This course will become read-only in the near future. Tell us at community.p2pu.org if that is a problem.
There are many potential vulnerabilities when it comes to web development. We'll do hand-ons exercices with some of the more popular and understand how to defend against exploits.
This will be language/framework agnostic but if code does appear it will probably be: JavaScript, Python, Java or PHP.
See the "Full Description" for the lesson plan.
Web Image: Some rights reserved by Marcelo Tourne
WEBCRAFT
Welcome to the study group where we’re going to explore some of the topics in web application security. We’re going to use the Open Web Application Security Project’s (OWASP) WebGoat tool for learning about web security. It works on multiple systems and runs using the Apache Tomcat server.
First, install the application:
https://www.owasp.org/index.php/WebGoat_Installation
There are instructions to install on OpenBSD available at: http://dhobsd.pasosdejesus.org/?id=WebGoat+in+OpenBSD; that you can check in case of trouble, however if you have problems installing, please post here or you can also ask on the WebGoat mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webgoat
Once you have OWASP WebGoat open, click “Introduction” on the left to open up the first lesson. Work through those. Please make sure and install WebScarab when you are on the “Useful Tools” lesson.
WebGoat will give you feedback when you have finished like below and with a checkmark on the left of your lesson:
Once you finished the 4 tasks under “Introduction,” continue on to “General” and do “Http Basics” and “HTTP Splitting.” Click “Lesson Plan” to see the lecture material before doing the lab.
The HTTP Splitting Lesson Plan is below and was reached by clicking "Lesson Plan" in the navigation bar:
It can occurr, when the headers of a HTTP Response can be changed by user input (for example redirecting to a URL that can be specified completelly or partially by user), he/she could insert new lines and more headers.
See also https://www.owasp.org/index.php/HTTP_Response_Splitting
To prevent it, change possible newlines in headers.
Example adapted from http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
<?php
header ("Location: " . $_GET!['page']);
?>
If this script is hrhs.php call from the browser as:
hrhs.php?page=%!0aContent-Type: text/html%0aHTTP/1.1 200 OK%!0aContent-Type: text/html%0a%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E
You can remove "\n" and "\r" from the URL:
<?php
$p = str_replace(array("\n", "\r"), array("", ""), $_GET!['page']);
header ("Location: $p");
?>
At least, PHP haredened with directive suhosin.multiheader = On in ==php.ini== is not vulnerable to this atack. With it trying to inject a new line in a header produces:
[Mon Sep 12 11:42:46 2011] [error] PHP Warning: Header may not contain more than a single header, new line detected. in /path/hrs.php on line 2
To detect this vulnerability in source of a PHP appplication, look for uses of the functios header() and find if it parameter includes variables controlled by user in any form.
By the end of this first week, you should have installed WebGoat and WebScarab. You also should have worked through the labs under “General” with Http Basics and HTTP Splitting. If you have problems with any part of the lab, please post here on this task so we can work through the solution together.
This week, let’s discuss a few things:
1) Please introduce yourself to your fellow participants. You can say as much or as little about yourself as you want, but hopefully at least what you hope to gain from the study group. Please include what your preferred language/framework is.
Would you like to meet online to discuss the week’s lesson or socialize with the rest of the group? Please feel out this doodle poll by Thursday the 22nd. http://www.doodle.com/hittwxnzxdb4atx3
2) If you have a blog that you will be posting your thoughts as you go through this semester, please post that as well. We can subscribe to it and give each other feedback there too!
3) Finally, discuss briefly your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Did you have any issues installing the tools? Was it too much or too little work? Anything to add to it to make it better for the next round of students?
4) Because WebGoat focuses on Java, let's learn how to prevent vulnerabilities in other languages. For your preferred language and/or framework, research and post how you can prevent the vulnerabilities discussed this week.
5) Anything else you’d like to discuss about this week’s lesson?
A discussion works best when there are at least two people involved so we encourage you to comment on other people’s posts!
I received some questions about installing WebScarab on Windows. I was able to install on XP using http://www.acsac.org/2007/downloads/t5-webscarab-instructions.pdf which is similar to what Vladimir said. I downloaded the jar and double-clicked to install. I already had Java set up though on that machine.
If anyone is having problems installing, please post here so we can work through it :)
If you want to compile WebScarab from the sources of the GIT repository, first install git, JDK and ant. In OpenBSD you would run:
sudo pkg_add jdk git apache-ant
After that clone the repository with:
cd ~/w git clone git://dawes.za.net/webscarab.git/
Then compile with ant:
cd webscarab ant build
This will create the JAR file in the same directory, where you can run as described in may previous comment.
The easiest way to begin with WebScarab is by downloading the JAR avaialable at: http://dawes.za.net/rogan/webscarab/#current
In the moment of this writing it is: http://dawes.za.net/rogan/webscarab/webscarab-one-20110329-1330.jar
Since WebScarab was developed in Java, you also need a JRE or a JDK, you can download from one of them from http://www.oracle.com/technetwork/java/javase/downloads/index.html In the case of OpenBSD you can install JDK with: sudo pkg_add jdk
After installing in Windows possibly you just need to double-click on the JAR file of WebScarab, or in OpenBSD from the command line:
export JAVA_HOME=/usr/local/jdk-1.7.0 /usr/local/jdk-1.7.0/bin/java -jar ./webscarab-one-20110329-1330.jar