WebGoat Form-based Authentication - missing something!


Paulo Chavez
Jun 12, 2017, 1:03:17 PM
to OWASP ZAP User Group
Hello,

I apologize if this has been addressed in the past, unfortunately I was not able to find any previous topics that could help me with my situation. So here I go.

[ZAP version 2.6.0] [Webgoat version 7.1]

I have set up the WebGoat 7.1 jar file on a server within my network. From my workstation (same subnet) I am proxying Firefox through ZAP, trying to run an automated AJAX Spider against WebGoat. Once I have run the AJAX Spider, I'd like to run an active scan and hopefully find SQL injections and other vulnerabilities.
I am having trouble getting the WebGoat form-based authentication set up.

Let me show you the steps I have taken so far. I go to the hosted WebGoat. ZAP successfully detects where I'm going and captures the requests.



I then manually log in using the built-in Guest account through Firefox in order for ZAP to detect the authentication method. I then flag it and fill in the necessary information [username, pw, logged out indicator etc.]. I enable the guest account to be used under the "Forced User Mode" feature.


Then I log out. ZAP should now have the necessary information to automatically log in if I enable the "Forced User Mode". I can see that the logged out indicator works because ZAP does indeed send the login request with the username and password.

Steps done here: after logout, I click the WebGoat logo, which takes me to the site /Webgoat/start.mvc, which then redirects me to /Webgoat/login.mvc. See below:


I then turn on the "Forced User Mode". I click the WebGoat logo, which takes me to the site /Webgoat/start.mvc, which then redirects me to /Webgoat/login.mvc. The logout indicator is then triggered, so ZAP tries to authenticate, as seen below:



The credentials are sent by ZAP but fail to log in. I was able to see that the login POST captured by ZAP has a difference in the header. See below:


Some sort of anti-CSRF measure here? I am new to this topic and I am trying to learn about ZAP and web vulnerabilities. If anyone can explain what is happening here or point me to learning material that can help me understand this, I'd be thankful.

Thank you
paulo


kingthorin+owaspzap
Jun 12, 2017, 2:51:32 PM
to OWASP ZAP User Group
I think this has something to do with the flow of the application. As you can see when in forced user mode: If you're sitting on login.mvc and manually change the URL to welcome.mvc you'll enter the app (so ZAP did actually authenticate you)....

Will try to dig more later.

Radu
Jul 11, 2017, 6:04:00 AM
to OWASP ZAP User Group

Hi,

Thank you for asking, this is exactly the topic I was looking for!

I might have some answers:

Watch these two videos about authentication in ZAP and about the AJAX Spider; they helped me.

But I had to improvise a little because I didn't manage to make Forced User mode work (is it specific to WebGoat...?)
1) First of all, I added a regexp pattern for the logged IN user, which is simply the "logout" button. To do this, manually log in as guest and search for the html snippet
<li><a ... href="j_spring_security_logout">Logout</a></li> in the response of the login request GET:start.mvc node.

2) Create a user from the left tabs in the same dialog: "tester_guest" as User Name, "guest" as username and "guest" as password. Hit OK.

3) I also set the regexp pattern for the logged OUT state after manually logging out, as you did (I set as the pattern "You have logged out successfully").

4) Since I want to crawl the whole website with the AJAX Spider, I have to exclude at least one link from the spider's seeds: GET:j_spring_security_logout (right-click > Exclude from... > Spider). Otherwise, ZAP will follow that link and log out from the app (Forced User mode didn't work for me, I still don't know why...).

5) From the HTTP Sessions tab, I set as active the session where the Token Value matches the session cookie value from WebGoat. You can find that value in the "Cookie/Parameters" table on every screen in WebGoat.

6) From the AJAX Spider tab, hit New Scan:

    Starting point (adapt if your app does not run locally on port 8081): http://localhost:8081/WebGoat/attack. I added "attack" because in the Alerts tab, vulnerabilities were found passively in similar URLs.

    Context: WebGoat

    User (the one created above): tester_guest

    Show advanced options > Options tab > Maximum crawl depth & states: 0

    Instead of a context, you can try the Just in scope option, because they're mutually exclusive.

7) Now you can launch an active scan.

It doesn't feel like all the lessons in WebGoat were crawled by the AJAX Spider... Rather, it seems to me that the tool simply opens the tabs. It did happen once, but I can't recall under which settings.

The scans I ran seem to have found some vulnerabilities in the lessons (which is what we want).

I am also new to this software, so I may have missed several crucial points...

Let me know if you get something relevant.
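The setup above (logged-in and logged-out indicators, the tester_guest user, the logout-link exclusion, then the AJAX Spider and active scan as that user) can also be driven through ZAP's API instead of the GUI. The script below is an added example, not code from this thread or from the ZAP project. It assumes the `zapv2` client from the python-owasp-zap-v2.4 package and a context named WebGoat; the login path and form field names in `form_auth_params` are placeholders that must be replaced with the values of the login POST ZAP recorded during a manual login, since the thread does not show them. `classify_session` applies the two indicator regexes from the thread as a simplified model of how ZAP judges the session state, and `DryRunZap` records the API calls so the sequence can be inspected without a running ZAP.

```python
"""Scripted equivalent of the manual ZAP setup for WebGoat 7.1 described above.

Assumptions (not from the thread): the zapv2 client from python-owasp-zap-v2.4,
and the login path / field names below, which must be copied from the login
POST that ZAP captured when you logged in by hand.
"""
import re
import time
from urllib.parse import urlencode

# Indicators taken from the thread: the Spring Security logout link marks a
# logged-in page, WebGoat's logout confirmation text marks a logged-out page.
LOGGED_IN_RE = r'href="j_spring_security_logout"'
LOGGED_OUT_RE = r"You have logged out successfully"
LOGOUT_URL_RE = r".*j_spring_security_logout.*"


def classify_session(body: str) -> str:
    """Apply the two indicator regexes to a response body.

    Simplified model of ZAP's check: a logged-in match wins, then a
    logged-out match, otherwise the state is unknown.
    """
    if re.search(LOGGED_IN_RE, body):
        return "logged-in"
    if re.search(LOGGED_OUT_RE, body):
        return "logged-out"
    return "unknown"


def form_auth_params(base_url, login_path="login",
                     user_field="username", pw_field="password"):
    """Build the authmethodconfigparams string for formBasedAuthentication.

    login_path, user_field and pw_field are ASSUMED placeholders; take the real
    ones from the login POST in ZAP's History tab.
    """
    request_data = f"{user_field}={{%username%}}&{pw_field}={{%password%}}"
    return urlencode({"loginUrl": base_url + login_path,
                      "loginRequestData": request_data})


def configure_webgoat_context(zap, base_url, context="WebGoat",
                              user="tester_guest", username="guest",
                              password="guest", forced_user=False):
    """Steps 1-4 of the thread: context, auth method, indicators, user, exclusion."""
    ctx_id = zap.context.new_context(context)
    zap.context.include_in_context(context, re.escape(base_url) + ".*")
    # Keep both spiders away from the logout link so the session survives.
    zap.context.exclude_from_context(context, LOGOUT_URL_RE)
    zap.spider.exclude_from_scan(LOGOUT_URL_RE)
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication", form_auth_params(base_url))
    zap.authentication.set_logged_in_indicator(ctx_id, LOGGED_IN_RE)
    zap.authentication.set_logged_out_indicator(ctx_id, LOGGED_OUT_RE)
    user_id = zap.users.new_user(ctx_id, user)
    zap.users.set_authentication_credentials(
        ctx_id, user_id, urlencode({"username": username, "password": password}))
    zap.users.set_user_enabled(ctx_id, user_id, True)
    if forced_user:  # the approach from the first post; optional here
        zap.forcedUser.set_forced_user(ctx_id, user_id)
        zap.forcedUser.set_forced_user_mode_enabled(True)
    return ctx_id, user_id


def spider_and_scan_as_user(zap, ctx_id, user_id, context, user, start_url):
    """Steps 6-7: AJAX Spider, then active scan, both as the context user."""
    zap.ajaxSpider.scan_as_user(context, user, url=start_url)
    while zap.ajaxSpider.status == "running":
        time.sleep(2)
    scan_id = zap.ascan.scan_as_user(url=start_url, contextid=ctx_id,
                                     userid=user_id, recurse=True)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=start_url)


class DryRunZap:
    """Stand-in for zapv2.ZAPv2 that records API calls instead of sending them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, component):
        log = self.calls

        class _Component:
            def __getattr__(self, method):
                def call(*args, **kwargs):
                    log.append((f"{component}.{method}", args, kwargs))
                    return "1"  # stands in for the ids ZAP returns
                return call
        return _Component()


if __name__ == "__main__":
    # Swap DryRunZap() for zapv2.ZAPv2(apikey="...") to run against a live ZAP.
    zap = DryRunZap()
    configure_webgoat_context(zap, "http://localhost:8081/WebGoat/")
    for name, args, kwargs in zap.calls:
        print(name, args, kwargs)
```

Running the script as-is prints the ordered API calls the GUI steps correspond to; with a real `ZAPv2` client, `spider_and_scan_as_user` runs the AJAX Spider and the active scan as tester_guest, which is the same effect as choosing the user in the New Scan dialog.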
