Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Published byLogan Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."— Presentation transcript:

1 Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation OWASP Day Belgium 6 Sep 2007 http://www.owasp.org/ Getting started with WebGoat & WebScarab Erwin Geirnaert Partner & Co-founder – ZION SECURITY Erwin.geirnaert@zionsecurity.com www.linkedin.com/in/erwingeirnaert

2 OWASP Day – Belgium – 6 Sep 2007 2 Agenda  Configure WebScarab as a local proxy  Intercept HTTP requests and responses  Modify HTTP requests to solve the lesson “Hidden field manipulation”  Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”  Use the session analysis tab in WebScarab  Use the web services tab in WebScarab  Use WebScarab to analyze Ajax XML messages

3 OWASP Day – Belgium – 6 Sep 2007 Configure WebScarab as a local proxy  Extract WebGoat  Start WebGoat with webgoat.bat  Start WebScarab  Double-click the JAR should work  Otherwise create a.bat file that executes java.exe –jar ‘filename’  A Java executable is included with WebGoat  Configure your browser to use as proxy localhost on port 8008 3

4 OWASP Day – Belgium – 6 Sep 2007 Intercept HTTP requests and responses  Open http://localhost/WebGoat/attackhttp://localhost/WebGoat/attack  Login with guest – guest  Do you see a pop-up window in WebScarab?  You can select “Intercept request” and “Intercept response” in the pop-up window or in WebScarab via “Proxy” – “Manual edit” 4

5 OWASP Day – Belgium – 6 Sep 2007 Modify HTTP requests to solve the lesson “Hidden field manipulation”  Go to the “Hidden field manipulation” lesson in “Unvalidated parameters”  Read the lesson plan  Intercept the request  Change the hidden field 5

6 OWASP Day – Belgium – 6 Sep 2007 Modify HTTP responses to solve the lesson “Bypass client-side Javascript validation”  Go to the lesson “Bypass client-side Javascript validation”  Read the lesson plan  Intercept the response  Remove the Javascript validation  Submit unvalid data 6

7 OWASP Day – Belgium – 6 Sep 2007 Use the session analysis tab in WebScarab  Go to the lesson “How to hijack a session”  Read the lesson plan  Let the request pass  Go to the tab “Session analysis”  Get 100 cookie values  Examine the difference using the analysis options 7

8 OWASP Day – Belgium – 6 Sep 2007 Use the web services tab in WebScarab  Go to the web services lesson in WebGoat  Read the lesson plan  Click on the link for the WSDL file  Go to the tab “web services” in WebScarab  Select the WSDL from the drop-down box  Execute a web service request 8

9 OWASP Day – Belgium – 6 Sep 2007 Use WebScarab to analyze Ajax XML messages  Go to the Ajax security lessons in WebGoat  Read the lesson plans  Try to solve the lessons by examining the XML messages in WebScarab 9

10 OWASP Day – Belgium – 6 Sep 2007 Coming soon  New lessons in WebGoat  New version of WebScarab NG  WebGoat Solution Guide 10

Download ppt "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."

Similar presentations

Webgoat.

Webgoat.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science

OWASP WEBGOAT Alaa Darabseh Department of Computer Science
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Chris Shuster. Overview Hacking White Hat Black Hat Web Hacking.

Chris Shuster. Overview Hacking White Hat Black Hat Web Hacking.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
FORESEC Academy FORESEC Academy Security Essentials (II)

FORESEC Academy FORESEC Academy Security Essentials (II)

Similar presentations

Ads by Google