Webserver for exemplifying various web attacks

by Virginia Diaz

Welcome to our webserver

This is a exemplary web server in Java which can be used as an educational tool for the demonstration and explanations of the most typical web security vulnerabilities, why they happen, how to exploit them, and how to prevent such security problems when programming in Java. This is the reason why this webserver is deliberately very vulnerable.

Introduction to web security

Because use of the Internet is rapidly increasing, security in this net becomes more and more important. The online shops, companies, or business are working online with big amounts of money and sensitive user's data and all of this should be stored in a safe place. Now most of the security problems are located in the application layer and are usually due to a faulty programing code. In this server, as we said above, we are using the Java programming language, but (almost) all attacks apply to (almost) all other programming language as well.

During the development of this exercise we will cover the most important security vulnerabilities, following the last OWASP guide, published in 2010.

OWASP, stands for Open Web Application Security Project. It is an organisation that tries to fight against the causes which makes software insecure. You can look for more information about them under the link .

In order to cover most important aspects, we will show some more application not directly applicable to Java or easy to demonstrate to complete the web security topic.

How to use this tool

The student can have different workflows in this webserver depending on the knowledge level. If the student has already some knowledge about web security and the possible attacks a web site can suffer, then he/she could try to attack each application without the previous introduction. For this aim there is a link to each vulnerable application in the top frame, "Direct access to the vulnerable application". In the top frame there is also available all the users passwords, which might be required for the individual applications.

Beginners should use the left frame, in which they can follow the normal webserver workflow by reading the introductory explanation to understand the flaw and risk, and then trying by themselves the mentioned application.

List of applications

This is the current list of applications within the server. In the left side of the web page there is a short link to each of these applications.

• A1 - Injection
• 1.1 - SQL injection
• 1.2 - OS command injection
• A2 - Cross-Site Scripting (XSS)
• 2.3 - Stored XSS
• 2.4 - Reflected XSS
• A3 - Broken authentication and session Management
• 3.5 - No logout mechanism and session ID in URL
• 3.6 - No proper session timeout
• 3.25 - Authentication by Cleartext Cookie
• A4 - Insecure direct object references
• 4.7 - Direct object reference
• 4.8 - Path traversal attack
• A5 - Cross-Site Request Forgery
• 5.9 - CSRF by an image within a hidden iframe
• 5.10 - CSRF adds an admin user through a URL
• A6 - Security misconfiguration
• 6.12 - Too informative error messages
• A7 - Insecure cryptographic storage
• 7.13 - Password stored in Cleartext
• 7.14 - Using XOR encryption for password
• 7.15 - Fixed salt and MD5
• A8 - Failure to restrict URL access
• 8.16 - Bypassing authentication through directly accessing a deep URL
• 8.17 - Using JavaScript in the client for access control
• A9 - Insufficient transport layer protection
• 9.18 - Password recovery by sending it in an Email in clear text
• 9.19 - Using an HTTPS cookie without setting its secure flag
• A10 - Unvalidated redirects and forwards
• 10.20 - Redirect to a site passed it as a parameter
• A22 - Buffer overflows
• A23 - Malicious file execution
• A24 - CSS Hacking / Click jacking / CSS History Stealing
• A25 - HTTP response splitting
• A26 - Zip, XML, and fork bombs
• A27 - Man-in-the-Middle Attack

For all vulnerabilities we will include - as far as possible - a small summary about how common the weakness is, how easy the attack is and so on. You can find the possible values in the image below:

Content for each application

For each application we have the following deployment in the web server:

• index.html: Accessible from the link in the left frame on the web page. Brief introduction of the vulnerability discussed and links to other information on the vulnerability.
• Explanation_insecure.html: Accessible from the index within the application. It details the process by which the vulnerability could be exploited in the application. It includes links to the real application where the student can try the application in action and test the attack.
• Code_insecure.html: Accessible from the index within the application. It shows the application code in the insecure version.
• Explanation_secure.html: Accessible from the index within the application. In this section is the demonstration about why the fixed application cannot be attacked with the method presented in the first part (Explanation Insecure). Explanation about how to modify the application, mostly the source code's section vulnerable to the mentioned attack, in order to secure it.
• Code_secure.html: Accessible from the index within the application. It shows the application code in the secured version.

After the explanation of the main idea of this tool, I hope you will enjoy the experience!
Virginia Diaz Brugos

Download

Back to Overview