Practical Web Application Vulnerability Assessment Solutions

Foreword

...

Copyright

This work is Copyright © 2005, 2006, 2007 Michael Boman. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. Due to restrictions of LuLu's print-on-demand services you are required to re-assign the copyright of any modifications of this page to me so a hard copy of the material can be offered. Contributors will be listed as co-authors.

Exercise Solutions

Exercise Solution : HTTP Basics

  1. Go to “General -> Http Basics” in WebGoat
  2. Enter your name
  3. Set Paros to intercept requests and responses
  4. Click the “Go” Button
  5. Inspect the request data (Header, Body, Cookies etc)
  6. Press “Continue” to forward the request to the web server
  7. Inspect the response data (Header, Body, Cookies etc)
  8. Press “Continue” to forward the response to the browser

Exercise Solution : Input Validation

Hidden fields modification

  1. Go to “Unvalidated Parameters -> Hidden Field Tampering”
  2. Choose how many HDTV sets you want to buy and click the “Purchase” button
  3. Intercept the request and change the “Price” parameter to something else (example: 1)
  4. Forward the modified request to the server and inspect the resulting web page
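The exercise above works because the server trusts a price that the browser sends back in a hidden field. The following added example (written for this page, not code from WebGoat) contrasts that pattern with a server-side lookup, and adds a detection check that flags requests whose hidden “Price” disagrees with the catalogue. The catalogue contents, the SKU and QTY parameter names and the quantity limit are assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue standing in for the server's own price list.
# Assumption: products are keyed by a SKU parameter that the form also carries.
CATALOGUE = {"HDTV-42": Decimal("2999.00")}

MAX_QTY = 100  # assumed business limit for a single order


def total_trusting_form(form: dict) -> Decimal:
    """Vulnerable pattern: the unit price is read straight from the
    client-controlled hidden field, so whatever the proxy sent wins."""
    return Decimal(form["Price"]) * int(form["QTY"])


def total_from_catalogue(form: dict) -> Decimal:
    """Hardened pattern: only the SKU and quantity are taken from the form.
    The price is resolved server-side; a submitted Price field is ignored."""
    sku = form.get("SKU")
    if sku not in CATALOGUE:
        raise ValueError("unknown SKU")
    try:
        qty = int(form.get("QTY", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def tampering_detected(form: dict) -> bool:
    """Detection aid: if the form still carries a Price field, compare it with
    the authoritative value. A mismatch (or an unparsable value) is worth
    logging, because a normal browser never changes a hidden field."""
    submitted = form.get("Price")
    if submitted is None:
        return False
    try:
        return Decimal(submitted) != CATALOGUE[form["SKU"]]
    except (InvalidOperation, KeyError):
        return True


if __name__ == "__main__":
    # Constructed request bodies: one untouched, one edited in the proxy.
    honest = {"SKU": "HDTV-42", "QTY": "1", "Price": "2999.00"}
    tampered = {"SKU": "HDTV-42", "QTY": "1", "Price": "1"}
    for form in (honest, tampered):
        print(form["Price"], total_trusting_form(form),
              total_from_catalogue(form), tampering_detected(form))
```

The trusting version charges 1 for the tampered request while the catalogue version still charges 2999.00; keeping the comparison as a logged signal lets the application notice the tampering attempt instead of silently correcting it.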

Unchecked email #1

  1. Go to “Unvalidated Parameters -> Unchecked Email”
  2. In “Questions or Comments:” box, enter a Cross Site Scripting test string (example: <script>alert("XSS");</script>)
  3. Click the “Send” button
  4. Inspect the resulting page

Unchecked email #2

  1. Go to “Unvalidated Parameters -> Unchecked Email”
  2. In “Questions or Comments:” box, enter a message (example: Hello World!)
  3. Click the “Send” button
  4. Intercept the request and modify the “to” parameter to something else (example: victim@example.com)
  5. Forward the modified request to the web server
  6. Inspect the resulting web page
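Both “Unchecked email” exercises hinge on the same two server-side omissions: the comment is echoed back without output encoding, and the recipient is taken from a request parameter. The added example below (written for this page, not code from WebGoat) builds the outgoing message the vulnerable way and the hardened way side by side. The recipient allow-list and the `msg` form key are assumptions; the `to` parameter name and the test strings come from the exercises above.

```python
import html

# Constructed allow-list: the only addresses a contact form may ever target.
# Assumption: a real deployment would load this from server-side configuration.
ALLOWED_RECIPIENTS = {"webgoat-support@example.com"}

DEFAULT_RECIPIENT = "webgoat-support@example.com"


def build_message_unchecked(form: dict) -> dict:
    """Vulnerable pattern: honours whatever 'to' the client sent and reuses
    the raw comment in the HTML confirmation page."""
    return {"to": form["to"], "page_html": "<p>" + form["msg"] + "</p>"}


def build_message_checked(form: dict) -> dict:
    """Hardened pattern: the recipient must be on the allow-list (or the form
    does not get to choose one at all), and the comment is HTML-escaped
    before it is placed back into a page."""
    to = form.get("to", DEFAULT_RECIPIENT)
    if to not in ALLOWED_RECIPIENTS:
        raise ValueError("recipient not permitted")
    comment = form.get("msg", "")
    if not comment.strip():
        raise ValueError("empty message")
    # quote=True also escapes " and ', so the text is safe inside attributes too.
    safe = html.escape(comment, quote=True)
    return {"to": to, "page_html": "<p>" + safe + "</p>"}


if __name__ == "__main__":
    # Constructed requests mirroring exercises #1 and #2.
    xss = {"to": DEFAULT_RECIPIENT, "msg": '<script>alert("XSS");</script>'}
    redirected = {"to": "victim@example.com", "msg": "Hello World!"}
    print(build_message_unchecked(xss)["page_html"])
    print(build_message_checked(xss)["page_html"])
    try:
        build_message_checked(redirected)
    except ValueError as exc:
        print("rejected:", exc)
```

Escaping at the point where the comment is written into HTML is what neutralises the test string from exercise #1; the allow-list is what stops the modified `to` parameter from exercise #2 from turning the form into an open mail relay.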

Exercise Solution : Source Code Hints

  1. Go to “Code Quality -> HTML Clues” in WebGoat
  2. View the source code of the page
  3. At line 847 the username/password is mentioned (search for FIXME)
  4. The username / password is admin / adminpw

Exercise Solution : Character Encoding

  1. Go to “Insecure Storage -> Encoding Basics” in WebGoat
  2. Enter a string in the input field
  3. Press the “Go” button
  4. Inspect the resulting page
  5. Discuss the output
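The point to draw out when discussing the output is that one string has many equivalent encoded forms, so a check that runs before decoding can be bypassed by a form it does not recognise. The added example below (written for this page, not WebGoat's lesson code) shows the URL, HTML-entity, Base64 and hex forms of a string, and goes one step beyond the exercise by canonicalising input before looking for a script tag. The round limit and the check itself are assumptions made for the example.

```python
import base64
import html
import urllib.parse


def encodings_of(s: str) -> dict:
    """Return the same string in the encodings the lesson displays."""
    raw = s.encode("utf-8")
    return {
        "url": urllib.parse.quote(s, safe=""),
        "html": html.escape(s, quote=True),
        "base64": base64.b64encode(raw).decode("ascii"),
        "hex": raw.hex(),
    }


def canonicalize(s: str, max_rounds: int = 3) -> str:
    """Repeatedly URL-decode and HTML-unescape until the value stops changing,
    so a validator sees the form the browser will actually render. The round
    limit (assumed) guards against inputs that never settle."""
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(s))
        if decoded == s:
            break
        s = decoded
    return s


def contains_script_tag(raw: str) -> bool:
    """Check that is run AFTER canonicalisation, so encoded forms are caught."""
    return "<script" in canonicalize(raw).lower()


def contains_script_tag_naive(raw: str) -> bool:
    """Same check run on the raw value: misses every encoded variant."""
    return "<script" in raw.lower()


if __name__ == "__main__":
    # Constructed sample: the XSS test string from the earlier exercise.
    sample = '<script>alert("XSS");</script>'
    for name, value in encodings_of(sample).items():
        print(f"{name:7} {value}")
    for variant in ("%3Cscript%3E", "&lt;script&gt;", "%253Cscript%253E"):
        print(variant, contains_script_tag_naive(variant), contains_script_tag(variant))
```

The naive check reports False for all three encoded variants while the canonicalising check reports True, including for the double URL-encoded one, which needs two decode rounds.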

Exercise Solution : SQL Injection

Exercise Solution : Cross Site Scripting

Exercise Solution : Session Analysis

Exercise Solution : Attacking Web Services

Challenge Solutions

Solution to Challenge 1 : Web Goat Challenge

Solution to Challenge 2 : Hacme Bank #1

Solution to Challenge 3 : Hacme Bank #2

Solution to Challenge 4 : Hacme Bank #3

Solution to Challenge 5 : Hacme Bank #4

Solution to Challenge 6 : Hacme Bank #5

Solution to Challenge 7 : Hacme Bank #6

Solution to Challenge 8 : Hacme Bank #7

Solution to Challenge 9 : Hacme Books

Comments