
Introduction, Tools, and HTTP Basics


1. Lecture

Welcome to the study group where we’re going to explore some of the topics in web application security. We’re going to use the Open Web Application Security Project’s (OWASP) WebGoat tool for learning about web security. It works on multiple systems and runs using the Apache Tomcat server.

1.1 Tools and Tasks with WebGoat

First, install the application:
https://www.owasp.org/index.php/WebGoat_Installation

There are instructions to install on OpenBSD available at http://dhobsd.pasosdejesus.org/?id=WebGoat+in+OpenBSD, which you can check in case of trouble. If you still have problems installing, please post here, or ask on the WebGoat mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webgoat

Once you have OWASP WebGoat open, click “Introduction” on the left to open up the first lesson. Work through those. Please make sure to install WebScarab when you are on the “Useful Tools” lesson.

WebGoat will give you feedback when you have finished a lesson, like below, and will place a checkmark on the left of that lesson:

Success with WebGoat

Once you have finished the 4 tasks under “Introduction,” continue on to “General” and do “Http Basics” and “HTTP Splitting.” Click “Lesson Plan” to see the lecture material before doing the lab.

The HTTP Splitting Lesson Plan is below and was reached by clicking "Lesson Plan" in the navigation bar:

Splitting Lesson Plan
 

1.2 Preventing HTTP Response Header Splitting

It can occur when the headers of an HTTP response can be changed by user input (for example, a redirect to a URL that is specified completely or partially by the user): the user could insert new lines and, with them, additional headers.

See also
https://www.owasp.org/index.php/HTTP_Response_Splitting

To prevent it, strip (or reject) any newline characters in values that end up in headers.

1.2.1 Example in PHP, and how to prevent and detect it

Example adapted from http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
 

<?php
  // Vulnerable: the user-supplied value is written into a header unchanged.
  header ("Location: " . $_GET['page']);
?>


If this script is hrhs.php and it is called from the browser as:
 

hrhs.php?page=%0aContent-Type: text/html%0aHTTP/1.1 200 OK%0aContent-Type: text/html%0a%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E


You can remove "\n" and "\r" from the value taken from the URL:

<?php
  // Remove CR and LF before the value reaches the header.
  $p = str_replace(array("\n", "\r"), array("", ""), $_GET['page']);
  header ("Location: $p");
?>

 

At least, PHP hardened with the directive suhosin.multiheader = On in php.ini is not vulnerable to this attack. With that setting, trying to inject a new line into a header produces:

[Mon Sep 12 11:42:46 2011] [error] PHP Warning:  Header may not contain more
than a single header, new line detected. in /path/hrs.php on line 2
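As an added example (not code from the page or from WebGoat), the following Python models the vulnerable and the fixed script above and shows the difference on the wire: the unsanitised value turns one redirect into two HTTP messages, the page's str_replace() approach collapses it back into one, and a stricter variant refuses the value outright. The header template and the rejecting variant are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed parameter: the page's payload after URL decoding, which is
# what PHP puts in $_GET['page'].
PAYLOAD = unquote(
    "%0aContent-Type: text/html%0aHTTP/1.1 200 OK%0aContent-Type: text/html"
    "%0a%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E"
)


def build_redirect_vulnerable(page: str) -> str:
    """Model of header("Location: " . $_GET['page']) with no checks:
    the value is pasted into the header line as-is."""
    return f"HTTP/1.1 302 Found\r\nLocation: {page}\r\nContent-Length: 0\r\n\r\n"


def strip_newlines(page: str) -> str:
    """The page's str_replace() fix: drop CR and LF from the value."""
    return page.replace("\r", "").replace("\n", "")


def build_redirect_hardened(page: str) -> str:
    """Stricter variant (assumed here): refuse the value instead of silently
    rewriting it, so an attempted injection becomes an error you can log."""
    if "\r" in page or "\n" in page:
        raise ValueError("CR/LF not allowed in a header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {page}\r\nContent-Length: 0\r\n\r\n"


def count_status_lines(raw: str) -> int:
    """Number of HTTP status lines at line starts; more than one means the
    single response has been split into several."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3}", raw, flags=re.MULTILINE))


if __name__ == "__main__":
    print(count_status_lines(build_redirect_vulnerable(PAYLOAD)))                  # 2
    print(count_status_lines(build_redirect_vulnerable(strip_newlines(PAYLOAD))))  # 1
    try:
        build_redirect_hardened(PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```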

 

To detect this vulnerability in the source of a PHP application, look for uses of the function header() and check whether its parameter includes variables controlled by the user in any form.
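As an added example (not from the page), the rule just stated as a small Python scan over a constructed PHP fragment: it reports every header() call whose argument names a request superglobal or a variable that was assigned from one earlier in the file. Sanitised variables are reported too, on purpose; the scan produces review candidates and a person decides whether the sanitisation is adequate. The sample PHP and the regular expressions are assumptions of this example.

```python
import re

# Constructed PHP fragment for the demo; not taken from any real application.
SAMPLE_PHP = r'''<?php
header("Location: " . $_GET['page']);
$p = str_replace(array("\n", "\r"), array("", ""), $_GET['page']);
header("Location: $p");
header("X-Frame-Options: DENY");
$target = $_REQUEST['next'];
header("Location: $target");
'''

# PHP superglobals that carry data the client controls.
TAINT_SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
HEADER_CALL = re.compile(r"\bheader\s*\(")
ASSIGNMENT = re.compile(r"^\s*\$(\w+)\s*=[^=]")


def find_header_sinks(source: str) -> list:
    """Return (line_no, text) for each header() call whose argument mentions a
    superglobal or a variable assigned from one earlier in the file."""
    tainted = set()      # variable names that received request data
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        uses_taint = bool(TAINT_SOURCES.search(line)) or any(
            re.search(rf"\${v}\b", line) for v in tainted)
        m = ASSIGNMENT.match(line)
        if m and uses_taint:
            tainted.add(m.group(1))   # taint propagates through assignment
        if HEADER_CALL.search(line) and uses_taint:
            findings.append((no, line.strip()))
    return findings


if __name__ == "__main__":
    for no, text in find_header_sinks(SAMPLE_PHP):
        print(f"line {no}: {text}")
```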
 

2. Lab

By the end of this first week, you should have installed WebGoat and WebScarab. You also should have worked through the labs under “General” with Http Basics and HTTP Splitting. If you have problems with any part of the lab, please post here on this task so we can work through the solution together.
 

3. Discuss

This week, let’s discuss a few things:

1) Please introduce yourself to your fellow participants. You can say as much or as little about yourself as you want, but hopefully at least what you hope to gain from the study group. Please include what your preferred language/framework is.

Would you like to meet online to discuss the week’s lesson or socialize with the rest of the group? Please fill out this doodle poll by Thursday the 22nd.
http://www.doodle.com/hittwxnzxdb4atx3

2) If you have a blog that you will be posting your thoughts as you go through this semester, please post that as well. We can subscribe to it and give each other feedback there too!

3) Finally, discuss briefly your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Did you have any issues installing the tools? Was it too much or too little work? Anything to add to it to make it better for the next round of students?

4) Because WebGoat focuses on Java, let's learn how to prevent vulnerabilities in other languages. For your preferred language and/or framework, research and post how you can prevent the vulnerabilities discussed this week.

5) Anything else you’d like to discuss about this week’s lesson?

A discussion works best when there are at least two people involved so we encourage you to comment on other people’s posts!

Task Discussion


  • Jessica Ledbetter   Sept. 25, 2011, 10:05 p.m.

    I received some questions about installing WebScarab on Windows. I was able to install on XP using http://www.acsac.org/2007/downloads/t5-webscarab-instructions.pdf which is similar to what Vladimir said. I downloaded the jar and double-clicked to install. I already had Java set up though on that machine.

    If anyone is having problems installing, please post here so we can work through it :)

  • Vladimir Támara Patiño   Sept. 24, 2011, 8:08 p.m.

    If you want to compile WebScarab from the sources of the GIT repository, first install git, JDK and ant.  In OpenBSD you would run:

    sudo pkg_add jdk git apache-ant
    

    After that clone the repository with:

    cd ~/w
    git clone git://dawes.za.net/webscarab.git/
    

    Then compile with ant:

    cd webscarab
    ant build
    

    This will create the JAR file in the same directory, which you can run as described in my previous comment.
     

  • Vladimir Támara Patiño   Sept. 24, 2011, 11:23 a.m.

    The easiest way to begin with WebScarab is by downloading the JAR available at: http://dawes.za.net/rogan/webscarab/#current

    At the moment of this writing it is: http://dawes.za.net/rogan/webscarab/webscarab-one-20110329-1330.jar

    Since WebScarab was developed in Java, you also need a JRE or a JDK; you can download one of them from http://www.oracle.com/technetwork/java/javase/downloads/index.html  In the case of OpenBSD you can install the JDK with: sudo pkg_add jdk

    After installing in Windows possibly you just need to double-click on the JAR file of WebScarab, or in OpenBSD from the command line:

    export JAVA_HOME=/usr/local/jdk-1.7.0
    /usr/local/jdk-1.7.0/bin/java -jar ./webscarab-one-20110329-1330.jar