Software and Web Security 2
Software and Web Security 2, NWI-IPC026, Spring 2015
For some of the lab assignments we use WebGoat 5.4 and WebScarab.
You can also use the newer Zed Attack Proxy.
To install WebGoat
- the Tomcat server in WebGoat does not seem to work on
Java 8, so use Java 7 instead.
- For starting WebGoat 5.4 on Linux, webgoat.sh has to be edited so that it
doesn't execute the is_java_1dor5() check, for example by
28. Also, the JAVA_HOME environment variable will need to be set to the
There is lots of additional info on installation and use at the
WebGoat 5.4 and WebScarab websites, but you shouldn't need that.
- using your own laptop or PC:
follow the instructions of our manual of WebGoat and WebScarab on how to install and use the
The link to download WebGoat 5.4 (https://webgoat.googlecode.com/files/WebGoat-5.4-OWASP_Standard_Win32.zip)
- in HG00.075 and other faculty terminal rooms:
WebGoat and WebScarab are in the cursus drive,
which is automatically mounted if you start Windows 7.
Go to Start > Computer and then to cursus (T:) > SWS2014.
There you will find a README.txt with the instructions below:
Use the browser Chrome or Firefox with these tools; Internet Explorer 8 will not work.
- Copy the directories WebGoat-5.4 and WebScarab to the local C: or D: disk
(not to the Desktop)
- To run WebGoat: open D:\WebGoat-5.4\webgoat_8080
- To run WebScarab: open WebScarab\webscarab
For instructions on how to configure your browser and
of WebGoat and WebScarab:
(on pages 4 and 7; you can skip all the other installation instructions).
Starting everything up after the installation
To keep an overview with all the tools and installation
instructions above: once everything is installed, you have to
- start WebGoat,
- start WebScarab,
- start your browser (Firefox or Chrome),
- configure the network connection settings to use localhost port 8008 as a proxy, and
- surf to http://localhost/WebGoat/attack or http://localhost:8080/WebGoat/attack and log in as
guest with password guest,
and you should be ready to start on the exercises.
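A small pre-flight check for the setup above, added here as an example (not part of the course material or of WebGoat/WebScarab). It assumes the defaults from the instructions (WebScarab proxy on localhost:8008, WebGoat on localhost:8080, Java 7 rather than Java 8) and that WebGoat's Tomcat answers an unauthenticated request with an HTTP 401 basic-auth challenge before you log in as guest/guest.

```python
"""Pre-flight check for the WebGoat 5.4 / WebScarab lab setup.
Assumptions (from the lab instructions, not verified here):
WebScarab listens on localhost:8008, WebGoat on localhost:8080,
and WebGoat's Tomcat only works on Java 7 (1.7), not Java 8."""
import re
import socket
import subprocess
import urllib.error
import urllib.request

PROXY = ("localhost", 8008)                      # WebScarab proxy listener
WEBGOAT_URL = "http://localhost:8080/WebGoat/attack"


def parse_java_version(version_output):
    """Return (major, minor) from `java -version` output, e.g. (1, 7) for
    'java version "1.7.0_80"'. Returns None if no version string is found."""
    m = re.search(r'version "(\d+)\.(\d+)', version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def java_ok_for_webgoat(version_output):
    """The notes say WebGoat 5.4's Tomcat fails on Java 8: accept only 1.7."""
    return parse_java_version(version_output) == (1, 7)


def port_open(host, port, timeout=1.0):
    """True if something (WebScarab, we hope) is listening on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def webgoat_status_through_proxy():
    """Fetch the WebGoat login URL via the WebScarab proxy and return the HTTP
    status (401 = basic-auth challenge reached us), or None on failure."""
    handler = urllib.request.ProxyHandler({"http": "http://%s:%d" % PROXY})
    try:
        with urllib.request.build_opener(handler).open(WEBGOAT_URL, timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    try:   # `java -version` prints to stderr
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
        print("Java 7 present:", java_ok_for_webgoat(out.stderr + out.stdout))
    except FileNotFoundError:
        print("Java 7 present: False (no java on PATH)")
    print("WebScarab proxy on %s:%d:" % PROXY, port_open(*PROXY))
    print("WebGoat via proxy, HTTP status:", webgoat_status_through_proxy())
```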
Numbering of the OWASP WebGoat exercises
- 1. Introduction
1a. How to work with WebGoat
- 2. General
2a. HTTP Basics (NB only HTTP basics, don't do
the second HTTP splitting part, which is a bit
confusing since it's not really HTTP splitting).
- 3. Insecure Storage
3a. Encoding Basics
- 4. Code quality
4a. Discover Clues in the HTML
- 5. Injection Flaws (read Section 6.3.3 of book for background)
5a. Command Injection
5b. Numeric SQL Injection
5c. Log Spoofing
5d. LAB SQL Injection (only stages 1 and 3;
of stages 2 and 4 only look at the
5e. String SQL Injection
5f. Modify Data with SQL Injection
5g. Add Data with SQL Injection
- 6. Parameter Tampering
6a. Bypass HTML Field Restrictions
6b. Exploit Hidden Fields
- 7. Cross-Site Scripting (XSS)
7a. LAB Cross-Site Scripting (only stages 1, 3 and 5;
of stages 2, 4 and 6 only look at the
7b. Stored XSS Attacks
7c. Reflected XSS Attacks
7d. Cross Site Request Forgery (CSRF)
7e. HTTPOnly Test
- 8. Session Management Flaws
8a. Spoof an Authentication Cookie
8b. Spoof an Authentication Cookie
8c. Session Fixation
- 9. Improper Error Handling
9a. Fail Open Authentication Scheme
- 10. Concurrency
10a. Shopping Cart Concurrency Flaw