Wednesday, March 3, 2010

Journey with OWASP Webgoat v5.2 - Lesson 2: Bypass a Path Based Access Control Scheme

This lesson teaches the directory traversal vulnerability. Basically it is due to the failure to sanitize the user-supplied file name, which allows a user to traverse to other directories.


For detailed information for testing such vulnerability: http://www.owasp.org/index.php/Testing_for_Path_Traversal


The tutorial assumes you have installed the following software (good to go):

1. OWASP Webgoat v5.2: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

2. OWASP WebScarab (proxy server): http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project



Start your Webgoat -> Click on CSRF.html for the file to view -> Click on View File button

(Note: Ensure that you have checked your Webgoat to Intercept requests before you click on the Search! button)


Webscarab will intercept your request as shown below.

Change the highlighted text (CSRF.html) to the value below -> Click on Accept changes

../../../conf/tomcat-users.xml


The value is as such because we need to traverse up 3 levels; each “../” that is keyed in moves up 1 level.
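As an added example (not code from the lesson or from WebGoat itself), the Python below shows the defender's side of this lesson: a naive resolver that just joins the user-supplied name onto the lesson directory, beside a hardened one that canonicalises the path and checks it still lies inside that directory, plus a helper that counts how many levels a name climbs. The directory layout is an assumed stand-in, not WebGoat's real Tomcat paths.

```python
import os

# Assumed layout (not WebGoat's real paths): the lesson serves files from a
# directory three levels below the Tomcat root, so "../../../conf/..." climbs
# out of it and reaches tomcat-users.xml.
LESSON_DIR = "/opt/tomcat/webapps/WebGoat/lessons"


def naive_resolve(base_dir: str, requested: str) -> str:
    """What the vulnerable lesson effectively does: join and trust the result."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_lesson_file(base_dir: str, requested: str):
    """Hardened resolver.

    Canonicalise both the base and the joined path (realpath collapses every
    '..' and follows symlinks) and only then check containment.  Returns the
    canonical path if it stays inside base_dir, otherwise None.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Compare whole path components, not string prefixes, so that
    # /app/lessons2 is not mistaken for a child of /app/lessons.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def traversal_depth(requested: str) -> int:
    """How many directory levels above the base a name reaches: each '..' that
    goes below the starting level counts as one (the lesson's payload is 3)."""
    depth = lowest = 0
    for part in requested.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif part not in ("", "."):
            depth += 1
    return -lowest


if __name__ == "__main__":
    for name in ("CSRF.html", "../../../conf/tomcat-users.xml"):
        print(name, "->", naive_resolve(LESSON_DIR, name),
              "| hardened:", resolve_lesson_file(LESSON_DIR, name),
              "| levels up:", traversal_depth(name))
```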

Current Directory



Target Directory



Before changing the request:


After changing the request:


Now you have completed the Bypass a Path Based Access Control Scheme lesson:




Resolve 99% CPU consumption in Backtrack 4 Final with vmware workstation 6.5 - artsd issue

I am running my Backtrack 4 Final vm image on 2 laptops:
  1. MacBook
  2. Dell Latitude D610
Somehow there was an issue whenever I ran my Backtrack 4 Final on my Dell laptop: the CPU consumption could run up to 99%. After googling for a while, I managed to find the solution. Below are the steps:
  1. Login to Backtrack 4 Final
  2. Type "startx"
  3. It will start to be very laggy; try to click the icon for Terminal / bash service
  4. Type "top"
  5. Try to look for "artsd"; it should be easy to find since it uses around 90+% CPU
  6. Key "k", then enter the PID (e.g. 5528)
  7. Once you have killed the process "artsd", Backtrack 4 Final should return to normal
  8. To prevent this from happening again, you can follow the steps or watch the YouTube video as shown: Kmenu > system > settings > sound & multimedia > sound system


Journey with OWASP Webgoat v5.2 - Lesson 1: HTTP Splitting

It is also known as HTTP response splitting. Basically it is due to the failure to sanitize the carriage return (CR, hex representation %0d or “\r”) and line feed (LF, hex representation %0a or “\n”) characters during a 302 redirect, in the Location or Set-Cookie header.


It can be used to perform:

1. cross-site scripting attacks

2. cross-user defacement

3. web cache poisoning


For detailed information: http://www.securiteam.com/securityreviews/5WP0E2KFGK.html


The tutorial assumes you have installed the following software (good to go):

1. OWASP Webgoat v5.2: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

2. OWASP WebScarab (proxy server): http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project


For this exercise, Webgoat has split the lesson into 2 stages: HTTP Splitting & Cache Poisoning. Cache Poisoning is almost the same as HTTP Splitting; the only difference is that a “Last-Modified” header is included (e.g. Last-Modified: Mon, 27 Oct 2012 14:50:18 GMT). No worries, just follow through the steps first.


Start your Webgoat -> Click on HTTP Splitting -> Key the value as “en” for Search by Country field -> Click on Search! button

(Note: Ensure that you have checked your Webgoat to Intercept requests before you click on the Search! button)



Webscarab will intercept your request as shown below.

Check on Intercept responses -> Click on Accept changes



Webscarab will intercept your response as shown below.

Change the highlighted text (en) to the value below -> Click on Accept changes

foobar%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aContent-Length:%2047%0a%0a<html>Hacked J</html>


The above value decodes to the lines below (note the blank line after each Content-Length header):

foobar

Content-Length: 0

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 47

<html>Hacked J</html>


(Note: The above value is for unix systems, as unix recognizes LF only. For windows systems, please replace every “%0a” with “%0d%0a”, which is equivalent to CRLF.)


Before changing the response:



After changing the response:



Click on Accept changes



Click on Accept changes



You will be able to see a page containing “Hacked J” as shown below:



To go back to Webgoat page, key in the below URL:

http://192.168.38.134:8088/WebGoat/attack

(Note: replace the IP address/port with your own IP address/port – the default is 127.0.0.1 and port 80 or 8080)



Key the value as “en” for Search by Country field -> Click on Search! button

(Note: Ensure that you have checked your Webgoat to Intercept requests before you click on the Search! button)

Webscarab will intercept your request as shown below.

Check on Intercept responses -> Click on Accept changes



Webscarab will intercept your response as shown below.

Change the highlighted text (en) to the value below -> Click on Accept changes

foobar%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aLast-Modified:%20Mon,%2027%20Oct%202012%2014:50:18%20GMT%0aContent-Length:%2047%0a%0a<html>Hacked J</html>


The above value decodes to the lines below (note the blank line after each Content-Length header):

foobar

Content-Length: 0

HTTP/1.1 200 OK

Content-Type: text/html

Last-Modified: Mon, 27 Oct 2012 14:50:18 GMT

Content-Length: 47

<html>Hacked J</html>


(Note: The above value is for unix systems, as unix recognizes LF only. For windows systems, please replace every “%0a” with “%0d%0a”, which is equivalent to CRLF.)
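As an added example covering both stages above (HTTP Splitting and Cache Poisoning; this is not code from the lesson or from WebGoat), the Python below decodes the two payloads, shows that copying the decoded value unchecked into a 302 Location header puts two HTTP responses into one stream, applies the page's LF-to-CRLF note for windows servers, and shows the fix: refusing any header value that carries CR or LF. The redirect-building function is an assumed stand-in for WebGoat's servlet, not its real code.

```python
from urllib.parse import unquote

# The two payloads from the lesson, URL-encoded exactly as keyed into WebScarab.
SPLITTING_PAYLOAD = ("foobar%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0a"
                     "Content-Type:%20text/html%0aContent-Length:%2047%0a%0a"
                     "<html>Hacked J</html>")
# Cache-poisoning stage: same thing plus a Last-Modified header.
CACHE_POISON_PAYLOAD = ("foobar%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0a"
                        "Content-Type:%20text/html%0a"
                        "Last-Modified:%20Mon,%2027%20Oct%202012%2014:50:18%20GMT%0a"
                        "Content-Length:%2047%0a%0a<html>Hacked J</html>")


def unix_to_windows(payload: str) -> str:
    """The page's note: windows servers expect CRLF, so every %0a becomes %0d%0a."""
    return payload.replace("%0a", "%0d%0a")


def vulnerable_redirect(country: str) -> bytes:
    """Assumed shape of the lesson's bug: the decoded search parameter is copied
    straight into the Location header of the 302 with no check for CR/LF."""
    return (f"HTTP/1.1 302 Found\r\n"
            f"Location: /WebGoat/attack?Country={country}\r\n\r\n").encode()


def count_responses(raw: bytes) -> int:
    """Detection: count status lines in one byte stream.  A legitimate redirect
    has exactly one; a split response has two."""
    return sum(1 for line in raw.splitlines() if line.startswith(b"HTTP/1."))


def safe_header_value(value: str) -> str:
    """Mitigation: refuse header values containing CR or LF (this is what current
    servlet containers and Python's http.client do), so no second response can
    be injected.  Stripping or percent-encoding the two bytes also works."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def hardened_redirect(country: str) -> bytes:
    return vulnerable_redirect(safe_header_value(country))


def redirect_is_rejected(country: str) -> bool:
    """True when the hardened server refuses to build the redirect at all."""
    try:
        hardened_redirect(country)
    except ValueError:
        return True
    return False
```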

Before changing the response:


After changing the response:



The rest of the screens are similar to HTTP Splitting. Just keep clicking on Accept changes until you see the screen below:

Now you have completed the HTTP Splitting lesson: