Configuration to use OWASP WebGoat while online? [closed]

OWASP WebGoat is a deliberately insecure web application with a set of tutorials on how to hack it (and how to protect your own application). OWASP advises disconnecting from the internet while using it, since it is an insecure application after all, and firewalls might be misconfigured or missing (see the prior question OWASP WebGoat Warning Meaning).

Is there a checklist on how to use WebGoat safely while in a video conference? The first step is presumably to run it in a Docker container. How do I configure that Docker container?

OWASP ZAP bruteforce 3 parameters Request from 3 payloads (parallel)

How can I fuzz a request with 3 parameters (locations) and 3 payloads?

request1 => parameter1=payload1.1; parameter2=payload2.1; parameter3=payload3.1;

request2 => parameter1=payload1.2; parameter2=payload2.2; parameter3=payload3.2;

request3 => parameter1=payload1.3; parameter2=payload2.3; parameter3=payload3.3;

Where payload1.2 means take string #2 from payload list 1, etc.

Thanks.

Is `SecAction` order important for an OWASP ModSecurity config file?

Using a web server with Nginx + ModSecurity + OWASP ModSecurity Core Rules…

In the OWASP config file crs-setup.conf, is the order of the SecAction config sections important, or can I order them differently from the example config file?

Example:

SecAction \
  "id:900250,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"

SecAction \
  "id:900200,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

By default, SecAction id:900200 is written before SecAction id:900250; is that order important?

OWASP Client-Side Testing – How To

In the OWASP Testing Guide, there is a whole section called “Client-Side Testing.” This section has to do with testing for things such as DOM-based XSS, JavaScript execution, HTML injection, Client-Side URL Redirect, etc. The examples in the testing guide for the first four vulnerabilities (the ones I just listed) all include code that accesses document.location.

My question is, what other ways are there for these kinds of vulnerabilities to be introduced into a web page without accessing document.location? In other words, if a page does not ever access document.location, is it definitely free from these vulnerabilities?

Stop an in-progress passive scan in OWASP ZAP 2.9

I would like to know if anyone knows how to stop or speed-up an in-progress ZAP passive scan on version 2.9. I have a 64000+ passive scan queue and it is not draining fast at all. I have disabled all of the passive scan rules by going to Options -> Passive Scan Rules and setting the threshold to “OFF” on everything.

The console log is saying the following over and over, of course with different times and different URLs:

[ZAP-PassiveScanner] WARN org.zaproxy.zap.extension.pscan.PassiveScanThread - Passive Scan rule html_mailto took 211 seconds to scan https://[target-site-url]

How to resolve the Format String Error alert in OWASP ZAP for a web application (ASP.NET C#)?

I have a web application with a login page. In the login page, I’ve set maxlength for the username input and the password input, which looks like the code below.

@Html.TextBoxFor(m => m.Username, new { @maxlength="30"}) 

When I run OWASP ZAP, it gives me an alert with the following description.

A Format String error occurs when the submitted data of an input string is evaluated as a command by the application.

Potential Format String Error. The script closed the connection on a /%s

But when I remove @maxlength="30", the alert goes away.

I’ve been trying to find the remediation for this alert, but I’ve read that the Format String vulnerability doesn’t really exist in C#: Do format string vulnerabilities exist in C# or Java?

Is it just a “potential” error and nothing to worry about because it’s in C#? Or, if this is something that needs to be taken care of, what can be done to resolve this alert from OWASP ZAP? (I’d believe removing @maxlength is not a solution.)

Cannot Import Zap AddOn in Owasp Zap latest version [closed]

I downloaded a ZAP add-on here: https://drive.google.com/file/d/0BxnT8mQMY9e2aHBJT2hpOWhHV00/edit

Now I wanted to import it into my OWASP ZAP, but I get the following error:

It says: “cannot load specified addon : not before 2.3.0”

I tried to find OWASP ZAP 2.3.0, but I did not find it.

Can you help me install this add-on on my ZAP (latest version) or find a version of ZAP that would accept it?

The big problem is that this add-on is not in the list of available add-ons in ZAP; otherwise it would have been easier.


OWASP ZAP submit forms

I’m trying to find a SQL injection vulnerability in DVWA with OWASP ZAP. After some clicking through the page, I have a small site map:

[screenshot]

I ran Active scan, Spider and AJAX spider on the GET:sqli node. As you can see in the screenshot above, the SQL injection vulnerability was not found. Neither was the form action from the https://localhost:8081/vulnerabilities/sqli/ page:

[screenshot]

Only if I manually submit the form does the form action show up in the Sites tab:

[screenshot]

And only if I run Active scan again, the SQL Injection vulnerability is detected.

[screenshot]

Is there any way to force the spider / active scan to submit forms and detect their vulnerabilities automatically?

ModSecurity – OWASP CRS 901001

Ubuntu 18.04
Apache/2.4.29
ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.0
modsecurity-crs 3.0.2-1

This is a new server. The following message appears in modsec_audit.log in every entry:

--c2d2e910-H--
Message: Warning. Operator EQ matched 0 at TX. [file "/usr/share/modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"] [line "56"] [id "901001"] [msg "ModSecurity Core Rules setup file has not been detected. Threat detection and blocking may be nonfunctional. Please ensure to make a copy of the setup template crs-setup.conf.example, and include your crs-setup.conf file in your webserver configuration before including the CRS rules."] [severity "WARNING"]


me@www:~$ apache2ctl -t -D DUMP_MODULES | grep security2_module
 security2_module (shared)

As shown above, the module is loaded. My Apache conf has an <IfModule security2_module> stanza that includes:

IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load 

The file owasp-crs.load has:

Include /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/modsecurity-crs/rules/*.conf
IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf


me@www:~$ ls /etc/modsecurity/crs/crs-setup.conf
/etc/modsecurity/crs/crs-setup.conf

As the warning states, crs-setup.conf can’t be found, though the file exists in the specified location. However, the system seems to be working properly. For example, in crs-setup.conf, if I remove all HTTP methods from ID 900200, then I get an HTTP 403 Forbidden, which is expected based on how I have the system configured.

Your thoughts and experience are appreciated in helping to resolve this.

Thank you.
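The 901001 warning quoted in the question is raised when the CRS initialization rules run and find the transaction variable tx.crs_setup_version unset (the log's "Operator EQ matched 0 at TX" is that check). Two things have to hold for the marker to be present: crs-setup.conf must be included before the rules/*.conf files, and the copy of crs-setup.conf actually loaded must contain the SecAction that sets tx.crs_setup_version. The following script is an added example, not code from the question or from the CRS project; it checks both conditions against constructed load and setup files written to a temporary directory (the assumed marker is `setvar:tx.crs_setup_version=`, as in the CRS 3.0 setup template). Point the two functions at the real /usr/share/modsecurity-crs/owasp-crs.load and /etc/modsecurity/crs/crs-setup.conf to run it against a live install.

```shell
#!/bin/sh
# Added example: sanity-check the two preconditions behind CRS rule 901001.
# Assumption: the setup file marks itself with "setvar:tx.crs_setup_version=".

# Return 0 if crs-setup.conf is Include'd before the first rules/*.conf line.
crs_setup_included_first() {
    loadfile="$1"
    setup_line=$(grep -n 'crs-setup\.conf' "$loadfile" | head -n1 | cut -d: -f1)
    rules_line=$(grep -n 'rules/\*\.conf' "$loadfile" | head -n1 | cut -d: -f1)
    [ -n "$setup_line" ] && [ -n "$rules_line" ] && [ "$setup_line" -lt "$rules_line" ]
}

# Return 0 if the setup file sets tx.crs_setup_version on an uncommented line.
# A commented-out or missing 900990 action leaves the variable at 0, which is
# exactly what 901001 matches on.
crs_setup_sets_version() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'setvar:tx\.crs_setup_version='
}

# Constructed demo files (not the questioner's real configuration).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/owasp-crs.load" <<'EOF'
Include /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/modsecurity-crs/rules/*.conf
IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
EOF

# Setup file whose version marker has been commented out: order is right,
# but 901001 would still fire on every request.
cat > "$demo_dir/crs-setup-broken.conf" <<'EOF'
SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
#SecAction "id:900990,phase:1,nolog,pass,t:none,setvar:tx.crs_setup_version=302"
EOF

# Setup file with the marker present.
cat > "$demo_dir/crs-setup-ok.conf" <<'EOF'
SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
SecAction "id:900990,phase:1,nolog,pass,t:none,setvar:tx.crs_setup_version=302"
EOF

crs_setup_included_first "$demo_dir/owasp-crs.load" \
    && echo "load order OK: crs-setup.conf precedes rules/*.conf"
crs_setup_sets_version "$demo_dir/crs-setup-broken.conf" \
    || echo "broken setup: tx.crs_setup_version never set (901001 will fire)"
crs_setup_sets_version "$demo_dir/crs-setup-ok.conf" \
    && echo "ok setup: tx.crs_setup_version marker present"
```

If the order check passes on a real install but the marker check fails, the file ModSecurity is reading is not the populated template, which is the situation the warning text describes regardless of whether the path exists.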