WebMaven User Guide v1.01
by David Rhoades (david@mavensecurity.com)
WebMaven v.1.01 is an interactive web application that simulates several vulnerabilities at the application level. WebMaven is useful for the following:
Training: practicing security assessment techniques
Benchmarking: ensuring that your security tools perform their tests correctly
Currently, the only application presented by WebMaven is an online banking application called Buggy Bank. In the future, there will be others.
WebMaven is a Perl CGI script that runs on a web server. Users interact with WebMaven as they would with any other web-based application, for example with a standard browser or with custom scripts.
The client (e.g. a web browser or a script) and WebMaven, along with the required web server, can all run on the same system (i.e. one computer). A network is not strictly required, since all interaction can take place over the system’s loopback adapter.
Alternatively, WebMaven and the required web server can be installed on a remote system, distinct from the client.
See the WebMaven Installation Guide for details on how to install WebMaven on your web server.
After installing WebMaven, point your web browser at the web server where WebMaven is installed.
Buggy Bank (the only web app within WebMaven) offers the following user functionality:
Login
Account Summary
Funds Transfer
Logout
The user is given two account numbers and PINs (i.e. test accounts) in order to get started with WebMaven. More accounts exist, but it will be up to the user to determine if various application-level weaknesses can be discovered and leveraged in order to obtain these accounts.
The first time the WebMaven CGI script is accessed (e.g. just by viewing the login page), it creates a state table.
This state table tracks who is logged into WebMaven (i.e. Buggy Bank), the number of failed login attempts for each account, and the locked/active status of each account.
Eventually, as you begin testing WebMaven for flaws, you may lock out both known test accounts. To reset all the account data back to its default state go to the Login screen and click on the link at the bottom of the screen. The link says, “Reset all accounts to beginning state.”
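The state table described above, modelled as an added example for this guide. It is written in Python rather than WebMaven's Perl and is not WebMaven's code; the account numbers, PINs and the lockout threshold of three failed attempts are constructed for the illustration. It tracks who is logged in, counts failed logins per account, locks an account once the threshold is reached, and offers a reset() that returns everything to its beginning state, as the login page's reset link does. The login() method also returns the same failure message whether the account is unknown, the PIN is wrong or the account is locked, so the response does not reveal account status.

```python
"""Minimal model of a login state table with failed-attempt tracking and lockout.

Added example for this guide; not WebMaven's Perl code. Account numbers, PINs
and the lockout threshold below are constructed for the illustration.
"""
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumption: lock after three consecutive failures

# Constructed test accounts (not WebMaven's real default accounts).
DEFAULT_ACCOUNTS = {
    "100001": "1234",
    "100002": "5678",
}


@dataclass
class AccountState:
    pin: str
    failed_attempts: int = 0
    locked: bool = False
    logged_in: bool = False


class StateTable:
    """Tracks who is logged in, failed logins per account, and lock status."""

    def __init__(self, accounts=DEFAULT_ACCOUNTS):
        self._defaults = dict(accounts)
        self.reset()

    def reset(self):
        """Return every account to its beginning state (like the reset link)."""
        self.accounts = {
            acct: AccountState(pin=pin) for acct, pin in self._defaults.items()
        }

    def login(self, account, pin):
        """Return (ok, message).

        The failure message is deliberately identical for an unknown account,
        a wrong PIN and a locked account, so the response leaks neither which
        accounts exist nor which are locked.
        """
        generic_failure = (False, "Login failed.")
        state = self.accounts.get(account)
        if state is None or state.locked:
            return generic_failure
        if pin != state.pin:
            state.failed_attempts += 1
            if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
                state.locked = True
            return generic_failure
        state.failed_attempts = 0  # successful login clears the counter
        state.logged_in = True
        return (True, "Welcome.")

    def logout(self, account):
        state = self.accounts.get(account)
        if state is not None:
            state.logged_in = False

    def is_locked(self, account):
        return self.accounts[account].locked

    def logged_in_accounts(self):
        return sorted(a for a, s in self.accounts.items() if s.logged_in)


if __name__ == "__main__":
    table = StateTable()
    print(table.login("100001", "1234"))   # correct PIN
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(table.login("100002", "0000"))  # wrong PIN, locks on third try
    print("locked:", table.is_locked("100002"))
    table.reset()
    print("locked after reset:", table.is_locked("100002"))
```

A real deployment would persist this table (WebMaven writes one on first access) and would clear the lock on reset, exactly as the reset link does here.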
The Open Source Testing Methodology Manual (OSTMM) at http://www.ideahamster.org (see Internet Application Testing under Section 1 of the OSTMM).
The Open Source Web Application Security (OWASP) www.owasp.org
The Application Security Testing Framework Project will outline in great detail what to look for when testing web application security. http://www.owasp.org/testing/
Finally, http://webmaven.mavensecurity.com will contain various links and resources for web application security, including those listed above, along with any new resources that become available in the future.
Things to consider when looking at web application security:
How is session tracking handled? Is it predictable?
Is user input validated by the web application (e.g. SQL injection, XSS, etc)?
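To make the first question concrete, here is an added example (Python, not WebMaven's Perl, and not part of the original guide) of how to sanity-check a sample of session identifiers collected from your own application for predictability. The weak counter-based scheme, the 64-bit minimum and the sample values are constructed assumptions for the illustration; the strong scheme uses the OS CSPRNG via Python's secrets module.

```python
"""Sanity checks for session identifier predictability.

Added example for this guide, not WebMaven's code. The weak scheme, the
64-bit minimum and the sample values are constructed for the illustration.
"""
import math
import secrets

HEX_ALPHABET = "0123456789abcdef"


def weak_session_id(counter):
    """Weak scheme: a zero-padded sequential counter, shown only as the
    'before' case. Anyone who sees two IDs can infer the rest."""
    return f"{counter:08d}"


def strong_session_id():
    """128 bits from the operating system's CSPRNG, hex-encoded (32 chars)."""
    return secrets.token_hex(16)


def nominal_bits(alphabet, length):
    """Upper bound on an ID's entropy: log2(alphabet size) per character."""
    return math.log2(len(alphabet)) * length


def is_sequential(ids):
    """True if consecutive IDs, read as decimal or hex integers, always
    differ by the same step: the signature of a counter-based scheme."""
    for base in (10, 16):
        try:
            nums = [int(i, base) for i in ids]
        except ValueError:
            continue  # not numeric in this base
        if len(nums) >= 3:
            steps = {b - a for a, b in zip(nums, nums[1:])}
            if len(steps) == 1:
                return True
    return False


def assess(ids, alphabet=HEX_ALPHABET, min_bits=64):
    """Return a verdict for a sample of IDs taken from your own application."""
    if is_sequential(ids):
        return "predictable: sequential counter"
    if any(len(i) != len(ids[0]) for i in ids):
        return "inconclusive: inconsistent length"
    if nominal_bits(alphabet, len(ids[0])) < min_bits:
        return "weak: too short to resist guessing"
    return "no obvious pattern"


if __name__ == "__main__":
    weak = [weak_session_id(i) for i in range(1007, 1012)]
    strong = [strong_session_id() for _ in range(5)]
    print(weak, "->", assess(weak))
    print(strong, "->", assess(strong))
```

The checks are necessary, not sufficient: an ID that passes them can still be weak if it is derived from a poor seed or a guessable value such as a timestamp, so a verdict of "no obvious pattern" means only that this quick test found nothing.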
Don’t read this section unless you want to know exactly what the vulnerabilities are and how to exploit them. One of the major purposes of WebMaven is for you to learn and practice web assessment techniques.
There are currently 10 vulnerabilities emulated by WebMaven.
Vulnerabilities are listed in no particular order.
The current vulnerabilities are:
anti-caching techniques are not used on pages displaying sensitive data
predictable session ID in SessionID cookie; session cloning (aka session hijacking of current sessions)
ODBC / SQL error message when special characters placed in "transaction" parameter
collecting balances for other customers by exploiting a logic flaw
Cross-site scripting (XSS) via the "transaction" hidden form element
hidden comment in home page pointing to old CGI source code
user name harvesting
password (PIN) harvesting via error message for locked accounts
command injection; OS commands embedded after semi-colon (;) in Account cookie (only PING or NETSTAT commands are supported because we don't want anybody hurting themselves :-)
GET method exposes user account number and PIN in URL during login.
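The list above is what WebMaven gets wrong on purpose. As an added example for this guide (Python, not WebMaven's Perl; not the project's code and not a change to WebMaven itself), the following block shows the defensive counterparts a real banking application would apply to several of the listed items: anti-caching headers on sensitive pages, an allowlist for the Account cookie so that a value carrying a semicolon is rejected rather than passed to a command, HTML escaping of the reflected "transaction" value, a parameterised database lookup whose errors are replaced by a generic message, and a rule that credentials travel only in a POST body. The parameter and cookie names come from the guide; the digits-only account-number format and the in-memory transaction table are constructed assumptions.

```python
"""Defensive counterparts to several weaknesses listed in this guide.

Added example (Python, not WebMaven's Perl); none of this is WebMaven code.
The names "transaction" and "Account" come from the guide; the numeric
account format and the in-memory table are constructed assumptions.
"""
import html
import re
import sqlite3

ACCOUNT_RE = re.compile(r"[0-9]{1,12}")  # assumption: numeric account numbers


def sensitive_page_headers():
    """Headers for pages showing balances or transfers, so browser and
    proxy caches do not retain them."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def has_anti_caching(headers):
    """Check a captured response for the no-store directive."""
    directives = [d.strip() for d in headers.get("Cache-Control", "").lower().split(",")]
    return "no-store" in directives


def validate_account_cookie(value):
    """Allowlist the Account cookie: only an account number is accepted.
    Anything else, including values containing ';' or other shell
    metacharacters, is rejected instead of reaching a command line."""
    return value if ACCOUNT_RE.fullmatch(value) else None


def render_transaction(value):
    """Reflect the 'transaction' value into HTML only after escaping it."""
    return f"<p>Transaction: {html.escape(value, quote=True)}</p>"


def login_request_allowed(method):
    """Credentials must arrive in a POST body, never in a GET query string,
    where they would land in browser history and proxy/server logs."""
    return method.upper() == "POST"


def open_demo_db():
    """Constructed in-memory table standing in for the bank's transactions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id INTEGER PRIMARY KEY, account TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?)",
        [(1, "123456", 20.0), (2, "123456", 35.5), (3, "654321", 5.0)],
    )
    conn.commit()
    return conn


def find_transaction(conn, transaction_id):
    """Parameterised lookup: the user value never becomes part of the SQL
    text, and any database error is swallowed into a generic message rather
    than echoed (with driver and table details) to the client."""
    try:
        row = conn.execute(
            "SELECT account, amount FROM transactions WHERE id = ?",
            (transaction_id,),
        ).fetchone()
    except sqlite3.Error:
        return None, "Request could not be processed."
    if row is None:
        return None, "No such transaction."
    return row, "OK"


if __name__ == "__main__":
    print(sensitive_page_headers())
    print(validate_account_cookie("123456"), validate_account_cookie("123456;x"))
    print(render_transaction("<b>hi</b>"))
    db = open_demo_db()
    print(find_transaction(db, 1), find_transaction(db, "1'"))
```

The point of the pair validate_account_cookie/find_transaction is that each user-supplied value is either matched against an explicit allowlist or bound as a query parameter; neither path ever concatenates the value into a command or a statement, which is what the "transaction" and Account cookie weaknesses above rely on.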