Presentation is loading. Please wait.

Presentation is loading. Please wait.

MIS 5212.001 Week 5 Site:

Published byAgatha Wilcox Modified over 8 years ago

Similar presentations

Presentation on theme: "MIS 5212.001 Week 5 Site:"— Presentation transcript:

1 MIS 5212.001 Week 5 Site: http://community.mis.temple.edu/mis5212sec001s16 http://community.mis.temple.edu/mis5212sec001s16

2  In the news  Introduction to WebGoat  Next Week 2MIS 5212.001

3  Submitted  http://www.ibtimes.co.uk/dayz-hack-forums- popular-pc-game-breached-all-user-credentials- stolen-1542201 http://www.ibtimes.co.uk/dayz-hack-forums- popular-pc-game-breached-all-user-credentials- stolen-1542201  http://www.tripwire.com/state-of-security/latest- security-news/attackers-leverage-duplicate-logins- to-compromise-21m-alibaba- accounts/#.VrSN67SeATI.twitter http://www.tripwire.com/state-of-security/latest- security-news/attackers-leverage-duplicate-logins- to-compromise-21m-alibaba- accounts/#.VrSN67SeATI.twitter  http://www.bbc.com/news/technology-35491834 http://www.bbc.com/news/technology-35491834 MIS 5212.0013

4  Submitted  http://fortune.com/2016/02/06/data-sheet- saturday-february-6-2016/ http://fortune.com/2016/02/06/data-sheet- saturday-february-6-2016/  http://www.securityweek.com/bitcoin-lending- platform-loanbase-breached http://www.securityweek.com/bitcoin-lending- platform-loanbase-breached  http://www.securityweek.com/top-reasons-pay- attention-dark-web http://www.securityweek.com/top-reasons-pay- attention-dark-web  http://www.infosecurity- magazine.com/news/export-treaty-get-rewrite- win/ http://www.infosecurity- magazine.com/news/export-treaty-get-rewrite- win/ MIS 5212.0014

5  What I noted  http://news.softpedia.com/news/t9000-backdoor- malware-targets-skype-users-records-conversations- 500018.shtml http://news.softpedia.com/news/t9000-backdoor- malware-targets-skype-users-records-conversations- 500018.shtml  http://www.csoonline.com/article/3030207/securit y/the-neutrino-exploit-kit-has-a-new-way-to-detect- security-researchers.html http://www.csoonline.com/article/3030207/securit y/the-neutrino-exploit-kit-has-a-new-way-to-detect- security-researchers.html  http://lcamtuf.coredump.cx/p0f3/ http://lcamtuf.coredump.cx/p0f3/ MIS 5212.0015

6  What is a Web Browser?  Rendering Engine  JavaScript Engine  Network communications layer  …  May also include  Add-Ins  Browser Helper Objects  APIs to/for othere applications MIS 5212.0016

7  Why are we talking about this?  Browser are fairly complicated  Browsers have many sub-components and features  Browsers need to understand many different forms of character encoding  All of this gives us something to work with when attacking Web Applications  Good reference for details  http://taligarsiel.com/Projects/howbrowsers work1.htm http://taligarsiel.com/Projects/howbrowsers work1.htm MIS 5212.0017

8  WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons  The current version is 6.0.1, this is still a work in progress.  WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. MIS 5212.0018

9  You can download WebGoat at:  https://webgoat.atlassian.net/builds/browse/WEB -WGM/latestSuccessful/artifact/shared/WebGoat- Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar https://webgoat.atlassian.net/builds/browse/WEB -WGM/latestSuccessful/artifact/shared/WebGoat- Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar  You will also need Java >= 1.6 (JDK 1.7 Recommended)  http://www.oracle.com/technetwork/java/javase/ downloads/index.html http://www.oracle.com/technetwork/java/javase/ downloads/index.html MIS 5212.0019

10 10

11  Entering URL for WebGoat gives:  Use the down arrow and select “Save As” to save file to the location of your choice. MIS 5212.00111

12  Follow URL to: MIS 5212.00112

13  Selecting “JRE” gives: MIS 5212.00113

14  Click “Accept” and select the OS  Same as WebGoat, use save as option to put the file where you want it  Once downloaded, run the file and follow the prompts  To launch in Windows, open the command line and type:  Java –jar WebGoat-6.0.1-war-exec.jar  Command line will say busy and will look like it hangs at Initializing Spring …. MIS 5212.00114

15  Open a browser and type the following in the URL bar:  http://localhost:8080/WebGoat/ http://localhost:8080/WebGoat/ MIS 5212.00115

16  If the browser doesn’t appear to connect.  Check “Intercept On” is turned of in Proxy MIS 5212.00116

17  Download the “jar” file as described on the earlier slide  Java JRE is already installed in Kali  Open a terminal and execute the same command  Java –jar WebGoat-6.0.1-war-exec.jar  Verify same as earlier slide MIS 5212.00117

18  If you downloaded the jar file to Kali, you are ready to launch the Intercepting Proxy, point the browser at the proxy and start  If you want to work in Windows, you will need to get an intercepting proxy on to your windows machine  Go to:  http://portswigger.net/burp/ http://portswigger.net/burp/  Select “Download” tab and then “Free”  This will bring down another jar file for BurpSuite MIS 5212.00118

19  Once WebGoat is running, you are one of the most vulnerable systems on the internet!  Once you have downloaded the files consider disconnecting from the network MIS 5212.00119

20  In this instance, an intercepting proxy is software that acts as a server and sits between the web browser and your internet connection  Examples  Burp Suite  Webscarab  Paros MIS 5211.00120

21 MIS 5212.00121 Or

22  For this course  Monitor and record ONLY  Do not inject or alter any traffic unless you personally own the web site.  Like your personal copy of WebGoat MIS 5211.00122

23  Start Burp Suite by logging in to Kali and selecting Burp Suite from:  Kali Linux > Web Applications > Web Application Proxies > burpsuite  Kali 2.0 > Applications > Web Application Analysis > burpsuite MIS 5211.00123

24 MIS 5211.00124

25  Once burpsuite is running, you will need to start and configure a browser  Kali’s web browser is “Iceweasel”, an adaptation of Firefox  After starting Iceweasel, navigate to preferences  And select it MIS 5211.00125

26  Navigate to the Network Tab and select settings… for Connection MIS 5211.00126

27  Change selection from “Use system proxy settings” to “Manual proxy configuration and enter “127.0.0.1” for “HTTP Proxy” and “8080” for “Port”  Or any other port number that works for you  8080 is used by WebGoat, so we should pick something else  Also, select check box for “Use this proxy server for all protocols”  Select “OK” when done  Browser is now setup to use burpsuite  See next slide for example MIS 5211.00127

28 MIS 5211.00128

29 MIS 5212.00129

30 MIS 5212.00130

31 MIS 5211.00131

32  In browser, navigate to google.com  Browser will hang and look busy  Select the “Proxy” tab in burpsuite  Burpsuite is waiting for you, select forward MIS 5211.00132

33  Select “I understand the Risks” and follow prompts to add an exception MIS 5211.00133

34 MIS 5211.00134

35 MIS 5212.00135

36 MIS 5212.00136

37  Access Control Flaws  Stage 1 Note: Account for John does not appear to work. However, the correct piece of information you need is listed in the solution notes  Stage 3  Authentication Flaws  Cross-Site Scripting  Phishing  Stage 1  Stage 5  Reflected XSS Attacks  Improper Error Handling  Fail Open Authentication Scheme MIS 5212.00137

38  Injection Flaws:  Command Injection: Note: if you are on a linux box substitute this command for the equivalent that references ipconfig " & netstat -ant & ifconfig“  Numerical SQL Injection: Note: try this as your sql attack “or 1=1”  Log Spoofing  XPATH Injection  String SQL Injection  Modifying Data with SQL Injection  Adding Data with SQL Injection  Blind Numeric SQL Injection  Blind String SQL Injection MIS 5212.00138

39  Test 1  Presentations MIS 5212.00139

40 ? MIS 5212.00140

Download ppt "MIS 5212.001 Week 5 Site:"

Similar presentations

Webgoat.

Webgoat.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
For Removal Info: visit

For Removal Info: visit
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.

EValid Getting Started. Agenda Introduction to eValid First experience of using eValid Recording and Site Analysis in eValid.
Information Networking Security and Assurance Lab National Chung Cheng University WebGoat.

Information Networking Security and Assurance Lab National Chung Cheng University WebGoat.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
MIS 5212.001 Week 3 Site:

MIS Week 3 Site:
SETUP AND CONFIGURATIONS WEBLOGIC SERVER. 1.Weblogic Installation 2.Creating domain through configuration wizard 3.Creating domain using existing template.

SETUP AND CONFIGURATIONS WEBLOGIC SERVER. 1.Weblogic Installation 2.Creating domain through configuration wizard 3.Creating domain using existing template.
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
MIS 5212.001 Week 11 Site:

MIS Week 11 Site:
Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.

Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.
Simplify Requirement Management for JIRA. Platforms supported by RMsis Operating Systems Microsoft Windows XP/VISTA/7/8 Server 2008, 2012 Linux JIRAJIRA.

Simplify Requirement Management for JIRA. Platforms supported by RMsis Operating Systems Microsoft Windows XP/VISTA/7/8 Server 2008, 2012 Linux JIRAJIRA.
Hosted Exchange 2007. The purpose of this Startup Guide is to familiarize you with ExchangeDefender's Exchange and SharePoint Hosting. ExchangeDefender.

Hosted Exchange The purpose of this Startup Guide is to familiarize you with ExchangeDefender's Exchange and SharePoint Hosting. ExchangeDefender.
Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.

Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden

April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Similar presentations

Ads by Google