Avoid common mistake in web programming

May 8th, 2008 | by admin |

WebGoat

WebGoat is a deliberately insecure J2EE web application designed to teach web application security concepts.

WebGoat is a Java web application that demonstrates many of the attacks that can be performed against your website. It is a must-have for all web developers.

You can download it from SourceForge or find it via Google.

The package bundles a Tomcat server, so you can run it straight from the distribution. In my case the distribution only contained Windows configuration files, so I had to take the WAR file and deploy it in a standalone Tomcat installation, and also copy the role/user definitions over to that Tomcat installation's user configuration.

Once it is running you will need a sniffer or intercepting proxy to monitor the requests. I tried it with WebScarab; two alternatives are linked here and here.

  • Run WebGoat in Tomcat
  • Run your proxy, sniffer, plugin or whatever monitoring tool you chose
  • Start your browser
  • Set up your browser to use the proxy, if you chose to use one
  • Point your browser at the WebGoat application (http://127.0.0.1:8080/WebGoat/attack)

You are ready to work through all the lessons. Here are the lesson categories extracted from the latest WebGoat version:

  • Admin Functions
  • General
  • Code Quality
  • Concurrency
  • Unvalidated Parameters
  • Access Control Flaws
  • Authentication Flaws
  • Session Management Flaws
  • Cross-Site Scripting (XSS)
    • Phishing with XSS
    • LAB: Cross Site Scripting
    • Stage 1: Stored XSS
    • Stage 2: Block Stored XSS using Input Validation
    • Stage 3: Stored XSS Revisited
    • Stage 4: Block Stored XSS using Output Encoding
    • Stage 5: Reflected XSS
    • Stage 6: Block Reflected XSS
    • Stored XSS Attacks
    • Cross Site Request Forgery (CSRF)
    • Reflected XSS Attacks
    • HTTPOnly Test
    • Cross Site Tracing (XST) Attacks
  • Buffer Overflows
  • Injection Flaws
    • Command Injection
    • Blind SQL Injection
    • Numeric SQL Injection
    • Log Spoofing
    • XPATH Injection
    • LAB: SQL Injection
    • Stage 1: String SQL Injection
    • Stage 2: Parameterized Query #1
    • Stage 3: Numeric SQL Injection
    • Stage 4: Parameterized Query #2
    • String SQL Injection
    • Database Backdoors
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration
  • Web Services
  • AJAX Security
  • Challenge
2 Responses to “Avoid common mistake in web programming”

By webby on Jun 1, 2008

    Is there any way I could get all lesson fixes/solutions…

    Thanks

By guda on Jun 2, 2008

    This is an open-source program; you can download it from

    http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824

    Run it on your local machine, and play with it via your browser.

    All the lessons are there, and most of them have solutions in the help.
