Software and Web Security 2
Software and Web Security 2, NWI-IPC026, Spring 2014
For the lab assignments we use WebGoat 5.4 and WebScarab.
Warning: the Tomcat server in WebGoat does not seem to work on
Java 8, so use Java 7 instead.
There is lots of additional info on installation and use at the
WebGoat 5.4 and WebScarab websites, but you shouldn't need that.
- using your own laptop or PC:
follow the instructions in our manual on how to install and use
WebGoat and WebScarab.
- in HG00.075 and other faculty terminal rooms:
WebGoat and WebScarab are on the xpcursus drive,
which is automatically mounted if you start Windows 7.
Go to Start > Computer and then to xpcursus (T:) > SWS2014
There you will find a README.txt with the instructions below:
Use the browser Chrome or Firefox with these tools, Internet Explorer 8 will not work.
- Copy the directories WebGoat-5.4 and WebScarab to the local D: disk
(not to the Desktop)
- To run WebGoat: open D:\WebGoat-5.4\webgoat_8080
- To run WebScarab: open WebScarab\webscarab
For instructions on how to configure your browser and on the use
of WebGoat and WebScarab, see the manual
(pages 4 and 7; you can skip all the other installation instructions).
Starting everything up after the installation
To keep an overview of all the tools and installation
instructions above: once everything is installed, you have to
- start WebGoat,
- start WebScarab,
- start your browser - Firefox or Chrome,
- configure its network connection settings to use localhost port 8008 as a proxy
(8008 is the port WebScarab listens on), and
- surf to http://localhost:8080/WebGoat/attack - NB port 8080, not port 8008 - and log in
as guest with password guest,
and you should be ready to start on the exercises below.
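A common mix-up in the first lab session is swapping the two port numbers (pointing the browser proxy at 8080, or surfing to 8008). The script below, an added example that is not part of the course page or of WebGoat/WebScarab, checks the three things the steps above set up: that WebScarab accepts connections on 8008, that WebGoat's Tomcat accepts connections on 8080, and that a request to the WebGoat URL sent through the proxy gets an HTTP answer. It assumes the default ports named above and that WebGoat 5.4 protects /WebGoat/attack with HTTP Basic authentication (guest/guest); if your installation differs, adjust the constants at the top.

```python
"""Sanity check for the WebGoat 5.4 + WebScarab lab setup.

Added example for the course page; not code from WebGoat or WebScarab.
Assumptions: WebScarab proxy on localhost:8008, WebGoat on localhost:8080,
and WebGoat asking for HTTP Basic authentication with guest/guest.
"""
import base64
import socket
import urllib.error
import urllib.request

WEBSCARAB_PROXY = ("localhost", 8008)   # what the browser's proxy setting must point to
WEBGOAT = ("localhost", 8080)           # Tomcat started by webgoat_8080
WEBGOAT_URL = "http://localhost:8080/WebGoat/attack"
CREDENTIALS = ("guest", "guest")


def port_open(host, port, timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # connection refused, timeout, unresolved host
        return False


def basic_auth_header(user, password):
    """Value of the Authorization header for HTTP Basic auth: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def fetch_via_proxy(url, proxy, auth, timeout=5.0):
    """GET url through the HTTP proxy at proxy=(host, port); return (status, reason).

    An HTTP error (e.g. 401) is still a useful answer: it proves that both the
    proxy and WebGoat are up and that the request travelled through the proxy.
    """
    handler = urllib.request.ProxyHandler({"http": f"http://{proxy[0]}:{proxy[1]}"})
    opener = urllib.request.build_opener(handler)
    request = urllib.request.Request(url, headers={"Authorization": basic_auth_header(*auth)})
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status, response.reason
    except urllib.error.HTTPError as err:
        return err.code, err.reason


def diagnose(proxy=WEBSCARAB_PROXY, webgoat=WEBGOAT, url=WEBGOAT_URL, auth=CREDENTIALS):
    """Return a list of findings (strings); an empty list means the setup looks fine."""
    findings = []
    if not port_open(*proxy):
        findings.append(f"nothing listening on {proxy[0]}:{proxy[1]}: start WebScarab and "
                        "make sure the browser proxy setting uses port 8008, not 8080")
    if not port_open(*webgoat):
        findings.append(f"nothing listening on {webgoat[0]}:{webgoat[1]}: start WebGoat "
                        "(webgoat_8080), give Tomcat a few seconds, and run it on Java 7")
    if findings:
        return findings          # no point sending a request if either side is down
    status, reason = fetch_via_proxy(url, proxy, auth)
    if status == 401:
        findings.append("WebGoat rejected the credentials; expected guest / guest")
    elif status >= 400:
        findings.append(f"WebGoat answered {status} {reason} for {url}")
    return findings


if __name__ == "__main__":
    problems = diagnose()
    print("\n".join(problems) if problems else "WebScarab and WebGoat are up; ready to go")
```

Run it after the five steps above; each finding names the step to revisit. The proxy test deliberately goes through urllib's ProxyHandler rather than a direct connection, so a request that shows up in WebScarab's Summary tab confirms the browser-side proxy setting is the only remaining variable.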
Below are the WebGoat exercises that we will do, per category.
You can simply start from the top; precisely which ones should
be handed in by when will be announced as we go along.
You should at least be able to get 1, 2, and 3 done in the first
lab session, unless you run into serious installation problems.
WebGoat maintains a score card, which shows which lessons you
have done, and how many hints you used.
When you are done
with a lesson, print this report card to a PDF file (because
when you restart WebGoat in a VM or terminal room this
information might be lost).
Give this file a meaningful name,
which should include the number of the lesson, the date and
your names. We will send email announcements on how and
when to hand in these report cards via Blackboard,
so that we can find out which lessons typically require
more/fewer hints. (The number of hints you needed won't count
towards a grade or anything, so there is no reason to cheat.
Clearly, the whole report card can be faked anyway.)
We changed the order but kept the original numbering, so the
numbering below is not always consecutive.
- 1. Introduction
1a. How to work with WebGoat
- 2. General
2a. HTTP Basics (NB only HTTP basics, don't do
the second HTTP splitting part, which is a bit
confusing since it's not really HTTP splitting).
- 3. Insecure Storage
3a. Encoding Basics
- 4. Code quality
4a. Discover Clues in the HTML
- 8. Session Management Flaws
8a. Spoof an Authentication Cookie
- 5. Injection Flaws (read Section 6.3.3 of the book for background)
5a. Numeric SQL Injection
5b. Log Spoofing
5c. LAB SQL Injection (only stages 1 and 3;
of stages 2 and 4 only look at the
5d. String SQL Injection
5e. Modify Data with SQL Injection
5f. Add Data with SQL Injection
- 6. Parameter Tampering
6a. Exploit Hidden Fields
- 7. Cross-Site Scripting (XSS)
7a. LAB Cross-Site Scripting (only stages 1, 3
of stages 2, 4 and 6 only look at the
7b. Stored XSS Attacks
7c. Reflected XSS Attacks
7d. Cross Site Request Forgery (CSRF)
7e. HTTPOnly Test
- 9. Improper Error Handling
9a. Fail Open Authentication Scheme
- 10. Concurrency
10a. Shopping Cart Concurrency Flaw