Part A: Setting up WebGoat on Kali

Burp Suite is already installed on Kali. This section shows you how to run Burp Suite and install WebGoat 5.4 on your Kali VM. Download WebGoat from the URL above, then run the following commands (quote the directory name, since it contains a space):

    # cd /root
    # unzip WebGoat-5.4-OWASP_Standard_Win32.zip
    # cd "WebGoat 5.4"
    # nano webgoat.sh
    # export JAVA_HOME=/usr/lib/jvm/default-java

Using nano, edit the WebGoat start script, webgoat.sh, and remove the check for Java version 1.5. You can remove the entire function and the if statement that together perform the check. Once you have removed the check, you can start WebGoat on port 80 with the following command:

    # sh webgoat.sh start80

This command will produce some output, including the URL for WebGoat and the credentials you will need to log in. This command will not terminate until WebGoat itself is stopped. Typing ctrl-c in this terminal window will stop WebGoat.

If you run WebGoat on a different machine than the Kali VM, you may not be able to run it on port 80. In this case, note that WebGoat's other default port, 8080, is the same as Burp Suite's default proxy port, so you must configure one of the two applications to use yet another port.
WebGoat:

1. Parameter tampering
2. Insecure storage
3. Injection flaws
4. Cross-site scripting (except HttpOnly and XST)
5. Insecure communication

Skip any exercises that require you to modify the code of WebGoat itself. You can also skip the XSS Phishing exercise.

OWASP Stored XSS Definition

Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Stored XSS
Inject XSS

• View & Edit the profile for Tom
• Select the Address field
• Paste <script>alert(0)</script>
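The following is an added example, not part of this handout or of WebGoat's own code, that models what the stored XSS definition and the Address-field exercise above describe: a profile store that keeps whatever the user submitted, a page builder that concatenates the stored value straight into HTML (the defect the lesson demonstrates), the same page builder with output encoding applied (the fix), and a small check a defender can run over the store to find fields holding HTML-significant characters. The profile table, user name and address values are constructed for this example; the payload is the one from the exercise.

```python
import html

# Constructed in-memory stand-in for WebGoat's employee profile table.
# Names and addresses are invented for this example.
PROFILES = {
    "tom": {"name": "Tom Cat", "address": "1 Main Street"},
}

# The payload from the exercise above.
XSS_PAYLOAD = "<script>alert(0)</script>"


def save_address(user: str, address: str) -> None:
    """Store the submitted Address field verbatim.

    Storing raw input is not itself the bug; the bug is emitting it
    later as markup. Keeping it raw lets us show both renderings."""
    PROFILES[user]["address"] = address


def render_profile_unsafe(user: str) -> str:
    """Build the profile page by concatenating stored data into HTML.

    Whatever was stored becomes live markup in every visitor's browser,
    which is exactly the stored XSS condition in the OWASP definition."""
    p = PROFILES[user]
    return (
        f"<tr><td>Name</td><td>{p['name']}</td></tr>"
        f"<tr><td>Address</td><td>{p['address']}</td></tr>"
    )


def render_profile_safe(user: str) -> str:
    """Same page, but every stored value is HTML-entity encoded at output
    time (html.escape with quote=True also encodes ' and "), so the
    browser displays the payload as text instead of executing it."""
    p = PROFILES[user]
    name = html.escape(p["name"], quote=True)
    address = html.escape(p["address"], quote=True)
    return (
        f"<tr><td>Name</td><td>{name}</td></tr>"
        f"<tr><td>Address</td><td>{address}</td></tr>"
    )


def find_markup_in_store() -> list:
    """Defender-side sweep: list (user, field) pairs whose stored value
    contains HTML-significant characters, i.e. values that would change
    under escaping. Useful for auditing an existing database after a
    stored XSS finding."""
    hits = []
    for user, fields in sorted(PROFILES.items()):
        for field, value in sorted(fields.items()):
            if html.escape(value, quote=True) != value:
                hits.append((user, field))
    return hits


if __name__ == "__main__":
    save_address("tom", XSS_PAYLOAD)
    print("unsafe:", render_profile_unsafe("tom"))
    print("safe:  ", render_profile_safe("tom"))
    print("fields holding markup:", find_markup_in_store())
```

Running the block shows the unsafe rendering carrying the script tag intact, the safe rendering carrying `&lt;script&gt;alert(0)&lt;/script&gt;` instead, and the sweep reporting `("tom", "address")`. The fix is applied at output time rather than by stripping input, because the same stored value may be emitted into several contexts and only the emitting code knows which encoding is correct.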