Lab 5
Initial Setup
Virtual Machine
Tamper Data
Web Goat
Basics
HTTP Basics
Sniffing
• In order to perform a manipulated HTTP request, press “Start Tamper”, then perform an
action resulting in a request (clicking a button, link, etc.)
• You can also view the HTTP requests and responses in the ‘ongoing requests’ window.
Wireshark
[Screenshot: HTTP Request / HTTP Response captured in Wireshark]
HTTP Request: the username and password are sent (most likely in clear!) over the network. They can be intercepted.
HTTP Response: the response can be intercepted and parameter values can be changed.
HTTP Basics - Exercise
• Important note: first click Purchase without tampering, this will open another purchase page.
• Perform the tampering on this new page
Parameter Tampering – Solution
• Start tampering the data, then press the Purchase button
• Change the parameter Price to the value 1.00$
• If successful you will get a Congratulations message
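The reason the tampered Price is accepted in the exercise is that the server trusts a value that only the client controls. The following added example (not code from the lab slides or from WebGoat; the catalogue, item ids, form field names and function names are constructed for illustration) puts the vulnerable purchase handler beside a hardened one that re-derives the price on the server and flags any disagreement with what the browser sent:

```python
# Added example: a purchase handler that trusts the client-sent "Price"
# field, beside one that takes the price from server-side data.
# Catalogue, item ids and prices are constructed sample data.
from decimal import Decimal

CATALOGUE = {
    "tv-4k": Decimal("2999.99"),
    "laptop": Decimal("1499.00"),
}


class TamperingDetected(Exception):
    """Raised when a client-supplied value disagrees with server-side truth."""


def purchase_trusting_client(form: dict) -> Decimal:
    """Vulnerable: charges whatever 'Price' the browser sent, which is exactly
    the field edited with Tamper Data in the exercise."""
    qty = int(form["QTY"])
    return Decimal(form["Price"]) * qty


def purchase_server_side(form: dict) -> Decimal:
    """Hardened: the price comes from the catalogue, never from the request.
    The client-sent 'Price' is only compared so that tampering can be logged."""
    item = form["item"]
    if item not in CATALOGUE:
        raise KeyError(f"unknown item {item!r}")
    qty = int(form["QTY"])
    if qty <= 0:
        raise ValueError("quantity must be positive")
    real_price = CATALOGUE[item]
    if "Price" in form and Decimal(form["Price"]) != real_price:
        # Log-worthy event: a browser does not normally change the price.
        raise TamperingDetected(
            f"client sent Price={form['Price']} for {item}, "
            f"catalogue says {real_price}")
    return real_price * qty


if __name__ == "__main__":
    honest = {"item": "tv-4k", "QTY": "1", "Price": "2999.99"}
    tampered = {"item": "tv-4k", "QTY": "1", "Price": "1.00"}
    print(purchase_trusting_client(tampered))  # the tampered price is charged
    print(purchase_server_side(honest))        # catalogue price
    try:
        purchase_server_side(tampered)
    except TamperingDetected as exc:
        print("rejected:", exc)
```

Comparing the client value against the server value, rather than silently ignoring it, turns the tampering attempt into a detectable event that can be logged or alerted on.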
Lesson learned
[Diagram: Client -> internet -> webserver -> webapplication -> database]
• The WEBAPPLICATION presents a form with username and password
• What happens in the database?
In the database…
[Diagram: Client -> internet -> webserver -> webapplication -> database]
• SELECT … FROM users WHERE username = '$username' AND password = '$password'
What happens if …
[Diagram: webserver -> webapplication -> database]
• Particularly useful for data extrusion (stealing of data like passwords).
• But it can also be used for something else …
• … like having the database modify the data it has.
• Let’s see an example
SQL Injection – Stealing information
5/12/18
SQL Injection: Pulling Data from Other Tables
(or)
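The query on the "In the database…" slide pastes $username and $password straight into the SQL text, so a quote character in the input becomes part of the query instead of part of the data. The following added example (not from the lab slides or from WebGoat; the in-memory SQLite users table, the sample accounts and the function names are constructed for illustration) shows that concatenated query beside the parameterized form that fixes it, using an input containing a quote and a comment marker to make the difference visible:

```python
# Added example: the slide's concatenated login query beside a parameterized
# one. The users table and accounts are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample users table (not WebGoat's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: builds the query the way the slide shows, with the user
    input pasted into the SQL string. A quote in the input closes the string
    literal and the rest of the input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: the SQL text is fixed and the values travel separately, so
    a quote in the input is just a character inside the data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # Honest login behaves the same in both versions.
    print(login_concatenated(conn, "alice", "s3cret"))    # True
    print(login_parameterized(conn, "alice", "s3cret"))   # True
    # A username carrying a quote and a SQL comment marker, with a wrong
    # password: the concatenated query no longer checks the password at all.
    crafted = "alice' --"
    print(login_concatenated(conn, crafted, "wrong"))     # True (bypass)
    print(login_parameterized(conn, crafted, "wrong"))    # False (rejected)
```

Parameterized queries (prepared statements) are the fix because the database receives the query structure and the values through separate channels; escaping quotes by hand is fragile and should not be relied on.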
Lesson Learned
• Tom Cat can view his own profile, and he cannot see the profiles of his colleagues.
• On the other hand, David and Jerry can see the profiles of a few people.
• In particular, Jerry can see Tom’s profile.
• Now, Tom can try to attack Jerry by storing a “kind of virus” on his profile.
• The moment Jerry looks at Tom’s profile, he will be infected.
Solution
• Go to exercise 7
• You have to find out which of the fields is susceptible to JavaScript and insert the suggested script.
• Forge a URL that contains such a script.
Hint
• Correct solution:
• Go to exercise 13
• Your goal is to write a comment that calls the JavaScript function webgoat.customjs.phoneHome()
Solution
• Write as comment:
• <script>webgoat.customjs.phoneHome()</script>
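The stored comment runs in other users' browsers only because the application writes it into the page unchanged. The following added example (not from the lab slides or from WebGoat; the rendering functions and the wrapper markup are constructed for illustration) takes the exercise's own comment and shows the raw rendering beside an HTML-encoded one, plus a small check that can be used to log stored content containing a script tag:

```python
# Added example: rendering a stored comment raw versus HTML-encoded.
# The wrapper markup and function names are constructed for illustration.
import html
import re

# The comment from the exercise.
PAYLOAD = "<script>webgoat.customjs.phoneHome()</script>"


def render_comment_raw(comment: str) -> str:
    """Vulnerable: the comment is inserted into the page as-is, so a <script>
    tag stored by one user runs in every other user's browser (stored XSS)."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_escaped(comment: str) -> str:
    """Hardened: HTML-encode the untrusted text at output time. The browser
    then displays the literal characters '<script>...' instead of running them."""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Cheap check for logging or alerting on stored content. It is not a
    substitute for output encoding, which also covers attribute contexts."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print(render_comment_raw(PAYLOAD))      # script tag reaches the browser
    print(render_comment_escaped(PAYLOAD))  # &lt;script&gt;... shown as text
    print(contains_script_tag(render_comment_raw(PAYLOAD)))      # True
    print(contains_script_tag(render_comment_escaped(PAYLOAD)))  # False
```

Encoding at output time, in the context where the data is written (here an HTML element body), is the defence; filtering on input alone misses encodings and contexts the filter did not anticipate.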
• Try with the 3rd, 4th letter etc. until it returns false for the range a-Z.