WebApp Sec mailing list archives

RE: Next WebGoat release


From: "Hearne, Chuck" <Charles.A.Hearne () boeing com>
Date: Tue, 29 Jul 2003 19:06:22 -0700

Jeff,

This suggestion is probably just a subset of what you have planned for "3)"
or maybe "8)" below, but I'd like to see a WebGoat lesson that deals with the
following issue (courtesy of Dawes, Rogan (ZA - Johannesburg)
[rdawes () deloitte co za] in a prior post on how to prevent against cookie
stealing):

"My concern is that, even if the server operator manages to completely
secure their own site against XSS (as you rightly indicate that the attacker
could get your own browser to submit what is needed to exploit you), other
sites nominally in your domain (same .domain.com) could still access the
control, and "sign requests" in your name. I seem to recall an advisory
about this possibility on this list a while back."

Thanks for asking! 

Regards,

Charles A. Hearne

Chuck Hearne

Engineer/Scientist
Information Assurance 
Strategic Architecture
Integrated Defense Systems
THE BOEING COMPANY
3370 Miraloma Avenue
P.O. Box 3105
MC 031-DB20
Anaheim, California 92803-3105
voice 714-762-3722
fax 714-762-5465
pager 800-946-4646, 1477610
email chuck.hearne () boeing com



-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com] 
Sent: Tuesday, 29 July, 2003 17:39
To: Jeff Williams @ Aspect; webappsec () securityfocus com
Cc: bruce.mayhew () aspectsecurity com
Subject: Re: Next WebGoat release


I have also run the original code through the Visual Studio .NET Java to C#
converter and got a handful of things to convert before we have WebGoat.NET.
Any C# people with a few hours on their hands, please drop me a line.
----- Original Message ----- 
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
To: <webappsec () securityfocus com>
Cc: <bruce.mayhew () aspectsecurity com>
Sent: Tuesday, July 29, 2003 8:08 PM
Subject: Re: Next WebGoat release


Ty,

WebGoat is being worked.  Here is the list of lessons that are currently
being developed.  If you have any suggestions for new lessons, please let me
know.  Please try to describe the lesson like I've done below, so that we
have a good sense of what you're thinking and how it would work.  Better yet,
just implement a lesson -- the plug-in architecture makes it really really
easy.  All you have to do is fill in a few methods and bang -- it works.

1) How to bypass client-side security checks -- a simple form with
JavaScript checking of field values.  Student can intercept the request on
the way back to the server and fill in bad values, or can intercept the page
with the form on the way to the browser and delete the scripts.

2) How to bypass authorization system -- users log on with a role and 
then are shown certain functions.  Student should explore the model 
and then attempt to access resources for which they are not 
authorized.

3) How to use XSS to steal cookies, steal form values, and change content --
an enhanced XSS lesson that allows students to do some serious JavaScript
damage.

4) Encoding Basics -- finish this lesson to provide more encodings 
(and provide a reference implementation of the most common encoding 
functions)

5) LDAP Injection? -- create a simple LDAP simulation that allows 
students to inject queries and access more of the LDAP structure than 
they ought to be allowed to.

6) How to abuse a web email function -- a more realistic simulation of a
web based emailer that will allow the student to use it as a spam proxy and
inject images and attachments.

7) Updated Challenge -- more realistic authentication problems, remove the
SSI piece and replace with a more current injection threat, and perhaps add
some more stages.

8) How to steal sessions -- a lesson that chooses a slightly less than 
random session key and allows a Session ID attack.  Hopefully uses the 
capabilities of one of the Session ID tools, such as the one built in 
Exodus.

9) How to reverse engineer an applet -- a lesson demonstrating the futility
of attempting to hide secrets or algorithms in an applet.  Students will
reverse an applet, extract encryption keys, and use them to decode an
encrypted file transferred from the server.

Please send your ideas!  Thanks,

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com
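Lesson 8 above hinges on a session key that is "slightly less than random".
The following is an added example, not WebGoat code, showing the kind of
check a developer can run over a sample of their own application's session
IDs before shipping: a constructed counter-plus-timestamp generator stands in
for the weak scheme, `secrets.token_hex` for the sound one, and both the
generator names and the entropy threshold are assumptions made here.

```python
"""Added example (not WebGoat code): spot session IDs that are
'slightly less than random' from a sample of issued IDs."""
import math
import secrets
from collections import Counter


def weak_session_id(counter: int, issued_at: int) -> str:
    # Constructed weak scheme: per-login counter in the high 32 bits,
    # seconds-since-epoch in the low 32 bits.  Both inputs are guessable,
    # so consecutive IDs differ by a fixed stride.
    return f"{counter:08x}{issued_at:08x}"


def strong_session_id() -> str:
    # 128 bits drawn from the OS CSPRNG; the recommended form.
    return secrets.token_hex(16)


def per_position_entropy(ids) -> float:
    """Mean Shannon entropy (bits) of each hex position over the sample.
    A truly random hex string scores close to 4.0 bits per character."""
    width = min(len(s) for s in ids)
    n = len(ids)
    total = 0.0
    for i in range(width):
        counts = Counter(s[i] for s in ids)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total / width


def has_constant_stride(ids) -> bool:
    """True when every consecutive pair of IDs differs by the same amount,
    the signature of a counter- or time-derived token."""
    vals = [int(s, 16) for s in ids]
    diffs = {b - a for a, b in zip(vals, vals[1:])}
    return len(diffs) == 1


def assess(ids, min_bits_per_hex_char: float = 3.0) -> str:
    # Assumed threshold: with ~50 samples a random source scores ~3.8 bits.
    if has_constant_stride(ids):
        return "weak: constant stride between consecutive IDs"
    if per_position_entropy(ids) < min_bits_per_hex_char:
        return "weak: low per-character entropy"
    return "no obvious weakness found"
```

A sample of fifty IDs is enough to catch a counter; judging a generator that
passes this check needs thousands of IDs and the bitwise tests the Session ID
tools mentioned above perform.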



----- Original Message -----
From: Ty Bodell
To: webappsec () securityfocus com
Sent: Tuesday, July 29, 2003 1:21 PM
Subject: Next WebGoat release


Hey all--
Haven't heard anything about the next release of OWASP's WebGoat in a while.
Is there a release date for version 3 or are we still developing?  What did
everyone think of version 2 if you tried it?  I checked the sourceforge site
for webgoat but it doesn't give an upcoming date :-/ Let me know if you find
anything.
Thanks,
Ty Bodell