"Sad but TRUE !..."

When the tides of life turn against you... And the current upsets your boat... Don't waste those tears on what might have been... Just lay on your back and float!...

Lab 5 ~ Web Application Security ~

Assalamualaikum w.b.t...

Lab 5 kali nie kiteorg blajar Web Application Security... Apa yg kiteorg blajar adalah camner menggunakan Web Application Hacking simulation using WebGoat and WebScarab. Antare objektif yg perlu dicapai:-
• Describe the flaw of web application and how it is exploited.
• Exploit web application vulnerabilities.
• List prevention method that can be taken to overcome web
application vulnerabilities

Web Application Security
Web application or simply called webapp is an application that can be accessed using a web browser over a network, either the Internet or within the Local Area Network. It is developed using browser-supported language such as HTML, JavaScript, PHP, ASP
and etc. The script produced is then rendered by common web browser. Web application let user to access application or system anywhere and at any time provided the user is connected to a network connection and there is a web browser installed on the
machine. This ease of usage makes webapp popular among Internet user. Moreover the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contribute to the
popularity of the webapp. Nowadays webapp is used for accessing mail, online banking, online shopping, online reservation, wikis and many other functions.


WebGoat and WebScarab
WebGoat is a simulation toolkit used to demonstrate how we can exploit the vulnerabilities of a poorly design web application. The design of the web application in the WebGoat is deliberately designed with insecure J2EE framework so that user can understand the security issue by applying the security knowledge
they have into exploiting a real vulnerability in WebGoat application. In every scenario of the lesson, WebGoat provide hints and code to further explain the lesson. WebGoat will keep track on the progress of the user on every lesson they completed, user can see their level of competence in trying to solve every problem given in the lesson.


Web Application Hacking simulation using WebGoat and WebScarab
1. Copy the WebGoat-OWASP_Standard-5.2.zip and extract it to the C:\ drive
2. Open the C:\ WebGoat-5.2 folder and open the webgoat.bat to start the apache
tomcat J2EE

3. Open an IE 6.0 web browser or a firefox web browser and type http://localhost/WebGoat/attack

4. login as User Name: guest Password: guest

5. open webscarab-selfcontained-20070504-1631.jar
6. If the WebScarab does not open do install the JDK module (jdk-6u4-windows-i586-
p.exe) to your computer.
7. Once the WebScarab started, you should see the interface as figure below

8. Next Configure the Web browser proxy starting so that it listen to 127.0.0.1
(localhost) port 8008
9. Go to WebScarab and click on the intercept tab and enable the intercept request
checkbox but disable the intercept response checkbox. This will enable the
intercept features of the WebScarab in which it will intercept any request
signal from the web browser.

10. Close your previous web browser, open it again and type in
http://localhost/WebGoat/attack.
11. WebScarab will intercept your request to visit the website by prompting an Edit
request window as depicted in figure below. This prompted window shows the
request data that you send to the web server.

12. The text field indicated by the arrow shows the text field containing the data
you send to the web server and it can be modified.(in some of the following task
you need to modified the content of the text field to help you solve the problem
in lesson.
13. For this task do not changes the text field value just click the [Accept
changes] button to view the WebGoat main page.
14. Each time you click on a submit button or a link on the webpage, the Edit
request window will always appear, so make sure you click on Accept changes
button to view your request page display on the browser.



Getting started with WebGoat and WebScarab
1. click on [Start WebGoat]

2. Click on the Introduction | How to work with WebGoat menu.

3. Read and follow the instruction given in the WebGoat.



XSS attack
Task
1. This lesson will show you how XSS is used for phishing attack
2. Click on the Cross Site Scripting (XSS) | Phising with XSS menu.
3. Apply the script below to the text field in order to create a false login page so
that you can harvest the username and password keyed in by the user.


4. Once you hit the Search button you will see a comment page containing a place for you to login. This login page is created using the java script above.
5. Try login in with any username and password; if this is a real phishing website you would not get the prompted message on your screen but the value you supplied might be send across the world to a server that gather the login
information.
6. Next click on the Cross Site Scripting (XSS) | Reflected XSS Attacks menu.
7. In this lesson some prevention mechanism has been build in the script, some field have a validation toward the character you supplied. It will reject any tag symbol you used, however there are still some that is not protected. By using
the script below find which the text field that can be exploited using XSS attack?




Injection Flaws
Task
1. This lesson will show you how SQL Injection is applied to an application system.
2. Click on the Injection Flaws | Numeric SQL Injection menu, refer figure below

3. From the combo list choose a weather station and click the [Go!] button, (Do not
forget to click on the accept changes button of the edit request windows) you
will get the information for the country you select.
4. To apply the Injection flaws you need to choose a new country and click [Go!]
button. Before clicking the [Accept changes] button on the edit request windows,
in the [URLEncoded] tab, add the value station variable with

5. Once the value is changed, click [Accept changes] button. The entire data is
displayed on the screen. This shows that by manipulating the input field that is
not properly design we can display the entire data in the database.

6. Repeat this task on the Injection Flaws | String SQL Injection. Use the right
input for this problem and compare the result. (Hint: The input should be a
string).


Malicious File Execution
Task
1. This lesson will show you how Malicious File Execution is applied to an online application system.
2. Click on the Injection Flaws | Command Injection menu, refer figure below

3. By choosing the lesson plan to view and clicking on [View] button, user will be
shown the content of the lesson. This exercise will manipulate the input field by
adding the input with a command line instruction.
4. Select a new lesson and click [View]. Before clicking the [Accept changes] button
add the following command to your HelpFile variable value

5. Once you click the [Accept changes] button the following output will be displayed
on the screen.



Mase muler2 aku mmg xpham.. then tgk bdk2 laen wat.. so far ok laaa... buat2 ler faham.. yuhuuu.... Mcm beser siap kan review question..


alhamdulillah...


"Worry is like a rocking chair -- it gives you something to do but doesn't get you anywhere.."

dikarang oleh Azma Green

0 komplen:

Post a Comment

Subscribe to: Post Comments (Atom)
Related Posts with Thumbnails