Out of sight, out of mind that is the mantra that many people live by when it comes to Web security. If there are no "visible" holes like SQL injection and cross-site scripting, then all must be well in Securityland. That's hardly the case. Many developers, QA analysts and security managers don't realize the power rich Internet applications (RIAs) place in the hands of users. From AJAX to Web services, there is a whole lot of application logic exposed and ready for manipulation. Contrary to popular belief, these are the very things that automated Web vulnerability scanners are likely to miss.
So how can you learn about common RIA flaws? Well, all you have to do is find some free time and sit down and work through WebGoat. It has just what you need: a poorly-written application, learning modules for exploiting security flaws and specific solutions for each problem. WebGoat provides modules to learn about security in AJAX, Web services and a plethora of other Web components as shown in the following figure:
WebGoat's main interface showing the various Web flaws you can learn about
I think many people put off using WebGoat because they believe it's overly complex to setup. In fact, it's just the opposite. Depending on the speed of your Internet connection and computer, you should be able to get WebGoat up and running in about three minutes or less. The 83MB download takes the longest. Other than that, you simply unzip the file, run webgoat.bat to initiate the included Apache Tomcat server, point your Web browser to the main site on the localhost, login with guest/guest and you're off. If you don't already have one installed, you'll want to download a Web proxy such as Burp Suite or Paros as a lot of WebGoat's application manipulation requires such a tool.
The following figure shows how I used WebInspect's Web Proxy to capture behind-the-scenes traffic to solve one of the AJAX labs:
Working through a lesson using a Web proxy
The WebGoat AJAX security lessons mimic real-world application scenarios such as online banking transactions, rewards redemption, and application authentication. The WebGoat interface provides hints for solving the problems, displays certain parameters and even the Java source code, and also provides you with the solution to each lesson as shown in the following figure:
WebGoat interface options and solution for an AJAX security lesson
Additional rich Internet application exercises are included in the four separate Web Services components:
- Create a SOAP Request
- WSDL Scanning
- Web Service SAX Injection
- Web Service SQL Injection
You can even create your own lessons in WebGoat to share with others.
WebGoat provides some of the best Web security training you're going to get. And it's free! In
addition to WebGoat, you may want to check out Foundstone's Hacme Travel, Hackme Bank and related teaching
tools. They are also excellent and free resources for learning how applications are
Using WebGoat and similar tools will increase your Web security skills for RIAs and more. Doing so will make you more valuable to your employer and an asset to your businesses' overall information security program, something we can all use a little more of this day and time.
All you have to do is commit the time to work through the exercises.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
This was first published in July 2009