Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Slides:



Advertisements
Similar presentations
Webgoat.
Advertisements

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
Vulnerability Assessment Course Applications Assessment.
Chris Shuster. Overview Hacking White Hat Black Hat Web Hacking.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Introduction to Application Penetration Testing
FORESEC Academy FORESEC Academy Security Essentials (II)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Workshop 3 Web Application Security Li Weichao March
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
MIS Week 5 Site:
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
JavaScript, Fourth Edition
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Chapter 8 Cookies And Security JavaScript, Third Edition.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Getting Started with OPC.NET OPC.NET Software Client Interface Client Base Server Base OPC Wrapper OPC COM Server Server Interface WCF Alternate.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
AJAX Use Cases for WSRP Subbu Allamaraju BEA Systems Inc WSRP F2F Meeting, May 2006.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Figure 9-3: Webserver and E-Commerce Security Browser Attacks  Take over a client via the browser Interesting information on the client Can use browser.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
The OWASP Foundation OWASP Education Computer based training The Basics Nishi Kumar IT Architect Specialist, FIS Chair, Software Security.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
MIS Week 5 Site:
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Proctor Caching and System Check September 4, 2014 Becky Hoeft Conference Number: (877) Conference Pin:
Penetration Testing Social Engineering Attack and Web-based Exploitation CIS 6395, Incident Response Technologies Fall.
WebGoat & WebScarab September 9, 2008 By Stephen Carter & Mike Nixon
World Wide Web policy.
Subbu Allamaraju BEA Systems Inc
Webscarab, an introduction.
Cyber Operation and Penetration Testing Social Engineering Attack and Web-based Exploitation Cliff Zou University of Central Florida.
Presentation transcript:

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation OWASP Day Belgium 6 Sep Getting started with WebGoat & WebScarab Erwin Geirnaert Partner & Co-founder – ZION SECURITY

OWASP Day – Belgium – 6 Sep Agenda  Configure WebScarab as a local proxy  Intercept HTTP requests and responses  Modify HTTP requests to solve the lesson “Hidden field manipulation”  Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”  Use the session analysis tab in WebScarab  Use the web services tab in WebScarab  Use WebScarab to analyze Ajax XML messages

OWASP Day – Belgium – 6 Sep 2007 Configure WebScarab as a local proxy  Extract WebGoat  Start WebGoat with webgoat.bat  Start WebScarab  Double-click the JAR should work  Otherwise create a.bat file that executes java.exe –jar ‘filename’  A Java executable is included with WebGoat  Configure your browser to use as proxy localhost on port

OWASP Day – Belgium – 6 Sep 2007 Intercept HTTP requests and responses  Open  Login with guest – guest  Do you see a pop-up window in WebScarab?  You can select “Intercept request” and “Intercept response” in the pop-up window or in WebScarab via “Proxy” – “Manual edit” 4

OWASP Day – Belgium – 6 Sep 2007 Modify HTTP requests to solve the lesson “Hidden field manipulation”  Go to the “Hidden field manipulation” lesson in “Unvalidated parameters”  Read the lesson plan  Intercept the request  Change the hidden field 5

OWASP Day – Belgium – 6 Sep 2007 Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”  Go to the lesson “Bypass client-side Javascript validation”  Read the lesson plan  Intercept the response  Remove the Javascript validation  Submit unvalid data 6

OWASP Day – Belgium – 6 Sep 2007 Use the session analysis tab in WebScarab  Go to the lesson “How to hijack a session”  Read the lesson plan  Let the request pass  Go to the tab “Session analysis”  Get 100 cookie values  Examine the difference using the analysis options 7

OWASP Day – Belgium – 6 Sep 2007 Use the web services tab in WebScarab  Go to the web services lesson in WebGoat  Read the lesson plan  Click on the link for the WSDL file  Go to the tab “web services” in WebScarab  Select the WSDL from the drop-down box  Execute a web service request 8

OWASP Day – Belgium – 6 Sep 2007 Use WebScarab to analyze Ajax XML messages  Go to the Ajax security lessons in WebGoat  Read the lesson plans  Try to solve the lessons by examining the XML messages in WebScarab 9

OWASP Day – Belgium – 6 Sep 2007 Coming soon  New lessons in WebGoat  New version of WebScarab NG  WebGoat Solution Guide 10

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.