Hack the OWASP Goat!

This post looks at how to get better acquainted with the OWASP Top 10 vulnerabilities. After a short introduction to OWASP, we show how to use WebGoat and WebWolf to gain a better understanding of these vulnerabilities.

1. What Is OWASP?

OWASP (Open Web Application Security Project) is a community focused on improving the security of software. Several projects concerning application security are provided. One of these projects is the OWASP Top 10. The OWASP Top 10 is a security awareness document containing the most critical web application risks according to several security experts from around the world. The last update of the document was in 2017 and the document can be found here.

Security awareness has become more and more important. Although many frameworks already protect you against these vulnerabilities, it is definitely worthwhile to get acquainted with the vulnerabilities and with the ways hackers can make use of them.

A good starting point is to read the OWASP Top 10 document. A more practical way of learning is to use the WebGoat project. WebGoat is a deliberately insecure web application designed to teach the most common security vulnerabilities. Version 8 is currently still under development and takes a different approach than previous versions. Each lesson starts by explaining the vulnerability, followed by assignments in which you must try to exploit the vulnerability yourself. Besides WebGoat, an application called WebWolf is provided, which lets you perform the actions a hacker would take. This makes the lessons more realistic and easier to understand.

2. Setup WebGoat and WebWolf

The easiest way to use WebGoat and WebWolf is to make use of the Docker images and Docker Compose. This way, both applications are set up automatically. First, we create a new directory. From this directory, we execute the following command (assuming that you have already installed Docker and Docker Compose, otherwise, take a look at a previous post):

$ curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up

At the time of writing, we are using version v8.0.0.M25. The sources of WebGoat and WebWolf are available at GitHub.

After the Docker containers have started successfully, WebGoat and WebWolf are available at the URLs http://localhost:8080/WebGoat and http://localhost:9090/WebWolf.

The following login screen is shown when opening the WebGoat URL.

webgoat-inlog

Since this is the first time we are using WebGoat, we need to register a user first. This is a local registration, not a registration at OWASP. The only thing we need to do is enter a user name and password. As you can see, some translations in the application are incomplete: since we are located in the Netherlands, some GUI elements are shown in Dutch, but most of them are in English.

webgoat-register-page

The first assignments are intended to give you some information on how to solve the security assignments. Before starting on the security assignments, check whether your environment has been set up correctly. We noticed that not everything works out of the box, and we share our experiences with the setup below.

2.1 Reset Password Assignment

The WebWolf introduction lesson contains an assignment in which you intercept your password after clicking a link in a ‘reset password’ mail. On the resulting web page you can enter a new password.

webgoat-reset-password

However, clicking the Save button redirects you to the URL http://webwolf:9090/landing, and the host name webwolf cannot be resolved. We therefore need to add an entry to the hosts file. First, retrieve the IP address of the WebWolf container: list the containers and then print the details of the WebWolf container with the docker inspect command. The IP address can be found in the NetworkSettings section.

$ docker ps
CONTAINER ID    IMAGE                  COMMAND                   CREATED              STATUS              PORTS                                             NAMES
47adb3b18f7c    webgoat/webgoat-8.0    "java -Djava.securit…"    About an hour ago    Up About an hour    0.0.0.0:8080->8080/tcp, 0.0.0.0:9001->9001/tcp    webgoat_webgoat_1
0f028b5bc318    webgoat/webwolf        "/home/webwolf/start…"    About an hour ago    Up About an hour    0.0.0.0:9090->9090/tcp                            webgoat_webwolf_1
$ docker inspect 0f028b5bc318
...
"NetworkSettings": {
   ...
   "NetworkID": "1383e11e7d2eb4a394d85fbef97047dbe210f62f2acae10d3d5326d9534454ea",
   "EndpointID": "0154575b1587f4f841e05c77c2f12ed89c91db20488196ea07dd90b60847309c",
   "Gateway": "172.21.0.1",
   "IPAddress": "172.21.0.3",
   "IPPrefixLen": 16,
   "IPv6Gateway": "",
   "GlobalIPv6Address": "",
   "GlobalIPv6PrefixLen": 0,
   "MacAddress": "02:42:ac:15:00:03",
   "DriverOpts": null
}
...

Add the following line to your hosts file (we are using Ubuntu, where the file is /etc/hosts):

172.21.0.3    webwolf

After clicking the Save button, the request is visible in the Incoming Requests section of WebWolf.
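The lookup and hosts-file edit from this section combined in one script, added here as an example (it is not code from the post or from the WebGoat project). It assumes the container name webgoat_webwolf_1 from the docker ps listing above and takes the hosts file path as an argument, so it can be tried on a temporary file first; because Docker assigns the container address, an existing webwolf entry is replaced rather than duplicated when the address changes after a restart.

```shell
#!/bin/sh
# Added example: keep the hosts entry for the WebWolf container in sync with the
# IP address Docker assigned to it. Assumes the compose container name
# "webgoat_webwolf_1" as shown on the page; the hosts file path is a parameter.

# Print the IP address of a running container (empty string if it is not found).
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1" 2>/dev/null
}

# Add or update the line "<ip>    <hostname>" in the given hosts file.
# An existing line mapping the hostname to another address is removed first,
# so the file stays correct after Docker hands the container a new address.
set_hosts_entry() {
    ip=$1; name=$2; hosts=$3
    # Only accept a dotted-quad style address before touching the file.
    case "$ip" in
        *[!0-9.]*|"") echo "invalid IP address: '$ip'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # Copy every line except an existing entry for this hostname
    # (grep exits 1 when nothing is left, which is not an error here).
    grep -v -E "^[[:space:]]*[0-9.]+[[:space:]]+$name([[:space:]]|\$)" "$hosts" > "$tmp" \
        || [ $? -eq 1 ] || return 1
    printf '%s    %s\n' "$ip" "$name" >> "$tmp"
    # Overwrite in place (cat, not mv) so the file keeps its inode and permissions.
    cat "$tmp" > "$hosts" && rm -f "$tmp"
}

# Print the address currently mapped to a hostname in a hosts file (empty if none).
lookup_hosts_entry() {
    awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# Usage: ./webwolf-hosts.sh --apply   (writing /etc/hosts needs root, e.g. via sudo)
if [ "${1:-}" = "--apply" ]; then
    ip=$(container_ip webgoat_webwolf_1)
    set_hosts_entry "$ip" webwolf /etc/hosts
fi
```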

2.2 ZAP Proxy

The General – HTTP Proxies lesson requires you to install OWASP ZAP as a proxy server (or another proxy of your choice, but we will use ZAP). The easiest way to use the proxy is to launch a browser from within ZAP, which is then preconfigured to send its traffic through the proxy. We therefore first click the Manual Explore button in the welcome screen of ZAP.

zaproxy-manual-explore

In the next screen it is possible to choose one of the preconfigured browsers.

zaproxy-choose-browser

Using Chrome did not work for us. Chrome simply did not start, and no error message was shown in ZAP. The error was only visible in the console window, but it took us some time to figure that out:

71260 [ZAP-BrowserLauncher] ERROR org.zaproxy.zap.extension.quickstart.launch.ExtensionQuickStartLaunch - session not created: This version of ChromeDriver only supports Chrome version 75

This version of ChromeDriver only supports Chrome version 75, and we were using Chrome 77.

So eventually we ended up using Firefox, which worked flawlessly. It is also possible to enable the HUD, which brings ZAP functionality into your browser. However, it lacks some functionality that is available in the ZAP client. For example, when you intercept a request, the ZAP client can convert it from a POST to a GET request; this is not available in the HUD at the moment. Therefore, we prefer using the ZAP client.

Filtering requests in ZAP by means of a regex pattern did not work the first time. It did work after restarting ZAP and the Docker containers. We don’t know why it didn’t work right away, but after the restart it kept working.

It is also advisable to save your session so you can reuse it next time; otherwise you have to re-apply the session properties you changed each time you start ZAP. You can do so by choosing the second option when ZAP starts.

zapproxy-persist-session

Afterwards, you can select the saved session again via File – Open Session…

3. Experiences Using WebGoat

In this section we list some of the experiences we had while using WebGoat.

Finished assignments are marked green, unfinished assignments red. Unfortunately, marking an assignment as finished does not always work: sometimes the assignment indicates that it was executed successfully, but it does not turn green.

webgoat-unfinished-assignments

webgoat-assignments-succes

The input field for the SQL injection assignments is very small. It is therefore best to write the SQL in a separate text editor and copy it into the input field; otherwise it is hard to see what you have typed.

Some of the assignments are very easy, some of them are quite difficult. You can spend a lot of time searching for the answer, but sometimes it is better to limit the time you spend per assignment. Tips are available, but even then it is possible that you just don’t find the answer. In that case, you can take a look at this page where some of the solutions are listed. But only take a look at this page when you are really stuck.

We noticed that the answer is no longer evaluated after you have tried a solution several times in the same input form. In ZAP you will see a Bad Gateway message. The solution is to restart WebGoat.

webgoat-bad-gateway

4. Conclusion

In general, we are quite enthusiastic about the new approach used in WebGoat. The lessons in combination with the assignments are a good way of learning about the security vulnerabilities. Besides that, it is also advisable to read the OWASP Top 10 document.

The version 8 milestone release still has some issues, as mentioned above. Sometimes the documentation is incorrect, which makes it difficult to finish certain assignments within a time limit. Nevertheless, it is a good way to get acquainted with security vulnerabilities in applications.
