Part 5 WebGoat Library CVSS Lab

Video Activity

In this lab-based lesson, participants examine the libraries bundled with the WebGoat distribution, look up the CVSS scores associated with those libraries, and determine whether any of them have known vulnerabilities.

Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013,
00:13
A9, Using Components with Known Vulnerabilities, lab: WebGoat. We are looking at the libraries that are used in WebGoat and their CVSS scores. Now, for this lab, we're going to take a look at
00:29
the bundled distribution of WebGoat. And so, if we were to go ahead and open up a terminal,
00:41
and I'm gonna make this a little bit bigger,
00:44
so if I wanted to find out the location where the binaries are running for this particular application, I could just grep.
00:59
I'm gonna grep for Tomcat.
01:03
And what it does is it tells me where Tomcat is running.
01:08
And so if I go to that directory,
01:19
I can see that there's a webapps
01:23
directory,
01:26
and I can see my WebGoat there. So I've got the WAR file, of course, exploded when it was deployed, and it created this WebGoat directory.
01:38
So once I'm inside of there, I can actually see
01:44
the contents of the WAR file.
01:49
You want to go to this WEB-INF, because that's going to have
01:57
the additional libraries that have been added
02:01
to the distribution.
02:07
So if we take a look at this lib directory here,
02:14
we can see that there are lots of JAR files that are added. So all of these JAR files represent third-party components, and
02:23
all of these look like they're open source. So that makes it super easy to
02:30
Google them and determine if they have any CVSS scores associated with them.
02:37
So I'm gonna go ahead and take a look at a couple of them.
02:42
Maybe this Axis one,
02:45
and maybe this commons-fileupload. So let me switch over.
02:52
So, Googling the Axis one first, I'm just going to type in the letters CVSS,
02:59
the word Axis, and then the version that I'm looking for. I do receive a hit on the 1.2.1, so I'm gonna click that,
03:09
and that looks like it's of interest to us. So we've got,
03:15
ah, several CVSS items that are listed here.
03:23
Now, if I take a look at the next one,
03:25
the commons-fileupload, and put a version number with this one, you could, or you could just leave it generic like that, and it looks like it's this first link here. So I'll click that and
03:39
definitely have a couple of CVE numbers associated.
03:45
And once again, if you click these numbers in detail
03:50
and you go down to the OVAL section,
03:53
you will see a link for
03:57
getting information about patches,
04:01
and you just look for the particular environment that you're running on, the particular platform, and get the appropriate patch.
04:11
So your assignment is to basically go through all of the libraries that are used
04:17
and determine if there are known vulnerabilities for those libraries.
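The procedure in the video (find the exploded WAR under Tomcat's webapps directory, list the JARs in WEB-INF/lib, then look each one up by name and version) is easy to do by hand for two libraries but error-prone for a whole lib directory. The script below is an added example, not part of the Cybrary lesson or of WebGoat itself: it walks a WEB-INF/lib directory, reads the Maven coordinates (groupId, artifactId, version) from each JAR's embedded META-INF/maven/.../pom.properties where present, falls back to parsing the filename otherwise, and emits a Package URL (pkg:maven/...) that tools such as OSV or OWASP Dependency-Check accept as a lookup key. The path webapps/WebGoat/WEB-INF/lib is assumed from the layout described in the video; the three sample JARs are constructed in a temporary directory so the script runs offline, and their versions are illustrative, not a claim about what ships in WebGoat.

```python
"""Inventory third-party JARs under a deployed WebGoat's WEB-INF/lib.

Added example (not from the Cybrary lesson or the WebGoat project). On a real
box point inventory_jars() at <tomcat>/webapps/WebGoat/WEB-INF/lib (assumed
layout); here a sample lib directory is constructed so the script runs offline.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

# Fallback filename pattern: <artifact>-<version>.jar, version starting with a digit.
_FILENAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def _from_pom_properties(jar: zipfile.ZipFile) -> Optional[Dict[str, str]]:
    """Return Maven coordinates from META-INF/maven/<group>/<artifact>/pom.properties."""
    for name in jar.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props: Dict[str, str] = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                return {"groupId": props["groupId"], "artifactId": props["artifactId"],
                        "version": props["version"], "source": "pom.properties"}
    return None


def _from_filename(filename: str) -> Dict[str, str]:
    """Best-effort coordinates from the JAR name alone; groupId is unknown ("?")."""
    m = _FILENAME_RE.match(filename)
    if not m:
        stem = filename[:-4] if filename.endswith(".jar") else filename
        return {"groupId": "?", "artifactId": stem, "version": "?", "source": "filename"}
    return {"groupId": "?", "artifactId": m["artifact"], "version": m["version"],
            "source": "filename"}


def inventory_jars(lib_dir: str) -> List[Dict[str, str]]:
    """List every *.jar in lib_dir with the most reliable coordinates available."""
    results = []
    for fn in sorted(os.listdir(lib_dir)):
        if not fn.endswith(".jar"):
            continue
        entry = None
        try:
            with zipfile.ZipFile(os.path.join(lib_dir, fn)) as jar:
                entry = _from_pom_properties(jar)
        except zipfile.BadZipFile:
            entry = None  # not a valid ZIP; fall back to the filename
        if entry is None:
            entry = _from_filename(fn)
        entry["file"] = fn
        results.append(entry)
    return results


def purl(entry: Dict[str, str]) -> Optional[str]:
    """Package URL for Maven artifacts; None when the groupId could not be determined."""
    if entry["groupId"] == "?" or entry["version"] == "?":
        return None
    return f"pkg:maven/{entry['groupId']}/{entry['artifactId']}@{entry['version']}"


def build_sample_lib_dir() -> str:
    """Constructed sample WEB-INF/lib: two JARs with Maven metadata, one without."""
    d = tempfile.mkdtemp(prefix="webgoat-lib-")
    samples = {  # filename -> (groupId, artifactId, version); illustrative values
        "axis-1.2.1.jar": ("axis", "axis", "1.2.1"),
        "commons-fileupload-1.0.jar": ("commons-fileupload", "commons-fileupload", "1.0"),
    }
    for fn, (g, a, v) in samples.items():
        with zipfile.ZipFile(os.path.join(d, fn), "w") as z:
            z.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                       f"#Generated by Maven\nversion={v}\ngroupId={g}\nartifactId={a}\n")
    # A JAR without Maven metadata: only the filename is available.
    with zipfile.ZipFile(os.path.join(d, "sample-lib-2.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return d


if __name__ == "__main__":
    for e in inventory_jars(build_sample_lib_dir()):
        print(f"{e['file']:30} {e['groupId']}:{e['artifactId']}:{e['version']}"
              f"  [{e['source']}]  {purl(e) or 'purl unknown: verify manually'}")
```

JARs whose coordinates come only from the filename (no pom.properties) should be checked by hand, as the video does, since the artifact name alone does not identify the vendor; the same goes for shaded or repackaged JARs, whose pom.properties may describe the wrapper rather than the bundled code.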