WebMaven User Guide v1.01

by David Rhoades (david@mavensecurity.com)


Introduction

WebMaven v.1.01 is an interactive web application that simulates several vulnerabilities at the application-level. WebMaven is useful for the following:


Currently, the only application presented by WebMaven is an online banking application called Buggy Bank. In the future, there will be others.


Architecture

WebMaven is a Perl CGI script that runs on a web server. A user interacts with WebMaven in the same way as with any other web-based application, for example through a standard browser, custom scripts, etc.

The client (e.g. web browser, script, etc.) and WebMaven, along with the required web server, can all operate together on the same system (i.e. one computer). A network is technically not required, since all interaction can be accomplished over the system's loopback adapter.

Alternatively, WebMaven, along with the required web server, can be installed on a remote system distinct from the client.

See the WebMaven Installation Guide for details on how to install WebMaven on your web server.


Getting Started

After installing WebMaven, point your web browser at the web server where WebMaven is installed.


Web Application Functionality

Buggy Bank (the only web app within WebMaven) offers the following user functionality:


Login

Known Accounts

The user is given two account numbers and PINs (i.e. test accounts) in order to get started with WebMaven. More accounts exist, but it will be up to the user to determine if various application-level weaknesses can be discovered and leveraged in order to obtain these accounts.


Initial Login Attempt

The first time the WebMaven CGI script is accessed (e.g. just viewing the login page), it will create a state table.

This state table tracks who is logged into WebMaven (i.e. Buggy Bank), the number of failed login attempts for each account, and the locked/active status of each account.
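The following is an added example (Python, not WebMaven's own Perl code) of the kind of state table the guide describes: one entry per account holding the failed-login counter, the locked flag and the current session. The account numbers, PINs, the lockout threshold of three failed attempts and the session-id scheme are all assumed for illustration; the guide does not state WebMaven's actual values. The login function deliberately returns the same message for an unknown account, a wrong PIN and a locked account, which is the behaviour the harvesting items in the spoiler section are about.

```python
"""Toy login state table in the style the WebMaven guide describes.

Added example, not WebMaven's code. Account numbers, PINs and the
lockout threshold are constructed values.
"""
import hmac
import secrets

# Constructed test accounts: account number -> PIN (plaintext only because this is a toy).
ACCOUNTS = {"1001": "1234", "1002": "5678"}
MAX_FAILED = 3  # assumed lockout threshold


def new_state_table():
    """Create the per-account state: failed-attempt counter, locked flag, session id."""
    return {acct: {"failed": 0, "locked": False, "session": None} for acct in ACCOUNTS}


def login(table, account, pin):
    """Return (ok, message, session_id).

    The failure message is identical for an unknown account, a wrong PIN and a
    locked account, so the response alone does not reveal which case applied.
    """
    generic = "Login failed."
    entry = table.get(account)
    if entry is None or entry["locked"]:
        return False, generic, None
    # Constant-time comparison; both sides encoded so non-ASCII input cannot raise.
    if not hmac.compare_digest(pin.encode(), ACCOUNTS[account].encode()):
        entry["failed"] += 1
        if entry["failed"] >= MAX_FAILED:
            entry["locked"] = True
        return False, generic, None
    entry["failed"] = 0
    entry["session"] = secrets.token_hex(16)  # 128 random bits, not a counter
    return True, "Welcome.", entry["session"]


def reset_all(table):
    """Equivalent of the guide's 'Reset all accounts to beginning state' link."""
    table.clear()
    table.update(new_state_table())
```

Because the failure message never distinguishes the three cases, an observer cannot tell from it whether an account exists or is locked; the lockout still happens, it is just not announced.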


Resetting User Account Data

Eventually, as you begin testing WebMaven for flaws, you may lock out both known test accounts. To reset all the account data back to its default state go to the Login screen and click on the link at the bottom of the screen. The link says, “Reset all accounts to beginning state.”


Help – Where do I start?

Online Resources

The Open Source Testing Methodology Manual (OSTMM) at http://www.ideahamster.org (see the Internet Application Testing under Section 1 of the OSTMM).


The Open Source Web Application Security (OWASP): www.owasp.org

The Application Security Testing Framework Project will outline in great detail what to look for when testing web application security. http://www.owasp.org/testing/


Finally, http://webmaven.mavensecurity.com will contain various links and resources for web application security, including those listed above, along with any new resources that become available in the future.


Some Starting Points

Things to consider when examining web application security:

How is session tracking handled? Is it predictable?

Is user input validated by the web application (e.g. SQL injection, XSS, etc)?
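As an added example for the session-tracking question above (not part of the WebMaven guide), the following Python audit takes a sample of session identifiers observed in a cookie and applies two simple checks a reviewer would run: whether consecutive ids differ by a constant amount (so the next one can be computed from the current one), and whether the per-character entropy is far below what a random token would give. The two generators are constructed purely to contrast a counter-style id with a random one; the thresholds are assumptions.

```python
"""Audit a sample of session ids for obvious predictability.

Added example; not WebMaven code. Generators and thresholds are constructed.
"""
import math
import secrets
from collections import Counter


def sequential_ids(start, n):
    """Constructed weak generator: zero-padded consecutive integers."""
    return [f"{start + i:08d}" for i in range(n)]


def random_ids(n):
    """Strong generator: 128 bits from the OS CSPRNG per id."""
    return [secrets.token_hex(16) for _ in range(n)]


def _to_int(s):
    """Parse a decimal or hex id; None if it is neither."""
    try:
        return int(s) if s.isdigit() else int(s, 16)
    except ValueError:
        return None


def constant_stride(ids):
    """True if every consecutive pair differs by the same integer amount."""
    vals = [_to_int(s) for s in ids]
    if any(v is None for v in vals):
        return False
    diffs = {b - a for a, b in zip(vals, vals[1:])}
    return len(diffs) == 1


def char_entropy(ids):
    """Shannon entropy in bits per character over the concatenated sample.
    A hex token approaches 4 bits; a padded counter scores far lower."""
    text = "".join(ids)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in Counter(text).values())


def assess(ids, min_entropy=3.0):
    """Short verdict for an observed sample (at least three ids)."""
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if constant_stride(ids):
        return "predictable: constant stride between consecutive ids"
    if char_entropy(ids) < min_entropy:
        return "weak: low per-character entropy"
    return "no obvious pattern in this sample"
```

These checks only flag the crude cases; passing them is not proof of a good generator, which is why the verdict for the random sample is phrased as "no obvious pattern" rather than "secure".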


Spoiler – This Section Describes the Vulnerabilities Currently Emulated by WebMaven

Don’t read this section unless you want to know exactly what the vulnerabilities are and how to exploit them. One of the major purposes of WebMaven is for you to learn and practice web assessment techniques.


There are currently 10 vulnerabilities emulated by WebMaven.

Vulnerabilities are listed in no particular order.


The current vulnerabilities are:

  1. anti-caching techniques are not used on pages displaying sensitive data

  2. predictable session ID in SessionID cookie; session cloning (aka session hijacking of current sessions)

  3. ODBC / SQL error message when special characters placed in "transaction" parameter

  4. collecting balances for other customers by exploiting a logic flaw

  5. Cross-site scripting (XSS) via the "transaction" hidden form element

  6. hidden comment in home page pointing to old CGI source code

  7. user name harvesting

  8. password (PIN) harvesting via error message for locked accounts

  9. command injection; OS commands embedded after semi-colon (;) in Account cookie (only PING or NETSTAT commands are supported because we don't want anybody hurting themselves :-)

  10. GET method exposes user account number and PIN in URL during login.
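The following added example (Python, not WebMaven's code) shows the corresponding fixes for items 1, 5, 9 and 10 above, written as small request-handling helpers rather than a full CGI: anti-caching headers on every page that shows account data, HTML-escaping of the "transaction" hidden field before it is echoed back, strict validation of the Account cookie as an identifier that is never handed to a shell, and refusing credentials on anything but a POST body. The account-number format and the handler's (status, headers, body) return shape are assumptions.

```python
"""Hardened counterparts to four of the Buggy Bank flaws.

Added example, not WebMaven code. Parameter and cookie names come from the
guide's list; the account-number pattern is an assumption.
"""
import html
import re

ANTI_CACHE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, private"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
ACCOUNT_RE = re.compile(r"[0-9]{4,12}")  # assumed account-number format


def sensitive_response(body_html):
    """Item 1: pages showing account data carry anti-caching headers so
    browser and proxy caches discard them instead of serving them later."""
    headers = [("Content-Type", "text/html; charset=utf-8")] + ANTI_CACHE_HEADERS
    return 200, headers, body_html


def is_cache_safe(headers):
    """Reviewer check: a sensitive response must include no-store."""
    directives = [d.strip() for d in dict(headers).get("Cache-Control", "").split(",")]
    return "no-store" in directives


def transaction_hidden_field(value):
    """Item 5: the 'transaction' value is escaped before being placed in an
    attribute, so quotes and angle brackets cannot break out of it."""
    return f'<input type="hidden" name="transaction" value="{html.escape(value, quote=True)}">'


def account_from_cookie(raw):
    """Item 9: the Account cookie is an identifier, never a command. Anything
    that is not exactly an account number (a semicolon, a space, letters) is
    rejected and the request fails closed; nothing from it reaches a shell."""
    if raw is None or not ACCOUNT_RE.fullmatch(raw):
        raise ValueError("invalid Account cookie")
    return raw


def login_allowed(method):
    """Item 10: credentials are accepted only from a POST body, never from a
    query string that ends up in server logs, browser history and Referer."""
    return method.upper() == "POST"
```

The same pattern applies to item 3: catch database errors in the handler and return a generic failure page, logging the detail server-side rather than echoing the driver's message to the client.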