
h2

1. https://juhaveijalainen.wordpress.com/2018/09/03/h2-1/

2. Do at least three WebGoat exercises

Setting up WebGoat

I downloaded the latest version of WebGoat from https://github.com/WebGoat/WebGoat/releases and followed these instructions to get it running.

The latest versions of the JRE and JDK came with Kali, so I only installed Maven:

sudo apt install maven

To run WebGoat I navigated to /Downloads, where I had downloaded it, and ran

sudo java --add-modules java.xml.bind -jar webgoat-server-8.0.0.M21.jar

Setting up ZAP

ZAP was already pre-installed in Kali. I followed this guide to get it running.

Configuring ZAP as browser proxy in Firefox

Preferences -> Advanced -> Network -> Settings. Select Manual proxy configuration, HTTP Proxy: localhost, Port: 8090. Remove localhost from the "No proxy for" field.

Configuring local proxies in ZAP to make it work with WebGoat

Tools -> Options -> Local proxies. Address: localhost, Port: 8090.

Right click anything in the History tab -> Exclude from -> Proxy -> add both of these lines:

http://localhost:8080/WebGoat/.*.lesson.lesson
http://localhost:8080/WebGoat/service/.*

Authentication Bypasses

Verify account without answering security questions.

I clicked the green round button in ZAP so that ZAP would intercept the next HTTP request, then submitted the form by clicking the "Submit" button. ZAP popped up and I renamed the "secQuestion0" and "secQuestion1" parameters to "secQuestion00" and "secQuestion10".

Clicking the play button then let the altered HTTP request through, and I was able to change the password without answering the security questions.

HTML tampering

Tamper with HTML to get a discount.

After poking around with Firefox's developer tools and not really managing to get anything done, I tried to intercept requests the same way as before with "authentication bypasses". Intercepting the request with ZAP worked, and I was able to change the value of "QTY" to 999 and "Total" to 1.

My tampered request went through and so I bought 999 televisions for a dollar.
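Both of the tampering exercises above succeed for the same reason: the server trusts what the client sends instead of checking against its own records. The following is an added example, not WebGoat's code; it shows one plausible shape of the vulnerable server-side logic beside the hardened version, with constructed account, catalogue and request data.

```python
# Added example (not WebGoat's code). All values below are constructed.

# The answers the server expects for the constructed user "jerry".
EXPECTED_ANSWERS = {"secQuestion0": "fido", "secQuestion1": "helsinki"}

# The only prices the checkout should ever trust (constructed catalogue).
CATALOGUE_PRICES = {"tv": 2999.99}


def verify_answers_vulnerable(form: dict) -> bool:
    """Checks only the answer fields the client chose to send.

    Renaming secQuestion0 -> secQuestion00 means no key matches, so the
    loop never finds a mismatch and verification "passes".
    """
    for key, value in form.items():
        if key in EXPECTED_ANSWERS and EXPECTED_ANSWERS[key] != value:
            return False
    return True


def verify_answers_hardened(form: dict) -> bool:
    """Iterates over the server's own list of required questions instead."""
    return all(form.get(key) == answer for key, answer in EXPECTED_ANSWERS.items())


def checkout_vulnerable(form: dict) -> float:
    """Trusts the client-supplied Total, so QTY=999 with Total=1 is accepted."""
    return float(form["Total"])


def checkout_hardened(form: dict) -> float:
    """Recomputes the total from the catalogue; the client's Total is ignored."""
    qty = int(form["QTY"])
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    return round(qty * CATALOGUE_PRICES[form["item"]], 2)


def checkout_hardened_accepts(form: dict) -> bool:
    """True if the hardened checkout accepts the order, False if it rejects it."""
    try:
        checkout_hardened(form)
        return True
    except (ValueError, KeyError):
        return False


# Constructed tampered requests mirroring the ZAP edits described above.
TAMPERED_ANSWERS = {"username": "jerry", "secQuestion00": "x", "secQuestion10": "y"}
TAMPERED_ORDER = {"item": "tv", "QTY": "999", "Total": "1"}
```

Running the two pairs against the tampered requests shows the vulnerable handlers accepting both, and the hardened ones rejecting both.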

Client side filtering

1. Salary manager

Figure out Neville Bartholomew's salary.

I again started with developer tools. It didn't take long for me to stumble upon a table called "hiddenEmployeeRecords" and within it, among other employees, Neville Bartholomew and his salary.

2. Free phone

Figure out a checkout code to get a free phone.

I noticed /WebGoat/clientSideFiltering/challenge-store/coupons/ in the developer tools Network tab.

I opened it in a new tab and found all possible discount codes listed within it. One of them was for 100% off.


Course page: http://terokarvinen.com/2018/penetration-testing-course-autumn-2018

https://github.com/WebGoat/WebGoat/releases
https://github.com/WebGoat/WebGoat
https://github.com/zaproxy/zap-core-help/wiki/HelpIntro

  • Lenovo Ideapad 720s
  • Kali Xfce 64 live usb
  • Intel Core i7-8550U
  • GeForce MX150
  • 8 GB RAM
  • 500 GB SSD