Thursday, May 21, 2009

WebScarab and WebGoat - learning security!

Application development: the funnest job in the world, right? But how does that fun hold up when, early in your career, you first run into the classic adage "80% of your code will run only 20% of the time"? Bullet-proofing your code can be a real buzz kill for the wanderlusting developer.

Well, fret no more. Securing an application isn't a tedious bore - it's an opportunity to step into the exciting shoes of a web hacker/cracker and have yourself a truly fun learning experience. I've spent the last two days using WebScarab and WebGoat, both free and open-source tools from OWASP, as reliable (and awesome) learning tools for practicing real attacks against an application that is vulnerable on purpose:
  • Tamper with request parameters on the fly
  • Embed Cross-Site Scripting (XSS) and injection attacks to hijack sessions and escalate your application privileges (make me an admin, please... woot.)
  • Manipulate requests to take advantage of vulnerabilities in web services.
The list goes on, but honestly I had the most fun just tampering with hidden input fields, altering drop-down values, and adding parameters to a request. I was able to do some amazing stuff, including breaking into admin accounts and making my own application send out email on an attacker's behalf... A true learning experience.
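Why those hidden-field and extra-parameter tricks work comes down to one mistake: the server trusts values the browser sent. Here is an added example (mine, not code from the post or from WebGoat) showing a checkout handler that trusts a hidden price field and a role parameter, next to the hardened version that looks both up server-side. The catalog, the role table and the two request bodies are constructed sample data.

```python
from urllib.parse import parse_qs

# Server-side data: the only legitimate source of prices and roles.
# (Constructed for this example.)
CATALOG = {"tv": 499.00, "laptop": 899.00}
ROLES = {"alice": "user", "bob": "admin"}


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> dict:
    """Trusts the hidden 'price' field and an optional 'role' parameter.
    Anything you can edit in an intercepting proxy, this handler believes."""
    form = parse_form(body)
    return {
        "item": form["item"],
        "charged": float(form["price"]),          # attacker-controlled
        "is_admin": form.get("role") == "admin",   # attacker-controlled
    }


def checkout_fixed(body: str, session_user: str) -> dict:
    """Ignores client-supplied price and role entirely.
    Price comes from the catalog, role from the authenticated session."""
    form = parse_form(body)
    item = form.get("item")
    if item not in CATALOG:
        # Unknown or tampered item: refuse instead of guessing.
        raise ValueError("unknown item")
    return {
        "item": item,
        "charged": CATALOG[item],
        "is_admin": ROLES.get(session_user) == "admin",
    }


# What the browser submits from the unmodified form (constructed).
HONEST = "item=tv&price=499.00"
# The same request after editing the hidden field and appending a
# parameter in an intercepting proxy such as WebScarab (constructed).
TAMPERED = "item=tv&price=0.01&role=admin"

if __name__ == "__main__":
    print("vulnerable:", checkout_vulnerable(TAMPERED))
    print("fixed:     ", checkout_fixed(TAMPERED, session_user="alice"))
```

The fixed handler never reads `price` or `role` from the form at all; the rule of thumb is that a hidden field is only a convenience for the client, never an authority for the server.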

Enough gab. Here's the deal:

WebGoat:
This is a well-designed application built to contain vulnerabilities on purpose. It is ready for you to do some Cross-Site Scripting and other common attacks against it and feel the thrill of breaking into a system! It ships with its own servlet container and runs right out of the box.
->Download here: http://code.google.com/p/webgoat/downloads/list
->Install Instructions here: http://www.owasp.org/index.php/WebGoat_Installation
At this time, version 5.2 is the latest release. Download the zip, run the batch file, and access the app at localhost, on either port 80 or 8080 depending on which batch file you ran. It's that easy. Since WebGoat is vulnerable by design, keep it listening on localhost or run it in an isolated VM rather than on a machine other people on your network can reach. Linux users should check the installation documentation linked above.

WebScarab:
This is a tool that intercepts your outgoing HTTP requests and incoming HTTP responses, giving you a chance to change them any way you like as they pass through. You just filled in a username and password? Let's see what happens when you add to the request a cookie stolen from someone else's session, logging you in as them...
->Download here: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download

I am failing to find good instructions for this tool, but it's not hard to figure out. It's most compatible with Firefox, so don't waste your time with IE. Simply change your Firefox proxy settings to point to localhost, port 8008 (and remember to clear out the "No Proxy for" field!! Firefox excludes localhost by default, which would send your WebGoat traffic straight past WebScarab), fire up WebScarab, and tick the "Intercept requests" checkbox within WebScarab. WebScarab will act as a proxy, but if you already go through a proxy to reach the internet, then you'll need to tell WebScarab which proxy to forward to... Simply click the Proxies tab at the top of WebScarab and punch in your proxy server address. Port 3128 is a common default (it's what Squid uses).

Have fun guys