Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Web Goat J2EE Security Analysis

Verified

Added on 2020/04/01

AI Summary

This assignment involves a comprehensive security analysis of the Web Goat J2EE web application. Utilizing the Backtrack GNU/Linux distribution and the Web Goat package, students will perform various penetration testing exercises to identify vulnerabilities. The analysis will include theoretical descriptions of the attacks, short evaluations, and proposed defense mechanisms. Students will also detail procedures for downloading Web Goat, testing attack scenarios, implementing solutions, and evaluating results.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

System
security

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Table of Contents
1. Introduction....................................................................................................................................3
Part A......................................................................................................................................................3
2. Web goat J2EE web application package....................................................................................3
3. Procedures followed to download web goat................................................................................3
4. Exploits used to attack a webpage................................................................................................8
5. Description of the scenarios in 3 stages of the challenge............................................................8
6. Screenshots...................................................................................................................................13
7. Method used to test the attack and result..................................................................................16
Part B....................................................................................................................................................17
8. Backtrack GNU/Linux distributions..........................................................................................17
9. Description of the attack-DoS attack.........................................................................................20
10. Steps followed to implement (DoS) Attack............................................................................21
11. Evaluation of data after implementation...............................................................................25
12. Defence mechanisms used to defend the attack....................................................................26
13. Conclusion................................................................................................................................27
References..............................................................................................................................................28

1. Introduction
System security could be known as IT security or cyber security. It protect computer
from the damage to their hardware, theft and software. The system security will be performed
by WebGoatJ2EE web application package and Backtrack GNU/Linux distribution. The web
Goat challenging questions will be completed using the web application package. The perfect
Java source code is used for complete the Web Goat challenge. The theoretical description of
the attack will be attached. The short evaluation and considerations of the attack will be
provided. The defence mechanism will be included that is used for defend from such an
attack. Defence mechanisms are having knowledge of how people have awareness of
behaviours, feelings and unpleasant thoughts. The procedures will be included to download
web goat. The method for testing the attack and result will be added. The steps will be added
to implement the task. After the implementation step the evaluation of data will be written.
Different techniques will be used to defend such attack. Backtrack GNU/Linux distributions
description will be added.
Part A
2. Web goat J2EE web application package
Web Goat is the J2EE application maintained by OWASP. It is created with security
flaws for learning. OWASP stands for Open Web Application Security Project. It makes
freely-available articles, tools, documentation, methodologies and technologies in the web
application security field. In this application SQL injection is used for stealing the credit card
numbers. To learn and implement is difficult in web application security. The initial aim of
the web Goat is to create the de-facto interactive for web application security. It is Java based
web application. IT is very insecure one. The Web Goat attack is made by using Tamber.
Web Scarab and Burp Suite also used for this attack. Three challenges are done by the Web
Goat that is Break the authentication, steal all the credit cards from the database and deface
the website.
3. Procedures followed to download web goat
To download the web Goat some software files are needed. The required software
files
1. Operating system could be (Windows, Mac Osx, Ubuntu).
2. Download the JDK file and install.

3. Apache Tomcat Server
4. Download and install the Web Goat War file.
Create variable Java
1. Windows
2. Ubuntu
How to download and install the Apache Tomcat Server on Windows, Ubuntu, Mac OS
1. Mac OS X
Goto http://tomcat.apache.org --> Download --> Tomcat 8.0 --> "8.0.{xx}" (where {xx}
denotes the latest upgrade number) --> Binary distribution --> Core --> "tar.gz" package (e.g.,
"apache-tomcat-8.0.{xx}.tar.gz", about 8 MB)
Steps for installing Tomcat
a. Goto "~/Downloads", double-click the downloaded tarball (e.g., "apache-tomcat-8.0.
{xx}.tar.gz") to expand it into a folder (e.g., "apache-tomcat-8.0.{xx}")
b. Move the extracted folder (e.g., "apache-tomcat-8.0.{xx}") to "/Applications".
c. For ease of use, we shall shorten and rename this folder to "tomcat".
2. Windows
a. Goto http://tomcat.apache.org --> Downloads --> Tomcat 8.0 --> "8.0.{xx}" (where
{xx} is the latest upgrade number) --> Binary Distributions --> Core --> "ZIP"
package (e.g., "apache-tomcat-8.0.{xx}.zip", about 8 MB).
b. Create your project directory, say "d:\myProject" or "c:\myProject". UNZIP the
downloaded file into your project directory. Tomcat will be unzipped into directory
"d:\myProject\apache-tomcat-8.0.{xx}".
c. For ease of use, we shall shorten and rename this directory to "d:\myProject\tomcat".
Configuration for Tomcat Server
1. open the Tomcat-users.xml file under "Tomcat_Home\conf\"
2. the Tomcat manager is enabled by adding the highlighted lines, inside the <Tomcat-
users>elements

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

<tomcat-users>
<role rolename="manager-gui"/>
<user username="manager" password="xxxx" roles="manager-gui"/>
</tomcat-users>
The Webgoat.war is copied to the Tomcat directory
1. Mac OS X sudocp webgoat-container-5.4war /Applications/tomcat/webapps/
2. Ubuntu sudocp webgoat-container-5.4.war /var/lib/tomcat/webapps/
3. Windows copy webgoat-container-5.4.war and paste to D:\myProject\tomcat\
Procedure for start and shutdown Tomcat server
1. Ubuntu and Mac OS X
By using terminal select bin folder under the tomcat directory.
Type this command to run the tomcat server "sudo ./startup.sh"
Write this command to stop the tomcat server "sudo ./shutdown.sh"
2. Windows
By using window command prompt select the bin folder present in the tomcat directory.
Type this command to run the tomcat server "startup"
Write this command to stop the tomcat server "shutdown"
After the installation of tomcat server open the server and enter the URL
http://localhost:8080/webgoat_war_filename/ on browser address bar

Login as a admin with user name "webgoat" and password "webgoat"
4. Exploits used to attack a webpage
There are many exploits that are used to proceed the attack. Some of the exploits are
 SQL injection
 Session hijacking
 Url manipulation
The exploits used to complete the web goat challenge are the SQL injection and Session
hijacking.

SQL injection represent to an injection attack in which attacker can also execute malicious
SQL statement that controls a web application database server. It commonly represents
relational database management system. SQL injection obligation could possibly affect any
website or web application that uses SQL based database. One of the oldest is vulnerability. It
is one of the most dangerous web application vulnerabilities. Session hijacking or cookie
hijacking is one in which unauthorised information can be tracked.
5. Description of the scenarios in 3 stages of the challenge
Challenge 1
Breaking the authentication
The authenticated users would be done the highly secured activities. So that
authentication is introduced. Many methods are introduced to provide authentication. But
these methods are not safe and the process perfectly. Authentication page and authentication
scheme could be built using old technology. For that reason authentication page could be
broken easily. Many techniques are used for breaking authentication. Some of these
techniques are stealing session's keys, changing the form activities.
Way for attack
The User name and password could be taken by using some methods such as use the
fake URLs, session stealing, SQL injection and modifying the fixed parameters. The hacker
hacks the user name and password without the authentication through the higher level of
pages. Because the key developer code the authentication for the end user to provide the
access to the web page. The hacker produce the code like auth=0 or auth=1 for break the
authentication page without any authentication. The authentication page is bypassed with the
help of SQL injection. The user will provide the user names and password easily by sending
fake and look alike URLs. Because they think the request is come from usual websites.
Prevention ways
1. Protecting the data firmware patching
2. The metasploit is one of the authentication frameworks.
3. Check the two errors (SQL injection and Buffer overflow) in the time of development
process.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Challenge2
Credit card theft
The main usage of the credit card is taking money through e-banking. The credit theft is
made due to customers sharing their card information to their family members, unknown
person and friends. When credit card are is missed or stolen by someone.at that time the
criminals take the card details by diverting the email. Some techniques are used for stealing
credit card information, that are balance transfer check, Malware, Skimming and Phishing
(Hacking,2011).
Preventing credit card steal
1. Use the spyware remover or spam filter software for security.
2. If you received any mail or message from the financial company. Check the website
and mobile number, you receiving it from the correct person. Corresponding website
and mobile number is present at the back side of your credit card.
Challenge3
Defacing the website
For defacing the website the most common method is SQL injection. To process the injection
attack SQL commands provide the injection of query. With the help of SQL DB or web page,
the user data input theft lead the injection of SQL.DB coding is small, so it is implemented
very easily by the user. By referring Relational database management system, the web
applications data server could be controlled. Either injection or insertion are consist by SQL.
It performs many operations, that is issuing commands to the Update or insert or delete the
database, content recovery of a given file placed on the data base management system and OS
(Halde, 2014).
.
SQL injection Testing
The SQL injection is used for software manipulation such as developing and testing.
It is used for fetch the data by accessing the database. Three testing methods are there in the
SQL injection.
1. Classical SQL Injection

2. SELECT statement
3. Stack Queries
Classical SQL Injection
Consider the SQL query
To validate a login to the user the query mentioned below is been used.If the login value is
assumed to be same with the database, then the login will be valuated or the value does not
make a login to the user. The input should be given through the web pages like as given
below(Center, 2016).
The query is:
The user values inserted by GET functions,then the website shows like

SELECT statement
Consider the SQL query
this displays the current user login
The credentials results are checked via testing process.
String insert = "INSERT INTO customer(name,address,email) VALUES(?, ?, ?);";
PreparedStatementps = connection.prepareStatement(insert);
ps.setString(1, name);
ps.setString(2, addre);
ps.setString(3, email);
ResultSetrs = ps.executeQuery();

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Stack Queries
Consider the query
The execution flow
The first query will be executed without any dependency from the flow of a single
row.
The preventing steps for SQL injection
a. SQL Injection vulnerabilities of prevalence.
b. Target attractiveness
6. Screenshots

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7. Method used to test the attack and result
Security testing of the attack is nothing but the testing the following measures
 Confidentiality
 Authentication

 Authorization
 Non-repudiation
 Integrity
Some of the security testing methods that can be used to test the attack are
 Login credentials check
 Checking the execution of SQL injection
 Testing the manipulation of url
 Testing the cache usage
Login credentials check
It should be checked whether the log in page is the original login page of the website
or the defaced login page. The login page design should be such that after entering the
credentials, the user should be sent to another page for authentication. The password we enter
should always be in an encrypted format. The external recording devices such as key loggers
can be used to store or track the user inputs. Hence the use of such devices should be avoided
(Hutchens, 2014). .
Checking the execution of SQL injection
SQL injection is nothing but the technique by which the statements of our choice can
be tracked on the back end of the database. The username and password that we create for our
page get stored in the database. And each time we use the username and password it executes
by asking the query. The attacker can enter into the login page and can change the input as
username or 1=1.Now when entering 1 the query will become active and the user gets
authenticated. Checking the query page can test the attack.
Testing the manipulation of url
Before the input goes to the server side, the attacker can modify the input and make the server
believe that the browse request is the valid one. Attackers can use proxy tools to modify the
HTTP or HTTPS. The packets sent to the server can be redirected to the attacker by means of
the technique called DNS poisoning (Jaishankar,2011).
.
Testing the cache usage

Cookies are nothing but the persistent data that a page keeps on the user’s hard drive.
The cookies get stored in the text file and the attacker if accessible to the victim's machine
can carry out the attack. Cookies should be secured else they can also be used as a tool for the
attack.
Part B
8. Backtrack GNU/Linux distributions
Backtrack is one of the Linux based penetration testing. It is used in penetration
testing. Backtrack was rebuilt around the Debian distribution and released at the of Kali
linux. It has the security professional ability in the environment of hacking. It is very helpful
for new professionals in the security field to find the more databases of security tools, one
could use the Backtrack. It is very easy to find and update the databases. Backtrack is found
by offensive security which is a popular information security training provider. Backtrack is
one of the best One-stop shop for all the security needs such as exploiting servers, learning,
social-engineering, web application assessment and hacking wireless (Dean,2013). .
Installation of Kali Linux
To install the kali Linux perfect computer hardware is required. It support ARM,
amd64 and i386 hard wares. Download the kali Linux and install it with the help of USB or
DVD. For installing Kali Linux at tht computer 20GB disk space,2GB RAM are needed.
Step 1
Type the Host name 'kali" in the host name box.
Step 2
Type the default domain name for the system to use.
Step 3
Then provide the full name for a non-root user for the system.
Step 4
The default user ID is created from the full name provided in the previous step. If you want to
change the ID that is also possible.
Step 5

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

After select the partition method, you could choose the partitioning method. Four
partitioning method is provided. Select Guided-use entire disk for the process.
Step 6
Choose the disk to be partitioned.
Step 7
Based upon your needs, you could select the partitioning scheme.
Step 8
Before finish the installation, you could check the disk configuration.

Step 9
The network mirror is included in the CD-RAM.you could configure the network mirror for
further process.
Step 10
Now install the GRUB boot loader to the master boot record by selecting yes button.
Step 11
Click continue to complete the Kali Linux installation (Beggs, 2014)
.

9. Description of the attack-DoS attack
DoS attack is nothing but the denial of service attack. In Dos attack, one seeks to
make the resource unavailable to the host by disrupting its services. There are two main types
of DoS attacks. One is from a single source and other is from the distributed source. If the
attack is from the multiple sources, then the attack is more dangerous since it is not possible
to stop the attack as the origin of the attack can be found out easily. Application layer DoS
attacks are more vulnerable. These types of vulnerable applicable layer attacks are used for
disrupting the transactions and the database access. The major symptoms of the DoS attacks
are as follows
 Difficulty in accessing the website
 Unusual performance of the network
 Disappearance of particular website partially
DDos appear to be carried out using cheap tools. But in some cases, there are some
vulnerable DDoS attacks. They are also called as the layer7 attacks. Application layer DDoS
fall into another two major categories. They are bandwidth exhausting and resource
exhausting. Bandwidth exhausting is nothing but the attacker tries to attack the victim by
establishing a TCP connection with the victim server. Application layer DoS attacks can
exhaust the server resources such as the bandwidth, sockets, memory and CPU(Lonea,2017).
10. Steps followed to implement (DoS) Attack
Step 1
Installation of slowhttptest in kali linux

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Slowhttptest is the software tool used for implementing the DoS attacks. Slowhttptest tool has
been installed on the Linux. Type the command
apt-get install Slowhttptest
to install the tool and then press enter. The Linux displays the installation complete message
if the tool is properly recognized and used (Bindner,2013).
Step2

Usage of slowhttptest in kali/backtrack linux
Slowhttptest has many usages.Few usages are mentioned below.
 Usage in slow message body mode
 Usage in slowloris mode
 Usage in slow read mode
Usage in slow message body mode
Usage in slowloris mode
Usage in slow read mode
Step 3
Generation of output
The output obtained is the status of the network showing the traffic details.Full traffic dump
of the requested webpage or server is displayed in the html page.

Output from attacker’s side
From the attacker side,the following command have to be typed.
After the recognition of the command, the following information will appear. The attacker is
trying to establishing many connections to the particular website to make the website to get
crashed.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Output from victim’s side
From the victim’s side if the victim types (Syngress, 2013).
pgrep httpd
the victim can find out that many connections have been established within short duration.
Thus this technique is used to crash a server very easily.

11.Evaluation of data after implementation
To evaluate DDoS attacks,the following techniques can be used .
 Understand the availability of Firewall / IDS / IPS in the network itself
 Understand the current configuration
 extract the existing log files
 use another software that can analyze the interference of the network activities
The traffic data after tracking can be evaluated by output data. The evaluation is of two types.
The first type is the basic evaluation and it involves the collection of basic data roughly. The
second type is the Real time evaluation. The ral time evaluation uses signal processing
techniques (Mirkovic,2005).
.
Rough evaluation
Rough evaluation is nothing but the evaluation of preliminary data using the display window.
 Attack duration
 Attack size
 Botnet Size
 Victim Profiles
Real time traffic data evaluation
Real time traffic data analysis involves the generation of HRPI series using the entropy
calculations.It involves complex calculations.

The data collected include test type, number of connections, the url tracked. It also displays
the content length of the header value. It displays the size of the follow up data. Interval
between the follow-up data is also displayed in the output window. The information such as
connections per second, probe connection timeout, test duration, proxy details are displayed.
Time, date and day of the request and the HTTP status is also displayed. The HTTP status
involves initializing information, pending information, connected numbers, error information
and the service availability information (Patel, R.2013).
.
12.Defence mechanisms used to defend the attack
Some of the defence mechanisms that are used to stay safe from DDoS attacks are
 Black-holing or sink holing
 Routers and firewalls
 Intrusion-detection systems
 Servers
 DDoS mitigation appliances
 Over-provisioning

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Black-holing or sink holing
Black holing is nothing but blocking of all traffics and sending it to a place called black hole
and the traffic both good and bad are discarded. By doing so, the whole network and so the
business goes offline (Dalziel,2014). .
Routers and firewalls
Routers can be configured in the way that it stops or blocks the ping attacks by filtering the
protocols.
Intrusion-detection systems
Intrusion detection systems can detect the bad or harmful protocols and can block the traffic
if insecure protocols are found.IDS should be used in conjunction with the firewall to
automatically block traffic.
Servers
Proper configuration of the server can block the DDoS attacks. The configuration should be
done by the administrator in such a way that only specific trusted protocols should be given
permission to access the server and the others should not not be given permission (Simic,
B.2012).
DDos mitigation appliances
Mitigation appliances are nothing but the devices that are used for sanitizing the traffic. The
devices can drop only some legitimate traffic and sometimes traffic affects the server (York,
D.2010).
.
13.Conclusion
The system security has been performed by Web Goat J2EE web application package and
Backtrack GNU/Linux distribution. The web Goat challenging questions would be completed
using the web application package. The perfect Java source code is used for complete the
Web Goat challenge. The theoretical description of the attack could be attached. The short
evaluation and considerations of the attack has been provided. The defence mechanism has-
been included that is used for defend from such an attack. Defence mechanisms are knowing,
how people have awareness of behaviours, feelings and unpleasant thoughts. The procedures
would be included to download web goat. The method for testing the attack and result could

be added. The steps hasbeen added to implement the task. After the implementation step the
evaluation of data would be written. Different techniques have been used to defend such
attack. Backtrack GNU/Linux distributions description would be added.
References
Beggs, R. (2014). Mastering Kali Linux for advanced penetration testing. Birmingham, UK:
Packt Pub.
Broad, J. and Andrew Bindner (2013). Hacking with Kali. Elsevier Science.
Client-side Attacks and Defense. (2013). [S.l.]: Syngress Media Inc.
Dalziel, M. (2014). How to attack and defend your website. Amsterdam: Elsevier.
Dean, J. (2013). Backtrack. London: Headline.
Hacking, S. (2011). Take a walk. Seattle, Wash.: Sasquatch Books.
Halde, J. (2014). Basics of SQL injection Analysis, Detection and Prevention. Saarbrücken:
LAP LAMBERT Academic Publishing.
Hutchens, J. (2014). Kali Linux Network Scanning Cookbook. Packt Publishing.
Jaishankar, K. (2011). Cyber criminology. Boca Raton, FL: CRC Press.
Lonea, A., Popescu, D., Prostean, O. and Tianfield, H. (2017). Evaluation of Experiments on
Detecting Distributed Denial of Service (DDoS) Attacks in Eucalyptus Private Cloud.
Mirkovic, J. (2005). Internet denial of service. Upper Saddle River, N.J.: Prentice
Hall Professional Technical Reference.
Ni, T., Gu, X., Wang, H. and Li, Y. (2017). Real-Time Detection of Application-Layer DDoS
Attack Using Time Series Analysis.
Patel, R. (2013). Kali Linux social engineering. Birmingham, UK: Packt Pub.
Paul Froutan, R. (2017). How to defend against DDoS attacks. [online] Computerworld.
Available at: https://www.computerworld.com/article/2564424/security0/how-to-defend-
against-ddos-attacks.html [Accessed 22 Sep. 2017].
Simic, B. (2012). Eliminating SQL injection and cross-site scripting with aspect oriented
programming.

Trabelsi, Z. (2013). Network attacks and defenses. Boca Raton: CRC Press.
Ventre, D. (2012). Cyberwar and information warfare. Hoboken: Wiley.
Weldekidan, D. (2014). Mitigating DoS and DDoS. Saarbrücken: AV Akademikerverlag.
York, D. (2010). Seven deadliest unified communications attacks. Burlington
(Massachusetts): Elsevier.

1 out of 28

+13062052269

info@desklib.com

Web Goat J2EE Security Analysis

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Web Goat Exploitation and Backtrack Hacking

Cybersecurity Resources and Analysis

INFORMATION SYSTEM THREATS, ATTACKS AND DEFENSES.

A Design for Gentoo and Slackware

Software Testing Tools

Network Vulnerability And Penetration Testing Assignment