OWASP WebGoat Web Hacking Simulation Series © YGN Ethical Hacker Group (YEHG), Yangon, Myanmar

OWASP WebGoat v5.4 Web Hacking Simulation WalkThrough Series [Download all movies]

Lesson category titles (e.g., Unvalidated Parameters) may be dynamically changing per WebGoat new version. Please search your desired movies by lesson titles such as Command Injection, Stored XSS, Forced Browsing. We won't be modifying category titles in our movies in accordance with every new WebGoat version.
Tools and techniques used in our movies are not the only way to get through. There are many other alternatives to achieve the same goal. There are a few movies left intentionally. These are do-it-yourself exercises.

Note:

Download WebGoat, WebScarab, Burp Suite, and YEHG's updated HackerFirefox and YEHG's JHijack.
Check out and get Firefox addons used in demo movies.
Should already learnt any unfamiliar concepts in W3Schools, W3c , Google, OWASP, and WASC.
If you don't know what I'm showing, stop the movie and learn the concept. If you get stuck, post your questions via contact form at our home page.
PHP Charset Encoder, CSRF Generators used in movies can be found at http://yehg.net/lab/#toolbox.
Check out other movies which might reinforce your skills.
Check out our collected web security bookmarks
Report broken download links to 404 @ yehg.net

Keywords: Webgoat Lessons, Webgoat Tutorials, Webgoat Trainings, Webgoat Movies

Index of -

General
Code Quality
Concurrency
Unvalidated Parameters
[as of 5.3, changed to Parameter Tampering]
Access Control Flaws
Authentication Flaws
Session Management Flaws
Cross-Site Scripting (XSS)
Buffer Overflows

Injection Flaws
Insecure Storage
Denial of Service (DOS)
Insecure Communication
Insecure Configuration
Malicious Execution
Web Services
AJAX Security
Challenge

OWASP WebGoat: General [View | Download] [Top]
Description: It includes HTTP Basics, HTTP SPLITTING, and 'Create a WebGoat Lesson' tutorial. This lesson presents the basics for understanding the transfer of data between the browser and the web application and how to perform HTTP Splitting attacks.
Size: 3.2 MB
OWASP WebGoat: Code Quality [View | Download] [Top]
Description: It includes Discovering clues in HTML Source [View | Download]. Developers are notorious for leaving statements like FIXME's, Code Broken, Hack, etc... inside the source code. Review the source code for any comments denoting passwords, backdoors, or something doesn't work right.
Size: 2.16 MB
OWASP WebGoat: Concurrency [View | Download] [Top]
Description: It includes Threat Safety Problem and Shopping Cart Concurrency Flaw which are commonly caused due to the improper use of Java Static methods. Web applications can handle many HTTP requests simultaneously. Developers often use variables that are not thread safe. Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time. Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently.
Size: 6.24 MB
OWASP WebGoat: Unvalidated Parameters [View | Download] [as of 5.3, changed to Parameter Tampering][Top]
Description: It includes Exploiting Hidden Fields, Exploiting Unchecked Emails and Bypassing Client Side JavaScript Validation and Bypassing HTML Field Restrictions^v5.3 [View | Download] . Exploiting Hidden Fields: Developers will use hidden fields for tracking, login, pricing, etc.. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field. This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified. It is always a good practice to validate all inputs. Exploiting Unchecked Emails: Most sites allow non-authenticated users to send e-mail to a 'friend'. This is a great mechanism for spammers to send out email using your corporate mail server. Bypassing Client Side JavaScript Validation: Client-side validation should not be considered a secure means of validating parameters. This validation only helps reducing the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application.
Size: 3.71 MB
WebGoat: Access Control Flaws [Top]
Description: It includes
- Using an Access Control Matrix [View | Download]
- Bypass a Path Based Access Control Scheme [View | Download]
- LAB: Role Based Access Control
  - Stage 1: Bypass Business Layer Access Control [View | Download]
  - Stage 2: Add Business Layer Access Control
  - Stage 3: Bypass Data Layer Access Control [View | Download]
  - Stage 4: Add Data Layer Access Control
- Remote Admin Access [View | Download]
In a role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control scheme normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow allow privilege escalation to an unauthorized role.In a path based access control scheme, an attacker can traverse a path by providing relative path information. Therefore an attacker can use relative paths to access files that normally are not directly accessible by anyone, or would otherwise be denied if requested directly. Remote Admin Access: applications will often have an administrative interface that allows privileged users access to functionality that normal users shouldn't see. The application server will often have an admin interface as well. Size: N/A
OWASP WebGoat: Authentication Flaws [Top]
Description: It includes
- Password Strength [View | Download]
- Exploiting Forgot Password [View | Download] *same file
- Probing Basic Authentication [View | Download] *same file
- Multi-Level Login 1^v5.3 [View | Download]
- Multi-Level Login 2^v5.3 [View | Download]
Web applications frequently provide their users the ability to retrieve a forgotten password. Unfortunately, many web applications fail to implement the mechanism properly. The information required to verify the identity of the user is often overly simplistic. Basic Authentication is used to protect server side resources. The web server will send a 401 authentication request with the response for the requested resource. The client side browser will then prompt the user for a user name and password using a browser supplied dialog box. The browser will base64 encode the user name and password and send those credentials back to the web server. The web server will then validate the credentials and return the requested resource if the credentials are correct. These credentials are automatically resent for each page protected with this mechanism without requiring the user to enter their credentials again.
Size: 3.13 MB
OWASP WebGoat: Session Management Flaws   [Top]
Description: It includes Session Fixation  [View | Download], Spoofing an Authentication Cookie  [View | Download] and Hijacking a Session  [View | Download]. Spoofing an Authentication Cookie: Many applications will automatically log a user into their site if the right authentication cookie is specified. Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained. Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability. Some times the cookies maybe intercepted using Cross site scripting. This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.

Before we can hijack a session, we must do Session Analysis  [View | Download] to determine exploitable sign.

Hijacking a Session: Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks.
Size: N/A
WebGoat: Cross-Site Scripting (XSS) [Top]
Description: It includes
- Phishing with XSS [View | Download]
- LAB: Cross Site Scripting
  - Stage 1: Stored XSS [View | Download]
  - Stage 2: Block Stored XSS using Input Validation
  - Stage 3: Stored XSS Revisited [View | Download]
  - Stage 4: Block Stored XSS using Output Encoding [View | Download]
  - Stage 5: Reflected XSS [View | Download]
  - Stage 6: Block Reflected XSS
- Stored XSS Attacks [View | Download]
- Reflected XSS Attacks [View | Download]
- Cross Site Request Forgery (CSRF) [View | Download]
- CSRF Prompt By-Pass^v5.3 [View | Download]
- CSRF Token By-Pass^v5.3 [View | Download]
- HTTPOnly Test [View | Download]
- Cross Site Tracing (XST) Attacks [View | Download]
Size: N/A
OWASP WebGoat: Buffer Overflows [View | Download] [Top]
Description: Version 5.4 introduced nice Off-by-One Buffer Overflow vulnerability drill. Despite being more rare, buffer overflow vulnerabilities on the web occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier would be written in C or a similar language. For the particular subset, namely, off-by-one overflows, this lesson focuses on the consequences of being able to overwrite the position for the trailing null byte. As a result, further information is returned back to the user, due to the fact that no null byte was found. As of writing, this lesson has not been developed yet by WebGoat authors.
Size: N/A
OWASP WebGoat: Injection Flaws [Top]
Description: It includes the following:
- Command Injection [View | Download]
- Blind SQL Injection [View | Download] (as of 5.3, changed to Blind String SQL Injection)
- Numeric SQL Injection [View | Download]
- Log Spoofing [View | Download]
- XPATH Injection! [View | Download]
- LAB: SQL Injection
- String SQL Injection [View | Download]
- Modify Data with SQL Injection^v5.3 [View | Download] *same file
- Add Data with SQL Injection^v5.3 [View | Download] *same file
- Database Backdoors [View | Download]
- Blind Numeric SQL Injection^v5.3 [View | Download]
Size: N/A
OWASP WebGoat: Improper Error Handling [View | Download] [Top]
Description: It includes Fail-Open Authentication Scheme. This lesson presents the basics for understanding the "fail open" condition regarding authentication. The security term, "fail open" describes a behavior of a verification mechanism. This is when an error (i.e. unexpected exception) occurs during a verification method causing that method to evaluate to true. This is especially dangerous during login. This is analogous to my movie 'Exploiting Logic Flaws'.
Size: N/A
OWASP WebGoat: Insecure Storage [View | Download] [Top]
Description: It includes Probing Encoding Basics. This lesson will familiarize the user with different encoding schemes.
Size: N/A
OWASP WebGoat: Denial of Service (DOS) [View | Download] [Top]
Description: It includes Denial of Service from Multiple Logins. Denial of service attacks are a major issue in web applications. If the end user cannot conduct business or perform the service offered by the web application, then both time and money is wasted. Business loses millions of $. If an e-commerce site can generate $1 million per hour, then 1-hr DOS cause loss of $1 million for that business.
Size: N/A
OWASP WebGoat: Insecure Communication | Insecure Login [View | Download] [Top]
Description: Sensitive data should never sent in plaintext! Often applications switch to a secure connection after the authorization. An attacker could just sniff the login and use the gathered information to break into an account. A good webapplication always takes care of encrypting sensitive data. See how easy it is to sniff a password in plaintext. Understand the advantages of encrypting the login data!
Size: N/A
OWASP WebGoat: Insecure Configuration [View | Download] [Top]
Description: It includes Forced Browsing. Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible. One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. This one is what I call 'Directory BruteForcing'.
Size: N/A
OWASP WebGoat: Malicious Execution [View | Download] [Top]
Description: This lesson allows you to upload an image which will be displayed on the page. Features like this are often found on web based discussion boards and social networking sites. This feature is vulnerable to Malicious File Execution. In order to pass this lesson, upload and run a malicious file. In order to prove that your file can execute, it should create another file named \WebGoat-x.x\tomcat\webapps\webgoat\mfe_target\guest.txt. Once you have created this file, you will pass the lesson.
Size: N/A
OWASP WebGoat: Web Services [Top]
Description: It includes
- Create a SOAP Request [View | Download]
- WSDL Scanning [View | Download]
- Web Service SAX Injection [View | Download]
- Web Service SQL Injection [View | Download]
Web Services communicate through the use of SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in the web service definition language (WSDL). Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends.
Size: N/A
OWASP WebGoat: AJAX Security [Top]
Description: It includes
- LAB: Client Side Filtering [View | Download]
- LAB: DOM-Based cross-site scripting [View | Download]
- DOM Injection [View | Download]
- Same Origin Policy Protection [View | Download]
- XML Injection [View | Download]
- JSON Injection [View | Download]
- Silent Transactions Attacks [View | Download]
- Insecure Client Storage [View | Download]
- Dangerous Use of Eval [View | Download]
Size: N/A
OWASP WebGoat: Challenge [Download] [Top]
Description: The mission is to break the authentication scheme, steal all the credit cards from the database, and then deface the website.
Size: N/A