Next WebGoat release

I have also run the original code through the Visual Studio .NET Java to C# converter and got a handful of things to convert before we have WebGoat.NET. Any C# people with a few hours on their hands, please drop me a line.

----- Original Message -----
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
To: <webappsec () securityfocus com>
Cc: <bruce.mayhew () aspectsecurity com>
Sent: Tuesday, July 29, 2003 8:08 PM
Subject: Re: Next WebGoat release

Ty,

WebGoat is being worked. Here is the list of lessons that are currently being developed. If you have any suggestions for new lessons, please let me know.

Please try to describe the lesson like I've done below, so that we have a good sense of what you're thinking and how it would work. Better yet, just implement a lesson -- the plug-in architecture makes it really really easy. All you have to do is fill in a few methods and bang -- it works.

1) How to bypass client-side security checks -- a simple form with JavaScript checking of field values. Student can intercept the request on the way back to the server and fill in bad values, or can intercept the page with the form on the way to the browser and delete the scripts.

2) How to bypass authorization system -- users log on with a role and then are shown certain functions. Student should explore the model and then attempt to access resources for which they are not authorized.

3) How to use XSS to steal cookies, steal form values, and change content -- an enhanced XSS lesson that allows students to do some serious JavaScript damage.

4) Encoding Basics -- finish this lesson to provide more encodings (and provide a reference implementation of the most common encoding functions).

5) LDAP Injection? -- create a simple LDAP simulation that allows students to inject queries and access more of the LDAP structure than they ought to be allowed to.

6) How to abuse a web email function -- a more realistic simulation of a web based emailer that will allow the student to use it as a spam proxy and inject images and attachments.

7) Updated Challenge -- more realistic authentication problems, remove the SSI piece and replace with a more current injection threat, and perhaps add some more stages.

8) How to steal sessions -- a lesson that chooses a slightly less than random session key and allows a Session ID attack. Hopefully uses the capabilities of one of the Session ID tools, such as the one built in Exodus.

9) How to reverse engineer an applet -- a lesson demonstrating the futility of attempting to hide secrets or algorithms in an applet. Students will reverse an applet, extract encryption keys, and use them to decode an encrypted file transferred from the server.

Please send your ideas!

Thanks,

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com

----- Original Message -----
From: Ty Bodell
To: webappsec () securityfocus com
Sent: Tuesday, July 29, 2003 1:21 PM
Subject: Next WebGoat release

Hey all--

Haven't heard anything about the next release of OWASP's WebGoat in a while, is there a release date for version 3 or are we still developing? What did everyone think of version 2 if you tried it? I checked the sourceforge site for webgoat but it doesn't give an upcoming date :-/ Let me know if you find anything.

Thanks,
Ty Bodell