WebGoat is a deliberately insecure application (github.com/webgoat)
114 points by graderjs on Oct 2, 2021 | 15 comments


Funny story related to WebGoat:

In my undergrad security class the prof posed a challenge that whoever could make themselves an admin would get bonus marks.

Using one vulnerability, I found there was an XML file on the server that defined the list of admins.

Once you find that, you can use another vulnerability (something with file uploads + JSP) that lets you run arbitrary Java code to modify the file on the server.

Problem is, after adding myself to the file it didn’t have any effect. I figured okay, that file is probably only read into memory once when the server first starts.

So I thought no problem, I’ll just run a piece of Java that exits the JVM process.

Unfortunately there was no process manager to restart the server process, so it took down WebGoat for the entire class.

Oops. People were pretty pissed on the class discussion board because they couldn’t even work on the regular assignment.

Eventually I emailed someone in university IT and got them to just reboot the Linux instance but it took a couple days.

When the server came back up I had admin privileges and ended up getting the bonus marks.

I still wonder to this day if “crashing the server” was the real way you were supposed to do that.

Sorry guys XD



My company makes fuzzing software to find security vulnerabilities. We use webgoat as a learning example as well. Feel free to have a look at our free readonly SaaS version with webgoat to see how it works. https://app.code-intelligence.com (GitHub login, not mobile friendly)


I work as a pentester, and if you want to learn web security, I would strongly recommend PortSwigger Web-Security labs over WebGoat (it's free too).

https://portswigger.net/web-security

Hackthebox with ippsec's videos is also a fantastic resource. Liveoverflow's youtube channel and pentesterlab are also really good.


Ah yes, we used this and BadStore in the web security course of my university. Not very hard, but good for beginners.


So is my Intel chip.


Severely underrated reply, my man


I learned a lot with Webgoat. Can anyone recommend similar resources but with increased difficulty? I am specifically interested in XSS and SQL injection.


Square’s past CTF puzzles are all available as Docker images. I believe all the puzzles have published solutions.

Start here: https://squarectf.com/

If you want to submit fixes to the above site ping me or open a PR here: https://github.com/square/squarectf


Check out Portswigger's Web Security Academy: https://portswigger.net/web-security


This is aimed more at companies signing up rather than individuals, but a company called Security Innovation has a product that kind of gamifies hacking vulnerable websites: https://www.securityinnovation.com/training/ (the cmd+ctrl training)

They have a couple of fake websites that have a bunch of vulnerabilities of varying difficulty and you get points for exploiting them.

I am not affiliated with them, but saw a demo once and thought it was cool.


HackTheBox is a good resource to improve your pentesting skills


There are multiple versions of WebGoat, for example WebGoat.Net, if Java isn't your language of choice to learn on.


This is a really neat idea.


Great share.
