securing_webgoat_using_modsecurity资源-CSDN文库

需积分: 7 14 浏览量 2018-05-29 09:57:19 上传评论收藏 3.58MB PDF 举报

资源推荐

资源详情

资源评论

beta

OWASP

The Open Web Application Security Project

Creative Commons (CC) Attribution Share-Alike

Free version at http://www.owasp.org

Securing WebGoat

Using ModSecurity

OWASP Summer of Code 2008 Beta

Table of Contents

Page iii

Table of Contents

1. INTRODUCTION ..................................................................................................1

1.1 BACKGROUND ................................................................................................................................................. 1

1.2 PURPOSE.......................................................................................................................................................... 1

1.3 TASKS AND DELIVERABLES ............................................................................................................................. 2

1.4 PROJECT MEMBER COMMENTS AT 100%.......................................................................................................... 2

1.5 FUTURE DEVELOPMENT AND LONG-TERM VISION ............................................................................................ 3

1.6 CONTRIBUTORS ............................................................................................................................................... 5

2. WEBGOAT ............................................................................................................5

2.1 OVERVIEW ...................................................................................................................................................... 5

2.2 HOW IT WORKS................................................................................................................................................ 6

2.3 LESSON TABLE OF CONTENTS ........................................................................................................................ 11

2.4 OVERVIEW OF LESSON RESULTS .................................................................................................................... 14

3. MODSECURITY PROTECTING WEBGOAT ..................................................15

3.1 PROJECT SETUP AND ENVIRONMENT ............................................................................................................. 16

3.1.1 Network/hardware/software .................................................................................................................... 16

3.1.2 Tools used ................................................................................................................................................ 16

3.2 DOING THE WEBGOAT LESSONS - TIPS AND TRICKS....................................................................................... 17

3.3 TESTING MODSECURITY RULES – TIPS AND TRICKS....................................................................................... 18

3.4 PROJECT ORGANIZATION ............................................................................................................................... 19

3.4.1 ModSecurity rules .................................................................................................................................... 19

3.4.2 SecDirData directory............................................................................................................................... 20

3.4.3 Error pages.............................................................................................................................................. 20

3.4.4 Informational and debug messages.......................................................................................................... 20

4. MITIGATING THE WEBGOAT LESSONS......................................................21

4.1 PROJECT METRICS AT 50% PROJECT COMPLETION ......................................................................................... 21

4.2 PROJECT METRICS AT 100% PROJECT COMPLETION ....................................................................................... 22

4.3 SUBLESSONS THAT DON’T COUNT OR WERE NOT SOLVED (AND WHY) ........................................................... 23

4.4 UNFINISHED BUSINESS................................................................................................................................... 24

4.4.1 Concurrent file access.............................................................................................................................. 24

4.4.2 Lua security in ModSecurity .................................................................................................................... 25

4.5 OVERALL STRATEGY ..................................................................................................................................... 31

4.6 REVIEWER COMMENTS .................................................................................................................................. 32

4.7 USING THE LUA SCRIPTING LANGUAGE ......................................................................................................... 33

4.8 USING JAVASCRIPT ‘PREPEND’ AND ‘APPEND’ .............................................................................................. 34

4.9 STRUCTURE OF MITIGATING A LESSON .......................................................................................................... 34

4.10 THE MITIGATING SOLUTIONS ......................................................................................................................... 35

5. THE MITIGATING SOLUTIONS ......................................................................37

5.1 SUBLESSON 1.1: HTTP BASICS ..................................................................................................................... 37

5.2 SUBLESSON 1.2: HTTP SPLITTING................................................................................................................. 40

5.3 SUBLESSON 2.2: BYPASS A PATH BASED ACCESS CONTROL SCHEME ........................................................... 41

5.4 SUBLESSON 2.3: LAB: ROLE BASED ACCESS CONTROL................................................................................ 42

5.5 SUBLESSON 2.4: REMOTE ADMIN ACCESS..................................................................................................... 43

5.6 SUBLESSON 3.1: LAB: DOM-BASED CROSS-SITE SCRIPTING ........................................................................ 44

5.7 SUBLESSON 3.2: LAB: CLIENT SIDE FILTERING ............................................................................................ 46

5.8 SUBLESSON 3.4: DOM INJECTION ................................................................................................................. 47

5.9 SUBLESSON 3.5: XML INJECTION.................................................................................................................. 49

5.10 SUBLESSON 3.6: JSON INJECTION ................................................................................................................. 52

5.11 SUBLESSON 3.7: SILENT TRANSACTIONS ATTACKS ....................................................................................... 54

5.12 SUBLESSON 3.8: DANGEROUS USE OF EVAL.................................................................................................. 58

5.13 SUBLESSON 3.9: INSECURE CLIENT STORAGE ............................................................................................... 60

OWASP Summer of Code 2008 Beta

Table of Contents

Page iv

5.14

SUBLESSON 4.2: FORGOT PASSWORD ............................................................................................................ 61

5.15 SUBLESSON 4.4: MULTI LEVEL LOGIN 1........................................................................................................ 73

5.16 SUBLESSON 4.5: MULTI LEVEL LOGIN 2........................................................................................................ 73

5.17 SUBLESSON 6.1: DISCOVER CLUES IN THE HTML......................................................................................... 74

5.18 SUBLESSON 7.1: THREAD SAFETY PROBLEM ................................................................................................. 77

5.19 SUBLESSON 7.2: SHOPPING CART CONCURRENCY FLAW .............................................................................. 82

5.20 LESSON 8: CROSS-SITE SCRIPTING (XSS) ..................................................................................................... 85

5.21 SUBLESSON 8.3: STORED XSS ATTACKS....................................................................................................... 89

5.22 SUBLESSON 8.1: PHISHING WITH XSS ........................................................................................................... 89

5.23 SUBLESSON 8.2: LAB: CROSS SITE SCRIPTING.............................................................................................. 89

5.24 SUBLESSON 8.4: REFLECTED XSS ATTACKS ................................................................................................. 89

5.25 SUBLESSON 8.5: CROSS SITE REQUEST FORGERY (CSRF) ............................................................................ 89

5.26 SUBLESSON 8.7: CROSS SITE TRACING (XST) ATTACKS ............................................................................... 89

5.27 SUBLESSON 8.6: HTTPONLY TEST................................................................................................................ 94

5.28 SUBLESSON 9.1: DENIAL OF SERVICE FROM MULTIPLE LOGINS .................................................................... 94

5.29 SUBLESSON 10.1: FAIL OPEN AUTHENTICATION SCHEME ............................................................................. 97

5.30 SUBLESSON 11.1: COMMAND INJECTION ....................................................................................................... 98

5.31 SUBLESSON 11.2: BLIND SQL INJECTION ...................................................................................................... 98

5.32 SUBLESSON 11.3: NUMERIC SQL INJECTION................................................................................................. 98

5.33 SUBLESSON 11.4: LOG SPOOFING.................................................................................................................. 98

5.34 SUBLESSON 11.5: XPATH INJECTION ........................................................................................................... 98

5.35 SUBLESSON 11.6: STRING SQL INJECTION .................................................................................................... 98

5.36 SUBLESSON 11.7: LAB: SQL INJECTION ....................................................................................................... 98

5.37 SUBLESSON 11.8: DATABASE BACKDOORS ................................................................................................... 98

5.38 SUBLESSON 12.1: INSECURE LOGIN ............................................................................................................... 99

5.39 SUBLESSON 13.1: FORCED BROWSING......................................................................................................... 105

5.40 SUBLESSON 15.1: EXPLOIT HIDDEN FIELDS................................................................................................. 107

5.41 SUBLESSON 15.2: EXPLOIT UNCHECKED EMAIL.......................................................................................... 107

5.42 SUBLESSON 15.3: BYPASS CLIENT SIDE JAVASCRIPT VALIDATION............................................................. 109

5.43 SUBLESSON 16.1: HIJACK A SESSION........................................................................................................... 111

5.44 SUBLESSON 16.2: SPOOF AN AUTHENTICATION COOKIE ............................................................................. 112

5.45 SUBLESSON 16.3: SESSION FIXATION .......................................................................................................... 113

5.46 SUBLESSON 17.1: CREATE A SOAP REQUEST ............................................................................................. 114

5.47 SUBLESSON 17.2: WSDL SCANNING........................................................................................................... 116

5.48 SUBLESSON 17.3: WEB SERVICE SAX INJECTION ....................................................................................... 117

5.49 SUBLESSON 17.4: WEB SERVICE SQL INJECTION........................................................................................ 117

6. APPENDIX A: WEBGOAT LESSON PLANS AND SOLUTIONS ...............118

7. APPENDIX B: PROJECT SOLUTION FILES.................................................119

8. APPENDIX C: BUILDING THE LUA LIBRARY AND STANDALONE

EXECUTABLE.........................................................................................................120

剩余129页未读，继续阅读

评论收藏

内容反馈

fengnanman

粉丝: 6
资源: 18

securing_webgoat_using_modsecurity

mod_security

modSecurity

使用ModSecurity阻止IP

Securing_Electronic_Medical_Records_using_Biometric_Authentication.pdf

AWS_Securing_Data_at_Rest_with_Encryption

Beyond_the_Ballot_Box_Securing_Americas_Supporting_Election_

Test_and_Learn_Securing_Connected_Products_and_Services.pdf

Securing_the_Digital_Now.pdf

信息安全_数据安全_Securing_Intel_PC_for_FIDO_suppo.pdf

「安全人才」Beyond_the_Ballot_Box_Securing_Americas_Supporting_Elec

iSEC_Securing_Android_Apps

信息安全_数据安全_Securing_Cloud-Native_Applicatio.pdf

Cloud_Computing_Securing_ourlcc_carefulpk1_mobilecloud_mobilecom

TCG_Guidance_for_Securing_IoT_1_0r21.pdf

ASZ_ASWPS_Securing_Apache.pdf

Guide_to_Securing_Legacy_IEEE_802.11_Wireless_Networks.pdf

Securing_IPSAN

Securing_DevOps

Securing_Apps2

Securing Android-Powered Mobile Devices Using SELinux

「攻防靶场」Proactive_Directory_Practical_Counterdefenses_to_Securi

ssl and tls essentials - securing the web_ssltlsebook_

【船级社】 ClassNK gl_container Stowage and Securing Arrangements

信息安全_数据安全_Securing the Distribution Grid：T.pdf

Securing And Optimizing Linux

Securing Visual Cryptographic Shares using Public KEY

最新资源