Tips for an Information Security Analyst/Pentester career - Episode 8: WebGoat

DISCLAIMER: Hacking techniques explained here have been performed against a deliberately vulnerable web application running locally in a virtual machine. WebGoat is an educational tool designed to explain security flaws and show how to remediate them.
I'm not responsible for any unlawful activity performed by using this tool and said techniques in an unintended and illegal way whatsoever. You can get caught and go to jail, so you've been warned!!

In this episode, I'm going through a short overview of WebGoat, a deliberately vulnerable Web application created to practice web hacking.

You can learn a lot of stuff with this tool and, in fact, a thorough analysis of it would go beyond the scope of this post. 

So, I'm going to show only some hacks and will leave the outstanding ones to you as an exercise.

I'm going to use WebGoat as a vulnerable app and Burp Suite to intercept and manipulate HTTP requests, performing a man-in-the-middle attack and/or a session hijack attack.


I used WebGoat 5.3 for this post. 

WebGoat comes with a zip file. 

Once uncompressed, you'll need to launch either of the batch files you find in its folder (for Windows) or the bash script (for UNIX/Linux).

The webgoat_8080.bat file launches WebGoat on port 8080; that's the only difference from webgoat.bat.

Once the Tomcat server is running, you can access WebGoat at http://localhost/WebGoat/attack

In this case, for us to work with Burp Suite, we need to change this URL as follows: http://localhost./WebGoat/attack (thanks to shikataganai for this tip).

a) Multilevel Login 2

This is an example of a vulnerable two-factor authentication method.

In this case, we have a valid account in this company (so we can say this is a malicious insider case, too) and we're given credentials for user Joe. Our goal here is to trick the system and log in as Jane.

So let's first log in with the credentials we are given. After a successful login, we're asked to enter the second PIN number in the above list.

After entering the PIN, we intercept the POST request with Burp Suite and we note a field saying hidden_user=Joe.

By changing the parameter from Joe to Jane and forwarding the POST request, we're able to trick the system. Yay!
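The flaw and its fix, as an added example that is not WebGoat's code or part of the original post: the vulnerable second step takes the identity from the hidden_user field, while the hardened one takes it only from server-side session state. The account data, TAN values and function names are constructed for illustration.

```python
# Added example: constructed accounts and TAN lists, not WebGoat's data or code.
import hmac

USERS = {
    "Joe":  {"password": "joe-pw",  "tans": ["15648", "92156", "4879"]},
    "Jane": {"password": "jane-pw", "tans": ["33210", "70412", "5518"]},
}

def step1_login(session, user, password):
    """First factor: on success, remember the user in server-side session state."""
    account = USERS.get(user)
    if account and hmac.compare_digest(account["password"], password):
        session["pending_user"] = user
        session["tan_index"] = 1          # server asks for the second TAN
        return True
    return False

def step2_vulnerable(session, form):
    """Checks the TAN, then trusts the identity sent back by the browser."""
    expected = USERS[session["pending_user"]]["tans"][session["tan_index"]]
    if hmac.compare_digest(expected, form.get("tan", "")):
        return form["hidden_user"]        # flaw: client-controlled identity
    return None

def step2_hardened(session, form):
    """Identity comes only from the session; a mismatching field is rejected."""
    user = session.get("pending_user")
    if user is None:
        return None
    claimed = form.get("hidden_user")
    if claimed is not None and claimed != user:
        return None                       # tampering signal: log and alert here
    expected = USERS[user]["tans"][session["tan_index"]]
    if hmac.compare_digest(expected, form.get("tan", "")):
        session["user"] = session.pop("pending_user")
        return session["user"]
    return None

def demo():
    """Replay the tampered request from the lesson against both handlers."""
    session = {}
    step1_login(session, "Joe", "joe-pw")
    tampered = {"tan": "92156", "hidden_user": "Jane"}   # field edited in a proxy
    return (step2_vulnerable(dict(session), tampered),
            step2_hardened(dict(session), tampered))
```
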

b) Forgot password

This lesson exploits password recovery techniques.

We're given a username (webgoat) and his/her favorite color (red). We need to trick this recovery system in order to grab the password of another user.

So we'll start by entering the webgoat username provided, then we intercept the POST request with Burp Suite and change the username to admin; it successfully goes through (see embedded video for more details).

Afterward, we enter the favorite color for webgoat (red) and we intercept the POST request once again. By changing the color to green, we're able to achieve our goal.

c) Shopping cart concurrency flaw

In this case, we exploit a concurrency issue: if we have two identical tabs open, purchase an item in one tab and then switch to the other tab, we can end up purchasing the more expensive item at the cheapest price.

Let's see this in detail.

Let's start by purchasing the first item in the list (the cheapest one) and clicking Purchase. A variable is created in memory for this.

In the other identical tab, this purchase isn't listed yet.

At this point, we can purchase the most expensive item in the list and click Update Cart.

Going back to the first tab, if we click Confirm, we trick the system.

This demonstration confirms the importance of having both client-side and server-side authentication, because either one would have stopped the attack.
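A model of this flow, as an added example that is not WebGoat's code: the total quoted at Purchase is cached in the session, a second tab changes the cart, and Confirm either charges the stale total or re-checks the cart first. The catalogue, prices and function names are constructed.

```python
# Added example: constructed catalogue and session model, not WebGoat's code.
import hashlib
import json

CATALOGUE = {"sticker": 5_00, "laptop": 1799_00}   # prices in cents (constructed)

def cart_total(cart):
    return sum(CATALOGUE[item] * qty for item, qty in cart.items())

def cart_digest(cart):
    """Stable fingerprint of the cart contents."""
    return hashlib.sha256(json.dumps(cart, sort_keys=True).encode()).hexdigest()

def update_cart(session, cart):
    """Update Cart: both tabs write to the same server-side session."""
    session["cart"] = dict(cart)

def purchase(session):
    """Purchase: the total shown to the user is cached in the session."""
    session["quoted_total"] = cart_total(session["cart"])
    session["quoted_digest"] = cart_digest(session["cart"])

def confirm_vulnerable(session):
    """Charges the cached total but ships whatever the cart holds now."""
    return {"charged": session["quoted_total"], "shipped": dict(session["cart"])}

def confirm_hardened(session):
    """Refuses to confirm if the cart is no longer the one that was quoted."""
    cart = session["cart"]
    if cart_digest(cart) != session.get("quoted_digest"):
        return {"error": "cart changed since quote", "charged": 0, "shipped": {}}
    return {"charged": cart_total(cart), "shipped": dict(cart)}

def demo():
    """Replay the two-tab sequence from the lesson against both handlers."""
    session = {}
    update_cart(session, {"sticker": 1})
    purchase(session)                      # tab 1: quote for the cheap item
    update_cart(session, {"laptop": 1})    # tab 2: same session, different cart
    return confirm_vulnerable(session), confirm_hardened(session)
```
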

d) Exploit hidden fields

In this case, we try exploiting a flaw in the page. If we enter 1 in the Quantity field and click UpdateCart, we can intercept the request with Burp Suite and change the value for the price field.

At this point, I change it to $0.00 and forward the POST request, so we can have a free HDTV. 

Not bad, right?

e) WebGoat Miles Reward Program 

We're given access to three items out of five and our goal is to grab all of them.

We select the items we can legitimately grab, given our current points, and click Submit.

Intercepting the packets with Burp Suite, we notice each item is assigned an ID (1001, etc.).

If we add two more items and forward the request, we're good to go, yay!!

f) JSON injection

We're traveling and we need to grab the best flight from Boston to Seattle.

The cheapest one has two stops while the most expensive one is a direct flight. We want the direct flight at a cheaper price.

We buy the most expensive one and click Submit.
We intercept the request and we change the value from $600 to $100 (the trailing %24 is a web parameter).

After forwarding these packets, we achieve another goal.
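The server-side control missing from both the hidden-fields lesson (d) and this one, as an added example that is not WebGoat's code: the handler prices the order from its own catalogue and uses the client-sent price only as a tamper signal. The field names (item, qty, price), item IDs and catalogue values are constructed.

```python
# Added example: constructed catalogue, field names and request bodies.
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

CATALOGUE = {"hdtv-56": Decimal("2999.99"), "bos-sea-direct": Decimal("600.00")}

def parse_money(text):
    """Parse a client-sent amount such as '$600'; used for comparison only."""
    try:
        return Decimal(text.strip().lstrip("$"))
    except InvalidOperation:
        return None

def price_order(raw_body):
    """Price an order from the catalogue; the client's price is untrusted."""
    form = {k: v[0] for k, v in parse_qs(raw_body).items()}   # %24 decodes to '$'
    item = form.get("item")
    if item not in CATALOGUE:
        return {"ok": False, "reason": "unknown item"}
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return {"ok": False, "reason": "bad quantity"}
    if not 1 <= qty <= 10:
        return {"ok": False, "reason": "bad quantity"}
    total = CATALOGUE[item] * qty                 # authoritative, server-side
    claimed = parse_money(form.get("price", ""))
    # A client price that disagrees with the catalogue never changes the
    # charge; it is only surfaced so the request can be logged and reviewed.
    tampered = claimed is not None and claimed != CATALOGUE[item]
    return {"ok": True, "total": total, "tamper_alert": tampered}
```
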

g) Silent transaction attacks

In this case we have a money transfer page. The goal is to bypass the user's authorization and get the transaction to be silently executed.

Once again, no server-side authentication is in place.

h) Dangerous use of eval

In this case, we need to insert a script in an input field. We found the 3-digit access code was vulnerable.

i) Stored Cross-site scripting 

We perform a similar attack, which succeeds easily.

For more details about other cross-site scripting attacks, view the embedded video.


WebGoat is a very vulnerable Web application and is very helpful in learning web hacking.

It's an example of how you should NOT set up a website, so it can be the ideal test-bed for understanding application hardening and best practices.

I don't find it extremely valuable in understanding how to attack real-world targets but, heck, each one of us has to start somewhere, so why not?


