Week3-SampleSolution-1.pdf: INSC 561 Individual Project 3, Security Testing

(Preview: pages 1-5 of 15.)

INSC 561 Individual Project 3: Security Testing

1. Hands-On
Target: WebGoat
Tool: OWASP ZAP

Mapping the Application

Step 1: Automated Spider Scan

Starting from the initial login page of WebGoat, a first spider scan was run without authentication to see what an automated spider could identify on its own. Figure 1 shows the spider scan being started from the WebGoat login page, and Figure 2 shows the results of the unauthenticated scan.

Figure 1. ZAP Spider Scan on WebGoat Target: Unauthenticated

From Figure 2, the results returned a few web pages and a number of supporting resources. The web pages are the login page (where the spider started), a registration page, and a second login page with the query string "error". That last page is the failed-login page: the ZAP spider submitted the login form with blank credentials and was rejected. The other fetched resources include CSS, some XML, some Bootstrap files, and a robots.txt file, which could be useful later on.

Figure 2. Spider Scan Results for WebGoat Target: Unauthenticated

Step 2: Authenticate and Run Second Automated Spider Scan

The second step is to log in to WebGoat with user credentials. Figure 3 shows a page beyond the login, the introduction lesson page. Figure 4 shows a second automated spider scan being started from the introduction page now that authentication has completed (the current session must also be set to "Active" in ZAP so that the spider runs with the logged-in session). The results of the new automated spider scan are shown in Figure 5.

Figure 3. WebGoat Introduction Page: Authenticated

Figure 4. ZAP Spider Scan on WebGoat Target: Authenticated

Figure 5. Spider Scan Results for WebGoat Target: Authenticated

As shown in Figure 5, the results are still limited: the only actual web pages found are still the login and registration pages. The automated spider has trouble discovering additional pages. Looking back at Figure 3, the WebGoat introduction page, the navigation is a menu on the left-hand side, and there are no links or other navigation directly within the page itself. The automated spider could not reach the items in that navigation menu, but it did retrieve internal WebGoat resources from the main login page and the introduction page: Figure 5 shows that many JavaScript, .mvc, and Bootstrap files were obtained by the authenticated spider. A manual crawl is needed to reach the pages buried within the WebGoat navigation menu. There is a second problem even when authenticated: the logout function is available from every page in the top menu, so the spider eventually requests it, the session ends, and the automated spider always ends up back at the login page.

Step 3: Authenticated Manual Crawl

Several things become evident during the manual crawl. The results of the manual crawl are shown in Figure 6. WebGoat is also set up so that its page content is served from .lesson files rather than standard HTML, so GET requests for these pages return .lesson files, .mvc files, and the JavaScript files for the page. The browser continues to request the "lessonoverview" and
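The following toy spider is an added illustration of the three situations described above (unauthenticated spider, authenticated spider that trips over the logout link, and a manual crawl whose browsed URLs are fed back in as seeds). It is not part of the original report and is not ZAP or WebGoat code; every page body and path in it (start.mvc, /js/menu.js, /service/lessonmenu.mvc, HttpBasics.lesson, and so on) is constructed for the example and only imitates the shapes the report mentions (.mvc, .lesson, login?error, robots.txt). The `exclude` parameter stands in for the usual ZAP practice of excluding the logout URL from the context so the spider does not end its own session.

```python
"""Toy site-mapping spider (constructed example): a static link crawler that
follows anchors, script/css resources and forms, over a fake server with a
session flag. Shows why a JS-built menu hides lesson pages from the spider
and why an unexcluded logout link drops the authenticated session."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SITE = {  # constructed mini-site; paths and bodies are not from WebGoat
    "/login": '<a href="/register">Register</a><form action="/login"></form>',
    "/login?error": '<a href="/login">Try again</a>',
    "/register": '<a href="/login">Back to login</a>',
    "/robots.txt": "User-agent: *\nDisallow:",
    # Intro page: the lesson menu is built by JavaScript, so there are no
    # <a> tags for lessons, only the script and the top-bar logout link.
    "/start.mvc": '<script src="/js/menu.js"></script><div id="menu"></div>'
                  '<a href="/logout">Logout</a>',
    "/js/menu.js": "fetch('/service/lessonmenu.mvc')",
    "/service/lessonmenu.mvc": '[{"link": "/HttpBasics.lesson"}]',
    "/HttpBasics.lesson": '<a href="/service/lessonoverview.mvc">overview</a>'
                          '<a href="/logout">Logout</a>',
    "/service/lessonoverview.mvc": "{}",
    "/logout": '<a href="/login">Login</a>',
}
AUTH_ONLY = {"/start.mvc", "/HttpBasics.lesson", "/service/lessonmenu.mvc",
             "/service/lessonoverview.mvc"}


class LinkExtractor(HTMLParser):
    """Collect what a static spider follows: anchors, script/css resources,
    and forms (submitted blank, which is what produced login?error)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(("GET", a["href"]))
        elif tag in ("script", "link") and (a.get("src") or a.get("href")):
            self.links.append(("GET", a.get("src") or a.get("href")))
        elif tag == "form" and a.get("action"):
            self.links.append(("POST", a["action"]))


class FakeServer:
    """Session model: /logout ends the session, auth-only pages bounce a
    logged-out client to /login?error, and a blank login POST fails."""
    def __init__(self, logged_in=False):
        self.logged_in = logged_in

    def request(self, method, path):
        if path == "/logout":
            self.logged_in = False
        if method == "POST" and path == "/login":
            return "/login?error", SITE["/login?error"]
        if path in AUTH_ONLY and not self.logged_in:
            return "/login?error", SITE["/login?error"]
        return path, SITE.get(path, "")


def spider(server, seeds, exclude=None):
    """Breadth-first crawl from `seeds`. `exclude` is a regex of URLs that are
    never requested (ZAP equivalent: exclude the logout URL from the context).
    Returns the sorted set of URLs actually reached."""
    skip = re.compile(exclude) if exclude else None
    queue, requested, found = [("GET", s) for s in seeds], set(), set()
    while queue:
        method, path = queue.pop(0)
        if (method, path) in requested or (skip and skip.search(path)):
            continue
        requested.add((method, path))
        final, body = server.request(method, path)
        found.add(final)
        ex = LinkExtractor()
        ex.feed(body)
        for m, href in ex.links:
            t = urlsplit(urljoin(path, href))
            queue.append((m, t.path + ("?" + t.query if t.query else "")))
    return sorted(found)


def run_scenarios():
    """Crawl results for the report's three steps."""
    # Step 1: unauthenticated, from the login page (robots.txt is seeded
    # because ZAP requests it on its own).
    step1 = spider(FakeServer(False), ["/login", "/robots.txt"])
    # Step 2: authenticated, no exclusions: the spider follows /logout.
    step2 = spider(FakeServer(True), ["/start.mvc"])
    # Step 2 with the logout URL excluded: session kept, menu still unseen.
    step2_excl = spider(FakeServer(True), ["/start.mvc"], exclude=r"/logout")
    # Step 3: manual crawl; URLs seen while browsing through the proxy
    # become seeds, which finally reaches the .lesson and overview pages.
    browsed = ["/start.mvc", "/service/lessonmenu.mvc", "/HttpBasics.lesson"]
    step3 = spider(FakeServer(True), browsed, exclude=r"/logout")
    return {"step1": step1, "step2": step2,
            "step2_excl": step2_excl, "step3": step3}


if __name__ == "__main__":
    for name, urls in run_scenarios().items():
        print(name, urls)
```

Running the block prints four URL lists. Step 1 finds only /login, /login?error, /register and /robots.txt; step 2 without an exclusion follows /logout and ends up with the login and registration pages again, never the lesson; with /logout excluded the session survives but the spider still sees only the script file, because the menu links exist only in the JSON the script fetches; only the manually browsed seeds reach the lesson and overview pages.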