SEC260 ‐‐ Optional Assignment ‐ Due over summer - ConnorEast/Tech-Journal GitHub Wiki

Lab Prep Open Kali VM from earlier with 4+GB of RAM on a Bridged Connection X:\VMS\S23\SEC-260\Kali_VM.ova user: student + pass:2616 Can use own hardware, or VPN | Viewportal + RDP into cyber.local solution

  1. Downloading and Installing Webgoat

Open up the command terminal Download WebGoat: wget https://github.com/WebGoat/WebGoat/releases/download/v2023.4/webgoat-2023.4.jar

Optional: Depending on your Kali version, you might need to ensure Java version 17 is installed with “java --version” which is required to set up WebGoat. If you have a version under that, then you’ll need to upgrade/install sudo apt update sudo apt-get install openjdk-17-jdk openjdk-17-jre java --version (for verification)

Install and Run WebGoat (May take a few moments, and it will be ready once the console stops adding output with the last line displaying “Started StartWebgoat”). java -jar webgoat-2023.4.jar --server.port=8080 --server.address=localhost

FYI: Keep Command Console open, similar to other Linux apps.

  1. Getting Started in Webgoat

Open a Web Browser within Kali Navigate to the webpage http://localhost:8080/WebGoat/loginLinks to an external site. Click “Register a new user” and create a user using the syntax
<first name + last name>. Make sure the password is not anything you do not want seen in deliverables! :) image

General: HTTP Basics Module image

Read concepts Go through the “Try it” section, and “The Quiz”.

Hint: For the quiz section, insert & submit the correct answer for 1st question, which then creates a POST with a very obvious filename viewed via Inspect Element’s Network tab. This file contains the answer via a Parameter for the 2nd question.

Deliverable 1: Screenshots of the “Try It” section, and of successful Quiz output.

Injection Flaws: SQL Injection Read concepts Go through the two “Try It” sections: String and Numeric SQLi.

Deliverable 2: Screenshots of dumped data from both “Try it” sections for SQL Injection.

Cross Site Scripting (XSS): Cross Site Scripting image

Go through the first 2 “Try It” Sections: Reflected + Stored Reminder: Open Fields == Potential entries :)

Deliverable 3: Screenshots of first 2 “Try It” Sections completed.

image