WebGoat Plus: An Extension of the WebGoat Tool for Security Vulnerabilities Teaching

Abstract


Hands-on vulnerability exploitation activities can provide students a better understanding of security vulnerabilities. Thus, this paper proposes to provide an extension from the WebGoat application that allows the practice of OS Injection vulnerability. In this work tests were applied with nine students who used and evaluated the application. When evaluating the amount of completed assignments, it was noticed that 80% of students solved at least 60% of the assignments. As for user satisfaction, 88% of them would recommend the application to a third party. Thus, it is possible to conclude which the application may contributed in teaching OS Injection vulnerability.
Keywords: Teaching Vulnerabilities, OS Injection, WebGoat

Published: 2021-10-04

BIZON, Artur Ricardo; JUSTINO, Gilvan. WebGoat Plus: An Extension of the WebGoat Tool for Security Vulnerabilities Teaching. In: WORKSHOP ON SCIENTIFIC INITIATION AND UNDERGRADUATE WORKS - BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 21., 2021, Evento Online. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 138-150. DOI: https://doi.org/10.5753/sbseg_estendido.2021.17348.