Introduction, Tools, and HTTP Basics [Sept. 20, 2011, 7:47 a.m.]
1. Lecture
Welcome to the study group where we’re going to explore some of the topics in web application security. We’re going to use the Open Web Application Security Project’s (OWASP) WebGoat tool for learning about web security. It works on multiple systems and runs using the Apache Tomcat server.
1.1 Tools and Tasks with WebGoat
First, install the application:
https://www.owasp.org/index.php/WebGoat_Installation
Instructions for installing on OpenBSD are available at http://dhobsd.pasosdejesus.org/?id=WebGoat+in+OpenBSD; check them in case of trouble. If you still have problems installing, please post here, or ask on the WebGoat mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webgoat
Once you have OWASP WebGoat open, click “Introduction” on the left to open up the first lesson. Work through those. Please make sure to install WebScarab when you are on the “Useful Tools” lesson.
When you have finished a lesson, WebGoat gives you feedback and shows a checkmark to the left of the lesson.
Once you have finished the 4 tasks under “Introduction,” continue on to “General” and do “Http Basics” and “HTTP Splitting.” Click “Lesson Plan” to see the lecture material before doing the lab.
The HTTP Splitting Lesson Plan is below and was reached by clicking "Lesson Plan" in the navigation bar:
1.2 Preventing HTTP Response Header Splitting
It can occur when the headers of an HTTP response can be changed by user input (for example, a redirect to a URL that the user can specify completely or partially): the user could insert new lines and more headers.
See also https://www.owasp.org/index.php/HTTP_Response_Splitting
To prevent it, replace or remove any newlines in values that go into headers.
1.2.1 Example in PHP and how to prevent and to detect it
Example adapted from http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
<?php header ("Location: " . $_GET['page']); ?>
Suppose this script is saved as hrhs.php and is called from the browser as:
hrhs.php?page=%0aContent-Type: text/html%0aHTTP/1.1 200 OK%0aContent-Type: text/html%0a%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E
You can remove "\n" and "\r" from the URL:
$p = str_replace(array("\n", "\r"), array("", ""), $_GET['page']);
header ("Location: $p");
At least, PHP hardened with the directive suhosin.multiheader = On in php.ini is not vulnerable to this attack. With it, trying to inject a new line in a header produces:
[Mon Sep 12 11:42:46 2011] [error] PHP Warning: Header may not contain more than a single header, new line detected. in /path/hrs.php on line 2
To detect this vulnerability in the source of a PHP application, look for uses of the function header() and check whether its parameter includes variables controlled by the user in any form.
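The detection step described above can be automated as a first pass. The following Python scanner is an added example, not part of the WebGoat lesson or the original page: it flags header() calls whose argument contains a request superglobal or a variable assigned from one, and treats the str_replace() fix shown earlier as a sanitizer. The superglobal list, the function names and the sample PHP are assumptions made for illustration, and the regex matching is a heuristic for a single file, not a PHP parser.

```python
import re

# Request-derived superglobals treated as user-controlled (assumed list).
SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
VAR = re.compile(r"\$\w+")
# One statement at a time: a variable assignment or a header() call.
STMT = re.compile(
    r"(?P<var>\$\w+)\s*=(?!=)\s*(?P<rhs>[^;]+);"
    r"|(?<![\w$>:])header\s*\((?P<arg>[^;]*)\)\s*;"
)

def strips_newlines(expr):
    """Recognise the page's fix: a str_replace() call naming both CR and LF."""
    return "str_replace" in expr and r'"\n"' in expr and r'"\r"' in expr

def find_tainted_header_calls(php_source):
    """Return (line, argument) for each header() call fed by user input."""
    tainted, findings = set(), []

    def is_tainted(expr):
        return bool(SOURCE.search(expr)) or any(
            v in tainted for v in VAR.findall(expr))

    for m in STMT.finditer(php_source):
        if m.group("var"):
            # Assignment: propagate or clear taint on the target variable.
            rhs = m.group("rhs")
            if is_tainted(rhs) and not strips_newlines(rhs):
                tainted.add(m.group("var"))
            else:
                tainted.discard(m.group("var"))
        elif is_tainted(m.group("arg")) and not strips_newlines(m.group("arg")):
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group("arg").strip()))
    return findings

# Constructed sample: the page's vulnerable and fixed snippets plus two more.
SAMPLE = r'''<?php
header("Location: " . $_GET['page']);
$p = str_replace(array("\n", "\r"), array("", ""), $_GET['page']);
header("Location: $p");
$lang = $_COOKIE['lang'];
header("Content-Language: " . $lang);
header("Cache-Control: no-store");
'''

if __name__ == "__main__":
    for line, arg in find_tainted_header_calls(SAMPLE):
        print(f"line {line}: review header({arg})")
```

Every hit still needs manual review, because the scanner does not follow includes, function calls or other sanitizers.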
2. Lab
By the end of this first week, you should have installed WebGoat and WebScarab. You also should have worked through the labs under “General” with Http Basics and HTTP Splitting. If you have problems with any part of the lab, please post here on this task so we can work through the solution together.
3. Discuss
This week, let’s discuss a few things:
1) Please introduce yourself to your fellow participants. You can say as much or as little about yourself as you want, but hopefully at least what you hope to gain from the study group. Please include what your preferred language/framework is.
Would you like to meet online to discuss the week’s lesson or socialize with the rest of the group? Please fill out this doodle poll by Thursday the 22nd. http://www.doodle.com/hittwxnzxdb4atx3
2) If you have a blog where you will be posting your thoughts as you go through this semester, please post that as well. We can subscribe to it and give each other feedback there too!
3) Finally, discuss briefly your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Did you have any issues installing the tools? Was it too much or too little work? Anything to add to it to make it better for the next round of students?
4) Because WebGoat focuses on Java, let's learn how to prevent vulnerabilities in other languages. For your preferred language and/or framework, research and post how you can prevent the vulnerabilities discussed this week.
5) Anything else you’d like to discuss about this week’s lesson?
A discussion works best when there are at least two people involved so we encourage you to comment on other people’s posts!