Introduction to pentesting: Web-Based Exploitation

How do I practise this step?

As mentioned at the beginning of this chapter, it is important that you learn to master the basics of web exploitation. However, finding vulnerable websites on which you are authorized to conduct these attacks can be difficult. Fortunately, the fine folks at the Open Web Application Security Project (OWASP) have developed a vulnerable platform for learning and practising web-based attacks. This project, called WebGoat, is an intentionally misconfigured and vulnerable web server.

WebGoat was built using J2EE, which means it’s capable of running on any system that has the Java Runtime Environment installed. WebGoat includes more than 30 individual lessons that provide a realistic, scenario-driven learning environment. Current lessons include all the attacks we described in this chapter and many more. Most lessons require you to perform a certain attack, such as using SQL injection to bypass authentication. Each lesson comes complete with hints that will help you solve the puzzle. As with other scenario-driven exercises, it’s important to work hard and attempt to find the answer on your own before using the help files.

If you’re making use of virtual machines in your hacking lab, you’ll need to download and install WebGoat inside a virtual machine. As discussed previously, WebGoat will run in either Linux or Windows; just be sure to install Java (JRE) on your system prior to starting WebGoat.

WebGoat can be downloaded from the official OWASP website. The file you download will require 7-Zip or another program capable of extracting a .7z archive. Unzip the file and remember the location of the uncompressed WebGoat folder. If you are running WebGoat on Windows, you can navigate to the unzipped WebGoat folder and locate the “webgoat_8080.bat” file. Execute this batch file by double-clicking it. A terminal window will appear; you’ll need to leave this window open and running in order for WebGoat to function properly. At this point, assuming that you are accessing WebGoat from the same machine you are running the WebGoat server on, you can begin using WebGoat by opening a browser and entering the URL: localhost:8080/webgoat/attack.

If everything went properly, you’ll be presented with a log-in prompt. Both the username and password are set to: guest.

As a final note, please pay attention to the warnings posted in the “readme” file. Specifically, you should understand that running WebGoat outside a lab environment is extremely dangerous, as your system will be vulnerable to attacks. Always use caution and only run WebGoat in a properly sandboxed environment.
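The setup steps above and the sandboxing warning can be turned into a small pre-flight check for a Linux lab host. The script below is an added example, not code from the book or from the WebGoat project: it assumes a Linux host with `ss` (iproute2) available, that WebGoat listens on port 8080, and a hypothetical file name `webgoat_preflight.sh`. It confirms a Java runtime is on PATH and, once the server is running, that port 8080 is bound to loopback only, so the deliberately vulnerable server is not reachable from the rest of the network.

```shell
#!/bin/sh
# Added pre-flight check for a WebGoat lab host (example code, not from the
# book or the WebGoat project). Assumptions: Linux host with `ss` (iproute2),
# WebGoat listening on port 8080.

WEBGOAT_PORT=8080

# Returns 0 if a java binary is on PATH (WebGoat needs the JRE), 1 otherwise.
java_present() {
    command -v java >/dev/null 2>&1
}

# Reads `ss -ltn` output on stdin. Prints every listener on port $1 whose
# local address is not loopback. Returns 0 when none is exposed, 1 otherwise.
exposed_listeners() {
    port="$1"
    found=0
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue        # skips the header line
        # laddr looks like 127.0.0.1:8080, 0.0.0.0:8080, [::1]:8080 or [::]:8080
        lport="${laddr##*:}"
        addr="${laddr%:*}"
        [ "$lport" = "$port" ] || continue
        case "$addr" in
            127.0.0.1|"[::1]") ;;                 # loopback only: fine for a lab
            *) echo "$laddr"; found=1 ;;          # anything else is exposed
        esac
    done
    [ "$found" -eq 0 ]
}

# Runs both checks against the live host and reports the result.
check_lab_host() {
    if java_present; then
        echo "ok: java found at $(command -v java)"
    else
        echo "missing: no java on PATH; install the JRE before starting WebGoat"
    fi
    if ss -ltn | exposed_listeners "$WEBGOAT_PORT"; then
        echo "ok: port $WEBGOAT_PORT is loopback-only or not listening yet"
    else
        echo "warning: port $WEBGOAT_PORT is reachable from other hosts; stop WebGoat"
    fi
}

# Run the checks only when invoked as: sh webgoat_preflight.sh run
if [ "${1:-}" = "run" ]; then check_lab_host; fi
```

Run it once before starting WebGoat (to confirm Java) and again after the terminal window is up (to confirm the listener is local only).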