WEBGOAT and the Pantera Web Assessment Studio Project · 2020-06-13 · Pantera WASP, what is it ?
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP Belgium Chapter
http://www.owasp.org/
WEBGOAT and the Pantera Web Assessment Studio Project
Philippe Bogaerts
OWASP AppSec Europe 2006 2
Introduction
- During the day
  - Coming soon … I hope :-)
- During the night
  - Independent trainer and consultant
  - Trying to acquire a good understanding of
    - network security
    - web application, web services and XML security
    - Pen-testing
mailto:[email protected]
http://www.radarhack.com
Why am I here ?
- A fascination for security…
- I like learning and exploring new things…
- Continuous education and awareness today is a must and must be kept big fun…
- … and this resulted in writing a paper called “Getting started with OWASP WebGoat 4 and SOAPUI.”
  (The paper is available at http://www.radarhack.com)
- … and thanks to Erwin Geirnaert from http://www.zionsecurity.com for reviewing the paper.
What is the paper about ?
- Explain in a simple and easy way what SOAP and web services are about.
- A unique opportunity to use WebGoat 4.0 for what it is intended to do: education and awareness
- The paper is about how a web service can be exploited via simple and freely available invocation tools.
Part 1: WebGoat
WebGoat
- WebGoat is a deliberately insecure J2EE web application maintained by OWASP
- Designed to teach web application security
- … but also useful to test security products
  - IPS, Firewalls, Web Application Firewalls …
    - … against OWASP top 10 promise
    - … against XML and AJAX security threats
- Who already played around with WebGoat ?
WebGoat versions
- Release Quality Projects
- Current stable version: 4.0
  - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
- A promising version 5.0 will be available 01/2007.
  - Release candidate 1 is available since 17/01/2007
Installing WebGoat
- Download available via OWASP project pages
- Windows and Unix/Linux versions
- Today we are using
  - Windows_WebGoat-4.0_Release.zip
  - Windows_WebGoat-5.0-RC1_Release.zip
- Just unzip the archive and click webgoat.bat
  - Some pitfalls
    - Make sure other web servers are stopped
    - Skype for some reason dares to use port 80
    - Verify with “netstat -an” port 80 is not used
Connecting the first time
- http://webgoat_server/WebGoat/attack
- login with usn:guest and pwd:guest
Configuration tuning
- …Windows_WebGoat-4.0_Release\tomcat\conf\server.xml
  - Port numbers of the web server
- …Windows_WebGoat-4.0_Release\tomcat\conf\tomcat-users.xml
  - Tomcat usernames, passwords and role
WebGoat V4
- A set of lessons and exercises to learn about basic and advanced web application security issues.
  - Coverage OWASP TOP 10
  - … and more
WebGoat is a training tool
- Tools to assist
  - Hints
    - Starting tips up to the solutions of the problem
    - Scroll through the hints.
  - Show Cookies
  - Show Java
  - Show Params
  - Report Card
Example 1
- Code Quality
  - Look in the source code
  - Use WebScarab !!!
    - Fragments module
Example 2
- Stored XSS
Example 3
- Exploiting Hidden Fields
  - Web Developer plug-in Firefox
Example 4
- Exploiting Web Services with SQL Injection
  - WebScarab
WebGoat V5 (rc1)
- What's new ?
  - More XSS
    - Forced Browsing
    - How to Perform CSRF
  - More on SQL Injection
    - Blind SQL Injection
    - XPATH Injection
  - Web Services
    - SAX parser injection
  - AJAX security lessons
  - … and much more
Example 5
- Web Service SAX injection
Part 2: Pantera Web Assessment Studio Project
Pantera WASP, what is it ?
- “The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.”
- penetration testing facilitation
  - Project management
  - Data mining
- Beta Status Project
Pantera
- (local) proxy
  - monitors and intercepts web traffic
  - Traffic is analyzed/modified by Pantera Passive Analyzer Plugins (PPA)
- Web based management interface
  - Project management
  - Notes
How to install ?
- Pantera is available via the OWASP project pages on http://www.owasp.org
  - Current version 0.1.2
- Install the correct versions of the required software.
  - Python, MySQL, pyOpenSSL, Formbuild…
Install problems
- Installation is difficult, but it works and is well described
  - Read the INSTALL.TXT
  - Very good step by step installation instructions
- Problems ?
  - Contact the mailing list
    - VERY good response.
    - Subscribe via the project page
Starting Pantera
- python pantera.py
Managing Pantera
- Point your browser to the Pantera proxy instance at 127.0.0.1:8080
- Browse to http://pantera
Create a project
PPA plug-in
- PPA plug-ins are used to analyze PASSIVELY all web traffic for
  - Authentication
  - Vulnerabilities
  - Comments
  - …
- File -> Configuration
- Results are shown in Tools -> PPA Analysis summary
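An added sketch of the passive-analysis idea on this slide (not Pantera's code or its plug-in API): it reads one already-captured HTTP response and reports comments, authentication indicators, hidden fields and cookie flags without sending any request. The function and class names, the finding categories and the sample response are assumptions constructed for illustration.

```python
from email.parser import Parser
from html.parser import HTMLParser

# Constructed sample of one proxied response (not captured from WebGoat or Pantera).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html><body><!-- TODO: remove test account before release -->\n"
    "<form action='/login' method='post'>\n"
    "<input type='password' name='pass'>\n"
    "<input type='hidden' name='price' value='2999'>\n"
    "</form></body></html>"
)

class BodyScan(HTMLParser):
    """Collects HTML comments and security-relevant form inputs."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_comment(self, data):
        self.findings.append(("comment", data.strip()))
    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        kind = (a.get("type") or "text").lower()
        if kind == "password":
            self.findings.append(("authentication", "password field '%s'" % a.get("name")))
        elif kind == "hidden":
            self.findings.append(("hidden-field", "%s=%s" % (a.get("name"), a.get("value"))))

def analyze_response(raw):
    """Passively inspect one raw HTTP response; return (category, detail) tuples."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []
    if status_line.split()[1] == "401" or headers.get("WWW-Authenticate"):
        findings.append(("authentication", "HTTP auth challenge"))
    for cookie in headers.get_all("Set-Cookie", []):
        # Everything after the first ';' is a cookie attribute such as Path or HttpOnly.
        flags = [p.strip().lower() for p in cookie.split(";")[1:]]
        missing = [f for f in ("httponly", "secure") if f not in flags]
        if missing:
            findings.append(("cookie", cookie.split("=")[0] + " missing " + ",".join(missing)))
    scan = BodyScan()
    scan.feed(body)
    return findings + scan.findings
```
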
Pantera Passive Analysis Summary
Tools
- Stats and Data Mining
- Interceptor, Replacer, Suppress Headers
- Session Trace and HTTP Editor
- Utilities
  - En/decode, Hashing...
- Demo
Thank You